Trying to disable edit-config for a user with AAA, but it is not working

Hello, Team

I am verifying disabling some internal NETCONF RPCs for a specific user group with the example code in …/examples.confd/misc/aaa_eth0, and I find it doesn’t work as expected.

  1. In …/examples.confd/misc/aaa_eth0, change context from “netconf” to “*” as below:

  2. make clean; make all start

  3. then login with “confd_cli -u oper”

  4. change atm0/mtu to 1200 and then commit; it succeeds. Please see below:

    oper@localhost% set system interfaces interface atm0 mtu 1200
    [ok][2021-05-25 11:12:27]

    [edit]
    oper@localhost% comm
    Commit complete.
    [ok][2021-05-25 11:12:29]

Why doesn’t it fail the “edit-config” operation? Can somebody help with this? Thanks.


The above rule that you have modified only applies to NETCONF, as it is specific to NETCONF’s RPC command. Expanding the context to the wildcard won’t make it applicable to other northbound interfaces, including the CLI.

If you would like to disallow all modification requests to the system module via all northbound interfaces for the oper group, you can add the following rule to the oper rule-list:

    <rule>
      <name>system</name>
      <module-name>system</module-name>
      <path>/</path>
      <access-operations>create update delete</access-operations>
      <action>deny</action>
    </rule>
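To see why the wildcard context makes no difference for a CLI commit, here is a simplified model of NACM rule matching, added as an example for this thread; it is not ConfD’s implementation or code from the example directory, and the Rule/Request classes, the request attributes and the first-match-wins default are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Rule:                            # one <rule> entry of a NACM rule-list
    name: str
    action: str                        # "permit" or "deny"
    access_operations: Set[str]        # e.g. {"exec"} or {"create", "update", "delete"}; {"*"} = any
    module_name: str = "*"
    rpc_name: Optional[str] = None     # set => protocol-operation rule, matches RPCs only
    path: Optional[str] = None         # set => data-node rule, matches data accesses only
    context: str = "*"                 # Tail-f extension: "netconf", "cli", ... or "*"

@dataclass
class Request:                         # one access request seen by the AAA engine (assumed shape)
    context: str                       # northbound interface it arrived on ("cli", "netconf", ...)
    operation: str                     # "create", "read", "update", "delete" or "exec"
    module: str = "*"
    rpc: Optional[str] = None          # RPC name when the request is a protocol operation
    path: Optional[str] = None         # data path when the request touches a data node

def matches(rule: Rule, req: Request) -> bool:
    # Per-rule checks in the spirit of RFC 8341 section 3.4.5, plus the Tail-f context leaf.
    if rule.context not in ("*", req.context):
        return False
    if rule.module_name not in ("*", req.module):
        return False
    if "*" not in rule.access_operations and req.operation not in rule.access_operations:
        return False
    if rule.rpc_name is not None:      # a CLI commit is not an RPC, so an rpc-name rule never sees it
        return req.rpc is not None and rule.rpc_name in ("*", req.rpc)
    if rule.path is not None:          # a path rule covers the node and everything beneath it
        return req.path is not None and (rule.path == "/" or req.path.startswith(rule.path))
    return True

def decide(rules, req: Request, default: str = "permit") -> str:
    # First matching rule wins; `default` stands in for NACM's global read/write/exec-default.
    for rule in rules:
        if matches(rule, req):
            return rule.action
    return default

# The rules discussed in the thread, and constructed sample requests to run them against.
EDIT_CONFIG_WILDCARD = Rule("edit-config", "deny", {"exec"}, rpc_name="edit-config", context="*")
SYSTEM_WRITE_DENY = Rule("system", "deny", {"create", "update", "delete"}, module_name="system", path="/")
LOCK_DENY = Rule("lock", "deny", {"exec"}, rpc_name="lock", context="netconf")
CLI_COMMIT = Request("cli", "update", module="system", path="/system/interfaces/interface")
NETCONF_EDIT = Request("netconf", "exec", module="ietf-netconf", rpc="edit-config")
NETCONF_LOCK = Request("netconf", "exec", module="ietf-netconf", rpc="lock")
```

Running `decide([EDIT_CONFIG_WILDCARD], CLI_COMMIT)` yields "permit" while adding SYSTEM_WRITE_DENY to the list yields "deny", which is the behaviour the answer describes.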

Thanks Waitai for the suggested solution. I didn’t make myself clear.

Now I am trying to disable some intrinsic RPC operations like “partial-lock/unlock” for all users and to disable “lock/unlock” for some of them in our real project. When I put the following rules in aaa_init.xml, I found that
they don’t block the NETCONF lock/partial-lock XML requests. So I turned to the example, took “edit-config” as an example, and found the same result.

  1. Now I add the rules to block RPC “lock” and “delete-config”

  2. Then I send the request XML over SSH and issue the request twice. The first time it is accepted and the second time it is rejected.

  3. The XML content:

It didn’t work. Did I do something wrong?

Here’s a working session:

    aaa_eth0 % make clean all start
    rm -rf \
            *.o *.a *.xso *.fxs *.xsd *.ccl \
            *_proto.h \
            ./confd-cdb *.db aaa_cdb.* \
            rollback*/rollback{0..999} rollback{0..999} \
            cli-history \
            host.key host.cert ssh-keydir \
            *.log confderr.log.* \
            etc *.access \
            running.invalid global.data _tmp* local.data
    rm -rf *log *trace cli-history 2> /dev/null || true
    $CONFD_DIR/bin/confdc --fail-on-warnings  -c -o system.fxs  system.yang
    mkdir -p ./confd-cdb 2>/dev/null || true
    cp ./aaa_init.xml system.xml ./confd-cdb
    ln -s $CONFD_DIR/etc/confd/ssh ssh-keydir
    Build complete
    ### Killing any confd daemon
    $CONFD_DIR/bin/confd --stop    || true
    $CONFD_DIR/bin/confd -c ./confd.conf  --addloadpath $CONFD_DIR/etc/confd
    aaa_eth0 % grep lock -5 confd-cdb/aaa_init.xml
                <context xmlns="http://tail-f.com/yang/acm">netconf</context>
                <access-operations>exec</access-operations>
                <action>permit</action>
              </rule>
              <rule>
                <name>lock</name>
                <rpc-name>lock</rpc-name>
                <context xmlns="http://tail-f.com/yang/acm">netconf</context>
                <access-operations>exec</access-operations>
                <action>deny</action>
              </rule>
              <rule>
    aaa_eth0 % cat cmd-lock.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <capabilities>
        <capability>urn:ietf:params:netconf:base:1.0</capability>
      </capabilities>
    </hello>
    ]]>]]>
    <?xml version="1.0" encoding="UTF-8"?>
    <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"  message-id="1">
      <lock>
        <target>
          <running/>
        </target>
      </lock>
    </rpc>
    ]]>]]>
    <?xml version="1.0" encoding="UTF-8"?>
    <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"  message-id="2">
      <unlock>
        <target>
          <running/>
        </target>
      </unlock>
    </rpc>
    ]]>]]>
    <?xml version="1.0" encoding="UTF-8"?>
    <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
      <close-session/>
    </rpc>
    ]]>]]>
    aaa_eth0 % netconf-console -u oper -p oper cmd-lock.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
      <rpc-error>
        <error-type>protocol</error-type>
        <error-tag>access-denied</error-tag>
        <error-severity>error</error-severity>
      </rpc-error>
    </rpc-reply>
    aaa_eth0 %

Thanks, Waitai, I will try it again.