[RFE] Support for 'validate' RPC #1193

Open
TheMysteriousX opened this issue Jul 21, 2022 · 0 comments
Is it possible to get support added for the 'validate' RPC?

https://www.juniper.net/documentation/us/en/software/junos/netconf/topics/task/netconf-configuration-verifying.html

Use case / background

I'm trying to implement secure candidate configuration checking in merge requests from our CI using ansible.

I found that there is no way to grant a user with netconf access rights to run commit check only, and not commit.
Regardless of the permissions/allow-commands, a user with permission to run commit check and use netconf can commit the configuration using a hidden command:

{primary:node0}
ansible-check@srx4600> internal-invoke junoscript-operation commit-configuration
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete

Due to the way allow-commands works, it's not possible to exclusively authorise internal-invoke junoscript-operation commit-configuration check on its own, which would also fix the problem.
To allow an unprivileged CI user to verify merge request changes, I'd like to extend the ansible collection to support running the validate RPC - this requires PyEZ support first, though.

I've cobbled together support in Ansible using the RPC module - it's a bit fragile, but it works (I needed to fix a few bugs in ansible-junos-stdlib for this to work):

- name: Check configuration for errors
  juniper.device.rpc:
    user: "{{ junos_user }}"
    # One RPC per list entry, run in order; the attrs and kwargs lists
    # line up with the rpc list by position (one dict per RPC).
    rpc:
      - "lock-configuration"        # take the exclusive candidate lock
      - "load-configuration"        # replace the candidate with the MR's config
      - "validate"                  # commit check without committing
      - "unlock-configuration"      # release the lock
    attrs:
      - {}
      - action: 'override'          # replace the whole candidate
        format: 'text'              # config is curly-brace text, not XML
      - {}
      - {}
    kwargs:
      - {}
      - configuration_text: '{{ cnf }}'
      - source:
          candidate: true           # validate the candidate, not the running config
      - {}
  register: response
  when: compare or check
  vars:
    cnf: "{{ lookup('ansible.builtin.file', candidate_config ) }}"

Adding support in PyEZ would mean all of that ^ could just become this:

juniper.device.config:
  ...
  validate: true
  check: false
  commit: false
  ...
@TheMysteriousX TheMysteriousX changed the title [REF] Support for 'validate' RPC [RFE] Support for 'validate' RPC Jul 22, 2022
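The lock / load / validate / unlock sequence the Ansible task above drives, as an added example that is not code from the issue, from Junos PyEZ or from the ansible collection. It builds the four NETCONF RPC envelopes with the same attributes the task uses (action=override, format=text, source candidate), runs them through a transport callable so it works offline, and decides from the replies whether the candidate passed. Everything named `fake_device`, `validate_candidate`, `reply_errors` and the sample replies is mine; the reply shapes are constructed and are an assumption modelled on Junos NETCONF output, not captured from a device.

```python
"""Added example, not code from the issue, Junos PyEZ or the Ansible collection.

Models the four-RPC sequence the Ansible task in the issue sends
(lock-configuration, load-configuration, validate, unlock-configuration)
and decides from the replies whether the candidate passed the check.
The transport is a callable so the example runs offline; the sample
replies below are constructed, and their shape is an assumption modelled
on Junos NETCONF output rather than copied from a device.
"""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"


def local_name(tag: str) -> str:
    """Strip the namespace so NETCONF- and Junos-namespaced tags compare alike."""
    return tag.rsplit("}", 1)[-1]


def rpc_name(rpc_xml: str) -> str:
    """Name of the operation inside an <rpc> envelope, e.g. 'validate'."""
    return local_name(ET.fromstring(rpc_xml)[0].tag)


def _wrap(child: ET.Element) -> str:
    root = ET.Element("rpc", xmlns=NC_NS)
    root.append(child)
    return ET.tostring(root, encoding="unicode")


def build_rpcs(config_text: str) -> dict:
    """The four RPCs keyed by step; load attributes mirror the task (override, text)."""
    load = ET.Element("load-configuration", action="override", format="text")
    ET.SubElement(load, "configuration-text").text = config_text
    validate = ET.Element("validate")
    ET.SubElement(ET.SubElement(validate, "source"), "candidate")
    return {
        "lock": _wrap(ET.Element("lock-configuration")),
        "load": _wrap(load),
        "validate": _wrap(validate),
        "unlock": _wrap(ET.Element("unlock-configuration")),
    }


def reply_errors(reply_xml: str) -> list:
    """Errors in a reply: each <rpc-error>, or a bare non-zero <load-error-count>."""
    errors, reported = [], 0
    for el in ET.fromstring(reply_xml).iter():
        name = local_name(el.tag)
        if name == "rpc-error":
            fields = {local_name(c.tag): (c.text or "").strip() for c in el}
            msg = fields.get("error-message") or "unspecified rpc-error"
            errors.append(f"{fields['error-path']}: {msg}" if fields.get("error-path") else msg)
        elif name == "load-error-count":
            reported = int((el.text or "0").strip())
    if reported and not errors:
        errors.append(f"load reported {reported} error(s) without detail")
    return errors


def validate_candidate(send, config_text: str) -> tuple:
    """Lock, load, validate; always unlock so a failed CI run leaves no stale lock.
    Returns (ok, errors)."""
    rpcs = build_rpcs(config_text)
    errors = reply_errors(send(rpcs["lock"]))
    if errors:  # candidate is held by someone else; nothing of ours to unlock
        return False, errors
    try:
        errors = reply_errors(send(rpcs["load"]))
        if not errors:  # only validate a candidate that actually loaded
            errors = reply_errors(send(rpcs["validate"]))
    finally:
        send(rpcs["unlock"])
    return not errors, errors


# Constructed sample replies (assumed shape, see module docstring).
OK_REPLY = f'<rpc-reply xmlns="{NC_NS}"><ok/></rpc-reply>'
LOAD_OK = (f'<rpc-reply xmlns="{NC_NS}"><load-configuration-results>'
           '<load-success/></load-configuration-results></rpc-reply>')
LOAD_BAD = (f'<rpc-reply xmlns="{NC_NS}"><load-configuration-results>'
            '<rpc-error><error-severity>error</error-severity>'
            '<error-message>syntax error</error-message></rpc-error>'
            '<load-error-count>1</load-error-count>'
            '</load-configuration-results></rpc-reply>')
VALIDATE_OK = (f'<rpc-reply xmlns="{NC_NS}"><commit-results><routing-engine>'
               '<name>re0</name><commit-check-success/></routing-engine>'
               '</commit-results></rpc-reply>')
VALIDATE_BAD = (f'<rpc-reply xmlns="{NC_NS}"><rpc-error>'
                '<error-severity>error</error-severity>'
                '<error-path>[edit interfaces ge-0/0/0]</error-path>'
                '<error-message>mandatory attribute missing</error-message>'
                '</rpc-error></rpc-reply>')
LOCK_BAD = (f'<rpc-reply xmlns="{NC_NS}"><rpc-error>'
            '<error-message>configuration database locked by another user</error-message>'
            '</rpc-error></rpc-reply>')


def fake_device(replies: dict):
    """Offline stand-in for a NETCONF session; records what was sent in send.sent."""
    def send(rpc_xml: str) -> str:
        send.sent.append(rpc_name(rpc_xml))
        return replies.get(send.sent[-1], OK_REPLY)
    send.sent = []
    return send


if __name__ == "__main__":
    dev = fake_device({"load-configuration": LOAD_OK, "validate": VALIDATE_BAD})
    print(validate_candidate(dev, "interfaces { ge-0/0/0 { unit 0; } }"), dev.sent)
```

Two things the Ansible task cannot express are handled here on purpose: a load that fails is not followed by a validate (otherwise you would be checking whatever candidate was there before), and unlock is sent from a `finally` so the CI account never leaves the candidate locked when a step errors out. With a real session, `send` would be the function that writes the envelope to the NETCONF channel and returns the reply.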