alext
June 8, 2015, 10:52pm
1
I am trying to deny update of one of the fields on my Yang model. I added the following sections in to aaa_init.xml
<rule>
<Name>ltm</name>
<module-name>ltm</module-name>
<path>/ltm/node</path>
<access-operations>create update read delete</access-operations>
<action>permit</action>
</rule>
<rule>
<name>node</name>
<module-name>node</module-name>
<path>/ltm/node/address</path>
<access-operations>update</access-operations>
<action>deny</action>
</rule>
But that is not working.
It works only in case I apply no update on entire “node” and not specific field of the node (with write-default set to deny)
<rule>
<Name>ltm</name>
<module-name>ltm</module-name>
<path>/ltm/node</path>
<access-operations>create read delete</access-operations>
<action>permit</action>
</rule>
nabil
June 8, 2015, 11:54pm
2
You might want to switch the order of the rules you have.
In the example you specified, the rule Ltm will trump any other specific rule below it, meaning any operation on any field under /Ltm/node/*
alext
June 9, 2015, 2:33pm
3
I changed the order, but got same result.
You should use the path /ltm/node/address so that the rule match all address elements for all nodes.
But note that when you login using the confd_cli -u my-username the nacm rule won’t apply since you may not belong to the user group you defined in the rule.
Try logging in using NETCONF or SSH when you test your nacm rule. For example:
Demo of difference between confd_cli and SSH:
$ confd_cli -u oper
# id
user = oper(501), gid=20, groups=oper,staff,access_bpf,everyone,localaccounts,_appserverusr,admin,_appserveradm,_lpadmin,_appstore,_lpoperator,_developer,com.apple.access_screensharing,com.apple.access_ssh, gids=12,20,33,61,79,80,81,98,100,204,398,399,503
# exit
$ ssh -l oper 127.0.0.1 -p 2024
oper@127.0.0.1's password:
# id
user = oper(9000), gid=20, groups=oper, gids=
#
alext
June 9, 2015, 7:27pm
5
I am testing using “make cli-c”, I assume above comment regarding username is not valid.
My previous comment is then valid since “make cli-c” in the ConfD examples is actually running confd_cli.
But, in here the confd_cli flag for groups is specified, so if your rule applies to the group “admin” then the rule should trigger.
From a Makefile in one of the examples:
cli-c:
$(CONFD_DIR)/bin/confd_cli --user=admin --groups=admin \
--interactive --host $(CONFD_HOST) -C || echo Exit
alext
June 9, 2015, 8:31pm
7
My Makefile includes the line you mentioned above.
<rule-list>
<name>any-group</name>
<group>*</group>
Can you post the result of a show of your NACM configuration when loaded into ConfD?
E.g.
$ make cli-c
# show running-config nacm rule-list
I suspect that you have a rule-list for the admin group above (i.e. with higher priority) your rule-list for “any-group”?
alext
June 9, 2015, 10:50pm
9
hype# show running-config nacm rule-list
Only thing related to AAA on configuration is:
aaa authentication users user admin
cohult
June 9, 2015, 11:28pm
10
Looks like the admin rule-list from the NACM configuration in the default aaa_init.xml is missing?
I.e. this part:
<rule-list>
<name>admin</name>
<group>admin</group>
<rule>
<name>any-access</name>
<action>permit</action>
</rule>
</rule-list>
alext
June 9, 2015, 11:58pm
11
Now it does show NACM section in running config, buts still does not function properly (allow to update address field)
hype# show running-config nacm rule-list
cohult
June 10, 2015, 12:31am
12
With the rule-lists setup that you have right now, if you login as the ‘oper’ user which belongs to the ‘oper’ group, you will see the ‘node’ rule kick in.
If you want the ‘admin’ user which belongs to the ‘admin’ group be affected by the ‘node’ rule, you must move the ‘nacm rule-list admin’ below / after the ‘nacm rule-list any-group’ in your aaa_init.xml or using the ‘move’ command in the CLI.
alext
June 10, 2015, 2:12pm
13
My running-config nacm looks like this:
hype# show running-config nacm
User admin still can modify the address field.
cli-c:
Still same result, “oper” also can modify the address field.
cohult
June 10, 2015, 4:40pm
14
That should work. Maybe you did a ‘create’ of a list entry, i.e. the list entry did not exist when you set the address field, and not an ‘update’, i.e. the list entry existed when you set the address field?
Here is a working example where I first only deny ‘update’ and then add to the rule to deny ‘create’ too so that you can compare with your project:
$ more example.yang
module example {
namespace "http://tail-f.com/ns/example/config";
prefix example;
container Ltm {
list node {
key name;
leaf name {
type string;
}
leaf address {
type uint32;
}
}
}
}
$ make cli-c
/tailf/releases/confd-basic-5.4.darwin.x86_64/../../confd-basic-5.4/bin/confd_cli --user=admin --groups=admin \
--interactive --host 127.0.0.1 -C || echo Exit
Welcome to ConfD Basic
127.0.0.1# id
user = admin(501), gid=20, groups=admin, gids=12,20,33,61,79,80,81,98,100,204,398,399,503
127.0.0.1# config
Entering configuration mode terminal
admin(config)# show full-configuration nacm
nacm enable-nacm true
nacm read-default permit
nacm write-default permit
nacm exec-default permit
nacm enable-external-groups true
nacm cmd-read-default permit
nacm cmd-exec-default permit
nacm groups group admin
user-name [ admin private ]
!
nacm groups group oper
user-name [ oper public ]
!
nacm rule-list any-group
group [ * ]
rule test-rule
module-name *
path /Ltm/node/address
access-operations update
action deny
context *
!
rule tailf-aaa-authentication
module-name tailf-aaa
path /aaa/authentication/users/user[name='$USER']
access-operations read,update
action permit
context *
!
rule tailf-aaa-user
module-name tailf-aaa
path /user[name='$USER']
access-operations create,read,update,delete
action permit
context *
!
rule tailf-webui-user
module-name tailf-webui
path /webui/data-stores/user-profile[username='$USER']
access-operations create,read,update,delete
action permit
context *
!
!
nacm rule-list admin
group [ admin ]
rule any-access
module-name *
access-operations *
action permit
context *
!
!
admin(config)# show full-configuration Ltm
% No entries found.
admin(config)# Ltm node test1 address 99
admin(config-node-test1)# commit
Commit complete.
admin(config-node-test1)# exit
admin(config)# show full-configuration Ltm
Ltm node test1
address 99
!
admin(config)# Ltm node test1 address 100
Error: access denied
admin(config-node-test1)# exit
admin(config)# nacm rule-list any-group rule test-rule access-operations create,update
admin(config-rule-test-rule)# commit
Commit complete.
admin(config-rule-test-rule)# exit
admin(config-rule-list-any-group)# exit
admin(config)# exit
127.0.0.1# exit
$ make cli-c
/Users/conny/tailf/releases/confd-basic-5.4.darwin.x86_64/../../confd-basic-5.4/bin/confd_cli --user=admin --groups=admin \
--interactive --host 127.0.0.1 -C || echo Exit
Welcome to ConfD Basic
127.0.0.1# config
Entering configuration mode terminal
admin(config)# Ltm node test2 address 199
Error: access denied
admin(config-node-test2)# commit
Commit complete.
admin(config-node-test2)# exit
admin(config)# show full-configuration Ltm
Ltm node test1
address 99
!
Ltm node test2
!
admin(config)# Ltm node test1 address 100
Error: access denied
admin(config-node-test1)# exit
admin(config)# show full-configuration Ltm
Ltm node test1
address 99
!
Ltm node test2
!
admin(config)#