Deny Commit RPC

Hi all,

I have a requirement to deny the default ConfD commit RPC, as the commit should be done only by an app using MAAPI APIs.
I have added a rule-list to aaa_init.xml as below to deny the commit RPC, but it is not working.

I have also tried the changes below:

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <read-default>permit</read-default>
  <write-default>permit</write-default>
  <exec-default>deny</exec-default>
  <groups>
    <group>
      <name>admin</name>
      <user-name>admin</user-name>
      <user-name>radisys</user-name>
    </group>
    <group>
      <name>oper</name>
      <user-name>oper</user-name>
      <user-name>public</user-name>
    </group>
  </groups>
  <rule-list>
    <name>any-group</name>
    <group>*</group>
    <rule>
      <name>edit-config</name>
      <rpc-name>edit-config</rpc-name>
      <context xmlns="http://tail-f.com/yang/acm">netconf</context>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>delete-config</name>
      <rpc-name>delete-config</rpc-name>
      <context xmlns="http://tail-f.com/yang/acm">netconf</context>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>commit</name>
      <rpc-name>commit</rpc-name>
      <context xmlns="http://tail-f.com/yang/acm">netconf</context>
      <access-operations>exec</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>

but with this, none of edit-config/get-config/delete-config is working. Is the issue due to my trying to deny a default RPC? Kindly let me know what is missing here.

Thanks
kamala

As you suspect, there is an implicit commit that does not trigger NACM rules if you are writing straight to the running DB with NETCONF. If you want to continue to write straight to the running DB, you might just deny the edit-config and delete-config RPCs to never let the configuration get in.

If you want to observe the denial of commit messages, you can write changes to the candidate DB and then issue a commit that can be denied. The NACM configuration with the new ‘block-commits’ rule looks like:

rule-list admin {
    group [ admin ];
    rule block-commits {
        rpc-name commit;
        action   deny;
        context  netconf;
    }
    rule any-access {
        action permit;
    }
}

And then, as an example, we can write a new user to the user table with an edit-config stored in a file.

edit-config-candidate.xml:

<edit-config>
  <target>
    <candidate/>
  </target>
  <config>
    <user xmlns="http://tail-f.com/ns/aaa/1.1">
      <name>testuser1</name>
      <description>test user #1</description>
    </user>
  </config>
</edit-config>

and then send with

netconf-console --rpc edit-config-candidate.xml

This will put the configuration into the candidate DB. Then send a commit with:

netconf-console --commit

and you will see

$ netconf-console --commit
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-type>protocol</error-type>
    <error-tag>access-denied</error-tag>
    <error-severity>error</error-severity>
  </rpc-error>
</rpc-reply>
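As an added example (mine, not code from this thread or from ConfD), here is a small Python evaluator for NACM protocol-operation rules with the first-match semantics of RFC 8341, run over a constructed nacm document that combines the question's exec-default deny, groups and any-group rule-list with the answer's admin rule-list. It shows that rule order decides the outcome (block-commits before any-access) and that RPCs with no matching rule, such as get-config, fall through to exec-default. It does not model the tailf-acm context leaf, nor the implicit commit of writes straight to running, which as the answer says never reaches the commit rule at all.

```python
import xml.etree.ElementTree as ET

NS = "{urn:ietf:params:xml:ns:yang:ietf-netconf-acm}"

# Constructed sample: the question's exec-default deny, its admin/oper groups and
# any-group rule-list, plus the answer's "admin" rule-list with block-commits.
SAMPLE_NACM = """<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <exec-default>deny</exec-default>
  <groups>
    <group><name>admin</name><user-name>admin</user-name><user-name>radisys</user-name></group>
    <group><name>oper</name><user-name>oper</user-name><user-name>public</user-name></group>
  </groups>
  <rule-list><name>admin</name><group>admin</group>
    <rule><name>block-commits</name><rpc-name>commit</rpc-name><action>deny</action></rule>
    <rule><name>any-access</name><action>permit</action></rule>
  </rule-list>
  <rule-list><name>any-group</name><group>*</group>
    <rule><name>edit-config</name><rpc-name>edit-config</rpc-name>
      <access-operations>exec</access-operations><action>permit</action></rule>
    <rule><name>commit</name><rpc-name>commit</rpc-name>
      <access-operations>exec</access-operations><action>deny</action></rule>
  </rule-list>
</nacm>"""

def user_groups(nacm, user):
    """Names of the NACM groups whose user-name list contains this user."""
    return {g.findtext(NS + "name") for g in nacm.findall(NS + "groups/" + NS + "group")
            if user in [u.text for u in g.findall(NS + "user-name")]}

def rpc_access(nacm, user, rpc):
    """Permit or deny an RPC, RFC 8341 style: walk the rule-lists that apply to the user,
    take the first rule matching the RPC name (no rpc-name = any), else exec-default."""
    if nacm.findtext(NS + "enable-nacm") != "true":
        return "permit"  # NACM disabled: everything is allowed
    groups = user_groups(nacm, user)
    for rl in nacm.findall(NS + "rule-list"):
        rl_groups = {g.text for g in rl.findall(NS + "group")}
        if "*" not in rl_groups and not groups & rl_groups:
            continue  # this rule-list does not apply to the user's groups
        for rule in rl.findall(NS + "rule"):
            name = rule.findtext(NS + "rpc-name")
            ops = rule.findtext(NS + "access-operations", "*").split()
            if name in (None, "*", rpc) and ("*" in ops or "exec" in ops):
                return rule.findtext(NS + "action")  # first match wins
    return nacm.findtext(NS + "exec-default", "permit")

NACM = ET.fromstring(SAMPLE_NACM)
```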