How to restrict acm module level modifications from non-recovery (root) user?

[rakichinni]

We deployed netconf server having 2 users configured

1. recovery-user: root
2. operator

It is clear that, root user has permission to modify content in acm module. With the below acm config, operator user has permission to create, update, read and delete. Because of which modify operations to acm module content is also allowed which we want to disallow. Please let us know if there is any example to disallow edits to acm from operator user. (leaf: module-name)

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>permit</exec-default>
  <enable-external-groups>true</enable-external-groups>
  <!--denied-operations>0</denied-operations>
  <denied-data-writes>0</denied-data-writes>
  <denied-notifications>0</denied-notifications-->
  <groups>
    <group>
      <name>readwritegrp</name>
      <user-name>operator</user-name>
    </group>
  </groups>
  <rule-list>
    <name>readwrite</name>
    <group>readwritegrp</group>
    <rule>
      <name>rule1</name>
      <action>permit</action>
      <access-operations>create update read delete exec</access-operations>
      <comment>rule1 with create update read delete exec</comment>
    </rule>
  </rule-list>
</nacm>

[jktjkt]

The rule that you provided basically says "the operator group can do anything", while your question says "how do we prevent the operator group from doing something". Have you tried to add a rule which simply disallows write access to the ietf-netconf-acm module to your target group? The semantics of these rules is explained in RFC 8341; you have to read and understand these before you can produce useful configuration.

[michalvasko]

With the default configuration you have write-default deny so you actually do not have to modify any NACM rules for your use-case.

[rakichinni]

@michalvasko
Observation with write-default: deny and no rules or groups created for operator user,

• Edit operations to all ietf/3gpp standard modules including acm are failed.

There is an option to deny/permit operations to a specific module using a group and rule as mentioned in the example below:

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>permit</exec-default>
  <enable-external-groups>false</enable-external-groups>
  <groups>
    <group>
      <name>readwritegrp</name>
      <user-name>operator</user-name>
    </group>
  </groups>
  <rule-list>
    <name>readwrite</name>
    <group>readwritegrp</group>
    <rule>
      <name>rule1</name>
      <action>deny</action>
      <module-name>endOfStartup</module-name>
      <access-operations>create update read delete exec</access-operations>
      <comment>exec  </comment>
    </rule>
  </rule-list>
</nacm>

n2cli dump: expected behavior because in above rule is deny

ERROR
        type:     protocol
        tag:      access-denied
        severity: error
        path:     /endOfStartup:endOfStartup/endOfStartup
        message:  Access to the data model "endOfStartup" is denied because "operator" NACM authorization failed.

edit operation allowed if we change < action > tag value to permit. (same validated for ietf-netconf-acm module as well)

We have close to ~50 private modules (doesn't include acm/netconf-server etc). Do we need to add rules for each module or is there anyway to allow modifications to ~50 private modules and disallow modification to acm module?

[michalvasko]

edit operation allowed if we change tag value to permit. (same validated for ietf-netconf-acm module as well)

That is not right, you are saying that if you have write-default permit and no other NACM rules, you can write (with user other than the recovery root) into ietf-netconf-acm? It uses its extension default-deny-all which should overwrite the configured defaults and deny access to all users unless they have an explicit permit rule.

[rakichinni]

The tag "action" was enclosed in braces is not shown in the preview.
Corrected format now.

edit operation allowed if we change < action > tag value to permit. (same validated for ietf-netconf-acm module as well)

[jktjkt]

The interpretation of these rules is explained in section 3.4.5 of the standard; it involves a non-trivial set of interactions between several mechanisms, and I'm afraid that any one-paragraph summary will be incomplete. There's no support for a single rule to match multiple modules as far as I can tell. What you could do instead is to rely on the module-level annotations (ietf-netconf-nacm:default-deny-*) and the write-default leaf, and (in case you would like to prevent writes to some other modules without the default-deny-* annotation), also an explicit set of deny rules.