I already asked this question in PyEZ mailing list
, but perhaps this forum is a more appropriate for this issue as it's related to Junos itself and not the PyEZ library.
I have a very restricted local user account named "inventory" for a script using PyEZ library in all my Juniper devices ranging from QFX series switches to MX series routers. This user belongs to class named "inventory" and this class has an "allow-commands" statement with value "show chassis hardware|exit|quit|xml-mode|.*netconf|.*need-trailer|.*close-session|show cli authorization" and "deny-commands" statement with value ".*":
inventory@srx> show cli authorization
Current user: 'inventory ' class 'inventory'
view -- Can view current values and statistics
Individual command authorization:
Allow regular expression: show chassis hardware|exit|quit|xml-mode|.*netconf|.*need-trailer|.*close-session|show cli authorization
Deny regular expression: .*
Allow configuration regular expression: none
Deny configuration regular expression: none
Script calls the <get-chassis-inventory> and <close-session> RPCs, but under the hood "xml-mode netconf need-trailer" command(or its equivalent RPC) is executed when the NETCONF session is established and that's why the "allow-commands" statement takes this into account as well. However, in Junos version 18.4R3-S2 the "xml-mode netconf need-trailer" command is no longer authorized. Example:
$ # NETCONF session to "srx" firewall running Junos 18.4R3-S2
$ ssh -b 10.10.10.141 srx -l inventory -s netconf
error: unknown command: xml-mode
There is no such issue with various other Junos releases ranging from 15.x to 18.x. Has anyone else encountered this problem? Is it a bug? Is there a PR for this? If such change was intentional, then where is it documented in the release notes?