Comments (6)
The rule that you provided basically says "the operator group can do anything", while your question says "how do we prevent the operator group from doing something". Have you tried to add a rule which simply disallows write access to the ietf-netconf-acm module to your target group? The semantics of these rules is explained in RFC 8341; you have to read and understand these before you can produce useful configuration.
from netopeer2.
With the default configuration you have write-default deny, so you actually do not have to modify any NACM rules for your use-case.
from netopeer2.
@michalvasko
Observation with write-default: deny and no rules or groups created for the operator user:
- Edit operations to all ietf/3gpp standard modules, including acm, have failed.
There is an option to deny/permit operations to a specific module using a group and a rule, as in the example below:
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>permit</exec-default>
  <enable-external-groups>false</enable-external-groups>
  <groups>
    <group>
      <name>readwritegrp</name>
      <user-name>operator</user-name>
    </group>
  </groups>
  <rule-list>
    <name>readwrite</name>
    <group>readwritegrp</group>
    <rule>
      <name>rule1</name>
      <action>deny</action>
      <module-name>endOfStartup</module-name>
      <access-operations>create update read delete exec</access-operations>
      <comment>exec </comment>
    </rule>
  </rule-list>
</nacm>
n2cli dump: expected behavior, because the action in the above rule is deny:
ERROR
type: protocol
tag: access-denied
severity: error
path: /endOfStartup:endOfStartup/endOfStartup
message: Access to the data model "endOfStartup" is denied because "operator" NACM authorization failed.
The edit operation is allowed if we change the <action> tag value to permit. (The same was validated for the ietf-netconf-acm module as well.)
We have close to ~50 private modules (not including acm/netconf-server etc.). Do we need to add rules for each module, or is there any way to allow modifications to the ~50 private modules and disallow modification to the acm module?
from netopeer2.
edit operation allowed if we change tag value to permit. (same validated for ietf-netconf-acm module as well)
That is not right, you are saying that if you have write-default permit and no other NACM rules, you can write (with a user other than the recovery root) into ietf-netconf-acm? It uses its extension default-deny-all, which should overwrite the configured defaults and deny access to all users unless they have an explicit permit rule.
from netopeer2.
The tag "action" was enclosed in braces and is not shown in the preview. Corrected format now:
The edit operation is allowed if we change the <action> tag value to permit. (The same was validated for the ietf-netconf-acm module as well.)
from netopeer2.
The interpretation of these rules is explained in section 3.4.5 of the standard; it involves a non-trivial set of interactions between several mechanisms, and I'm afraid that any one-paragraph summary will be incomplete. There's no support for a single rule to match multiple modules as far as I can tell. What you could do instead is to rely on the module-level annotations (ietf-netconf-nacm:default-deny-*) and the write-default leaf, and (in case you would like to prevent writes to some other modules without the default-deny-* annotation), also an explicit set of deny rules.
from netopeer2.
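To make the interaction between rule-lists, the default-deny-* module annotations and the write-default leaf concrete, here is a small, simplified model of the RFC 8341 section 3.4.5 decision sequence for data-node access. It is an added illustration, not code from netopeer2 or any of the commenters: it only handles module-name rules (no path, rpc or notification rule types, no recovery session), and the set of modules carrying default-deny-all is a constructed stand-in (ietf-netconf-acm does carry it; the private module names are invented placeholders for the ~50 modules mentioned above).

```python
from dataclasses import dataclass, field

# Constructed, simplified model of RFC 8341 sec. 3.4.5 for data-node access.
# Only module-name matching is modelled; path/rpc/notification rules,
# recovery sessions and external groups are left out.

DATA_OPS = {"create", "read", "update", "delete"}


@dataclass
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    module_name: str = "*"           # "*" matches every module
    access_operations: set = field(default_factory=lambda: {"*"})


@dataclass
class RuleList:
    name: str
    groups: set                      # group names, or {"*"}
    rules: list


@dataclass
class Nacm:
    enable_nacm: bool = True
    read_default: str = "permit"
    write_default: str = "deny"
    exec_default: str = "permit"
    groups: dict = field(default_factory=dict)      # group -> set of users
    rule_lists: list = field(default_factory=list)


# Modules whose data is annotated with nacm:default-deny-all / default-deny-write.
# ietf-netconf-acm really carries default-deny-all; the rest is a constructed set.
DEFAULT_DENY_ALL = {"ietf-netconf-acm"}
DEFAULT_DENY_WRITE = set()


def user_groups(nacm, user):
    return {g for g, members in nacm.groups.items() if user in members}


def check_data_access(nacm, user, module, op):
    """Return "permit" or "deny" for user performing op on data in module."""
    if op not in DATA_OPS:
        raise ValueError(f"not a data-node operation: {op}")
    if not nacm.enable_nacm:
        return "permit"
    groups = user_groups(nacm, user)
    # First matching rule in the first applicable rule-list wins.
    for rl in nacm.rule_lists:
        if "*" not in rl.groups and not (groups & rl.groups):
            continue
        for rule in rl.rules:
            if rule.module_name not in ("*", module):
                continue
            if "*" not in rule.access_operations and op not in rule.access_operations:
                continue
            return rule.action
    # No rule matched: module annotations override the configured defaults.
    if module in DEFAULT_DENY_ALL:
        return "deny"
    if op != "read" and module in DEFAULT_DENY_WRITE:
        return "deny"
    return nacm.read_default if op == "read" else nacm.write_default


def operator_nacm(write_default, rules):
    """NACM config mirroring the thread: operator in readwritegrp, one rule-list."""
    return Nacm(write_default=write_default,
                groups={"readwritegrp": {"operator"}},
                rule_lists=[RuleList("readwrite", {"readwritegrp"}, rules)])


def scenario_results():
    private = "vendor-private-module"   # placeholder for one of the ~50 private modules
    acm = "ietf-netconf-acm"
    # 1. write-default deny, no rules: every write is denied (the reported observation).
    n1 = operator_nacm("deny", [])
    # 2. write-default permit, no rules: private modules become writable,
    #    but ietf-netconf-acm stays denied through default-deny-all.
    n2 = operator_nacm("permit", [])
    # 3. write-default permit plus an explicit permit rule for the acm module.
    n3 = operator_nacm("permit", [Rule("allow-acm", "permit", acm,
                                       {"create", "update", "delete"})])
    return {
        "deny_default_private": check_data_access(n1, "operator", private, "update"),
        "deny_default_acm": check_data_access(n1, "operator", acm, "update"),
        "permit_default_private": check_data_access(n2, "operator", private, "update"),
        "permit_default_acm": check_data_access(n2, "operator", acm, "update"),
        "permit_default_acm_read": check_data_access(n2, "operator", acm, "read"),
        "explicit_permit_acm": check_data_access(n3, "operator", acm, "update"),
    }


if __name__ == "__main__":
    for k, v in scenario_results().items():
        print(f"{k}: {v}")
```

Scenario 2 is the configuration the last comment suggests for the question above: set write-default to permit and let the default-deny-all annotation on ietf-netconf-acm keep that module closed, adding explicit deny rules only for modules that lack the annotation. Note that default-deny-all also blocks reads of the acm data in that scenario, since the annotation overrides read-default as well.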