8-89
Cisco CRS-1 Series Carrier Routing System XML API Guide
OL-4596-01
Chapter 8 Cisco CRS-1 Series XML Security
Task Names
• <Get>, <GetNext>, and <GetVersionInfo> operations require AAA “read” privileges.
• <Set> and <Delete> operations require AAA “write” privileges.
The “configuration services” operations through configuration manager will also require the appropriate
predefined task privileges.
Task Names
Each object (that is, data item, table, and so on) exposed through the Cisco CRS-1 Series XML interface
and accessible to the client application will have one or more task names associated with it. The task
names are published in the XML schema documents as <appinfo> annotations.
For example, the complex type definition for the top-level element in the Border Gateway Protocol
(BGP) configuration schema contains the following annotation:
<xsd:appinfo>
<MajorVersion>1</MajorVersion>
<MinorVersion>0</MinorVersion>
<TaskIdInfo TaskGrouping="Single">
<TaskName>bgp</TaskName>
</TaskIdInfo>
</xsd:appinfo>
Here is another example from a different component schema. This annotation includes a list of task
names.
<xsd:appinfo>
<MajorVersion>1</MajorVersion>
<MinorVersion>0</MinorVersion>
<TaskIdInfo TaskGrouping="And">
<TaskName>ouni</TaskName>
<TaskName>mpls-te</TaskName>
</TaskIdInfo>
</xsd:appinfo>
The task names indicate what permissions are required to access the data below the object. In this
example, the task names “ouni” and “mpls-te” have been specified for the object. These task names apply
to this object and are inherited by all of the object’s descendents in the schema, unless a descendant has
a task names of its own, in which case the descendant (and all of its descendants) assumes the more
specific task name (that is, overriding the task name of the ancestor). Essentially, the rule for a particular
object is that it will assume the task name of the closest ancestor for which there is a task name specified
in the schema.
The TaskGrouping attribute is used to specify the logical relationship between the task names when
multiple task names are specified for an object. For example, for a client application to issue a <Get>
request for the object containing the annotation shown in the example above, the corresponding AAA
user credentials must have “read” permissions set for both the “ouni” and “mpls-te” tasks. The possible
values for the TaskGrouping attribute are And, Or, and Single. Single is used when there is only a single
task name specified for the object.
Authorization Failure
If an operation requested by a client application fails authorization, an appropriate <Error> element will
be returned in the response sent to the client. For “native data” operations, the <Error> element will
associated with the specific element/object(s) for which the authorization error occurred.
To Next Page
Loading...
Need help?
General
