Try to disable edit-config for a user with AAA but not working

Hello, Team

I am verifying disable some internal Netconf RPCs for a specific user group with the example code in …/examples.confd/misc/aaa_eth0, and find it doesn’t work as expected.

  1. In …/examples.confd/misc/aaa_eth0, change context from “netconf” to “*” as below:

  2. make clean; make all start

  3. then login with “confd_cli -u oper”

  4. change atm0/mtu=1200, and then commit, it succeeds. Please see below:
    oper@localhost% set system interfaces interface atm0 mtu 1200
    [ok][2021-05-25 11:12:27]

oper@localhost% comm
Commit complete.
[ok][2021-05-25 11:12:29]

Why it doesn’t fail the operation of “edit-config”? Can somebody help with this? Thanks.

The above rule that you have modified only applies NETCONF as it is specific to NETCONF’s RPC command. Expanding the context to wildcard won’t make it be applicable to other northbound interfaces including CLI.

If you would like to disallow all modification requests of the system module via all northbound interfaces to the oper group, you can add the following rule to the oper rule-list:

    <access-operations>create update delete</access-operations>

Thanks Waitai for the suggested solution. I didn’t make myself clear.

Now I am trying to disable some intrinsic RPC operations like “partial-lock/unlock” for all users and disable “lock/unlock” some of them in our real project. When I put the following rules in aaa_init.xml and found that
It don’t block the Netconf lock/partial-lock xml request. So I turn to the example and take the “edit-config” as an example and fount that it’s same result.

  1. Now I add the rules to block RPC “lock” and “delete-config”

  2. Now I send request xml with ssh, and issue the request twice. The 1st time accepted and rejected on the 2nd time.

  3. the XML content:

It didn’t work, did I do something wrong?

Here’s a working session:

    aaa_eth0 % make clean all start
    rm -rf \
>     		*.o *.a *.xso *.fxs *.xsd *.ccl \
>     		*_proto.h \
>     		./confd-cdb *.db aaa_cdb.* \
>     		rollback*/rollback{0..999} rollback{0..999} \
>     		cli-history \
>     		host.key host.cert ssh-keydir \
>     		*.log confderr.log.* \
>     		etc *.access \
>     		running.invalid _tmp*
    rm -rf *log *trace cli-history 2> /dev/null || true
    $CONFD_DIR/bin/confdc --fail-on-warnings  -c -o system.fxs  system.yang
    mkdir -p ./confd-cdb 2>/dev/null || true
    cp ./aaa_init.xml system.xml ./confd-cdb
    ln -s $CONFD_DIR/etc/confd/ssh ssh-keydir
    Build complete
    ### Killing any confd daemon
    $CONFD_DIR/bin/confd --stop    || true
    $CONFD_DIR/bin/confd -c ./confd.conf  --addloadpath $CONFD_DIR/etc/confd
    aaa_eth0 % grep lock -5 confd-cdb/aaa_init.xml 
>             <context xmlns="">netconf</context>
>             <access-operations>exec</access-operations>
>             <action>permit</action>
>           </rule>
>           <rule>
>             <name>lock</name>
>             <rpc-name>lock</rpc-name>
>             <context xmlns="">netconf</context>
>             <access-operations>exec</access-operations>
>             <action>deny</action>
>           </rule>
>           <rule>
    aaa_eth0 % cat cmd-lock.xml
>     <?xml version="1.0" encoding="UTF-8"?>
>     <hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
>       <capabilities>
>         <capability>urn:ietf:params:netconf:base:1.0</capability>
>       </capabilities>
>     </hello>
>     ]]>]]>
>     <?xml version="1.0" encoding="UTF-8"?>
>     <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"  message-id="1">
>       <lock>
>         <target>
>           <running/>
>         </target>
>       </lock>
>     </rpc>
>     ]]>]]>
>     <?xml version="1.0" encoding="UTF-8"?>
>     <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"  message-id="2">
>       <unlock>
>         <target>
>           <running/>
>         </target>
>       </unlock>
>     </rpc>
>     ]]>]]>
>     <?xml version="1.0" encoding="UTF-8"?>
>     <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
>       <close-session/>
>     </rpc>
>     ]]>]]>
    aaa_eth0 % netconf-console -u oper -p oper cmd-lock.xml
>     <?xml version="1.0" encoding="UTF-8"?>
>     <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
>       <rpc-error>
>         <error-type>protocol</error-type>
>         <error-tag>access-denied</error-tag>
>         <error-severity>error</error-severity>
>       </rpc-error>
>     </rpc-reply>
    aaa_eth0 %

Thanks, Waitai, I will try it again.