Create and authorize users in runtime using dyncfg

Hi,

I have the rule list below for Admin and Config.

I would like to have a group to which users can be added dynamically and assigned to either Admin or Config.

I would like to grant them CLI permission if the user's group is Admin and deny CLI permission if the group is Config.

I am also making use of dyncfg to deny/allow CLI at runtime.

I got the following from the user guide, which is suitable:


<rule-list>
  <name>admin</name>
  <group>admin</group>
  <rule>
    <name>aaa</name>
    <path>/</path>
    <context xmlns="http://tail-f.com/yang/acm">cli</context>
    <access-operations>read create update delete</access-operations>
    <action>permit</action>
  </rule>
</rule-list>
<rule-list>
  <name>oper</name>
  <group>oper</group>
  <rule>
    <name>aaa</name>
    <path>/</path>
    <context xmlns="http://tail-f.com/yang/acm">cli</context>
    <access-operations>read create update delete</access-operations>
    <action>deny</action>
  </rule>
</rule-list>

The users are created from external application.
dyncfg doesn't have an option to add users to ConfD dynamically when they are created externally and have them assigned to a group. (I couldn't see an option to add a user at runtime in dyncfg; maybe I am wrong or missed something.)

Basically, I would like to create users as and when I wish and assign them to a group, all at runtime.

Kindly provide suggestions

Regards,
Ash

ConfD uses tailf-aaa module that contains this, among others:

 module: tailf-aaa
   +--rw aaa
      +--rw authentication
         +--rw users
            +--rw user* [name]
               +--rw name          string
               +--rw uid           int32
               +--rw gid           int32
               +--rw password      passwdStr
               +--rw ssh_keydir    string
               +--rw homedir       string

In the standard authentication setup, "create a user" means adding a user entry here and its username to the corresponding instances of /nacm/groups/group/user-name. You can read more details in the chapter "The AAA infrastructure" in the user guide.
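The two changes described above (the /aaa user entry and the /nacm group membership) belong in one commit, and the references between them are easy to get wrong when they are generated by an external application. The following is an added example, not code from the thread or from ConfD: it builds that combined `<config>` payload (suitable for a NETCONF `<edit-config>` or a MAAPI load) and lints an aaa_init.xml-style document for dangling user-name references, rule-lists pointing at undefined groups, repeated rule-list names and malformed XML. Function names, the `"PASSWORD-HASH-PLACEHOLDER"` value and the sample document are this example's own constructions; only the namespaces and element names come from the thread.

```python
# Added example (not from the thread or from ConfD): build the one edit that
# creates a user at runtime, then lint an AAA/NACM document for reference
# errors before it is committed. Standard library only; runs offline.
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Namespaces of the tailf-aaa and ietf-netconf-acm models, as used in the thread.
AAA_NS = "http://tail-f.com/ns/aaa/1.1"
NACM_NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
NS = {"aaa": AAA_NS, "nacm": NACM_NS}


def build_user_config(name, uid, gid, password, group, home_base="/var/confd/homes"):
    """Return a <config> payload that adds /aaa/authentication/users/user[name]
    and the matching /nacm/groups/group[group]/user-name in a single edit, so a
    user is never committed without the group that carries its rule-lists.
    'password' is whatever tailf-aaa's passwdStr accepts (pass a hash, not
    cleartext). Function and parameter names are this example's own."""
    n = escape(name)
    return f"""<config xmlns="http://tail-f.com/ns/config/1.0">
  <aaa xmlns="{AAA_NS}">
    <authentication>
      <users>
        <user>
          <name>{n}</name>
          <uid>{int(uid)}</uid>
          <gid>{int(gid)}</gid>
          <password>{escape(password)}</password>
          <ssh_keydir>{home_base}/{n}/.ssh</ssh_keydir>
          <homedir>{home_base}/{n}</homedir>
        </user>
      </users>
    </authentication>
  </aaa>
  <nacm xmlns="{NACM_NS}">
    <groups>
      <group>
        <name>{escape(group)}</name>
        <user-name>{n}</user-name>
      </group>
    </groups>
  </nacm>
</config>
"""


def check_aaa_nacm(xml_text):
    """Lint an aaa_init.xml-style document. Returns a list of problems:
    not well-formed XML, a NACM user-name with no /aaa user entry, a rule-list
    whose <group> names an undefined group (other than '*'), and a repeated
    rule-list <name> (the list key in ietf-netconf-acm)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    users = {e.text for e in root.iterfind(".//aaa:users/aaa:user/aaa:name", NS)}
    groups = set()
    for g in root.iterfind(".//nacm:groups/nacm:group", NS):
        gname = g.findtext("nacm:name", namespaces=NS)
        groups.add(gname)
        for member in g.iterfind("nacm:user-name", NS):
            if member.text not in users:
                problems.append(f"group {gname!r} lists user {member.text!r} with no /aaa user entry")
    seen = set()
    for rl in root.iterfind(".//nacm:rule-list", NS):
        rname = rl.findtext("nacm:name", namespaces=NS)
        if rname in seen:
            problems.append(f"duplicate rule-list name {rname!r} (name is the list key)")
        seen.add(rname)
        for g in rl.iterfind("nacm:group", NS):
            if g.text != "*" and g.text not in groups:
                problems.append(f"rule-list {rname!r} refers to undefined group {g.text!r}")
    return problems


# Constructed sample: a group member with no /aaa entry, plus a repeated
# rule-list name and an undefined group reference.
BAD_DOC = f"""<config xmlns="http://tail-f.com/ns/config/1.0">
  <nacm xmlns="{NACM_NS}">
    <enable-nacm>true</enable-nacm>
    <groups>
      <group><name>Config</name><user-name>abc</user-name></group>
    </groups>
    <rule-list><name>Config</name><group>Config</group></rule-list>
    <rule-list><name>Config</name><group>Oper</group></rule-list>
  </nacm>
</config>
"""

if __name__ == "__main__":
    payload = build_user_config("ash", 1001, 20, "PASSWORD-HASH-PLACEHOLDER", "Config")
    print(payload)
    print("generated payload problems:", check_aaa_nacm(payload))
    for p in check_aaa_nacm(BAD_DOC):
        print("problem:", p)
```

The lint is meant for a complete document (aaa_init.xml or the result of a full get-config of /aaa and /nacm); a partial edit that only appends a name to an existing group will legitimately lack the /aaa entry and should be checked against the running configuration instead.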

Hi,
Thanks.
I have included both tailf-aaa and ietf-netconf-acm

So every time we add a user entry and add the user to a group, should we restart ConfD, or will ConfD take care of reflecting the user entry and group association (/nacm/groups/group/user-name) at runtime?

Will authorization (rule-lists) work dynamically, or should we restart ConfD to reflect the changes?

Regards,
Ash

There is definitely no need to restart ConfD, and in the standard setup there is no need to do anything else - your application changes AAA and/or NACM configuration, commits, and ConfD immediately starts using that for new user sessions.

Hi,

I tried the below rule list for user ‘abc’ to allow CLI but restrict NETCONF. But this doesn’t seem to work.
I shouldn’t be able to connect to netconf but I could with the below rule-list.

Kindly let me know if I am missing something here.

> <config xmlns="http://tail-f.com/ns/config/1.0">
>   <aaa xmlns="http://tail-f.com/ns/aaa/1.1">
>     <authentication>
>       <users>
>         <user>
>           <name>abc</name>
>           <uid>1000</uid>
>           <gid>20</gid>
>           <password>1234</password>
>           <ssh_keydir>/var/confd/homes/abc/.ssh</ssh_keydir>
>           <homedir>/var/confd/homes/abc</homedir>
>         </user>
>       </users>
>     </authentication>
>   </aaa>
>   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
>     <enable-nacm>true</enable-nacm>
>     <read-default>permit</read-default>
>     <write-default>permit</write-default>
>     <exec-default>permit</exec-default>
>     <groups>
>       <group>
>         <name>Config</name>
>         <user-name>abc</user-name>
>       </group>
>     </groups>
>     <rule-list>
>       <name>Config</name>
>       <group>Config</group>
>       <cmdrule xmlns="http://tail-f.com/yang/acm">
>         <name>netconf-deny</name>
>         <context xmlns="http://tail-f.com/yang/acm">netconf</context>
>         <command>*</command>
>         <access-operations>exec</access-operations>
>         <action>deny</action>
>       </cmdrule>
>     </rule-list>
>     <rule-list>
>       <name>Config-cli</name>
>       <group>Config</group>
>       <cmdrule xmlns="http://tail-f.com/yang/acm">
>         <name>cli-allow</name>
>         <context>cli</context>
>         <command>*</command>
>         <access-operations>exec</access-operations>
>         <action>permit</action>
>       </cmdrule>
>     </rule-list>
>   </nacm>
> </config>

Hi,

From the ConfD UG chapter “Command Authorization” and the tailf-acm.yang model:

Command rules control access to CLI commands and Web UI functions.

I.e. command rules do not work with NETCONF, only with the CLI and JSON-RPC (WebUI).
See the ConfD UG chapter "Rpc, notification, and data authorization", and RFC 8341 (Network Configuration Access Control Model), which has some additional examples of the different types of rules.

Hi Cohult,

Thanks for the clarification.

With rule-lists and rule authorization, I am able to permit and restrict various rpc-names in NETCONF.

But I do not want the NETCONF client to be able to connect at all for users of a specific group.

With the rule below, none of the modules gets loaded, as expected, but the client still gets connected to the NETCONF server.

But I do not want it to connect to the NETCONF server at all for a specific group.

> 
>       <rule-list>
>         <name>rule-group</name>
>         <group>group123</group>
>         <rule>
>           <name>deny-access</name>
>           <module-name>*</module-name>
>           <rpc-name>*</rpc-name>
>           <context xmlns="http://tail-f.com/yang/acm">netconf</context>
>           <access-operations>exec</access-operations>
>           <action>deny</action>
>         </rule>
>       </rule-list>
>

Hi,

NACM handles authorization, not authentication. You would need to write some code to handle your use case. See the confd_dp_lib(3) section “AUTHENTICATION CALLBACK”. The protocol information is located in the struct confd_user_info *uinfo.

Hi Cohult,

I could try out user creation and group association from aaa_init.xml and it works.

But I couldn't read or create new users at runtime. Whatever is created from aaa_init.xml works fine, including the rules and rule-lists.

  <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
    <enable-nacm>true</enable-nacm>
    <read-default>permit</read-default>
    <write-default>permit</write-default>
    <exec-default>permit</exec-default>
    <groups>
      <group>
        <name>ADMIN</name>
        <user-name>Admin</user-name>
      </group>
    </groups>
    <rule-list>
      <name>Admin-group</name>
      <group>ADMIN</group>
      <rule>
        <name>Admin-any-access</name>
        <rpc-name>*</rpc-name>
        <action>permit</action>
      </rule>
      <cmdrule xmlns="http://tail-f.com/yang/acm">
        <name>Admin-permit</name>
        <context>*</context>
        <command>*</command>
        <access-operations>*</access-operations>
        <action>permit</action>
      </cmdrule>
    </rule-list>
  </nacm>

So whenever I try to read or write, I get the error below:

29-Apr-2023::15:33:43.830 saber2 confd[<0.11748.0>]: devel-aaa User: Admin[ADMIN] rejected data access path /nacm:nacm op write due to no rule matched and node has nacm:default-deny-all

When i perform get-config on nacm or aaa, i get empty results. And if i do edit-config on nacm, it throws above error.

Kindly let me know if I am missing something here. I would like to create users and groups at runtime.

Regards,
Ash

I believe the above configuration was not set, or all users would have been allowed to do read, write, exec since there are no deny rules in your NACM configuration.
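The devel-aaa log line quoted above spells out the NACM decision step that produced the denial: no rule matched and the node carries nacm:default-deny-all. The following is an added example, not code from the thread or from ConfD: it implements the RFC 8341 section 3.4.5 data-node access decision on a simplified rule model (plain dicts, function names of my own) and replays the posted case. The Admin-group rule-list contains an rpc-name rule and a tailf-acm cmdrule but no data-node rule, and the /nacm container is tagged nacm:default-deny-all in ietf-netconf-acm, so write-default=permit and read-default=permit never reach it; the example also shows the read case, which matches the empty get-config result, and the same user after an explicit data rule is added.

```python
# Added example (not from the thread or from ConfD): the RFC 8341 section 3.4.5
# data-node access decision on a simplified rule model, replaying the denial in
# the devel-aaa log line above. Rule-lists are plain dicts; names are my own.

WRITE_OPS = {"create", "update", "delete"}


def rule_matches_data(rule, module, path, op):
    """A data-node rule matches when it carries a <path>, its module-name is '*'
    or the node's module, the target node is the rule's node or a descendant,
    and the operation is in access-operations ('*' means all). rpc-name and
    notification-name rules, and tailf-acm <cmdrule>s, never match data access."""
    if "path" not in rule or "rpc_name" in rule or "notification_name" in rule:
        return False
    if rule.get("module_name", "*") not in ("*", module):
        return False
    rule_path = rule["path"].rstrip("/") or "/"
    if not (rule_path == "/" or path == rule_path or path.startswith(rule_path + "/")):
        return False
    ops = rule.get("access_operations", "*")
    return ops == "*" or op in ops.split()


def decide_data_access(rule_lists, user_groups, module, path, op, node_tags=(), defaults=None):
    """Return (action, reason) for one data-node access.
    Rule-lists whose <group> contains one of the user's groups (or '*') are
    scanned in order; the first matching rule decides. With no match, the
    node's own nacm:default-deny-all / default-deny-write extensions win before
    the global read-default / write-default leafs are consulted."""
    defaults = defaults or {"read-default": "permit", "write-default": "deny"}
    for rl in rule_lists:
        if not ("*" in rl["groups"] or set(rl["groups"]) & set(user_groups)):
            continue
        for rule in rl["rules"]:
            if rule_matches_data(rule, module, path, op):
                return rule["action"], f"rule-list {rl['name']!r} rule {rule['name']!r} matched"
    if "default-deny-all" in node_tags:
        return "deny", "no rule matched and node has nacm:default-deny-all"
    if op in WRITE_OPS and "default-deny-write" in node_tags:
        return "deny", "no rule matched and node has nacm:default-deny-write"
    leaf = "write-default" if op in WRITE_OPS else "read-default"
    return defaults[leaf], f"no rule matched; {leaf} = {defaults[leaf]} applies"


# Constructed from the rule-list posted above: an rpc-name rule (the tailf-acm
# cmdrule is omitted, it cannot match data access) and no data-node rule.
ADMIN_RULE_LISTS = [
    {"name": "Admin-group", "groups": ["ADMIN"], "rules": [
        {"name": "Admin-any-access", "rpc_name": "*", "action": "permit"},
    ]},
]
POSTED_DEFAULTS = {"read-default": "permit", "write-default": "permit"}
# ietf-netconf-acm marks its own /nacm container nacm:default-deny-all.
NACM_NODE_TAGS = ("default-deny-all",)


def thread_case(op="update"):
    """The denied access from the log line: write-default=permit never reaches
    a node tagged default-deny-all, so only an explicit data rule can open it."""
    return decide_data_access(ADMIN_RULE_LISTS, ["ADMIN"], "ietf-netconf-acm",
                              "/nacm:nacm", op, NACM_NODE_TAGS, POSTED_DEFAULTS)


def fixed_case(op="update"):
    """Same user after adding a data-node rule covering '/' for all operations."""
    data_rule = {"name": "Admin-data", "module_name": "*", "path": "/",
                 "access_operations": "*", "action": "permit"}
    fixed = [{"name": "Admin-group", "groups": ["ADMIN"],
              "rules": ADMIN_RULE_LISTS[0]["rules"] + [data_rule]}]
    return decide_data_access(fixed, ["ADMIN"], "ietf-netconf-acm",
                              "/nacm:nacm", op, NACM_NODE_TAGS, POSTED_DEFAULTS)


if __name__ == "__main__":
    for label, result in (("as posted, write", thread_case()),
                          ("as posted, read", thread_case("read")),
                          ("with data rule, write", fixed_case())):
        print(f"{label}: {result[0]} ({result[1]})")
```

The reason strings are kept close to the devel-aaa wording so the output can be compared with the ConfD log directly; a rule-list that is meant to administer NACM itself needs a data-node rule whose path covers /nacm (or /), and the global defaults are not a substitute for it.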