ConfD User Community

"Invalid value" in "path" element when parsing ietf-netconf-acm data


#1

We are getting a libyang error when parsing/populating data for the ietf-netconf-acm.yang model.
Steps to reproduce:

Create an XML file aaa.xml with this payload, which was obtained from the confd server:

<aaa xmlns="http://tail-f.com/ns/aaa/1.1">
  <authentication>
    <users>
      <user>
        <name>admin</name>
        <uid>9000</uid>
        <gid>100</gid>
        <password>$1$.nOrqJx1$ZKtb19kkKIO6L3B24.6zt1</password>
        <ssh_keydir>/var/confd/homes/admin/.ssh</ssh_keydir>
        <homedir>/var/confd/homes/admin</homedir>
      </user>
    </users>
  </authentication>
</aaa>
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <groups>
    <group>
      <name>admin</name>
      <user-name>admin</user-name>
      <user-name>private</user-name>
    </group>
  </groups>
  <rule-list>
    <name>any-group</name>
    <group>*</group>
    <rule>
      <name>tailf-aaa-authentication</name>
      <module-name>tailf-aaa</module-name>
      <path>/aaa/authentication/users/user[name='admin']</path>
      <access-operations>read update</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>

Validate data with yanglint:

yan@ubuntu-yan: ~/$ yanglint

searchpath /home/yan/.ydk/127.0.0.1_12022

add /home/yan/.ydk/127.0.0.1_12022/ietf-netconf-acm.yang

data /home/yan/aaa.xml

libyang[0]: Invalid value "/aaa/authentication/users/user[name='admin']" in "path" element. (path: /ietf-netconf-acm:nacm/rule-list[name='any-group']/rule[name='tailf-aaa-authentication']/path)

Failed to parse data.

We have consulted the libyang team, which sent us the following response:

The Yang model specifies that this path fully conforms to the instance-identifier paths which means that prefixes are required for all the nodes in the path. That is the problem.

Is this a known confd issue?


#2

You are pointing to a basic example XML configuration that comes with ConfD for running the examples in the ConfD example set. You don’t want to ship your product with an example authentication and authorization configuration. If you want the paths in that example configuration to not assume anything and then for example use your tool to check the config for correctness, feel free to add something like:

$ diff -u aaa_init.xml.bak aaa_init.xml
--- aaa_init.xml.bak
+++ aaa_init.xml
@@ -79,7 +79,8 @@
     </ios>
   </aaa>
 
-  <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
+  <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
+        xmlns:aaa="http://tail-f.com/ns/aaa/1.1">
     <write-default>permit</write-default>
     <groups>
       <group>
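Review bot: the `xmlns:aaa` binding added to the `<nacm>` start tag is used only inside the text of a `<path>` leaf, not by any element or attribute name, so anyone tidying namespace declarations may take it for unused. A short XML comment beside the declaration, saying that the rule paths depend on it, would document that.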
@@ -107,7 +108,7 @@
       <rule>
         <name>tailf-aaa-authentication</name>
         <module-name>tailf-aaa</module-name>
-        <path>/aaa/authentication/users/user[name='$USER']</path>
+        <path>/aaa:aaa/aaa:authentication/aaa:users/aaa:user[aaa:name='$USER']</path>
         <access-operations>read update</access-operations>
         <action>permit</action>
       </rule>
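Review bot: the rewritten `<path>` value resolves only while the `aaa` prefix is bound to `http://tail-f.com/ns/aaa/1.1`, and that binding is not visible anywhere in this hunk; it sits on the enclosing `<nacm>` element changed earlier in the patch. A comment on the rule naming the prefix it relies on would keep the path from silently breaking if the rule is copied into another file.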

Then to verify:

$ cat my-nacm-subtree.xml 
<get-config>
  <source>
    <running/>
  </source>
  <filter type="subtree" xmlns:nacm="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
    <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
      <rule-list>
        <name>any-group</name>
        <rule>
          <name>tailf-aaa-authentication</name>
        </rule>
      </rule-list>
    </nacm>
  </filter>
</get-config>

$ netconf-console --rpc=my-nacm-subtree.xml
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <data>
    <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
      <rule-list>
        <name xmlns:nacm="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">any-group</name>
        <rule>
          <name xmlns:nacm="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">tailf-aaa-authentication</name>
          <module-name>tailf-aaa</module-name>
          <path>/aaa:aaa/aaa:authentication/aaa:users/aaa:user[aaa:name='$USER']</path>
          <access-operations>read update</access-operations>
          <action>permit</action>
        </rule>
      </rule-list>
    </nacm>
  </data>
</rpc-reply>
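
An added example, not part of the original posts and not ConfD or libyang code: a small checker that walks a NACM document and reports every `<path>` node name that has no prefix or whose prefix has no `xmlns` binding in scope. It applies the strict reading quoted from the libyang team (a prefix on every node); the function names and the constructed sample document are assumptions made for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET

NACM = "{urn:ietf:params:xml:ns:yang:ietf-netconf-acm}"
QUOTED = re.compile(r"'[^']*'|\"[^\"]*\"")   # key values inside predicates
STEP = re.compile(r"[/\[]\s*(?:([A-Za-z_][\w.-]*):)?([A-Za-z_][\w.-]*)")

def path_problems(path, bindings):
    """List the node names in `path` that lack a prefix or use an unbound one."""
    problems = []
    for prefix, name in STEP.findall(QUOTED.sub("", path)):
        if not prefix:
            problems.append(f"unprefixed node '{name}'")
        elif prefix not in bindings:
            problems.append(f"prefix '{prefix}' not bound for node '{name}'")
    return problems

def check_nacm_paths(xml_text):
    """Return {rule name: [problems]} for every <rule> that carries a <path>."""
    scope, pending, report = [], None, {}
    events = ("start-ns", "end-ns", "end")
    for event, item in ET.iterparse(io.BytesIO(xml_text.encode()), events):
        if event == "start-ns":
            scope.append(item)        # (prefix, uri) declared on the next element
        elif event == "end-ns":
            scope.pop()               # declaring element closed, binding leaves scope
        elif item.tag == NACM + "path":
            # Evaluate here: bindings declared on <path> itself are still in scope.
            pending = path_problems(item.text or "", dict(scope))
        elif item.tag == NACM + "rule":
            if pending is not None:
                report[item.findtext(NACM + "name")] = pending
            pending = None
    return report

# Constructed sample: the two path spellings from this thread, one rule each.
SAMPLE = """<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
      xmlns:aaa="http://tail-f.com/ns/aaa/1.1">
  <rule-list><name>any-group</name>
    <rule><name>unprefixed</name>
      <path>/aaa/authentication/users/user[name='admin']</path></rule>
    <rule><name>prefixed</name>
      <path>/aaa:aaa/aaa:authentication/aaa:users/aaa:user[aaa:name='$USER']</path></rule>
  </rule-list>
</nacm>"""

if __name__ == "__main__":
    for rule, problems in check_nacm_paths(SAMPLE).items():
        print(rule, "OK" if not problems else problems)
```
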

#3

Actually, for libyang it is enough to have a prefix for the first token, for example:

/aaa:aaa/authentication/users/user[name='$USER']

Unfortunately, I am facing another issue: NETCONF does not return multiple namespace tokens. I tried to add the namespace identifier directly to the 'path' tag, but the NETCONF response to the RPC request still does not return the namespace.

It could be a known issue, which is already fixed. Here is the confd version installed on my Ubuntu:

yan@ubuntu-yan:~/confd$ cat VERSION
ConfD Basic version 6.4 for linux on x86_64.
Revision: 92834 (SVN)
Date: Wed Mar 22 12:01:45 CET 2017
Erlang/OTP version: 18.3.4.5
DOCUMENTATION_PACKAGE=confd-basic-6.4.doc.tar.gz
EXAMPLE_PACKAGE=confd-basic-6.4.examples.tar.gz
yan@ubuntu-yan:~/confd$

I appreciate your advice.


#4

Will check with the experts on this and get back to you asap.