libnetconf  0.10.0-146_trunk
NETCONF Library
NETCONF Access Control Module (NACM)

NACM is a transparent subsystem of libnetconf. It is activated by passing the NC_INIT_NACM flag to the nc_init() function; no other action is required to use NACM in libnetconf. All NACM rules and settings are controlled via standard NETCONF operations, since the NACM subsystem provides an implicit datastore that is accessible with the ncds_apply_rpc2all() function.

libnetconf supports the use of system groups (/etc/group) in access control rule-lists. To disable this feature, the <enable-external-groups> value must be set to false:

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
<enable-external-groups>false</enable-external-groups>
</nacm>

Recovery Session

A recovery session serves for setting up the initial access rules or for repairing a broken access control configuration. If a session is recognized as a recovery session, the NACM subsystem is completely bypassed.

By default, libnetconf treats all sessions of the user whose system UID is equal to zero as recovery sessions. To change this default to the UID of any other user, use configure's --with-nacm-recovery-uid option.

Initial operation

According to RFC 6536, libnetconf's NACM subsystem is initially set to allow reading (read-default is permit), refuse writing (write-default is deny) and allow operation execution (exec-default is permit).

Note
Some operations or data have specific access control settings defined in their data models. Those settings override the defaults described above.

To change these initial settings, the user has to access the NACM datastore via a recovery session (since any write operation is denied by default) and set the required access control rules.

For example, to change the default write rule from deny to permit, use the edit-config operation to create (merge) the following configuration data:

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
<write-default>permit</write-default>
</nacm>

To grant all access rights to a specific user group, use the edit-config operation to create (merge) the following rule-list:

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
<rule-list>
<name>admin-acl</name>
<group>admin</group>
<rule>
<name>permit-all</name>
<module-name>*</module-name>
<access-operations>*</access-operations>
<action>permit</action>
</rule>
</rule-list>
</nacm>
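To check what a rule-list such as the one above actually decides before committing it through a recovery session, here is an added Python example (not libnetconf's own code): a simplified RFC 6536 evaluator that covers only the elements used on this page (the global defaults, rule-list groups with /etc/group membership governed by <enable-external-groups>, and the module-name and access-operations wildcards). The /etc/group lines, user names and module names are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
# RFC 6536 defaults, which libnetconf uses until the datastore overrides them.
DEFAULTS = {"read-default": "permit", "write-default": "deny", "exec-default": "permit"}

# Constructed sample: the admin-acl rule-list shown on this page.
NACM_XML = f"""<nacm xmlns="{NS}">
  <rule-list>
    <name>admin-acl</name>
    <group>admin</group>
    <rule>
      <name>permit-all</name>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>"""
# Constructed /etc/group lines, consulted only while external groups are enabled.
ETC_GROUP = ["root:x:0:", "admin:x:1000:alice", "users:x:100:alice,bob"]

def q(tag):
    """Qualify a tag name with the ietf-netconf-acm namespace."""
    return f"{{{NS}}}{tag}"

def system_groups(user, etc_group=ETC_GROUP):
    """Names of /etc/group entries whose member list contains the user."""
    return {ln.split(":")[0] for ln in etc_group if user in ln.split(":")[3].split(",")}

def nacm_decision(nacm_xml, user, nacm_groups, module, operation):
    """Simplified RFC 6536 decision ('permit'/'deny') for one operation
    (read, create, update, delete or exec) on one module by one user."""
    root = ET.fromstring(nacm_xml)
    groups = set(nacm_groups)
    if root.findtext(q("enable-external-groups"), "true") == "true":
        groups |= system_groups(user)
    for rl in root.findall(q("rule-list")):
        rl_groups = {g.text for g in rl.findall(q("group"))}
        if "*" not in rl_groups and not rl_groups & groups:
            continue  # rule-list does not apply to this user's groups
        for rule in rl.findall(q("rule")):
            mod = rule.findtext(q("module-name"), "*")
            ops = rule.findtext(q("access-operations"), "*").split()
            if mod in ("*", module) and ("*" in ops or operation in ops):
                return rule.findtext(q("action"))  # first matching rule wins
    # No rule matched: fall back to the global default for this operation class.
    key = {"read": "read-default", "exec": "exec-default"}.get(operation, "write-default")
    return root.findtext(q(key), DEFAULTS[key])
```

With external groups enabled, alice (in the admin group via /etc/group) may write while bob only keeps the default read and exec permissions; setting <enable-external-groups> to false leaves alice with only the groups configured in NACM itself.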

More examples can be found in Appendix A of RFC 6536.