I am verifying disabling some internal Netconf RPCs for a specific user group with the example code in …/examples.confd/misc/aaa_eth0, and find that it doesn’t work as expected.
In …/examples.confd/misc/aaa_eth0, change the context from “netconf” to “*” as below:
Change atm0/mtu=1200 and then commit; it succeeds. Please see below:
oper@localhost% set system interfaces interface atm0 mtu 1200
[ok][2021-05-25 11:12:27]
[edit]
oper@localhost% comm
Commit complete.
[ok][2021-05-25 11:12:29]
Why doesn’t it fail the “edit-config” operation? Can somebody help with this? Thanks.
The above rule that you have modified only applies to NETCONF, as it is specific to NETCONF’s RPC command. Expanding the context to a wildcard won’t make it applicable to other northbound interfaces, including the CLI.
If you would like to disallow all modification requests to the system module via all northbound interfaces for the oper group, you can add the following rule to the oper rule-list:
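As an added illustration of the distinction made above (this is not the rule from Waitai’s post, which is not reproduced on this page, nor code from the ConfD example), here is a NACM rule-list for the oper group with the two kinds of rule side by side: an rpc-name rule, which only matches the NETCONF `edit-config` protocol operation, and a data-node rule on `/system`, which is enforced for every northbound interface (NETCONF, CLI, REST, MAAPI). The module name `system`, the group name `oper`, and the rule names are assumptions taken from this thread; the `context` leaf is the tailf-acm extension and its namespace is assumed from that module.

```xml
<!-- Added example: oper rule-list for a ConfD aaa_init.xml (not the page's own rule).
     Assumes the data model in examples.confd/misc/aaa_eth0 is the module "system"
     and that the oper group already exists under /nacm/groups. -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <!-- Defaults only matter when no rule matches; deny rules below must be
       listed before any broader permit rule, because the first match wins. -->
  <read-default>permit</read-default>
  <write-default>permit</write-default>
  <exec-default>permit</exec-default>

  <rule-list>
    <name>oper</name>
    <group>oper</group>

    <!-- Rule 1: protocol-operation rule.  It matches the NETCONF <edit-config>
         RPC only.  Changing <context> from "netconf" to "*" does not widen it
         to the CLI, because the CLI never issues an edit-config RPC. -->
    <rule>
      <name>deny-edit-config-rpc</name>
      <module-name>ietf-netconf</module-name>
      <rpc-name>edit-config</rpc-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <!-- tailf-acm extension (namespace assumed): "*" is also the default -->
      <context xmlns="http://tail-f.com/yang/acm">*</context>
      <comment>Blocks the NETCONF edit-config operation for oper, nothing else</comment>
    </rule>

    <!-- Rule 2: data-node rule.  Any create/update/delete under /system is
         denied regardless of which northbound interface carries the request,
         so "set system interfaces interface atm0 mtu 1200" fails at commit
         in the CLI as well as via NETCONF. -->
    <rule>
      <name>deny-system-write</name>
      <module-name>system</module-name>
      <path>/system</path>
      <access-operations>create update delete</access-operations>
      <action>deny</action>
      <comment>Read stays permitted; only modifications of the system tree are denied</comment>
    </rule>
  </rule-list>
</nacm>
```

Two checks worth doing after loading such a file: confirm the user really is a member of the `oper` group (a rule-list only applies to the groups it names), and confirm no earlier rule-list or rule for that group permits the same path, since NACM stops at the first matching rule.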
Thanks Waitai for the suggested solution. I didn’t make myself clear.
Now I am trying to disable some intrinsic RPC operations like “partial-lock/unlock” for all users and disable “lock/unlock” for some of them in our real project. When I put the following rules in aaa_init.xml, I found that
they don’t block the Netconf lock/partial-lock XML request. So I turned to the example, took “edit-config” as an example, and found the same result.
Now I add the rules to block the “lock” and “delete-config” RPCs: