ConfD User Community

Disable interfaces to specific groups

sotiria 2017-08-30 12:34:21 UTC #1

Hello,

I have created 3 groups in confd. I want each of this to have access to one specific interface, As an example, group1 to have access to netconf, 2nd to cli etc.
Tll now I have not managed to achieve this.
I create seperate rule-list for each one group (one rule-list for admin, other rule-list for group1, another group-list for group 2).

Any ideas how can I resolve this?

Thanks a lot.

Sotiria.

waitai 2017-08-30 20:38:09 UTC #2

The following modified rules for two new users from our standard aaa_init.xml as used in the example collection should work for you:

$ diff aaa_init.xml ../1-2-3-start-query-model/confd-cdb/aaa_init.xml 
15,30d14
<           <name>cli_user</name>
<           <uid>9000</uid>
<           <gid>20</gid>
<           <password>$0$cli_user</password>
<           <ssh_keydir>/var/confd/homes/cli_user/.ssh</ssh_keydir>
<           <homedir>/var/confd/homes/cli_user</homedir>
<         </user>
<         <user>
<           <name>netconf_user</name>
<           <uid>9000</uid>
<           <gid>20</gid>
<           <password>$0$netconf_user</password>
<           <ssh_keydir>/var/confd/homes/netconf_user/.ssh</ssh_keydir>
<           <homedir>/var/confd/homes/netconf_user</homedir>
<         </user>
<         <user>
107,114d90
<         <name>cli_user</name>
<         <user-name>cli_user</user-name>
<       </group>
<       <group>
<         <name>netconf_user</name>
<         <user-name>netconf_user</user-name>
<       </group>
<       <group>
129,156d104
<       <name>cli_user</name>
<       <group>cli_user</group>
<       <rule>
<         <name>cli-access</name>
<         <context xmlns="http://tail-f.com/yang/acm">cli</context>
<         <action>permit</action>
<       </rule>
<       <rule>
<         <name>no-non-cli-access</name>
<         <context xmlns="http://tail-f.com/yang/acm">*</context>
<         <action>deny</action>
<       </rule>
<     </rule-list>
<     <rule-list>
<       <name>netconf_user</name>
<       <group>netconf_user</group>
<       <rule>
<         <name>netconf-access</name>
<         <context xmlns="http://tail-f.com/yang/acm">netconf</context>
<         <action>permit</action>
<       </rule>
<       <rule>
<         <name>no-non-netconf-access</name>
<         <context xmlns="http://tail-f.com/yang/acm">*</context>
<         <action>deny</action>
<       </rule>
<     </rule-list>
<     <rule-list>

sotiria 2017-08-31 06:42:13 UTC #3

It works!
Thank you very much for your response!

sotiria 2017-08-31 09:48:00 UTC #4

One more question.
Trying to allow rest and netconf interfaces, cli interface is not disabled.
Should I follow something similar to the bove example?

Thanks!

waitai 2017-08-31 23:17:20 UTC #5

Yes, you can follow something similar to my example as one way to do it. To allow more northbound interfaces to be accessible by a particular group, you can add more rules, one for each type of northbound interfaces to be permitted, before the deny rule.

sotiria 2017-09-04 06:32:11 UTC #6

In the same rule-list I have two types of rules. One as above which allows/denies access on interfaces and the second type which allows the access in specific leafs of yang tree model.
However, both rules do not work at the same time. I think that is the order of the rules. Is there a specific order for the rules so as all of them to be applied?

waitai 2017-09-05 21:09:00 UTC #7

As defined in ietf-netconf-acm.yang, the rules in a rule-list are processed as follows:

list rule {
  key "name";
    ordered-by user;
    description
       "One access control rule.
         Rules are processed in user-defined order until a match is
         found. A rule matches if 'module-name', 'rule-type', and
         'access-operations' match the request. If a rule
         matches, the 'action' leaf determines if access is granted
         or not.";

Continuing from the example aaa_init.xml as described in my previous posting, you should define the data access rules for a particular context before denying access to other contexts.