SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Junos version 18.4R3-S2 on SRX does not authorize the "xml-mode netconf need-trailer" command

  • 1.  Junos version 18.4R3-S2 on SRX does not authorize the "xml-mode netconf need-trailer" command

    Posted 11-17-2021 09:12
    I already asked this question on the PyEZ mailing list, but perhaps this forum is more appropriate for this issue, as it's related to Junos itself and not to the PyEZ library.

    I have a very restricted local user account named "inventory" for a script using PyEZ library in all my Juniper devices ranging from QFX series switches to MX series routers. This user belongs to class named "inventory" and this class has an "allow-commands" statement with value "show chassis hardware|exit|quit|xml-mode|.*netconf|.*need-trailer|.*close-session|show cli authorization" and "deny-commands" statement with value ".*":

    inventory@srx> show cli authorization
    Current user: 'inventory ' class 'inventory'
    Permissions:
        view        -- Can view current values and statistics
    Individual command authorization:
        Allow regular expression: show chassis hardware|exit|quit|xml-mode|.*netconf|.*need-trailer|.*close-session|show cli authorization
        Deny regular expression: .*
        Allow configuration regular expression: none
        Deny configuration regular expression: none
    
    inventory@srx>


    The script calls the <get-chassis-inventory> and <close-session> RPCs, but under the hood the "xml-mode netconf need-trailer" command (or its equivalent RPC) is executed when the NETCONF session is established, and that's why the "allow-commands" statement takes this into account as well. However, in Junos version 18.4R3-S2 the "xml-mode netconf need-trailer" command is no longer authorized. Example:

    $ # NETCONF session to "srx" firewall running Junos 18.4R3-S2
    $ ssh -b 10.10.10.141 srx -l inventory -s netconf
    
    Password:
    
    error: unknown command: xml-mode
    $


    There is no such issue with various other Junos releases ranging from 15.x to 18.x. Has anyone else encountered this problem? Is it a bug? Is there a PR for this? If such a change was intentional, then where is it documented in the release notes?


  • 2.  RE: Junos version 18.4R3-S2 on SRX does not authorize the "xml-mode netconf need-trailer" command

    Posted 01-20-2022 10:13
    Adding the "junoscript" to "allow-commands" statement authorizes the "xml-mode netconf need-trailer" command in newer Junos versions required for establishing the NETCONF session. Tested with 18.4R3-S2 and 19.4R2.6. In addition, one has to extend the ".*netconf" regex for example to ".*netconf.*". Otherwise the authorization of the "<close-session>" RPC fails.
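
    The login-class change described in the reply above, written out as a Junos configuration fragment. This is an added example and not configuration posted by either participant; the class and user names "inventory" come from the thread, while the authentication stanza and the exact placement of the new regex alternatives are assumptions. The first class is the original (restrictive) definition, the second is the same class with the two changes the reply describes: "junoscript" added so the NETCONF session can be established, and ".*netconf" widened to ".*netconf.*" so the <close-session> RPC is also authorized. Only one of the two classes should be kept in a real configuration; both are shown here side by side for comparison.

```junos
system {
    login {
        /* Original class: NETCONF session setup fails on 18.4R3-S2 and later */
        class inventory-old {
            permissions view;
            allow-commands "show chassis hardware|exit|quit|xml-mode|.*netconf|.*need-trailer|.*close-session|show cli authorization";
            deny-commands ".*";
        }
        /* Corrected class: "junoscript" added, ".*netconf" widened to ".*netconf.*" */
        class inventory {
            permissions view;
            allow-commands "show chassis hardware|exit|quit|xml-mode|junoscript|.*netconf.*|.*need-trailer|.*close-session|show cli authorization";
            deny-commands ".*";
        }
        user inventory {
            class inventory;
            authentication {
                /* assumed: any authentication method; an SSH key is preferable to a password for a script account */
                ssh-ed25519 "ssh-ed25519 AAAA...";
            }
        }
    }
}
```

    After committing, the result can be checked from the restricted account with "show cli authorization" (the output should list the new allow regular expression) and by opening a NETCONF session with "ssh -l inventory -s netconf srx": the session should now return the NETCONF hello instead of "error: unknown command: xml-mode". Keep "deny-commands" at ".*" so that the account can still only run the explicitly listed commands and RPCs.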