Disable interfaces to specific groups

Hello,

I have created 3 groups in confd. I want each of these to have access to one specific interface. As an example, group1 to have access to netconf, the 2nd to cli, etc.
Till now I have not managed to achieve this.
I create a separate rule-list for each group (one rule-list for admin, another rule-list for group1, another group-list for group 2).

Any ideas how can I resolve this?

Thanks a lot.

Sotiria.

The following modified rules, for two new users, from our standard aaa_init.xml as used in the example collection should work for you:

$ diff aaa_init.xml ../1-2-3-start-query-model/confd-cdb/aaa_init.xml 
15,30d14
<           <name>cli_user</name>
<           <uid>9000</uid>
<           <gid>20</gid>
<           <password>$0$cli_user</password>
<           <ssh_keydir>/var/confd/homes/cli_user/.ssh</ssh_keydir>
<           <homedir>/var/confd/homes/cli_user</homedir>
<         </user>
<         <user>
<           <name>netconf_user</name>
<           <uid>9000</uid>
<           <gid>20</gid>
<           <password>$0$netconf_user</password>
<           <ssh_keydir>/var/confd/homes/netconf_user/.ssh</ssh_keydir>
<           <homedir>/var/confd/homes/netconf_user</homedir>
<         </user>
<         <user>
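Review bot: both new users in this hunk get the same numeric identity, `<uid>9000</uid>` and `<gid>20</gid>`, so cli_user and netconf_user are indistinguishable to anything that keys on uid (file ownership under the homedir and ssh_keydir, audit trails); give each user its own uid. The passwords are also entered with the clear-text `$0$` prefix and are identical to the user names, which is fine for an example file but should not be carried into a deployment.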
107,114d90
<         <name>cli_user</name>
<         <user-name>cli_user</user-name>
<       </group>
<       <group>
<         <name>netconf_user</name>
<         <user-name>netconf_user</user-name>
<       </group>
<       <group>
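Review bot: the groups are named exactly like their single member (cli_user, netconf_user), which is legal but easy to misread later in the rule-lists, where `<group>cli_user</group>` refers to the group and not the user; naming the groups by role (for example cli-only, netconf-only) makes the rule-lists self-explanatory when more users are added.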
129,156d104
<       <name>cli_user</name>
<       <group>cli_user</group>
<       <rule>
<         <name>cli-access</name>
<         <context xmlns="http://tail-f.com/yang/acm">cli</context>
<         <action>permit</action>
<       </rule>
<       <rule>
<         <name>no-non-cli-access</name>
<         <context xmlns="http://tail-f.com/yang/acm">*</context>
<         <action>deny</action>
<       </rule>
<     </rule-list>
<     <rule-list>
<       <name>netconf_user</name>
<       <group>netconf_user</group>
<       <rule>
<         <name>netconf-access</name>
<         <context xmlns="http://tail-f.com/yang/acm">netconf</context>
<         <action>permit</action>
<       </rule>
<       <rule>
<         <name>no-non-netconf-access</name>
<         <context xmlns="http://tail-f.com/yang/acm">*</context>
<         <action>deny</action>
<       </rule>
<     </rule-list>
<     <rule-list>
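Review bot: the `cli-access` and `netconf-access` rules carry no module-name, path or access-operations, so each one permits every data and protocol operation inside its context; the following `*` deny only closes the other contexts. If a group is meant to be restricted within its own interface as well, the narrower rules have to be placed before that permit rule, because processing stops at the first matching rule. The new rule-lists are also inserted ahead of an existing `<rule-list>` (last line of the hunk), so for any user that ends up in more than one group the relative order of rule-lists should be checked too.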

It works!
Thank you very much for your response!

One more question.
When trying to allow the rest and netconf interfaces, the cli interface is not disabled.
Should I follow something similar to the above example?

Thanks!

Yes, you can follow something similar to my example as one way to do it. To allow more northbound interfaces to be accessible by a particular group, you can add more rules, one for each type of northbound interface to be permitted, before the deny rule.

In the same rule-list I have two types of rules: one as above, which allows/denies access on interfaces, and a second type, which allows access to specific leafs of the YANG tree model.
However, both rules do not work at the same time. I think it is the order of the rules. Is there a specific order for the rules so that all of them are applied?

As defined in ietf-netconf-acm.yang, the rules in a rule-list are processed as follows:

list rule {
  key "name";
  ordered-by user;
  description
    "One access control rule.
     Rules are processed in user-defined order until a match is
     found. A rule matches if 'module-name', 'rule-type', and
     'access-operations' match the request. If a rule
     matches, the 'action' leaf determines if access is granted
     or not.";

Continuing from the example aaa_init.xml as described in my previous posting, you should define the data access rules for a particular context before denying access to other contexts.
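The ordering described above, as an added example that is not from the original posts: the broad per-context permit of the earlier aaa_init.xml diff is replaced by a data rule and a protocol-operation rule for the netconf context, followed by the catch-all deny. The group name netconf_user is taken from the thread; the module example-system, its prefix sys and the hostname leaf are placeholders.

```xml
<!-- Fragment for the <nacm> section of aaa_init.xml (added example, not from the
     original posts). Assumes a group "netconf_user" as in the thread; the module
     "example-system" with prefix "sys" and its hostname leaf are placeholders. -->
<rule-list>
  <name>netconf_user</name>
  <group>netconf_user</group>

  <!-- 1. Data-access rule for the permitted context: read-only access to one leaf.
          Rules are matched in order, so this must come before any wider rule. -->
  <rule>
    <name>netconf-read-hostname</name>
    <context xmlns="http://tail-f.com/yang/acm">netconf</context>
    <module-name>example-system</module-name>
    <path>/sys:system/sys:hostname</path>
    <access-operations>read</access-operations>
    <action>permit</action>
  </rule>

  <!-- 2. Allow the NETCONF protocol operations themselves (get, get-config, ...)
          so the session can actually issue the read permitted above. Data written
          through edit-config still falls through to rule 3 and is denied. -->
  <rule>
    <name>netconf-exec</name>
    <context xmlns="http://tail-f.com/yang/acm">netconf</context>
    <module-name>*</module-name>
    <access-operations>exec</access-operations>
    <action>permit</action>
  </rule>

  <!-- 3. Everything not matched above, in every context (netconf included), is denied.
          Placing this rule first would shadow rules 1 and 2 so they never apply. -->
  <rule>
    <name>deny-everything-else</name>
    <context xmlns="http://tail-f.com/yang/acm">*</context>
    <action>deny</action>
  </rule>
</rule-list>
```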