ConfD User Community

How to disable validation on maapi?

I need to use maapi to write some configuration into a leaf X, and I added a validation point on it. The leaf X can be configured by either a USER or a daemon (maapi). When a user configures it I have to validate the user input, but when I configure it through maapi I don’t need to validate, so how do I disable it?

Hi Lynn,

See maapi_apply_trans() and maapi_validate_trans() in the confd_lib_maapi man page (also available as an appendix to the UG).

Hi, cohult, maybe I didn’t describe my question clearly.

The example examples.confd/validate/c shows the validation that a_number must be larger than b_number, so if we configure as follows:

    localhost(config)# mtest a_number 15
    localhost(config)# mtest b_number 65
    localhost(config)# commit 
    TRACE CALL  validate init(thandle=28)TRACE MAAPI_ATTACH  --> CONFD_OK
     --> CONFD_OK
    TRACE CALL data validate(thandle=28, /mtest/a_number, 15)TRACE MAAPI_GET_ELEM /mtest/b_number --> CONFD_OK
    TRACE MAAPI_GET_ELEM /mtest/a_number --> CONFD_OK
     --> CONFD_ERR
    TRACE CALL validation stop(thandle=28)TRACE MAAPI_DETACH  --> CONFD_OK
     --> CONFD_OK
    Aborted: 'mtest a_number': a_number is <= b_number 

It aborts, as it should.

My question is that I want to write a_number 15, b_number 65 through maapi, without triggering the validation. I mean the validation callpoint should only be triggered by CLI or NETCONF, but disabled with maapi.

I added the following code to write a_number and b_number just before the while loop of more_a_than_b.c:

    {   
        pid_t pid;
        pid = fork();
        if (pid == 0)
        {   
            int th; 
            int sock;
            char *user = "admin";
            const char *groups[] = {"admin"};
            char *context = "maapi-write";
            struct confd_ip ip; 

            ip.af = AF_INET;
            inet_pton(AF_INET, "127.0.0.1", &ip.ip.v4); 

            printf("forked\n");
            OK(maapi_sock(&sock));
            printf("waiting phase2...\n");
            maapi_wait_start(sock, 2); 
            maapi_start_user_session(sock, user, context, groups, 1, &ip, CONFD_PROTO_TCP);
            th = maapi_start_trans(sock, CONFD_RUNNING, CONFD_READ_WRITE);
            // a must be larger than b
            maapi_set_elem2(sock, th, "15", "/mtest/a_number");
            maapi_set_elem2(sock, th, "55", "/mtest/b_number");
            maapi_apply_trans(sock, th, 0); 
            maapi_finish_trans(sock, th);
            printf("exit fork\n");
            exit(0);
        }   
    }   

You see, maapi also triggers the validation:

    forked
    TRACE Connected (maapi) to ConfD
    waiting phase2...
    TRACE MAAPI_WAIT_START TRACE Close user sess 4
     --> CONFD_OK
     --> CONFD_OK
    TRACE MAAPI_START_USER_SESSION ### * The more_a_than_b validation daemon now runs in the background
     --> CONFD_OK
    TRACE MAAPI_START_TRANS ### * In one terminal window, run: tail -f ./confd.log
    ### * In another terminal window, run queries
     --> CONFD_OK
    TRACE MAAPI_SET_ELEM2 /mtest/a_number --> CONFD_OK
    TRACE MAAPI_SET_ELEM2 /mtest/b_number --> CONFD_OK
    TRACE MAAPI_APPLY_TRANS ###   (try 'make query' for an example)
    [root@localhost c]# TRACE New user session: 10 for user:system ctx:system
    TRACE New user session: 11 for user:admin ctx:maapi-write --> CONFD_OK
    TRACE CALL  validate init(thandle=6)TRACE MAAPI_ATTACH  --> CONFD_OK
     --> CONFD_OK
    TRACE CALL data validate(thandle=6, /mtest/a_number, 15)TRACE MAAPI_GET_ELEM /mtest/b_number --> CONFD_OK
    TRACE MAAPI_GET_ELEM /mtest/a_number --> CONFD_OK
     --> CONFD_ERR
    TRACE CALL validation stop(thandle=6)TRACE MAAPI_DETACH  --> CONFD_OK
     --> CONFD_OK
    DEBUG external error - /mtest:mtest/a_number: a_number is <= b_number 
     --> CONFD_ERR
    TRACE MAAPI_STOP_TRANS  --> CONFD_OK
    exit fork
    TRACE Close user sess 11
     --> CONFD_OK

The UG says maapi_apply_trans() invokes maapi_validate_trans(), maapi_prepare_trans(), and maapi_commit_trans() (or maapi_abort_trans()) in the right order.

So I tried to call all of the above functions except maapi_validate_trans(), but it doesn’t work:

            maapi_set_elem2(sock, th, "15", "/mtest/a_number");
            maapi_set_elem2(sock, th, "55", "/mtest/b_number");
            //maapi_apply_trans(sock, th, 0);
            maapi_prepare_trans(sock, th);
            maapi_commit_trans(sock, th);
            maapi_finish_trans(sock, th);

    TRACE MAAPI_PREPARE_TRANS DEBUG operation in wrong state -

Actually, my requirement is to configure a special interface list. The physical interface must be set through maapi by our daemon, so if a user inputs the physical interface name the daemon must reject it, and I need to add a validation point on the list. However, when the validation point is added, maapi cannot set the physical name either.

I know that using the transform callpoint could solve the problem: we define two lists, one list for the user with a validation point, and the other for the actual interface list. When any user configures the user list, we transform it to the actual interface list, while our daemon writes the interface list directly. That’s currently how we do it.

An alternative is to use ConfD’s AAA data rules to disallow all northbound interfaces from editing those list entries. You can refer to examples.confd/misc/aaa_eth0 for an illustration on the use of the data access rules on list entries.

It is not a good idea to skip validation in general as the configuration in the datastore should always be valid. If the only thing you are doing in your validation callpoint is to deny write access by certain users or through some northbound interfaces, you can use the maapi_get_my_user_session_id() and maapi_get_user_session() API calls to get the user session information and use that information to grant write access accordingly.
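A sketch of the session-based decision described in the answer above, added here as an illustration and not code from the thread or from ConfD. `struct session_info` is a local stand-in for the user name and context a validation callback would obtain via maapi_get_user_session(), so the block compiles without ConfD headers; the "eth<digits>" naming rule, the 15-character limit and the function names are assumptions, and the user/context pair is the one the thread's snippet passes to maapi_start_user_session().

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for the session fields read via maapi_get_user_session(). */
struct session_info {
    const char *username;  /* e.g. "admin" */
    const char *context;   /* e.g. "cli", "netconf", or the daemon's own */
};

/* Assumption: the daemon opens its MAAPI session with this pair, as in the
 * thread's snippet. The context string is chosen by the MAAPI client. */
#define DAEMON_USER    "admin"
#define DAEMON_CONTEXT "maapi-write"

/* Assumption: physical interfaces are named "eth<digits>". */
static bool is_physical_ifname(const char *name)
{
    if (strncmp(name, "eth", 3) != 0 || name[3] == '\0')
        return false;
    return name[3 + strspn(name + 3, "0123456789")] == '\0';
}

static bool is_daemon_session(const struct session_info *s)
{
    /* Fail closed: missing session data is never treated as the daemon. */
    if (s == NULL || s->username == NULL || s->context == NULL)
        return false;
    return strcmp(s->username, DAEMON_USER) == 0 &&
           strcmp(s->context, DAEMON_CONTEXT) == 0;
}

/* Returns NULL to accept, or the error text the callback would report.
 * Validation is never skipped: the origin check only decides who may use
 * physical names; the syntax rule applies to every writer. */
const char *validate_ifname(const struct session_info *s, const char *ifname)
{
    /* Assumed syntax rule: non-empty, at most 15 characters. */
    if (ifname == NULL || ifname[0] == '\0' || strlen(ifname) > 15)
        return "invalid interface name";
    if (is_physical_ifname(ifname) && !is_daemon_session(s))
        return "physical interfaces are managed by the system";
    return NULL;
}
```

In a real callback the returned text would be reported as the validation error and CONFD_ERR returned, as the more_a_than_b example does for its own rule.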

It’s a good idea to manage our access rules!

This is also what we need to filter some special data.

Thank you very much.