[j-nsp] minimum permissions for napalm/pyez user
Andy Litzinger
andy.litzinger.lists at gmail.com
Thu Mar 14 18:22:56 EDT 2019
Hello!
We are attempting to use Napalm which I understand is using pyez/netconf
over ssh under the hood. We can get things to work with a full admin level
user, but we'd like to pare down the access to only what is required.
Right now we are specifically hitting an issue where, when we run the
napalm open() method with our restricted user, it fails because it's trying
to drop into the shell and run the command "xml-mode netconf need-trailer".
We verified this by logging the interactive commands at our router and
comparing what was run with an admin user vs our restricted user.
We get the following error:
>>> import napalm_junos
>>> mx_router = napalm_junos.JunOSDriver(hostname="ip.address",username="my_restricted_user",password="my_pass")
>>> mx_router.open()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/site-packages/napalm_junos/junos.py", line 106, in open
    self.device.open()
  File "/usr/local/lib/python2.7/site-packages/jnpr/junos/device.py", line 1291, in open
    raise cnx_err
jnpr.junos.exception.ConnectError: ConnectError(host: ip.address, msg: Unexpected session close
IN_BUFFER: `
error: unknown command: xml-mode
error: permission denied: netconf
`)
TIA!
-andy