ConfD User Community

Hide some elements of the list and use "unhide" to show 'em

Dear Sirs!

I want to create a model with a list. And make only some of the list items visible by default. And use “unhide” to show the rest of the data. As I understand tailf:hidden could be applied only to a whole YANG scheme element, so I’m thinking to create some dedicated node with “tailf:hidden” annotation and programmatically check if the “unhide” has been called by the user.
Should I do that way?
Is there a more “confd-ness” way to do that?
Is the idea to hide/unhide elements of the list good, or is there some better design decision?
(I need some of the items to be visible only to the advanced users/technicians)

Thank you for the response.

That does not sound like the ideal approach. Let me try to rephrase what you are trying to do, to be sure I understand: you want to provide (or not provide) nodes based on a state of another node. That is needlessly complicated and perhaps even impossible; there are other options:

  • Note that the argument to tailf:hidden is a so-called “hide group”, and an argument to the unhide command is again a hide group; so if you apply tailf:hidden with the same hide group to multiple nodes, unhiding the hide group works for all those nodes.

  • If your overall idea is that some users simply should not have access to a certain set of nodes, then you better have a look at access right management.

Thank you for your reply.

I want a part of the network interfaces to be visible only to the authorized (staff) users. And keep following the RFC (“urn:ietf:params:xml:ns:yang:ietf-interfaces”): to have /interfaces with known structure. I can create additional leaves for the hidden interfaces but in that case, they will not fit the scheme defined in the RFC.
What is a suggested approach?
As I’ve understood AAA has no option to hide some elements in the list.

If you want to add new nodes to a standard data model, then you are looking for the augment statement - there’s a paragraph dedicated to it in the YANG chapter of the ConfD user guide.

“Authorized users” - it really sounds like NACM authorization rules are what you need; have a look at the “AAA infrastructure” chapter in the user guide, in particular the section “Authorization”.

I want to keep the exact RFC model but hide certain items (network interfaces) in the /interfaces list (for regular users)
I’ll re-read the user guide and will check, thank you. But if it isn’t possible I’ll augment the model, but I do not want to augment it because that could potentially break future compatibility with some third-party software which relies on RFC.

Just a point to augmenting: creating your custom module that augments a standard module is perfectly RFC-compliant. Note that the new elements belong to your namespace, and any RFC-compliant management software must ignore elements from unknown namespace.

The situation is obviously different if the communication protocol is, say, CLI, where there usually are no namespace declarations; but then again, CLI client can hardly be called RFC-compliant - there are no RFCs for this, as far as I know.

See the NACM RFC https://tools.ietf.org/html/rfc8341 and https://tools.ietf.org/html/rfc8341#appendix-A.4 for examples.

Example for your use case as you describe it:

$ cat test.xml 
<config xmlns="http://tail-f.com/ns/config/1.0">
  <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
    <interface>
      <name>world</name>
      <description>hello world</description>
    </interface>
    <interface>
      <name>dummy</name>
      <description>hello dummy</description>
    </interface>
  </interfaces>
  <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <rule-list>
       <name>oper-rule-list</name>
       <group>oper</group>
       <rule>
         <name>deny-dummy-interface</name>
         <path xmlns:if="urn:ietf:params:xml:ns:yang:ietf-interfaces">/if:interfaces/if:interface[if:name='dummy']</path>
         <access-operations>read update</access-operations>
         <action>deny</action>
         <comment>Deny the 'oper' group read and update access to the dummy interface.</comment>
       </rule>
     </rule-list>
  </nacm>
</config>

$ confd_load -m -l test.xml
$ netconf-console -u admin -p admin --get-config -x /interfaces
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <data>
    <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
      <interface>
        <name>dummy</name>
        <description>hello dummy</description>
      </interface>
      <interface>
        <name>world</name>
        <description>hello world</description>
      </interface>
    </interfaces>
  </data>
</rpc-reply>

$ netconf-console -u oper -p oper --get-config -x /interfaces
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <data>
    <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
      <interface>
        <name>world</name>
        <description>hello world</description>
      </interface>
    </interfaces>
  </data>
</rpc-reply>
$ confd_cli -u oper -g oper -C
oper connected from 127.0.0.1 
# show running-config interfaces 
interfaces interface world
 description "hello world"
!
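
A regression check for the rule shown above, as an added example that is not part of the original thread: it extracts the interface names a group is denied read access to from the NACM configuration and reports any that still appear in a `get-config` reply. The function names and the embedded XML are constructed for illustration; the parser assumes the `if:` prefix and key-only paths as in the thread's rule, and it ignores rule ordering.

```python
import re
import xml.etree.ElementTree as ET

NS = {"if": "urn:ietf:params:xml:ns:yang:ietf-interfaces",
      "nacm": "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"}

# Constructed inputs that mirror the thread's NACM rule and the two replies.
NACM_CONFIG = """<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <rule-list>
    <name>oper-rule-list</name>
    <group>oper</group>
    <rule>
      <name>deny-dummy-interface</name>
      <path xmlns:if="urn:ietf:params:xml:ns:yang:ietf-interfaces">/if:interfaces/if:interface[if:name='dummy']</path>
      <access-operations>read update</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>"""
REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"><data>
<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">%s</interfaces></data></rpc-reply>"""
ENTRY = "<interface><name>%s</name></interface>"
ADMIN_REPLY = REPLY % (ENTRY % "dummy" + ENTRY % "world")
OPER_REPLY = REPLY % (ENTRY % "world")

def denied_interfaces(nacm_xml, group):
    """Interface names that `group` is denied read access to by key-matching rules."""
    names = set()
    for rule_list in ET.fromstring(nacm_xml).findall("nacm:rule-list", NS):
        if group not in [g.text for g in rule_list.findall("nacm:group", NS)]:
            continue
        for rule in rule_list.findall("nacm:rule", NS):
            # RFC 8341: access-operations defaults to "*" when the leaf is absent.
            ops = set(rule.findtext("nacm:access-operations", "*", NS).split())
            if rule.findtext("nacm:action", "", NS) != "deny" or not {"read", "*"} & ops:
                continue
            # Assumption: the path uses the "if" prefix and selects one list key.
            m = re.fullmatch(r"/if:interfaces/if:interface\[if:name='([^']+)'\]",
                             rule.findtext("nacm:path", "", NS).strip())
            if m:
                names.add(m.group(1))
    return names

def leaked_interfaces(reply_xml, denied):
    """Denied interface names that still appear in a <get-config> reply."""
    found = ET.fromstring(reply_xml).findall(".//if:interface/if:name", NS)
    return sorted({n.text for n in found} & denied)
```

Feeding it the reply captured for each restricted user after every ACL change catches a rule that silently stopped matching, for example after an interface was renamed.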