clicon / clixon

YANG-based toolchain including NETCONF and RESTCONF interfaces and an interactive CLI
http://www.clicon.org/

Question about hierarchy #467

Closed temabeloglinski closed 6 months ago

temabeloglinski commented 9 months ago

Hi team! I have a question about yang-model hierarchy and clixon navigation function up/top.

How can a user log in to a cli at a certain level of the yang-model hierarchy?

I can only do this by running a specific cli with the edit command. But with the commands up/top I can go to an unwanted level higher.

Example: This is the required level of nesting, achieved by the commands - `clixon_cli edit context 1`

```
admin@cli context=1/> set ?
  description
  interface
  system
  vlan
admin@cli context=1/> set
```

But at the same time, using the top command, I can go to a higher level

```
admin@cli context=1/> top
admin@cli/> set?
  context
  nacm
  system
admin@cli/> set
```

What method can be used to eliminate this behavior?

olofhagsand commented 9 months ago

This is an auto-CLI question, i.e. the generated clispec. It also seems specific to the example code. For the example code, you can just remove the top/up command. If you want a more strict method you should use the NACM support.

temabeloglinski commented 9 months ago

@olofhagsand Olof, thanks for the answer. I would like to clarify what method in nacm can be used to prohibit moving to a higher level in cli?

khromenokroman commented 8 months ago

@olofhagsand

Hello everyone, I have the same problem, tell me how to solve it?

olofhagsand commented 8 months ago

For NACM, I was thinking to only have read access to the designated config level. However, I don't think that would actually hinder you from doing "up", you just would not be able to access any other sub-tree. I think this requires a new feature: to restrict the autocli to a sub-tree of a configuration. Some extension of the autocli configuration: https://clixon-docs.readthedocs.io/en/latest/cli.html#config-file

temabeloglinski commented 8 months ago

@olofhagsand Hi Olof! Thanks for the solution. Could you show an example of how to use rules for autocli to make it impossible to move to a higher level?

olofhagsand commented 8 months ago

There is not an existing solution. One would have to add a new mechanism to hinder the autocli to access a higher level of the hierarchy. There is presently no such rule. It would have to be proposed as a new feature as a separate item in this issue list. Note that you may want to combine a "hard" NACM solution to deny access to parts of the tree with a "soft" hindering the autocli to see those parts of the tree. I say "soft" meaning that you could still try to access a hidden tree eg via NETCONF but NACM would deny you the access right.
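
A sketch of the "hard" NACM half described in the last comment, as an added example that is not from the thread or from the Clixon project: an RFC 8341 (`ietf-netconf-acm`) configuration that denies data access by default and permits one group only the `context` entry it is assigned. The module name `example-context`, the namespace `urn:example:context`, the key leaf `name`, the group `context1-operators` and the user `ctx1-user` are all hypothetical, since the thread does not show the YANG model.

```xml
<!-- Added example. Hypothetical names: module "example-context",
     namespace "urn:example:context", key leaf "name", user "ctx1-user". -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <!-- RFC 8341 defaults read access to "permit"; switch it to "deny" so
       anything outside the permitted subtree is unreadable as well. -->
  <read-default>deny</read-default>
  <write-default>deny</write-default>
  <!-- Keep protocol operations callable; data rules below still apply
       to what get-config and edit-config may touch. -->
  <exec-default>permit</exec-default>
  <groups>
    <group>
      <name>context1-operators</name>
      <user-name>ctx1-user</user-name>
    </group>
  </groups>
  <rule-list>
    <name>context1-only</name>
    <group>context1-operators</group>
    <rule>
      <name>permit-context-1</name>
      <module-name>example-context</module-name>
      <!-- Instance identifier of the one list entry this group may use. -->
      <path xmlns:ctx="urn:example:context">/ctx:context[ctx:name='1']</path>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>
```

As noted in the thread, this does not stop the CLI user from running `up` or `top`; it only makes requests outside the permitted subtree fail with an access-denied error, whether they come from the CLI, NETCONF or RESTCONF.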