Access tail hidden leaf from maapi js

I have a leaf node which is hidden, not using a group, as below:

  list peer {
    leaf ip-add {
      tailf:hidden ip-add;
      type string;
    }
  }

I need to access the hidden leaf in the web UI using Maapi.request("get_values").

If I add the leaf to the hidden group “full”, I can access it using Maapi unhide_schema, but this requires entering the group name and password as clear text in the JS file.

Is there a way to access the hidden leaf in the web UI without using Maapi unhide_schema?

There are several options, but keep in mind that the purpose of tailf:hidden is not to hide the data from a malicious user, it is more something like a note to the user that this element should not be touched unless the user really knows what she is doing. From this point of view, there is nothing wrong in having the hide-group password plaintext in your JS code. If the aim is to protect the data from read or write access by a group of users, NACM rules are probably a better way to go.

The options, some of them may or may not be applicable to your use case:

  • employ NACM instead, as written above;
  • let the user write the hide group password - if the user is expected to have access to the element, she should know the password;
  • if the aim is to store data that would be used later by e.g. a CDB subscriber, you may want to have a look at transaction hooks or set-hooks.

@mvf thank you for the reply

My aim is to use the stored data, which will be used later, and the leaf is updated using a transaction hook.

I need to keep this leaf hidden as I don’t want the user to change the value from the GUI or CLI, but I need to show the same to the user in the GUI.

The only option I found was to use Maapi unhide_schema, but I didn’t want to provide the password as plain text in the JS file.

Then NACM might actually work for you - you can configure a rule that says that your users have read-only access to that leaf, it might look somewhat like this:

  <rule-list>
    <name>nouser</name>
    <group>*</group>
    <rule>
      <name>no-peer-ip</name>
      <module-name>my-module</module-name>
      <path>/peer/ip-add</path>
      <access-operations>create update delete</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>

This way no user can modify the leaf, but it is still accessible for reading. Hooks are not affected by NACM rules, they still have full access to the leaf.

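How the rule-list in the reply above splits read from write access, as an added example that is not part of the thread and not ConfD's own code: a simplified first-match evaluation modelled on NACM (RFC 8341). The names `check_access`, `_steps` and the `default` parameter are hypothetical, and path matching here ignores list keys and prefixes.

```python
import re
import xml.etree.ElementTree as ET

# Rule-list as posted in the thread ("my-module" is the poster's placeholder).
RULE_LIST = """
<rule-list>
  <name>nouser</name>
  <group>*</group>
  <rule>
    <name>no-peer-ip</name>
    <module-name>my-module</module-name>
    <path>/peer/ip-add</path>
    <access-operations>create update delete</access-operations>
    <action>deny</action>
  </rule>
</rule-list>
"""

def _steps(path):
    """Split a path into node names, dropping [key] predicates and prefixes."""
    path = re.sub(r"\[[^\]]*\]", "", path)
    return [s.split(":")[-1] for s in path.strip("/").split("/")]

def check_access(rule_list_xml, groups, module, path, operation, default="permit"):
    """First matching rule wins; `default` stands in for NACM's read/write-default (assumed)."""
    rl = ET.fromstring(rule_list_xml)
    rl_groups = [g.text for g in rl.findall("group")]
    if "*" not in rl_groups and not set(groups) & set(rl_groups):
        return default  # rule-list does not apply to this user's groups
    for rule in rl.findall("rule"):
        ops = rule.findtext("access-operations", "*").split()
        if rule.findtext("module-name", "*") not in ("*", module):
            continue
        if "*" not in ops and operation not in ops:
            continue
        rule_path = rule.findtext("path")
        if rule_path is not None:
            want, have = _steps(rule_path), _steps(path)
            if have[:len(want)] != want:  # rule covers the node and its descendants
                continue
        return rule.findtext("action")
    return default
```

Because `read` is not listed in `access-operations`, a read request never matches the deny rule and falls through to the default, which is what keeps the leaf visible in the web UI.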

Or maybe this leaf is not supposed to be really configurable, i.e. you can declare the leaf as config false and either implement a data provider for it, or declare it also tailf:cdb-oper with tailf:persistent true and your hook can update the leaf in the operational CDB. That may actually be a better approach, depending on how other components of your system are supposed to treat this leaf.


Thank you. Will check this solution.