Hi again,
I can reproduce this issue by running the example dp/find_next.
The rule-list in dp/find_next/confd-cdb/aaa_init.xml:
<rule-list>
  <name>admin</name>
  <group>admin</group>
  <rule>
    <name>any-access</name>
    <action>deny</action>
  </rule>
</rule-list>
<rule-list>
  <name>any-group</name>
  <group>*</group>
  <rule>
    <name>any-access</name>
    <action>deny</action>
  </rule>
</rule-list>
I ran the command “netconf-console cmd-get-all.xml”. The XML file is as below:
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
  </capabilities>
</hello>
]]>]]>
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <get/>
</rpc>
]]>]]>
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <close-session/>
</rpc>
Here is the netconf log:
<INFO> 5-Jul-2022::16:19:01.393 CN-00006605 confd[2484]: netconf id=14 new ssh session for user "admin" from 127.0.0.1
<INFO> 5-Jul-2022::16:19:01.417 CN-00006605 confd[2484]: netconf id=14 got rpc: {urn:ietf:params:xml:ns:netconf:base:1.0}get attrs: message-id="1"
<INFO> 5-Jul-2022::16:19:01.417 CN-00006605 confd[2484]: netconf id=14 access-denied
<INFO> 5-Jul-2022::16:19:01.417 CN-00006605 confd[2484]: netconf id=14 sending rpc-reply, attrs: message-id="1"
<INFO> 5-Jul-2022::16:19:01.426 CN-00006605 confd[2484]: netconf id=14 close-session attrs: message-id="2"
<INFO> 5-Jul-2022::16:19:01.426 CN-00006605 confd[2484]: netconf id=14 sending rpc-reply, attrs: message-id="2"
Here is the audit log:
<INFO> 5-Jul-2022::16:19:01.367 CN-00006605 confd[2484]: audit user: admin/0 local authentication succeeded via netconf from 127.0.0.1:36408 with ssh, member of groups: admin
<INFO> 5-Jul-2022::16:19:01.367 CN-00006605 confd[2484]: audit user: admin/0 logged in via netconf from 127.0.0.1:36408 with ssh using local authentication
<INFO> 5-Jul-2022::16:19:01.392 CN-00006605 confd[2484]: audit user: admin/14 assigned to groups: admin
<INFO> 5-Jul-2022::16:19:01.392 CN-00006605 confd[2484]: audit user: admin/14 created new session via netconf from 127.0.0.1:36408 with ssh
<INFO> 5-Jul-2022::16:19:01.426 CN-00006605 confd[2484]: audit user: admin/14 terminated session (reason: normal)
<INFO> 5-Jul-2022::16:19:06.455 CN-00006605 confd[2484]: audit user: admin/0 logged out <local> user
You can see the rpc “close-session” is permitted.
BRs
Michael
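The behaviour in the netconf log matches the protocol-operation check in RFC 8341 section 3.4.4, where <close-session> is permitted before any rule-list is consulted, so a deny-all rule never sees it. The following is an added example (not code from the post or from ConfD) that parses the rule-list above and applies that check; the enclosing <nacm> element, NACM_NS, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

NACM_NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
# Constructed copy of the rule-list excerpt from the post; the enclosing <nacm>
# element and its namespace are assumed, since the post shows only the lists.
AAA_INIT = f"""<nacm xmlns="{NACM_NS}">
  <rule-list><name>admin</name><group>admin</group>
    <rule><name>any-access</name><action>deny</action></rule></rule-list>
  <rule-list><name>any-group</name><group>*</group>
    <rule><name>any-access</name><action>deny</action></rule></rule-list>
</nacm>"""
NS = {"n": NACM_NS}

def _leaf(elem, tag, default):
    child = elem.find(f"n:{tag}", NS)
    return child.text if child is not None else default

def load_rule_lists(xml_text):
    """Return [(groups, rules)] in document order; absent leaves get RFC 8341 defaults."""
    result = []
    for rl in ET.fromstring(xml_text).findall("n:rule-list", NS):
        groups = [g.text for g in rl.findall("n:group", NS)]
        rules = [{"module": _leaf(r, "module-name", "*"),
                  "rpc": _leaf(r, "rpc-name", "*"),
                  "access": _leaf(r, "access-operations", "*"),
                  "action": _leaf(r, "action", "deny")}
                 for r in rl.findall("n:rule", NS)]
        result.append((groups, rules))
    return result

def rpc_permitted(rule_lists, user_groups, rpc, module="ietf-netconf",
                  enable_nacm=True, exec_default="permit"):
    """RFC 8341 section 3.4.4 check for one protocol operation (recovery-session step omitted)."""
    if not enable_nacm:                       # NACM disabled: everything permitted
        return True
    if module == "ietf-netconf" and rpc == "close-session":
        return True                           # step 3: permitted before any rule is read
    for groups, rules in rule_lists:          # first rule that matches the request wins
        if "*" not in groups and not set(groups) & set(user_groups):
            continue
        for r in rules:
            if r["module"] not in ("*", module) or r["rpc"] not in ("*", rpc):
                continue
            if r["access"] != "*" and "exec" not in r["access"].split():
                continue
            return r["action"] == "permit"
    return exec_default == "permit"           # no rule matched: fall back to exec-default
```

With the post's rule-lists, <get> from user admin is denied (the access-denied line in the log) while <close-session> is permitted even though every rule says deny.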