libnetconf
0.10.0-146_trunk
NETCONF Library
NACM is a transparent subsystem of libnetconf. It is activated with the NC_INIT_NACM flag passed to the nc_init() function; no other action is required to use NACM in libnetconf. All NACM rules and settings are controlled via standard NETCONF operations, since the NACM subsystem provides an implicit datastore that is reachable through the ncds_apply_rpc2all() function.
libnetconf supports the use of system groups (/etc/group) in the access control rule-lists. To disable this feature, the <enable-external-groups> value must be set to false:
A recovery session is used to set up the initial access rules or to repair a broken access control configuration. If a session is recognized as a recovery session, the NACM subsystem is bypassed completely.
By default, libnetconf treats all sessions of the user with system UID 0 as recovery sessions. To use the UID of any other user instead, pass the --with-nacm-recovery-uid option to configure.
Following RFC 6536, libnetconf's NACM subsystem initially allows reading (read-default permit), denies writing (write-default deny) and allows operation execution (exec-default permit).
To change these initial settings, the user has to access the NACM datastore via a recovery session (since any write operation is denied by default) and set the required access control rules.
For example, to change the default write rule from deny to permit, use the edit-config operation to create (merge) the following configuration data:
To grant all access rights to a specific user group, use the edit-config operation to create (merge) the following rule:
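As an added example (not taken from the libnetconf documentation or sources), the following edit-config request merges the three settings described above into the NACM datastore in one step: it disables /etc/group lookups, changes write-default to permit, and grants a NACM-internal group full access. The group name admins, the user alice and the message-id are constructed placeholders; sent over a recovery session, the request is not subject to NACM itself.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: one edit-config applying the three NACM changes
     described above. Group/user names and the message-id are placeholders. -->
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <default-operation>merge</default-operation>
    <config>
      <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
        <!-- Stop mapping session users to their /etc/group membership. -->
        <enable-external-groups>false</enable-external-groups>

        <!-- Decision for write requests that match no rule. "permit" lets
             every authenticated user write; the rule-list below is the
             narrower way to hand out write access to one group only. -->
        <write-default>permit</write-default>

        <!-- A NACM-internal group; required once external groups are off,
             because no other group source remains. -->
        <groups>
          <group>
            <name>admins</name>
            <user-name>alice</user-name>
          </group>
        </groups>

        <!-- Grant members of "admins" every access operation on every
             module (the admin-acl pattern from RFC 6536, Appendix A). -->
        <rule-list>
          <name>admin-acl</name>
          <group>admins</group>
          <rule>
            <name>permit-all</name>
            <module-name>*</module-name>
            <access-operations>*</access-operations>
            <action>permit</action>
          </rule>
        </rule-list>
      </nacm>
    </config>
  </edit-config>
</rpc>
```

Leaving write-default at deny and relying on the rule-list alone keeps write access limited to the listed group, which is the usual choice once the initial rules are in place.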
More examples can be found in Appendix A of RFC 6536.