Hi,
I am investigating RFC7317 (ietf-system). There are several rpcs defined (system-shutdown, system-restart, …) with the nacm:default-deny-all statement defined in section 3.6.
According to the RFC6536 (nacm) definition, a data node with nacm:default-deny-all can only be touched in a recovery session.
    extension default-deny-all {
      description
        "Used to indicate that the data model node
         controls a very sensitive security system parameter.

         If present, and the NACM module is enabled (i.e.,
         /nacm/enable-nacm object equals 'true'), the NETCONF server
         will only allow the designated 'recovery session' to have
         read, write, or execute access to the node.  An explicit
         access control rule is required for all other users.

         The 'default-deny-all' extension MAY appear within a data
         definition statement, 'rpc' statement, or 'notification'
         statement.  It is ignored otherwise.";
    }
So I am trying to understand whether the confd cli with the parameter --noaaa is equivalent to the concept of a recovery session, and how to start a netconf session as a recovery one (bypassing nacm as well as being able to perform nacm:default-deny-all rpcs).
Thanks for helping on this.
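As an added example that is not part of the original post: the "explicit access control rule" RFC 6536 requires for any non-recovery user could be expressed as the following NACM configuration, which permits only one group to execute the ietf-system system-restart rpc while leaving the defaults restrictive. The group name `sysadmin` and the rule-list/rule names are constructed; the element names and namespace are those of RFC 6536.

```xml
<!-- Added example (not from the original post): NACM rule-list granting one
     group exec access to the ietf-system system-restart rpc. Group and rule
     names are constructed; element names follow ietf-netconf-acm (RFC 6536). -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <!-- Defaults stay restrictive; exec-default does not override the
       nacm:default-deny-all extension, so an explicit rule is still needed. -->
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>deny</exec-default>
  <rule-list>
    <name>sysadmin-restart</name>          <!-- constructed name -->
    <group>sysadmin</group>                <!-- constructed group -->
    <rule>
      <name>permit-system-restart</name>   <!-- constructed name -->
      <module-name>ietf-system</module-name>
      <rpc-name>system-restart</rpc-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
      <comment>Explicit rule required because system-restart carries
               nacm:default-deny-all; everyone else is limited to the
               recovery session.</comment>
    </rule>
  </rule-list>
</nacm>
```

Members of any other group still receive access-denied for this rpc, which is the least-privilege outcome the extension is designed to enforce.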