Junos version 18.4R3-S2 on SRX does not authorize the "xml-mode netconf need-trailer" command

    Posted 18 days ago
    I already asked this question on the PyEZ mailing list, but perhaps this forum is more appropriate for this issue, as it's related to Junos itself and not to the PyEZ library.

    I have a very restricted local user account named "inventory" for a script using the PyEZ library on all my Juniper devices, ranging from QFX series switches to MX series routers. This user belongs to a class named "inventory", and this class has an "allow-commands" statement with the value "show chassis hardware|exit|quit|xml-mode|.*netconf|.*need-trailer|.*close-session|show cli authorization" and a "deny-commands" statement with the value ".*":

    inventory@srx> show cli authorization
    Current user: 'inventory ' class 'inventory'
    Permissions:
        view        -- Can view current values and statistics
    Individual command authorization:
        Allow regular expression: show chassis hardware|exit|quit|xml-mode|.*netconf|.*need-trailer|.*close-session|show cli authorization
        Deny regular expression: .*
        Allow configuration regular expression: none
        Deny configuration regular expression: none
    
    inventory@srx>


    The script calls the <get-chassis-inventory> and <close-session> RPCs, but under the hood the "xml-mode netconf need-trailer" command (or its equivalent RPC) is executed when the NETCONF session is established, and that's why the "allow-commands" statement takes this into account as well. However, in Junos version 18.4R3-S2 the "xml-mode netconf need-trailer" command is no longer authorized. Example:

    $ # NETCONF session to "srx" firewall running Junos 18.4R3-S2
    $ ssh -b 10.10.10.141 srx -l inventory -s netconf
    
    Password:
    
    error: unknown command: xml-mode
    $


    There is no such issue with various other Junos releases ranging from 15.x to 18.x. Has anyone else encountered this problem? Is it a bug? Is there a PR for this? If such a change was intentional, then where is it documented in the release notes?
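An added example, not part of the post above and not Juniper's code: an offline check of a least-privilege login class like the "inventory" one, applying its allow-commands and deny-commands regexes to the commands a NETCONF inventory session actually issues (including the "xml-mode netconf need-trailer" command the post found running under the hood). The matching model is an assumption: each "|" alternative is treated as anchored at the start of the command line (which is why the post needs ".*netconf" to reach a non-leading word), and a matching allow-commands alternative takes precedence over deny-commands, consistent with the post's working configuration of deny ".*" plus an allow list.

```python
import re

# Constructed from the post: the "inventory" class regexes. Not Juniper's code.
ALLOW_COMMANDS = ("show chassis hardware|exit|quit|xml-mode|.*netconf"
                  "|.*need-trailer|.*close-session|show cli authorization")
DENY_COMMANDS = ".*"

# Constructed sample: commands the inventory script's NETCONF session issues,
# plus one command that this restricted class must not be able to run.
SESSION_COMMANDS = [
    "xml-mode netconf need-trailer",   # issued when the NETCONF session starts
    "show chassis hardware",           # <get-chassis-inventory> RPC
    "close-session",                   # <close-session> RPC
    "show configuration",              # must be blocked for this class
]


def matching_alternatives(regex, command):
    """Return the '|'-separated alternatives of a Junos-style regex that match
    the command. Assumption (simplified model): every alternative is anchored
    at the start of the command line, so ".*" is needed to reach later words.
    Splitting on '|' assumes no alternative contains a grouped '|' itself."""
    return [alt for alt in regex.split("|") if re.match(alt, command)]


def is_authorized(command, allow=ALLOW_COMMANDS, deny=DENY_COMMANDS):
    """Assumption drawn from the post's working config: a command matching
    allow-commands is authorized even if deny-commands also matches; a command
    matching only deny-commands is refused; a command matching neither falls
    back to the class permissions, which this model does not evaluate."""
    if matching_alternatives(allow, command):
        return True
    if matching_alternatives(deny, command):
        return False
    return True  # permission-based decision, outside this model


def audit(commands=SESSION_COMMANDS):
    """Map each command to (authorized?, allow alternatives that matched)."""
    return {cmd: (is_authorized(cmd), matching_alternatives(ALLOW_COMMANDS, cmd))
            for cmd in commands}


if __name__ == "__main__":
    for cmd, (ok, hits) in audit().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {cmd!r:35} via {hits}")
```

Run it before tightening or loosening the regex so that every command the client really sends (the output shows which alternative admits it) stays authorized while everything else is refused; the class still has to be verified on the device itself, since the real authorization engine may differ from this model.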