Question about cStrictAAA

Core Engine and APIs
1

About cStrictAAA, Here is the document in ConfD User Guide:

/confdConfig/cli/cStrictAAA (boolean) [false]
cStrictAAA is either 'true' or 'false'. If set to 'true' then the CLI will match all auto-rendered C-style
commands (eg. C-style config commands and C-style actions) against AAA data-rules and all other
C-Style commands will be matched against AAA command-rules. If set to 'false', the CLI will match
all commands against both AAA data-rules and AAA command-rules.

When it is false, the CLI will match all commands against both AAA data-rules and AAA command-rules. My question is that will the config command match the cmdrule first? If there is no cmdrule provided in NACM data, and the /nacm:nacm:cmd-read-default and cmd-exec-default are both deny, the config command will be rejected, even there is a matching rule found in one of the “rule” lists in one “rule-list” entry that matches the user’s groups?

For example, here is the following yang module name test-module.yang:

container test {
  leaf number {
    type uint32;
  }
}

And there is a rule as below but no cmdrule defined:

{
   "ietf-netconf-acm:nacm" : {
      "rule-list" : [
         {
            "group" : [
               "system-admin"
            ],
            "name" : "system-admin",
            "rule" : [
               {
                  "module-name" : "test-module",
                  "access-operations" : "*",
                  "action" : "permit",
                  "name" : "test-module-admin",
                  "tailf-acm:context" : "*"
               },

The operator belong to group “system-admin” now is in the configuration mode of the c-style CLI, the config command “test” will be rejected, since there is no cmdrule defined? Is this the designed behavior?

Thank you.

2

Right, so if you have set cmd-read/exec-default to “deny” you likely want to set /confdConfig/cli/cStrictAAA to “true” to control authorization for YANG model rendered nodes from data rules only.

1 Like
3

Hi cohult,
Thank you for your reply. As your suggested, we have set cmd-read/exec-defautlt to “deny” and also set /confdConfig/cli/cStrictAAA to “true”. The cli commands work normally.
Since cStrictAAA is defined under cli, does this configuration also works for netconf commands?
BRs
Michael

4

No, and that would not make sense since command rules only control access to CLI commands and Web UI functions. I.e. not NETCONF.
By the way, The NETCONF protocol operations are realized as remote procedure calls (RPCs). RFC 6241 - Network Configuration Protocol (NETCONF)

1 Like