Protect or Unprotect a Configuration Object Using the Junos XML Protocol
The protect attribute prevents changes to selected configuration
hierarchies and statements. You cannot alter a protected element either manually
through the CLI or automatically using commit scripts or remote procedure calls. If
you attempt to make configuration changes to a protected statement or within a
protected hierarchy, the device issues a warning, and the configuration change
fails.
If a configuration hierarchy or statement is protected, users cannot perform the following activities:
-
Delete or modify the hierarchy or a statement or identifier within the protected hierarchy (Deletion of an unprotected hierarchy that contains protected elements deletes all unprotected child elements and preserves all protected child elements.)
-
Insert a new configuration statement or an identifier within the protected hierarchy
-
Rename the protected statement or a statement or identifier within the protected hierarchy
-
Copy a configuration into the protected hierarchy
-
Activate or deactivate the protected statements or statements within the protected hierarchy
-
Annotate the protected statement or hierarchy, or statements within the protected hierarchy
If you protect a configuration statement or hierarchy that does not exist, the device first creates the configuration element and then protects it. If you unprotect a statement or element that is not protected, no action is taken.
You can identify protected elements when you display the configuration. Table 1 describes how you identify protected elements for configuration data in different formats.
| Format | Identifier |
|---|---|
|
Configuration mode commands |
The |
|
JSON |
Protected hierarchies and statements include the
|
|
Text |
Protected elements are preceded by |
|
XML |
The opening tag of the protected element contains the
|
A user or client application must have permission to modify the configuration in order to protect or unprotect configuration objects.
In a NETCONF or Junos XML protocol session with a Junos device, to protect a configuration element from changes or to unprotect a previously protected element, a client application first includes the tag elements described in Creating, Modifying, or Deleting Configuration Elements Using the Junos XML Protocol.
XML
When using Junos XML tag elements to represent the configuration, the client
application includes the protect="protect" or
unprotect="unprotect" attribute in the object’s opening tag.
The application includes any necessary identifier tag element. In the following
sample RPC, the identifier tag element is called <name>:
<configuration>
<!-- opening tag for each parent of the object -->
<object (protect="protect" | unprotect="unprotect")>
<name>identifier</name>
</object>
<!-- closing tag for each parent of the object -->
</configuration>In a YANG-compliant NETCONF session, you can protect or unprotect a configuration
element in XML data by including the
xmlns:jcmd="http://yang.juniper.net/junos/jcmd" and
jcmd:protect="(true | false)" attributes in the tag
element. For more information, see YANG Metadata Annotations for Junos Devices.
Text
When using formatted ASCII text to protect or unprotect an object, the application
precedes the element with the protect: or
unprotect: operator as appropriate. If you are protecting a
hierarchy level and no additional child elements under that hierarchy, add a
semicolon after the element statement.
<configuration-text>
/* statements for parent levels */
/* For an object with an identifier */
(protect: | unprotect:)
object identifier {
/* Child configuration statements */
}
/* For a hierarchy level or object without an identifier */
(protect: | unprotect:)
element {
/* Child configuration statements */
}
/* closing braces for parent levels */
</configuration-text>Configuration Mode (Set) Commands
When using configuration mode commands to protect an object, the application
specifies the protect or unprotect command
equivalent to the CLI configuration mode command. You can protect both hierarchies
and individual statements.
<configuration-set>
(protect | unprotect) statement-path-to-hierarchy
(protect | unprotect) statement-path-to-object object identifier
</configuration-set>JSON
When using JSON configuration data to represent the configuration, the client
application protects or unprotects an object by including the appropriate attribute
in the attribute list of the object. The client includes the
"protect" : true attribute to protect the object and includes
either the "protect" : false or "unprotect" : true
attribute to unprotect the object. To protect or unprotect an object that has an
identifier, the client also includes the identifier for the object.
The following generic JSON configuration indicates the placement of the attribute when protecting a hierarchy, an object that has an identifier, and a leaf statement.
<configuration-json>
{
"configuration" : {
/* JSON objects for parent hierarchies */
"hierarchy" : {
"@" : {
"comment" : "/* protect a hierarchy */" ,
"protect" : true
},
"object" : [
{
"@" : {
"comment" : "/* protect an object with an identifier */" ,
"protect" : true
},
"name" : "identifier",
"@statement-name" : {
"comment" : "/* protect a statement */" ,
"protect" : true
}
}
]
}
/* closing braces for parent hierarchies */
}
}
</configuration-json>
In Junos OS configuration data that is represented using JSON, the value for the
"protect" and "unprotect" attribute is
type Boolean, which is expressed in lowercase and is not enclosed in quotes.
In a YANG-compliant NETCONF session, you can protect or unprotect a configuration
object in JSON data by including the
"junos-configuration-metadata:protect" : (true | false)
annotation in the statement's metadata object. For more information, see YANG Metadata Annotations for Junos Devices.
The following example protects the [edit access] hierarchy level of
the configuration using Junos XML tag elements:
<rpc>
<load-configuration>
<configuration>
<access protect="protect"/>
</configuration>
</load-configuration>
</rpc>Once protected, any attempt to modify the [edit access] hierarchy
level produces a warning. The following RPC attempts to delete the [edit
access] hierarchy level. Because that hierarchy level is protected, the
server returns a warning that the hierarchy is protected, and the configuration
change fails.
<rpc>
<load-configuration>
<configuration>
<access delete="delete"/>
</configuration>
</load-configuration>
</rpc>
<xnm:warning xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
<message>
[access] is protected, 'access' cannot be deleted
</message>
</xnm:warning>