
How to deny one of netconf protocol operations to an user by using NACM? #671

@444magic

Hi,

I tried to configure the nacm module so that a user cannot use a protocol operation.

So, referring to RFC 8341, I instantiated the data nodes of the nacm module as below:

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <groups>
    <group>
      <name>guest</name>
      <user-name>test</user-name>
    </group>
  </groups>

  <rule-list>
    <name>guest_limited_copy_config</name>
    <group>guest</group>
    <rule>
      <name>deny_copy_conig</name>
      <module-name>ietf-netconf</module-name>
      <rpc-name>copy-config</rpc-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
        Don't allow the 'guest' group to execute "copy-config".
      </comment>
    </rule>
  </rule-list>
</nacm>

It does not work properly; the "test" client can still use the operation.

But the "test" client cannot use the operation when I configure it as below:

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <groups>
    <group>
      <name>guest</name>
      <user-name>test</user-name>
    </group>
  </groups>

  <rule-list>
    <name>guest_limited_copy_config</name>
    <group>guest</group>
    <rule>
      <name>deny_copy_conig</name>
      <module-name>ietf-netconf</module-name>
      <rpc-name>*</rpc-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
        Don't allow the 'guest' group to execute "copy-config".
      </comment>
    </rule>
  </rule-list>
</nacm>

I only changed "copy-config" into "*", which does not allow the user to use any protocol operation at all.

Did I configure it wrong, or is this a netopeer2 issue?

Please help me.
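For comparison, here is the evaluation order that RFC 8341 section 3.4.5 prescribes for protocol-operation rules, written out as a small Python model. This is an added example, not netopeer2's or sysrepo's NACM code; the two configuration strings are copies of the ones in the post, and the user and RPC names passed to it are the post's own. Run against the first configuration, the RFC algorithm yields `deny` for `copy-config` and `permit` for any other RPC, which is a concrete reference point when reporting what a server actually does with the same rule.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"


def q(tag):
    """Qualify a tag with the ietf-netconf-acm namespace."""
    return f"{{{NS}}}{tag}"


def text(el, tag, default=None):
    """Text of a direct child leaf, or default when the leaf is absent."""
    child = el.find(q(tag))
    return child.text.strip() if child is not None and child.text else default


def user_groups(nacm, user):
    """Groups that list the user in /nacm/groups/group/user-name (RFC 8341 3.4.5 step 3)."""
    groups = set()
    for g in nacm.iterfind(f"{q('groups')}/{q('group')}"):
        members = [u.text.strip() for u in g.iterfind(q("user-name")) if u.text]
        if user in members:
            groups.add(text(g, "name"))
    return groups


def rule_matches_rpc(rule, module, rpc):
    """Does one <rule> apply to an exec of <rpc> defined in <module>? (3.4.5 step 7)"""
    mod = text(rule, "module-name", "*")
    if mod != "*" and mod != module:
        return False
    rpc_name = text(rule, "rpc-name")
    if rpc_name is None:
        # No rpc-name: a rule carrying another rule-type (path, notification-name)
        # is not a protocol-operation rule; a rule with no rule-type at all matches any RPC.
        if rule.find(q("path")) is not None or rule.find(q("notification-name")) is not None:
            return False
    elif rpc_name != "*" and rpc_name != rpc:
        return False
    ops = text(rule, "access-operations", "*").split()
    return "*" in ops or "exec" in ops


def authorize_rpc(nacm_xml, user, module, rpc):
    """Return 'permit' or 'deny' for user executing module:rpc under the given <nacm> subtree."""
    nacm = ET.fromstring(nacm_xml)
    if text(nacm, "enable-nacm", "true") == "false":
        return "permit"
    if rpc == "close-session":          # always permitted by the RFC
        return "permit"
    groups = user_groups(nacm, user)
    for rl in nacm.iterfind(q("rule-list")):
        rl_groups = {g.text.strip() for g in rl.iterfind(q("group")) if g.text}
        if "*" not in rl_groups and not (groups & rl_groups):
            continue                      # rule-list is not for any of the user's groups
        for rule in rl.iterfind(q("rule")):
            if rule_matches_rpc(rule, module, rpc):
                return text(rule, "action")   # first matching rule wins
    return text(nacm, "exec-default", "permit")  # no rule matched: fall back to exec-default


def make_config(rpc_name):
    """Build the post's <nacm> subtree with the given <rpc-name> value (constructed copy of the post's XML)."""
    return f"""<nacm xmlns="{NS}">
  <groups><group><name>guest</name><user-name>test</user-name></group></groups>
  <rule-list>
    <name>guest_limited_copy_config</name>
    <group>guest</group>
    <rule>
      <name>deny_copy_conig</name>
      <module-name>ietf-netconf</module-name>
      <rpc-name>{rpc_name}</rpc-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>"""


CFG_SPECIFIC = make_config("copy-config")   # the post's first configuration
CFG_WILDCARD = make_config("*")             # the post's second configuration

if __name__ == "__main__":
    for cfg_name, cfg in (("copy-config rule", CFG_SPECIFIC), ("* rule", CFG_WILDCARD)):
        for rpc in ("copy-config", "get-config", "close-session"):
            print(cfg_name, "test", rpc, "->", authorize_rpc(cfg, "test", "ietf-netconf", rpc))
```

The model checks the same things a server must check, in the RFC's order: is NACM enabled, is the RPC `close-session`, which rule-lists apply to the user's groups, and which rule in them is the first to match on module name, RPC name and the `exec` access operation. With the specific rule, only `copy-config` is denied for `test` (and nothing is denied for a user outside the `guest` group); with the wildcard rule, every RPC in `ietf-netconf` except `close-session` is denied, which matches the second observation in the post.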
