The usage of wildcard for “group” is specified in ietf-netconf-acm.yang (NACM RFC 6536) as follows:
    leaf-list group {
      type union {
        type matchall-string-type;
        type group-name-type;
      }
      description
        "List of administrative groups that will be
         assigned the associated access rights
         defined by the 'rule' list.
         The string '*' indicates that all groups apply to the
         entry.";
    }
The data type for “path” is also defined in the same YANG module in which node-instance-identifier is a typedef for yang:xpath1.0 as specified in the YANG RFC 6020.
    leaf path {
      type node-instance-identifier;
      mandatory true;
      description
        "Data Node Instance Identifier associated with the
         data node controlled by this rule.
         Configuration data or state data instance
         identifiers start with a top-level data node. A
         complete instance identifier is required for this
         type of path value.
         The special value '/' refers to all possible
         datastore contents.";
    }
Right, but I guess it’s worth mentioning that it’s not an “identity” typedef - in particular, the description (description text is “normative” in a YANG module) has:
    o  The set of variable bindings contains one variable,
       'USER', which contains the name of the user of the current
       session.
And of course there is discussion about this in “14.6 Authorization” in the User Guide, but it doesn’t repeat all the text in the RFC… (which is referenced in “14.2. Structure - data models”).
According to the leaf-list group definition, the meaning of '*' applies to all groups only; I guess the behavior of confd has an extension to apply the rule-list for group '*' to all users of all groups plus users outside of any group.
'$USER' could be an environment variable in the confd context; I would like to know if there are other environment variables in the confd context.
It wouldn’t make sense if “*” assigned to leaf-list group doesn’t include users without an assigned group as that would imply that no rules will apply to such users. Rules as defined in NACM are role or group based and not user based. You can define a default group for users without any assigned groups with the /confdConfig/aaa/defaultGroup setting in confd.conf.
It looks like you must have not seen Per’s response before this question. $USER isn’t an environment variable. It is defined in the ietf-netconf-acm module with its description listed by Per in his previous response.
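To make the two points of this thread concrete (the group wildcard '*' selecting a rule-list for every user, including one with no assigned group unless a default group is configured, and '$USER' being an XPath variable binding rather than an environment variable), here is a small Python model of rule-list selection. It is an added example written for this thread, not ConfD code and not text from RFC 6536; the rule-list names, the `/nacm/groups/group[user-name=$USER]` path and the `default_group` parameter (standing in for `/confdConfig/aaa/defaultGroup`) are constructed for illustration.

```python
"""Toy model of NACM rule-list selection as discussed in the thread.

Added example; it is not ConfD code. The semantics modelled are the ones
stated above: a rule-list whose 'group' leaf-list contains '*' applies to
every user, and a user with no group can be given one via a default group.
"""
from dataclasses import dataclass


@dataclass
class RuleList:
    name: str
    groups: list   # group names, or "*" meaning "all groups"
    rules: list    # tuples of (rule name, path, access operation, action)


@dataclass
class Session:
    user: str      # becomes the 'USER' XPath variable binding
    groups: list   # groups the AAA layer assigned to this user


def effective_groups(session, default_group=None):
    """Groups used for matching; models /confdConfig/aaa/defaultGroup
    (assumption: a user with no groups is placed in the default group)."""
    if session.groups:
        return list(session.groups)
    return [default_group] if default_group else []


def rule_list_matches(rule_list, session, default_group=None):
    """'*' matches every user; otherwise any shared group name matches."""
    if "*" in rule_list.groups:
        return True
    user_groups = set(effective_groups(session, default_group))
    return any(g in user_groups for g in rule_list.groups)


def bind_path(path, session):
    """Resolve the single variable binding the module defines, 'USER'.
    It is supplied by the NACM engine from the session, not read from the
    process environment."""
    return path.replace("$USER", f"'{session.user}'")


def applicable_rules(rule_lists, session, default_group=None):
    """Return (rule-list, rule, bound path, operation, action) for every rule
    whose enclosing rule-list applies to this session."""
    out = []
    for rl in rule_lists:
        if rule_list_matches(rl, session, default_group):
            for name, path, op, action in rl.rules:
                out.append((rl.name, name, bind_path(path, session), op, action))
    return out


# Constructed sample configuration (not from the thread or the RFC).
RULE_LISTS = [
    RuleList("admin", ["admin"],
             [("permit-all", "/", "*", "permit")]),
    RuleList("everyone", ["*"],
             [("own-group-entry",
               "/nacm/groups/group[user-name=$USER]", "read", "permit")]),
]

if __name__ == "__main__":
    for s in (Session("alice", ["admin"]), Session("bob", [])):
        print(s.user, "->", [r[0] for r in applicable_rules(RULE_LISTS, s)])
        print(s.user, "with default group 'admin' ->",
              [r[0] for r in applicable_rules(RULE_LISTS, s, "admin")])
```

Running it shows that `bob`, who has no group, still picks up the `everyone` rule-list through '*', gets the `admin` rule-list only once a default group is configured, and sees `$USER` in the path replaced by his session user name.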