cli-to-semp is not working for adding access-level-exception.

techrahul95

I'm trying to use a SEMP v1 command to change the access level exception for a user in a specific message VPN, but I'm encountering a schema validation error.

Here is the command I used:

I tried cli-to-semp command but it's giving me the following error :
Unexpected parameter(s): access-level-exception at /usr/sw/loads/currentload/scripts/cli-to-semp line 82.

Could someone help me understand why this command is not valid or how I could correct it to comply with the SEMP v1 schema? Any guidance or examples would be greatly appreciated.

Thank you in advance!

Aaron

Hi @techrahul95 . Ok… couple things:

There isn't an exact 1-to-1 mapping between CLI and SEMPv1… for example, there's no XML tag called "configure" in the SEMPv1 RPC schema. You can find the schema inside the broker directory /usr/sw/loads/currentload/schema/ But it's kind of hard to read at first.

cli-to-semp utility is great for "show" commands, and easy one-liners. It's harder for configuration commands because sometimes you need to use multiple RPC POSTs to configure an object. For what you're trying to do, you actually need two SEMPv1 commands: one to create the VPN exception, and then one to define/specify it. Here, I have an existing CLI user called aaron-ro that's a global read-only user, and I'm going to add a exception for VPN gw with "read-write" permissions:

<rpc>
  <username>
    <name>aaron-ro</name>
    <message-vpn>
      <create>
        <access-level-exception>
          <vpn-name>gw</vpn-name>
        </access-level-exception>
      </create>
    </message-vpn>
  </username>
</rpc>

<rpc>
  <username>
    <name>aaron-ro</name>
    <message-vpn>
      <access-level-exception>
        <vpn-name>gw</vpn-name>
        <access-level>
          <access-level>read-write</access-level>
        </access-level>
      </access-level-exception>
    </message-vpn>
  </username>
</rpc>

Hope that helps! Let me know.