We have a use case where backup, reset & restore is done from admin group using maapi_load_config. We have defined NACM rules to restrict access like create/update/delete for some configurations. Is there any way these restrictions are not applicable when maapi_load_config is used and applicable when admin user tries to modify from cli/restconf?
I could see cmdrule for cli/webui. Does this work for restconf as well?
First use ordinary RFC 8341 data “rules” and use the “context” to make the rule apply to specific northbound interfaces such as CLI/RESTCONF/MAAPI etc.
“cmdrules” are for CLI/WebUI commands as they are displayed over those interfaces. The ordinary RFC 8341 data “rules” apply to YANG models. So you have ordinary data “rules” that restrict access to parts of the YANG model(s). Then you may need to complement that with special “cmdrules” that apply to the CLI and/or WebUI. But your primary way of restricting access should be through ordinary data “rules”.
From the ConfD UG chapter “command authorization”:
In general, we do not recommend using command rules to protect the configuration. Use rules for data access as described in the next section to control access to different parts of the data. Command rules should be used only for CLI commands and Web UI operations that cannot be expressed as data rules.
<rule>
  <name>system-interfaces-config</name>
  <module-name>system-intefaces</module-name>
  <access-operations>create update delete</access-operations>
  <action>deny</action>
  <context xmlns="http://tail-f.com/yang/acm">cli</context> <== restrict access only for cli
  <path>/system/interfaces</path>
</rule>
So in this case only cli will not have access, but still maapi_load_config has permissions to write & delete.
Do we need to define multiple rules for each interface or in single rule we can add like below <context xmlns="http://tail-f.com/yang/acm">cli restconf</context>
I tried the way you suggested. Configured rule same as updated in above comment.
I see it is working for cli, but still it is failing in case of maapi_load_config. I am expecting it to pass in case of maapi load.

<DEBUG> 25-Aug-2021::13:13:17.797 switch-1 confd[92]: devel-aaa User: admin[admin] rejected data access path /oc-sys:system/intefaces op write due to rule "admin/system-interfaces-config"
Either you pass a context that is allowed by your NACM rules when you call maapi_start_user_session() or you use “system” as the context.
From the confd_lib_maapi(3) man page on using “system” context:
Using the string "system" for context has special significance:
• The session is exempt from all maxSessions limits in confd.conf.
• There will be no authorization checks done by the AAA system.
• The session is not logged in the audit log.
• The session is not shown in 'show users' in CLI etc.
• The session may be started already in ConfD start phase 0. (However read-write transactions can not be started until phase 1, i.e. transactions started in phase 0 must use parameter readwrite == CONFD_READ).
Thus this can be useful e.g. when we need to create the user session for an "internal" transaction done by an application, without relation to a session from a northbound agent. Of course the implications of the above need to be carefully considered in each case.
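A simplified model of how the context-qualified data rule from this thread is evaluated, added here as an illustration and not ConfD's own code: it parses the rule XML (context widened to "cli restconf" as asked above) and models the behaviour the answer describes, where a session started with a context the rule does not list is not hit by it and a "system" context skips authorization entirely. Path-prefix matching and permit-when-no-rule-matches are assumptions of this model, not ConfD behaviour the thread states.

```python
import xml.etree.ElementTree as ET

ACM_NS = "http://tail-f.com/yang/acm"

# Constructed copy of the rule posted in the thread, with the tailf-acm
# context list widened to two northbound interfaces.
RULE_XML = """<rule>
  <name>system-interfaces-config</name>
  <module-name>system-intefaces</module-name>
  <access-operations>create update delete</access-operations>
  <action>deny</action>
  <context xmlns="http://tail-f.com/yang/acm">cli restconf</context>
  <path>/system/interfaces</path>
</rule>"""


def parse_rule(xml_text):
    """Turn one NACM <rule> into a dict; an absent context means 'all'."""
    root = ET.fromstring(xml_text)
    ctx = root.find(f"{{{ACM_NS}}}context")
    return {
        "name": root.findtext("name"),
        "ops": set(root.findtext("access-operations").split()),
        "action": root.findtext("action"),
        "contexts": set(ctx.text.split()) if ctx is not None else None,
        "path": root.findtext("path"),
    }


def rule_applies(rule, context, op, path):
    """Rule hits when op, session context and path prefix all match."""
    if op not in rule["ops"]:
        return False
    if rule["contexts"] is not None and context not in rule["contexts"]:
        return False
    return path == rule["path"] or path.startswith(rule["path"] + "/")


def check_access(rules, context, op, path):
    """Assumed model: 'system' sessions are exempt from AAA checks (as the
    man page excerpt says); otherwise the first matching rule decides and
    no match permits (the real default comes from nacm read/write-default)."""
    if context == "system":
        return "permit"
    for rule in rules:
        if rule_applies(rule, context, op, path):
            return rule["action"]
    return "permit"
```

A MAAPI session started with context "maapi" (or "system") therefore passes this rule while CLI and RESTCONF sessions are denied, which is the split the original question asks for.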