
[RFE] Support for 'validate' RPC

Open TheMysteriousX opened this issue 1 year ago • 0 comments

Is it possible to get support added for the 'validate' RPC?

https://www.juniper.net/documentation/us/en/software/junos/netconf/topics/task/netconf-configuration-verifying.html

Use case / background

I'm trying to implement secure candidate configuration checking in merge requests from our CI using Ansible.

I found that there is no way to grant a user with NETCONF access the right to run commit check only, and not commit. Regardless of the permissions/allow-commands, a user with permission to run commit check and use NETCONF can commit the configuration using a hidden command:

```
{primary:node0}
ansible-check@srx4600> internal-invoke junoscript-operation commit-configuration
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete
```

Due to the way allow-commands works, it's not possible to exclusively authorise `internal-invoke junoscript-operation commit-configuration check` on its own, which would also fix the problem. To allow an unprivileged CI user to verify merge request changes, I'd like to extend the Ansible collection to support running the validate RPC - this requires PyEZ support first though.

I've cobbled together support in Ansible using the RPC module - it's a bit fragile but it works (I needed to fix a few bugs in ansible-junos-stdlib for this to work):

```yaml
- name: Check configuration for errors
  juniper.device.rpc:
    user: "{{ junos_user }}"
    # Four RPCs, issued in order; attrs and kwargs are matched positionally.
    rpc:
      - "lock-configuration"
      - "load-configuration"
      - "validate"
      - "unlock-configuration"
    attrs:
      - {}
      - action: 'override'   # replace the candidate with the file contents
        format: 'text'
      - {}
      - {}
    kwargs:
      - {}
      - configuration_text: '{{ cnf }}'
      - source:
          candidate: true    # validate the candidate datastore only; no commit
      - {}
  register: response
  when: compare or check
  vars:
    cnf: "{{ lookup('ansible.builtin.file', candidate_config) }}"
```

Adding support in PyEZ would mean all of that ^ could just become this:

```yaml
juniper.device.config:
  ...
  validate: true
  check: false
  commit: false
  ...
```

TheMysteriousX, Jul 21 '22 23:07
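The NETCONF exchange behind the task in the issue, as an added example that is not part of the issue, of PyEZ or of ansible-junos-stdlib: it builds the four RPC bodies the task sends (lock, Junos load-configuration, validate, unlock) with the standard library and reads the outcome out of a validate reply. The reply handling follows the generic RFC 6241 rpc-error layout and both sample replies are constructed, so the exact wrapping a Junos device puts around them is an assumption.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"


def _rpc(body: ET.Element) -> str:
    """Wrap one operation element in a NETCONF <rpc> envelope and serialise it."""
    envelope = ET.Element("rpc", xmlns=NC_NS)
    envelope.append(body)
    return ET.tostring(envelope, encoding="unicode")


def build_validate_sequence(config_text: str) -> list:
    """The four RPCs the Ansible task issues, in order: lock the candidate,
    load the proposed config over it (Junos load-configuration, text format),
    validate the candidate, then unlock.  No commit is ever sent, which is
    the point for a CI user that must not be able to commit."""
    lock = ET.Element("lock")
    ET.SubElement(ET.SubElement(lock, "target"), "candidate")
    load = ET.Element("load-configuration", action="override", format="text")
    ET.SubElement(load, "configuration-text").text = config_text
    validate = ET.Element("validate")
    ET.SubElement(ET.SubElement(validate, "source"), "candidate")
    unlock = ET.Element("unlock")
    ET.SubElement(ET.SubElement(unlock, "target"), "candidate")
    return [_rpc(lock), _rpc(load), _rpc(validate), _rpc(unlock)]


def validate_errors(reply_xml: str) -> list:
    """Collect every <error-message> under an <rpc-error> in a reply, ignoring
    namespaces.  An empty list means the candidate passed (reply carried <ok/>)."""
    root = ET.fromstring(reply_xml)
    messages = []
    for node in root.iter():
        if node.tag.rsplit("}", 1)[-1] == "rpc-error":
            for child in node:
                if child.tag.rsplit("}", 1)[-1] == "error-message" and child.text:
                    messages.append(child.text.strip())
    return messages


# Constructed sample replies (not captured from a device): one pass, one failure.
OK_REPLY = f'<rpc-reply xmlns="{NC_NS}" message-id="3"><ok/></rpc-reply>'
FAIL_REPLY = (
    f'<rpc-reply xmlns="{NC_NS}" message-id="3"><rpc-error>'
    "<error-type>protocol</error-type><error-tag>operation-failed</error-tag>"
    "<error-severity>error</error-severity>"
    "<error-message>syntax error, expecting ';'</error-message>"
    "</rpc-error></rpc-reply>"
)
```

A CI job would send the four messages over an ncclient or PyEZ session in that order and fail the merge request when `validate_errors` returns anything, while the account used never needs commit rights.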