Deny Commit RPC

Hi all,

i have a requirement to deny default confd RPC commit, as the commit should be done only by an app using maapi APIs.
I have added a rule-list to aaa_init.xml as below to deny the commit RPC , but it is not working,

also i have tried below changes as well

true permit permit deny admin admin radisys oper oper public any-group * edit-config edit-config netconf exec permit delete-config delete-config netconf exec permit commit commit netconf exec deny but with this edit-config/get-config/delet-config nothing is working. is the isse is due to i am trying to deny an default RPC? kindly let know what is missed thing here.


As you suspect, there is an implicit commit that does not trigger NACM rules if you are writing straight to the running DB with NETCONF. If want to continue to write straight to the running DB, you might just deny the edit-config and delete-config RPCs to never let the configuration get in.

If you want to observe the denial of commit messages, you can write changes to the candidate DB and then issue a commit that can be denied. The NACM configuration with the new ‘block-commits’ rule looks like:

rule-list admin {
    group [ admin ];
    rule block-commits {
        rpc-name commit;
        action   deny;
        context  netconf;
    rule any-access {
        action permit;

And then as example, we can write a new user to the user table with an edit-config stored in a file.


      <user xmlns="">
        <description>test user #1</description>

and then send with

netconf-console --rpc edit-config-candidate.xml

This will put the configuration into the candidate DB. Then send a commit with:

netconf-console --commit

and you will see

$ netconf-console --commit
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">