ConfD User Community

Confd_load data suppression


#1

Hi,

I’m using confd_load to dump the operational database. Since there are parts of the database that I don’t need, I would like to know how to set group rules that would deny access to those parts of the database. Then I would call confd_load with the -g option and thus limit the dump range. So far I added at the top of aaa_force_init.xml:

<rule-list>
  <name>any-group</name>
  <group>*</group>
  <rule>
    <name>myname</name>
    <module-name>mymodule</module-name>
    <path>/path</path>
    <access-operations>read create update delete</access-operations>
    <action>deny</action>
  </rule>
  . . .
When I call "confd_load -oFc -p "/path" -d -d -d -g grr -u grt"
the response is:
TRACE Connected (maapi) to ConfD
starting user session ctxt=system user=grt groups=[grr]
TRACE MAAPI_START_USER_SESSION
29-Jul-2018::12:01:54.869 1609/b6f64010/3 SEND op=100 isrel=0 th=-1 {#Bin,{{127,0,0,1},0},system,1,false,[#Bin],{undefined,undefined,undefined,#Bin<confd_load.c:319>}}
--> CONFD_OK
TRACE MAAPI_START_TRANS
29-Jul-2018::12:01:54.914 1609/b6f64010/3 SEND op=140 isrel=0 th=-1 {2,1,0,0,0,{undefined,undefined,undefined,#Bin<confd_load.c:321>}}
29-Jul-2018::12:01:54.925 1609/b6f64010/3 GOT 50
--> CONFD_OK
TRACE MAAPI_SAVE_CONFIG
29-Jul-2018::12:01:54.925 1609/b6f64010/3 SEND op=234 isrel=0 th=50 {[path],132}
29-Jul-2018::12:01:54.943 1609/b6f64010/3 GOT 1
--> CONFD_OK
TRACE Connected (stream) to ConfD

The path gets dumped.
If I call confd_load -Fc -p "/nacm", the rule can be seen in the dump.
Please help
Br


#2

I got it to work by creating a user, group, adding user to group and rules for the group.
After I invoke: confd_load -oFc -u myuser -c cli
The rules are applied :)


#3

It also works by only defining the group and the rules.
confd_load -oFc -g mygroup -c cli
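
An added example, not part of the thread and not ConfD code: a small offline evaluator for NACM data-node rules (RFC 8341 first-match order), useful for checking which group and path combinations a rule-list denies before dumping with confd_load -g. The rule-list name, the sample XML and the `decide` function are constructed for illustration; path matching is a plain prefix comparison that ignores namespace prefixes and list keys.

```python
import xml.etree.ElementTree as ET

NS = {"n": "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"}

# Constructed sample: group "mygroup" is denied all access to /path in "mymodule".
NACM_XML = """
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <read-default>permit</read-default>
  <rule-list>
    <name>mygroup-rules</name>
    <group>mygroup</group>
    <rule>
      <name>hide-path</name>
      <module-name>mymodule</module-name>
      <path>/path</path>
      <access-operations>read create update delete</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>
"""

def decide(nacm_xml, groups, module, path, op="read"):
    """Return (action, rule_name) for a data-node access; the first matching rule wins."""
    root = ET.fromstring(nacm_xml)
    for rl in root.findall("n:rule-list", NS):
        rl_groups = {g.text for g in rl.findall("n:group", NS)}
        if "*" not in rl_groups and not rl_groups & set(groups):
            continue  # rule-list does not apply to any of the session's groups
        for rule in rl.findall("n:rule", NS):
            mod = rule.findtext("n:module-name", "*", NS)
            rpath = rule.findtext("n:path", None, NS)
            ops = rule.findtext("n:access-operations", "*", NS).split()
            if mod not in ("*", module):
                continue
            # A data-node rule covers the node itself and everything below it.
            if rpath and not (path == rpath or path.startswith(rpath.rstrip("/") + "/")):
                continue
            if "*" not in ops and op not in ops:
                continue
            return rule.findtext("n:action", None, NS), rule.findtext("n:name", None, NS)
    # No rule matched: fall back to read-default / write-default (exec is not handled here).
    kind = "read" if op == "read" else "write"
    default = root.findtext(f"n:{kind}-default", None, NS)
    return default or ("permit" if kind == "read" else "deny"), None
```
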