This worked with a user whose login class only had "configure", and allow-configuration "policy-options prefix-list AUTO-*".

policy-options {
    replace:
    prefix-list AUTO-SOMETHING {
        10.0.0.0/24;
    }
}

-Chris

On Fri, Feb 26, 2016 at 8:44 AM, Chuck Anderson <c...@wpi.edu> wrote:

> Can you please provide an example of what you are saying should work
> (in text format even)?
>
> This is what I was trying in XML (from perl) and it doesn't work with
> the permissions restricted to "policy-options prefix-list AUTO-.*",
> but it does work with the permissions widened to "policy-options .*":
>
> $jnx->load_configuration(
>     format => "xml",
>     action => "replace",
>     configuration => $replace);
>
> Where the contents of the $replace variable is:
>
> <configuration>
>   <policy-options>
>     <prefix-list replace="replace">
>       <name>AUTO-FOO</name>
>       <prefix-list-item>
>         <name>1.1.1.1/32</name>
>       </prefix-list-item>
>     </prefix-list>
>   </policy-options>
> </configuration>
>
> I believe I also tried applying the "replace" attribute on the <name>
> tag like this: <name replace="replace">AUTO-FOO</name>, but that isn't
> accepted as valid syntax.
>
> I ended up using a configuration group at Phil's suggestion. That way
> I can restrict the permissions to "groups AUTO-PREFIX-LIST
> policy-options .*" to allow the replace operation to work but prevent
> the script from mucking with objects it isn't supposed to touch.
>
> Thanks.
>
> On Thu, Feb 25, 2016 at 12:05:36PM -0500, Chris Spears wrote:
> > Can you add a replace attribute in the container for the prefix-lists
> > matching /AUTO-*/, and see if the permissions work? The equivalent
> > replace: tag in the text format works with a restricted login class when
> > using netconf.
> >
> > http://www.juniper.net/documentation/en_US/junos14.2/topics/reference/tag-summary/junos-xml-protocol-replace-attribute.html
> >
> > On Mon, Feb 22, 2016 at 9:46 PM, Chuck Anderson <c...@wpi.edu> wrote:
> >
> > > On Mon, Feb 22, 2016 at 09:08:04PM -0500, Jared Mauch wrote:
> > > > > 1. "load replace" config with the new prefix list contents
> > > > > 2. commit
> > > >
> > > > Try ‘load update’ first.
> > > >
> > > > That should be much faster than load replace.
> > >
> > > Yes, I see it is fast, but I can't figure out the right XML to do the
> > > equivalent of "load update relative" in the CLI. If I leave off the
> > > "relative", then the entire configuration is replaced (deleted), not
> > > just the prefix-list.
> > >
> > > "show | compare | display xml" exists in 15.1, but not in 14.2 :-(
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
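
The text-format replace from the top reply, built programmatically as an added example (not code from the thread or from Juniper): it renders the `replace:`-tagged prefix-list and wraps it in a Junos XML protocol `<load-configuration action="replace" format="text">` request. The function names and the client-side name pattern are assumptions; the pattern only mirrors the AUTO-* scope the login class enforces, so out-of-scope names and malformed prefixes are rejected before anything is sent to the device.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Assumption: client-side mirror of the login class scope discussed in the
# thread (allow-configuration "policy-options prefix-list AUTO-*").
ALLOWED_NAME = re.compile(r"AUTO-[A-Za-z0-9_-]+")


def prefix_list_text(name, prefixes):
    """Render one prefix-list in Junos text format, tagged with replace:."""
    if not ALLOWED_NAME.fullmatch(name):
        raise ValueError(f"prefix-list {name!r} is outside the AUTO-* scope")
    # strict=True rejects entries with host bits set (e.g. 10.0.0.1/24);
    # the set removes duplicates so the rendered list is deterministic.
    nets = sorted({ipaddress.ip_network(p, strict=True) for p in prefixes},
                  key=lambda n: (n.version, n))
    lines = ["policy-options {", "    replace:", f"    prefix-list {name} {{"]
    lines += [f"        {net};" for net in nets]
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


def load_replace_rpc(name, prefixes):
    """Wrap the text in a <load-configuration> request (text format, replace)."""
    rpc = ET.Element("rpc")
    load = ET.SubElement(rpc, "load-configuration",
                         {"action": "replace", "format": "text"})
    ET.SubElement(load, "configuration-text").text = prefix_list_text(name, prefixes)
    return ET.tostring(rpc, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample input matching the snippet in the reply above.
    print(load_replace_rpc("AUTO-SOMETHING", ["10.0.0.0/24"]))
```

The device-side login class remains the actual enforcement point; the local check only fails early with a clearer error than a permission denial at load time.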