Netconf recovery session

JamesZhang · January 6, 2017, 4:13am

Hi,
I am investigating RFC7317 (ietf-system). There are several rpcs defined (system-shutdown, system-restart,…) with nacm:default-deny-all statement defined in section 3.6.
According to RFC6536 (nacm) definition, data node with nacm:default-deny-all only can be touched in recovery session.

extension default-deny-all {
       description
         "Used to indicate that the data model node
          controls a very sensitive security system parameter.

          If present, and the NACM module is enabled (i.e.,
          /nacm/enable-nacm object equals 'true'), the NETCONF server
          will only allow the designated 'recovery session' to have
          read, write, or execute access to the node.  An explicit
          access control rule is required for all other users.

          The 'default-deny-all' extension MAY appear within a data
          definition statement, 'rpc' statement, or 'notification'
          statement.  It is ignored otherwise.";
     }

so I am trying to understand if the confd cli with parameter --noaaa is equivalent to the concept of recovery session. and how to start an netconf session as a recovery one (bypass nacm as well as capable to perform nacm:default-deny-all rpc).
thanks for helping on this.

per · January 6, 2017, 10:52am

No, this is just the default - as the ‘description’ says: “An explicit access control rule is required for all other users”. I.e. once you create NACM rules that allow access to these rpcs, they can be invoked as usual by the users authorized by those rules.

Yes, that’s pretty much it for out-of-the-box NB interfaces. Alternatively you can of course use MAAPI with context “system”, either directly or via confd_cmd(1), for such a “session”.

This is not possible, and I can’t think of a way it could be done without completely losing all access control (note that the concept of a recovery session is only a MAY in RFC 6536). The ‘confd_cli --noaaa’ and MAAPI alternatives don’t have this problem, since they can only be used if you have access to the IPC port.

JamesZhang · January 9, 2017, 2:00am

thanks for reply,
Sure, I can add an explicit rule to allow the access in nacm configuration.and now I know that there is no netconf recovery session for now.