[j-nsp] minimum permissions for napalm/pyez user

Andy Litzinger andy.litzinger.lists at gmail.com
Thu Mar 14 18:22:56 EDT 2019

   We are attempting to use Napalm which I understand is using pyez/netconf
over ssh under the hood.  We can get things to work with a full admin level
user, but we'd like to pare down the access to only what is required.
  right now we are specifically hitting an issue where when we run the
napalm open() method with our restricted user it fails because it's trying
to drop into the shell and run the command "xml-mode netconf need-trailer"
.  We verified this by logging the interactive commands at our router and
comparing what was run with an admin user vs our restricted user.

We get a the following error:

>>> import napalm_junos
>>> mx_router =

>>> mx_router.open()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/site-packages/napalm_junos/junos.py", line
106, in open
  File "/usr/local/lib/python2.7/site-packages/jnpr/junos/device.py", line
1291, in open
    raise cnx_err
jnpr.junos.exception.ConnectError: ConnectError(host: ip.address, msg:
Unexpected session close
error: unknown command: xml-mode

error: permission denied: netconf


More information about the juniper-nsp mailing list