One document matched: draft-bierman-netconf-access-control-00.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc4741 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4741.xml'>
<!ENTITY rfc4742 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4742.xml'>
<!ENTITY rfc5277 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5277.xml'>
<!ENTITY xmlspec PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml2/reference.W3C.REC-xml.xml'>
<!ENTITY yangspec PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-netmod-yang.xml'>
<!ENTITY yangtypes PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-netmod-yang-types.xml'>
]>
<rfc category="std"
docName="draft-bierman-netconf-access-control-00"
ipr="trust200811">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="yes"?>
<?rfc comments="no" ?>
<?rfc inline="no" ?>
<?rfc editing="no" ?>
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="4"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="no" ?>
<?rfc compact="no"?>
<?rfc iprnotified="no"?>
<front>
<title abbrev="NACM">
Network Configuration Protocol Access Control Model
</title>
<author fullname="Andy Bierman"
initials="A.B."
surname="Bierman">
<organization>InterWorking Labs</organization>
<address>
<postal>
<street>303 Potrero Street, Suite 52</street>
<city>Santa Cruz</city>
<region>CA</region>
<code>95060-2760</code>
<country>USA</country>
</postal>
<phone>+1 831 460 7010</phone>
<email>andyb@iwl.com</email>
</address>
</author>
<date />
<area>Management</area>
<workgroup>Internet Engineering Task Force</workgroup>
<keyword>NETCONF</keyword>
<keyword>YANG</keyword>
<keyword>XML</keyword>
<abstract>
<t>
The standardization of network configuration interfaces for use
with the NETCONF protocol requires a structured and secure
operating environment, which promotes human usability and
multi-vendor interoperability. There is a need for standard
mechanisms to restrict NETCONF protocol access for particular
users to a pre-configured subset of all available NETCONF
operations and content. This document discusses requirements
for a suitable access control model, and provides one solution
which meets these requirements.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
The NETCONF protocol does not provide any standard mechanisms to
restrict the operations and content that each user is authorized
to use. Any user that is able to start a NETCONF session is
allowed to access every protocol operation, all database content, and
all notification content.
</t>
<t>
There is a need for the inter-operable management of the
controlled access to operator selected portions of the
available NETCONF content within a particular server.
</t>
<t>
This document addresses NETCONF protocol access control
mechanisms for the RPC, Operations, and Content layers, as defined
in <xref target="RFC4741"/>, and <xref target="RFC5277"/>.
It contains three main sections:
<list style="numbers">
<t>Access Control Requirements</t>
<t>NETCONF Access Control Model (NACM)</t>
<t>YANG Data Model (nacm.yang)</t>
</list>
</t>
<section title="Terminology">
<section title="Requirements Notation">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in <xref target="RFC2119"/>.
</t>
</section>
<section title="NETCONF Terms">
<t>
The following terms are defined in RFC 4741 and
are not redefined here:
<list style="symbols">
<t>client</t>
<t>operation</t>
<t>RPC operation</t>
<t>server</t>
<t>session</t>
<t>user</t>
</list>
</t>
</section>
<section title="NACM Terms">
<t>
The following terms are used throughout this documentation:
<list style="hanging">
<t hangText="access control:">
A security feature provided by the NETCONF server,
which allows an operator to restrict access to a
subset of all NETCONF protocol operations and data,
based on various criteria.
</t>
<t hangText="access control model (ACM):">
A conceptual model used to configure and monitor
the access control procedures desired by the operator
to enforce a particular access control policy.
</t>
<t hangText="access control rule:">
The conceptual criteria used to determine if a
particular NETCONF protocol operation should be
permitted or denied.
</t>
<t hangText="superuser:">
The special administrative user account which is given
unlimited NETCONF access, and is exempt from all access
control enforcement.
</t>
</list>
</t>
</section>
</section>
</section>
<section title="Access Control Requirements">
<section title="Protocol Control Points">
<t>
The NETCONF protocol allows new operations to be
added at any time, and the YANG data modeling language
supports this feature. It is not possible to
design an ACM for NETCONF which
only focuses on a static set of operations,
like some other protocols. Since few assumptions
can be made about an arbitrary protocol operation,
the NETCONF architectural server components must
be protected at several conceptual control points.
</t>
<t>
<figure anchor="control_points">
<artwork><![CDATA[
+-------------+ +-------------+
client | RPC | | prune | client
request --> | operation | | restricted | ---> reply
| allowed? | | <rpc-reply> |
+-------------+ | nodes? |
| +-------------+
| if any database or
| state data is accessed
| by the operation
V
+-------------+ +----------------+
| data node | | prune |
| access | | restricted |
| allowed? | | <notification> | ---> client
+-------------+ | event or data? | session
+----------------+
]]>
</artwork>
</figure>
</t>
<t>
The following access control points are defined:
<list style="hanging">
<t hangText="RPC operation:">
Configurable permission to invoke specific RPC operations
is required. Wildcard or multiple target mechanisms
to reduce configuration and effort are also required.
</t>
<t hangText="NETCONF database:">
Configurable permission to read and/or alter
specific data nodes within any conceptual database
is required. Wildcard or multiple target mechanisms
to reduce configuration and effort are also required.
</t>
<t hangText="RPC Reply Content:">
Configurable permission to read
specific data nodes within any conceptual RPC output
section is required. Unauthorized data is
silently omitted from the reply, instead of
dropping the reply or sending an 'access-denied' error.
</t>
<t hangText="Notification Content:">
Configurable permission to receive
specific notification event types
is required.
</t>
</list>
</t>
</section>
<section title="Simplicity">
<t>
Experience has shown that a complicated ACM will not
be widely deployed, because it is too hard to use.
The key factor that is ignored in such solutions
is the concept of 'localized cost'. It should
be easy to do simple things, and hard to do
complex things, instead of hard to do everything.
</t>
<t>
Configuration of the access control system must be simple to use.
Simple and common tasks should be easy to configure,
and require little expertise or domain-specific knowledge.
Complex tasks should be possible using additional mechanisms
which may require additional expertise.
</t>
<t>
A single set of access control rules should be able
to control all types of NETCONF RPC operation invocation,
all conceptual database access, and all NETCONF session output.
</t>
<t>
Protocol access should be defined with a small and familiar
set of permissions such as 'read', 'write', and 'execute'.
</t>
<t>
Default access control policy needs to be as secure as possible.
</t>
<t>
Access control does not need to be applied to NETCONF <hello>
messages.
</t>
</section>
<section title="Procedural Interface">
<t>
The NETCONF protocol uses a procedural interface model,
and an extensible set of protocol operations, including
vendor-specific 'actions'.
Access control for any possible protocol operation is required.
</t>
<t>
It must be possible to configure the ACM to permit or
deny access to specific NETCONF operations.
</t>
<t>
YANG modules should be designed so that different access
levels for input parameters to RPC operations is not required.
However, since this cannot always be avoided, then it should
be possible to control access to specific input parameters.
If a restricted parameter is used, then the request
is rejected with an 'access-denied' error.
</t>
</section>
<section title="Database Access">
<t>
It must be possible control access to specific nodes
and sub-trees within the conceptual NETCONF database.
</t>
<t>
In order for a user to obtain access to a particular
database node, the user must be authorized to have
the same requested access to the specified node,
and all of its ancestors.
</t>
<t>
The same access control rules apply to all conceptual
databases. For example, the candidate configuration
or the running configuration.
</t>
<t>
Only the standard NETCONF databases (candidate, running,
and startup) are controlled y the ACM. Local or remote
files or databases accessed via the <url>
parameter are optional to support.
</t>
<t>
The non-volatile startup configuration needs to be loaded
into the running configuration without applying any
access control rules. This operation is conceptually
performed by the superuser account.
</t>
<t>
Only the superuser should be able to alter
the factory-default access control rules.
</t>
<t>
Read operations for restricted configuration data,
either directly or via wildcard access, are silently
omitted from the <rpc-reply>.
</t>
<t>
Create, merge, replace, and delete operations
on a database node for which the user does
not have 'write' access permission is
rejected with an 'access-denied' error.
The specific restricted database nodes must not
be exposed in any <rpc-error> elements
within the reply.
</t>
</section>
<section title="Users and Groups">
<t>
The server must obtain a user name from the
underlying NETCONF transport, such as an SSH
user name.
</t>
<t>
It must be possible to specify access control rules
for a single user or a configurable group of users.
</t>
<t>
A configurable superuser account is needed which bypasses all access
control rules. This is needed in case the access control
rules are mis-configured, and all access is denied.
</t>
<t>
The ACM must support the concept of administrative groups,
to support the well-established distinction between
a root account and other types of less-privileged
conceptual user accounts.
These groups must be configurable by the operator.
</t>
</section>
<section title="Maintenance">
<t>
It should be possible to disable part or all of the
access control model without deleting any configuration.
By default, only the 'superuser' should be able to perform
this task.
</t>
<t>
It should be possible to configure a 'superuser' account
so that all access control is disabled for just this
user. This allows the access control rules to always
be modified without completely disabling access control
for all users.
</t>
</section>
<section title="Configuration Capabilities">
<t>
Suitable control and monitoring mechanisms
are needed to allow an operator to easily manage all
aspects of the ACM behavior. A standard XML data model,
suitable for use with the <edit-config> operation
must be available for this purpose.
</t>
<t>
All standard access control parameters must persist
in non-volatile storage, and be used upon the next reboot.
</t>
<t>
Access control rules to restrict operations on specific
sub-trees within the configuration database must
be supported. Existing mechanisms
should be used to identify the sub-tree(s) for this purpose.
</t>
</section>
<section title="Identifying Security Holes">
<t>
One of the most important aspects of the data model
documentation, and biggest concerns during deployment,
is the identification of security-sensitive content.
This applies to commands in NETCONF, not just data
and notifications.
</t>
<t>
It is customary for security-sensitive objects
to be documented in the Security Considerations
section of an RFC. This is nice, but it
is not good enough, for the following reasons:
<list style="symbols">
<t>
This documentation-only forces operators to
study the RFC and determine if there are any
potential security holes introduced by a new
YANG module.
</t>
<t>
If any security holes are identified, then
the operator must study some more RFC text,
and determine out how to close the security hole(s).
</t>
<t>
The ACM on each server must be configured to
close the security holes, e.g., require
privileged access to read or write the
specific data identified in the Security
Considerations section.
</t>
<t>
If the ACM is not pre-configured, then there
will be a time window of vulnerability,
after the new module is loaded, and before
the new access control rules for that module
are configured, enabled, and debugged.
</t>
</list>
</t>
<t>
Often, the operator just wants to disable
default access to the secure content, so
no inadvertent or malicious changes can be made
to the server. This allows the default rules
to be more lenient, without significantly
increasing the security risk.
</t>
<t>
A data model designer should be able to
use machine-readable statements to identity
NETCONF content which should be protected by default.
This will allow client and server tools to automatically
close data-model specific security holes by
requiring 'superuser' access unless an access
control rule is explicitly configured to allow
the requested operation.
</t>
</section>
<section title="NETCONF Specific Requirements">
<t>
The server must be able to identify the specific protocol
access request at the 4 access control points defined above.
</t>
<t>
The server must be able to identify any database access
request, even for proprietary operations.
</t>
<t>
A session must always be authorized to
invoke the <close-session> operation,
defined in <xref target="RFC4741"/>.
</t>
<t>
A session must always be authorized to
receive the <replayComplete> and
<notificationComplete> notification events,
defined in <xref target="RFC5277"/>
</t>
<t>
The set of module name strings used within
one particular server must be unique.
</t>
<t>
Within a single server, the module namespace URI
associated with a specific module name string
must persist across a reboot, and never change, once assigned.
</t>
</section>
</section>
<section title="NETCONF Access Control Model (NACM)">
<section title="Introduction">
<t>
This section provides a high-level overview of the
access control model structure. It describes the
NETCONF protocol message processing model, and the conceptual
access control requirements within that model.
</t>
<section title="Features">
<t>
The NACM data model provides the following features:
<list style="symbols">
<t>
Independent control of RPC, data, and notification
access.
</t>
<t>
Very simple access control rules configuration
data model which is easy to use.
</t>
<t>
The concept of a 'superuser' type of account
is supported, but configuration of user accounts
is beyond the scope of this document. The server
must be able to determine if a superuser account
is available, and if so, the actual user name
for this account. A session associated
with the superuser account
will bypass all access control enforcement.
</t>
<t>
A simple and familiar set of permissions is
used:
<list style="hanging">
<t hangText="read:">
If granted, then the session is authorized
to receive the associated data within
an <rpc-reply> or <notification>
message.
</t>
<t hangText="write:">
If granted, then the session is authorized
to alter the associated data node.
</t>
<t hangText="exec:">
If granted, then the session is authorized
to invoke the associated RPC operation.
</t>
</list>
</t>
<t>
Support for YANG security tagging (e.g.,
nacm:secure extension) allows default security
modes to automatically exclude sensitive data.
</t>
<t>
Separate default access modes for read, write, and
execute permissions.
</t>
<t>
Access control rules are applied to configurable groups
of users.
</t>
<t>
The entire ACM can be disabled or downgraded during
operation, in order to debug operational problems.
</t>
<t>
Access control rule are simple to configure.
</t>
<t>
The number of denied RPC operation requests
and denied database write requests can be
monitored by the client.
</t>
<t>
Simple unconstrained YANG instance identifiers
are used to configure access control rules for
specific data nodes, or child nodes within
specific RPC input, RPC output, and notification
event type content.
</t>
</list>
</t>
</section>
<section title="External Dependencies">
<t>
The <xref target="RFC4741">NETCONF</xref> protocol
is used for all management purposes within this document.
The server must support the features identified
by the 'NETCONF-base' capability.
It is expected that the mandatory transport mapping
<xref target="RFC4742">NETCONF Over SSH</xref> is
also supported by the server, and that the server has
access to the user name associated with each session.
</t>
<t>
The <xref target="I-D.ietf-netmod-yang">
YANG Data Modeling Language</xref>
is used to define the NETCONF data models
specified in this document. The YANG
instance-identifier data type can be used
to configure data-node-specific access control rules.
</t>
</section>
<section title="Message Processing Model">
<t>
The following diagram shows the NETCONF message
flow model, including the points at which access
control is applied, during NETCONF message processing.
</t>
<t>
<figure anchor="NACM_model">
<artwork>
<![CDATA[
+-------------------------+
| session |
| (username) |
+-------------------------+
| ^
V |
+--------------+ +---------------+
| message | | message |
| dispatcher | | generator |
+--------------+ +---------------+
| ^ ^
V | |
+===========+ +-------------+ +----------------+
| <rpc> |---> | <rpc-reply> | | <notification> |
| acc. ctl | | generator | | generator |
+===========+ +-------------+ +----------------+
| ^ ^ ^
V +------+ | |
+-----------+ | +=============+ +================+
| <rpc> | | | <rpc-reply> | | <notification> |
| processor |-+ | acc. ctl | | access ctl |
+-----------+ +=============+ +================+
| | ^ ^
V +----------------+ | |
+===========+ | | |
| data node | | | |
| acc. ctl | -----------+ | | |
+===========+ | | | |
| | | | |
V V V | |
+---------------+ +-----------------+
| configuration | ---> | server |
| database | | instrumentation |
| | <--- | |
+---------------+ +-----------------+
]]>
</artwork>
</figure>
</t>
<t>
The follow high-level sequence of conceptual processing steps
is executed for each received <rpc> message,
if access control enforcement is enabled:
<list style="symbols">
<t>
Access control is applied to all <rpc> messages
(except <close-session>)
received by the server, individually, for each active session,
unless the user identity for the session is the 'superuser'.
</t>
<t>
If the session is authorized to execute the specified RPC
operation, then processing continues, otherwise
the request is rejected with an 'access-denied' error.
</t>
<t>
If the configuration database or conceptual state data
is accessed by the RPC operation,
then the configuration access must be authorized first.
If the session is authorized to perform the requested
operation on the requested data, then processing continues.
</t>
</list>
</t>
<t>
The follow sequence of conceptual processing steps
is executed for each generated notification event,
if access control enforcement is enabled:
<list style="symbols">
<t>
Server instrumentation generates a conceptual notification,
for a particular subscription.
</t>
<t>
The notification access control enforcer checks the
notification event type, and if it is one which
the session is not authorized to read, then the
notification is dropped for that subscription.
</t>
</list>
</t>
</section>
</section>
<section title="Model Components">
<t>
This section defines the conceptual components
related to access control model.
</t>
<section title="Users">
<t>
A 'user' is the conceptual identity, which is associated
with the access permissions granted to a particular session.
A user is identified by a string which must be unique
within the server. Configuration of users is
beyond the scope of this document.
</t>
<t>
The user name string is usually derived from the
transport layer during session establishment.
A server is required to have an authenticated user name
for a session before <rpc> requests will be
accepted. Otherwise all requests must be rejected
with an 'access-denied' error-tag value.
</t>
<t>
The server should support a 'superuser' administrative user
account, which will bypass all access control enforcement.
This is useful for restricting initial access
and repairing a broken access control configuration.
This account may be configurable to use a specific user, or disabled
completely. Some systems have factory-selected superuser
account names. There is no need to standardize the exact
user name for the superuser account. If no such account,
then all NETCONF access will be controlled.
</t>
</section>
<section title="Groups">
<t>
Access to a specific NETCONF protocol mechanism is granted to
a session, associated with a group, not a user.
</t>
<t>
A group is identified by its YANG group identity,
which must use the 'nacm-groups' identity as its
base.
</t>
<t>
All group names must be unique within the server.
</t>
<t>
A group member is identified by a user name string.
</t>
<t>
The same user may be configured in multiple groups.
</t>
<t>
The server should support the 3 default group identities
defined in this document (admin, monitor, guest),
however these roles are just unique identities,
provided for operator convenience.
There is no standard behavior defined for each group
identity. That is up to the operator who configures the
groups.
</t>
</section>
<section title="Sessions">
<t>
A session is simply a NETCONF session, which is the
entity which is granted access to specific NETCONF
protocol mechanisms.
</t>
<t>
A session is associated with a single user name for the
lifetime of the session.
</t>
</section>
<section title="Access Permissions">
<t>
The access permissions are the NETCONF protocol specific
set of permissions that have
been assigned to a particular session role or group.
The same access permissions should stay in affect for
the lifetime of a session.
</t>
<t>
The access control model treats RPC operation execution
separately from configuration database access
and outgoing messages:
<list style="hanging">
<t hangText="read:">
Read access to conceptual server data, <rpc-reply> and
<notification> content.
</t>
<t hangText="write:">
Write access to any configuration database.
</t>
<t hangText="exec:">
Permission to invoke an RPC operation.
</t>
</list>
</t>
</section>
<section title="Global Enforcement Controls">
<t>
A global on/off switch is provided to enable
or disable all access control enforcement.
</t>
<t>
An on/off switch is provided to
enable or disable default access
to invoke RPC operations.
</t>
<t>
An on/off switch is provided to
enable or disable default permission
to receive data in replies and notifications.
</t>
<t>
An on/off switch is provided to
enable or disable default access
to alter configuration data.
</t>
</section>
<section title="Access Control Rules">
<t>
There are 4 types of rules available in NACM:
<list style="hanging">
<t hangText="module rule:">
Controls access for definitions in
a specific module, identified by its
name.
</t>
<t hangText="RPC operation rule:">
Controls access for a
specific RPC operation, identified by its
module and name.
</t>
<t hangText="data node rule:">
Controls access for a
specific data node, identified by its
path location within the conceptual
XML document for the data node.
</t>
<t hangText="notification rule:">
Controls access for a
specific notification event type, identified by its
module and name.
</t>
</list>
</t>
</section>
</section>
<section title="Access Control Enforcement Procedures">
<t>
There are seven separate phases that must be addressed,
four of which are related to the NETCONF message processing model.
In addition, the initial start-up mode for a NETCONF server,
session establishment, and 'access-denied' error handling
procedures must also be considered.
</t>
<section title="Initial Operation">
<t>
Upon the very first start-up of the NETCONF server,
the access control configuration will probably
not be present. If not,
a server should not allow any write access to
any session role except 'superuser' type of
account in this state.
</t>
<t>
There is no requirement to enforce access control
rules before or while the non-volatile configuration
data is processed and loaded into the running
configuration.
</t>
</section>
<section title="Session Establishment">
<t>
The access control model applies specifically
to the well-formed XML content transferred between a client
and a server, after session establishment has been completed,
and after the <hello> exchange has been successfully
completed.
</t>
<t>
A server should not include any sensitive information
in any <capability> elements within the
<hello> exchange.
</t>
<t>
Once session establishment is completed, and a user identity
has been authenticated, a NETCONF server will
enforce the access control rules, based on the
supplied user identity and the configuration data stored
on the server.
</t>
</section>
<section title="'access-denied' Error Handling">
<t>
The 'access-denied' error-tag is generated when
the access control system denies access to either a
request to invoke an RPC operation or a request to
perform a particular operation on the configuration
database.
</t>
<t>
A server must not include any sensitive information
in any <error-info> elements within the
<rpc-error> response.
</t>
</section>
<section title="Incoming RPC Message Validation">
<t>
The diagram below shows the basic
conceptual structure of the access control processing model
for incoming NETCONF <rpc> messages, within a server.
</t>
<t>
<figure anchor="NACM_incoming">
<artwork>
<![CDATA[
NETCONF server
+------------+
| XML |
| message |
| dispatcher |
+------------+
|
|
V
+------------+
| NC-base NS |
| <rpc> |
+------------+
| | |
| | +-------------------------+
| +------------+ |
V V V
+-----------+ +---------------+ +------------+
| acme NS | | NC-base NS | | NC-base NS |
| <my-edit> | | <edit-config> | | <unlock> |
+-----------+ +---------------+ +------------+
| |
| |
V V
+----------------------+
| |
| configuration |
| database |
+----------------------+
]]>
</artwork>
</figure>
</t>
<t>
Access control begins with the message dispatcher.
Only well-formed XML messages should be processed
by the server.
</t>
<t>
A server should not allow access to configuration
databases through any top level element except
the <rpc> element in the NETCONF-base namespace.
If it does, the server should still enforce access
control to configuration data, even if the access
is from some mechanism outside the standard protocol
operations.
</t>
<t>
After the server validates the <rpc> element,
and determines the namespace URI and the element
name of the RPC operation being requested, the RPC access
control enforcer verifies that the session is authorized
to invoke the RPC operation.
</t>
<t>
The RPC operation is authorized by following these steps:
<list style="numbers">
<t>
If the <enable-nacm> parameter is set to 'false',
then the RPC operation is permitted.
</t>
<t>
If the session is associated with the 'superuser'
account, then the RPC operation is permitted.
</t>
<t>
If the requested operation is the NETCONF
<close-session> operation, then
the RPC operation is permitted.
</t>
<t>
Check all the <group> entries
for ones that contain a <user-name>
entry that matches the user name for the
session making the request.
</t>
<t>
If no groups are found:
<list style="symbols">
<t>
If the requested RPC operation is
associated with a YANG module
advertised in the server capabilities,
and the rpc statement contains a
nacm:secure or nacm:very-secure extension,
then the RPC operation is denied.
</t>
<t>
If the <exec-default> parameter is
set to 'permit', then permit the RPC operation,
otherwise deny the request.
</t>
</list>
</t>
<t>
Check if there are any matching <rpc-rule> entries
for the requested RPC operation. Any matching rules
are processing in user-defined order, in case there
are multiple <rpc-rule> entries for the requested
RPC operation.
</t>
<t>
If an <rpc-rule> entry is found, then
check the <allowed-rights> bits field
for the entry, otherwise continue.
If the 'exec' bit is present in the
<allowed-rights> bits field
then the RPC operation is permitted,
otherwise it is denied.
</t>
<t>
Check if there are any matching <module-rule> entries
for the same module as the requested RPC operation.
Any matching rules are processing in user-defined order,
in case there are multiple <module-rule> entries
for the module containing the requested RPC operation.
</t>
<t>
If a <module-rule> entry is found, then
check the <allowed-rights> bits field
for the entry, otherwise continue.
If the 'exec' bit is present in the
<allowed-rights> bits field
then the RPC operation is permitted,
otherwise it is denied.
</t>
<t>
If the requested operation is identified an
a nacm:secure or nacm:very-secure RPC operation,
then the RPC operation is denied.
</t>
<t>
If the <exec-default> parameter is
set to 'permit', then permit the RPC operation,
otherwise deny the request.
</t>
</list>
</t>
<t>
If the session is not authorized to invoke the RPC operation
then an <rpc-error> is generated with the following
information:
<list style="hanging">
<t hangText="error-tag:">access-denied</t>
<t hangText="error-path:">
/rpc/method-QName, where
'method-QName' is a qualified name identifying the
actual RPC operation name. For example, '/rpc/edit-config'
represents the <edit-config> operation in the
NETCONF base namespace..
</t>
</list>
</t>
<t>
If the configuration database is accessed,
either directly or as a side effect of the
RPC operation, then the server
must intercept the operation
and make sure the session is authorized to
perform the requested operation on the specified data.
</t>
</section>
<section title="Data Node Access Validation">
<t>
If a data node within a configuration database
is accessed, or a conceptual non-configuration
node is accessed, then the server must ensure that
the client session is authorized to perform
the requested operation (read or write) on
the specified data node.
</t>
<t>
The data node access request is authorized by following
these steps:
<list style="numbers">
<t>
If the <enable-nacm> parameter is set to 'false',
then the data node access request is permitted.
</t>
<t>
If the session is associated with the 'superuser'
account, then the data node access request is permitted.
</t>
<t>
Check all the <group> entries
for ones that contain a <user-name>
entry that matches the user name for the
session making the request.
</t>
<t>
If no groups are found:
<list style="symbols">
<t>
If the requested data node is
associated with a YANG module
advertised in the server capabilities,
and the data definition statements
(or any of its ancestors)
contains a nacm:secure or nacm:very-secure extension,
then the data node access request is denied.
</t>
<t>
For a read request, if the <read-default> parameter is
set to 'permit', then permit the data node access request,
otherwise deny the request.
</t>
<t>
For a write request, if the <write-default> parameter is
set to 'permit', then permit the data node access request,
otherwise deny the request.
</t>
</list>
</t>
<t>
Check if there are any matching <data-rule> entries
for the requested data node access request. Any matching rules
are processing in user-defined order, in case there
are multiple <data-rule> entries for the requested
data node.
</t>
<t>
If an <data-rule> entry is found, then
check the <allowed-rights> bits field
for the entry, otherwise continue.
<list>
<t>
For a read operation, if the 'read' bit is present in the
<allowed-rights> bits field
then the request is permitted, otherwise it is denied.
</t>
<t>
For a write operation, if the 'write' bit is present in the
<allowed-rights> bits field
then the request is permitted, otherwise it is denied.
</t>
</list>
</t>
<t>
Check if there are any matching <module-rule> entries
for the same module as the requested data node.
Any matching rules are processing in user-defined order,
in case there are multiple <module-rule> entries
for the module containing the requested data node.
</t>
<t>
If a <module-rule> entry is found, then
check the <allowed-rights> bits field
for the entry, otherwise continue.
<list>
<t>
For a read operation, if the 'read' bit is present in the
<allowed-rights> bits field
then the request is permitted, otherwise it is denied.
</t>
<t>
For a write operation, if the 'write' bit is present in the
<allowed-rights> bits field
then the request is permitted, otherwise it is denied.
</t>
</list>
</t>
<t>
For a read request, if the requested data node is identified an
a nacm:very-secure definition,
then the data node access request is denied.
</t>
<t>
For a write request, if the requested data node is identified an
a nacm:secure or nacm:very-secure definition,
then the data node access request is denied.
</t>
<t>
For a read request, if the <read-default> parameter is
set to 'permit', then permit the data node access request,
otherwise deny the request.
</t>
<t>
For a write request, if the <write-default> parameter is
set to 'permit', then permit the data node access request,
otherwise deny the request.
</t>
</list>
</t>
</section>
<section title="Outgoing <rpc-reply> Authorization">
<t>
The <rpc-reply> message should be checked by the server
to make sure no unauthorized data is contained within
it. If so, the restricted data must be removed
from the message before it is sent to the client.
</t>
<t>
Configuration of access control rules exclusively
for the RPC output section, for an
<rpc-reply> message that does not return
data from a conceptual database or non-configuration
data suitable for retrieval with the <get>
operation is outside the scope of this document.
For RPC operations which do not access any data nodes,
then any client authorized to invoke the RPC operation
is also authorized to receive the <rpc-reply>
for that RPC operation.
</t>
</section>
<section title="Outgoing <notification> Authorization">
<t>
The <notification> message should be checked by the server
to make sure no unauthorized data is contained within
it. If so, the restricted data must be removed
from the message before it is sent to the client.
</t>
<t>
Configuration of access control rules specifically
for descendent nodes of the notification event type
element are outside the scope of this document.
If the session is authorized to receive the
notification event type, then it is also
authorized to receive any data it contains.
</t>
<t>
The following figure shows the conceptual message processing
model for outgoing <notification> messages.
</t>
<t>
<figure anchor="NACM_outgoing_notification">
<artwork>
<![CDATA[
NETCONF server
+------------+
| XML |
| message |
| generator |
+------------+
^
|
+----------------+
| <notification> |
| generator |
+----------------+
^
|
+=================+
| <notification> |
| access control |
| <eventType> |
+=================+
^
|
+------------------------+
| server instrumentation |
+------------------------+
| ^
V |
+----------------------+
| configuration |
| database |
+----------------------+
]]>
</artwork>
</figure>
</t>
<t>
The generation of a notification event for
a specific subscription is authorized by following
these steps:
<list style="numbers">
<t>
If the <enable-nacm> parameter is set to 'false',
then the notification event is permitted.
</t>
<t>
If the session is associated with the 'superuser'
account, then the notification event is permitted.
</t>
<t>
If the requested operation is the NETCONF
<replayComplete> or <notificationComplete>
event type, then
the notification event is permitted.
</t>
<t>
Check all the <group> entries
for ones that contain a <user-name>
entry that matches the user name for the
session that started the notification subscription.
</t>
<t>
If no groups are found:
<list style="symbols">
<t>
If the requested notification is
associated with a YANG module
advertised in the server capabilities,
and the notification statement contains a
nacm:secure or nacm:very-secure extension,
then the notification event is dropped
for the associated subscription.
</t>
<t>
If the <read-default> parameter is
set to 'permit', then permit the notification
event, otherwise drop this event type
for the associated subscription.
</t>
</list>
</t>
<t>
Check if there are any matching <notification-rule> entries
for the specific notification event type being delivered
to the subscription. Any matching rules
are processing in user-defined order, in case there
are multiple <notification-rule> entries for the
requested notification event type.
</t>
<t>
If a <notification-rule> entry is found, then
check the <allowed-rights> bits field
for the entry, otherwise continue.
If the 'read' bit is present in the
<allowed-rights> bits field
then the notification event type is permitted,
otherwise it is dropped for the associated subscription.
</t>
<t>
Check if there are any matching <module-rule> entries
for the same module as the notification event type.
Any matching rules are processing in user-defined order,
in case there are multiple <module-rule> entries
for the module containing the notification event type.
</t>
<t>
If a <module-rule> entry is found, then
check the <allowed-rights> bits field
for the entry, otherwise continue.
If the 'read' bit is present in the
<allowed-rights> bits field
then the notification event type is permitted,
otherwise it is dropped for the associated subscription.
</t>
<t>
If the requested event type is identified an
a nacm:very-secure notification definition,
then the notification event type is denied.
</t>
<t>
If the <read-default> parameter is
set to 'permit', then permit the notification
event type, otherwise it is dropped for
the associated subscription.`<
</t>
</list>
</t>
</section>
</section>
<section title="Data Model Definitions" anchor="DM">
<t>
This section defines the semantics of the
conceptual data structures found in the data model
in <xref target="DM"/>.
</t>
<section title="High Level Procedures">
<t>
There are some high level management procedures that
an administrator needs to consider before using this
access control model:
<list style="numbers">
<t>
Configure the global settings.
</t>
<t>
Configure one or more user groups.
</t>
<t>
Configure zero or more access control rules for
specific modules.
</t>
<t>
Configure zero or more access control rules for
specific RPC operations.
</t>
<t>
Configure zero or more access control rules for
data node access.
</t>
<t>
Configure zero or more access control rules for
notification event type access.
</t>
</list>
</t>
</section>
<section title="Data Organization">
<t>
The top-level element is called <nacm>, and it
is defined the 'nacm' module namespace.
</t>
<t>
There are several data structures defined as child nodes
of the <nacm> element:
<list style="hanging">
<t hangText="leaf <enable-nacm>:">
On/off boolean switch to enable or disable
access control enforcement.
</t>
<t hangText="leaf <read-default>:">
Enumeration to permit or deny
default read access requests.
</t>
<t hangText="leaf <write-default>:">
Enumeration to permit or deny
default write access requests.
</t>
<t hangText="leaf <exec-default>:">
Enumeration to permit or deny
default RPC operation execution requests.
</t>
<t hangText="leaf <denied-rpcs>:">
Read-only counter of the number of
times the server has denied an RPC
operation request, since the last reboot
of the server.
</t>
<t hangText="leaf <denied-data-writes>:">
Read-only counter of the number of
times the server has denied a
data node write request, since the last reboot
of the server.
</t>
<t hangText="container <groups>:">
Configures the groups used within the access
control system.
<list style="hanging">
<t hangText="list <group>:">
A list of user names belonging to the
same administrative group.
</t>
</list>
</t>
<t hangText="container <rules>:">
Configures the access control rules used
within the server.
<list style="hanging">
<t hangText="list <module-rule>:">
Configures the access control rules for
a specific module.
</t>
<t hangText="list <rpc-rule>:">
Configures the access control rules for
RPC operation invocation.
</t>
<t hangText="list <data-rule>:">
Configures the access control rules
for configuration database access.
</t>
<t hangText="list <notification-rule>:">
Configures the access control rules for controlling
delivery of <notification> events.
</t>
</list>
</t>
</list>
</t>
</section>
<section title="YANG Module">
<t>
The following YANG module is provided to specify
the normative NETCONF content that must
by supported by the server.
</t>
<t>
<figure anchor="YANG_module">
<artwork><![CDATA[
<CODE BEGINS> file="nacm.yang"
module nacm {
namespace "file://draft-bierman-netconf-access-control-00.txt";
prefix "nacm";
import ietf-yang-types { prefix yang; }
organization "Netconf Central, Inc.";
contact "Andy Bierman <andy@netconfcentral.org>.";
description
"NETCONF Server Access Control Model";
revision 2010-02-21 {
description
"Initial version (work-in-progress).";
}
typedef nacm-user-name {
description "General Purpose User Name string.";
type string {
length "1..64";
pattern '[a-z,A-Z,_][a-z,A-Z,0-9,\-,_,@,.]{0,63}';
}
}
typedef nacm-rights {
description
"NETCONF Access Rights";
type bits {
bit read {
description
"Read access allowed to all specified data.
Any protocol operation or notification that
returns data to an application is a read
operation.";
}
bit write {
description
"Write access allowed to all specified data.
Any protocol operation that alters a database
is a write operation.";
}
bit exec {
description
"Execution access to the specified RPC operation.
Any RPC operation invocation is an exec operation.";
}
}
}
typedef nacm-group {
description
"Type of administrative group that can be
assigned to the user, and specified in
an access control rule.
The identityref data type is used to allow as
many groups to be added as needed. There are
no standard semantics for each identity.
It simply represents a unique group name.";
type identityref {
base nacm-groups;
}
}
typedef nacm-action {
description
"Action taken by the server when a particular
rule matches.";
type enumeration {
enum permit {
description "Requested action is permitted.";
}
enum deny {
description "Requested action is denied.";
}
}
}
typedef schema-instance-identifier {
description
"Path expression used to represent a special
schema-instance identifier string.
A schema-instance-identifier value string is an
unrestricted YANG instance-identifier expression.
All the same rules as an instance-identifier apply
except predicates for keys are optional. If a key
predicate is missing, then the schema-instance-identifier
represents all possible server instances for that key.";
type string;
}
extension secure {
description
"Used to indicate that the data model node
represents a sensitive security system parameter.
If present, the NETCONF server will only allow
the designated 'superuser' to have write or execute
default nacm-rights for the node. An explicit access
control rule is required for all other users.
The 'secure' extension may appear within a data, rpc,
or notification node definition. It is ignored
otherwise.";
}
extension very-secure {
description
"Used to indicate that the data model node
controls a very sensitive security system parameter.
If present, the NETCONF server will only allow
the designated 'superuser' to have read, write, or execute
default nacm-rights for the node. An explicit access
control rule is required for all other users.
The 'very-secure' extension may appear within a data, rpc,
or notification node definition. It is ignored
otherwise.";
}
identity nacm-groups {
description
"Root of all NETCONF Administrative Groups";
}
identity admin {
description
"Example Administrator group.";
base nacm-groups;
}
identity monitor {
description
"Example Monitoring group.";
base nacm-groups;
}
identity guest {
description
"Example Guest group.";
base nacm-groups;
}
container nacm {
nacm:very-secure;
description
"Parameters for NETCONF Access Control Model.";
presence
"An empty nacm container indicates that the
NACM service is running, and possibly using
all default parameters.";
leaf enable-nacm {
description
"Enable or disable all NETCONF access control
enforcement. If 'true', then enforcement
is enabled. If 'false', then enforcement
is disabled.";
type boolean;
default true;
}
leaf read-default {
description
"Controls whether read access is granted if
no appropriate rule is found for a
particular read request.";
type nacm-action;
default "permit";
}
leaf write-default {
description
"Controls whether write access is granted if
no appropriate rule is found for a
particular write request.";
type nacm-action;
default "deny";
}
leaf exec-default {
description
"Controls whether exec access is granted if
no appropriate rule is found for a
particular RPC operation request.";
type nacm-action;
default "permit";
}
leaf denied-rpcs {
description
"Number of times an RPC operation request was denied";
type yang:zero-based-counter32;
config false;
}
leaf denied-data-writes {
description
"Number of times a request to alter a data node
was denied.";
type yang:zero-based-counter32;
config false;
}
container groups {
description
"NACM Group Table";
list group {
description "One NACM Group Entry";
key group-identity;
leaf group-identity {
description
"Group identity associated with this entry.";
type nacm-group;
}
leaf-list user-name {
description
"Each entry identifies the user name of
a member of the group associated with
this entry.";
type nacm-user-name;
}
}
}
container rules {
description
"NETCONF Access Control Rules.";
grouping common-rule-parms {
leaf rule-name {
description
"Arbitrary name assigned to the
access control rule.";
type string {
length "1..1023";
}
}
leaf allowed-rights {
description
"List of access rights granted to
specified administrative groups for the
content specified by the associated path.";
type nacm-rights;
mandatory true;
}
leaf-list allowed-group {
description
"List of administrative groups which will be
assigned the associated access rights
for the content specified by the associated
path.";
type nacm-group;
min-elements 1;
}
leaf comment {
description
"A textual description of the access rule.";
type string {
length "0..4095";
}
}
}
list module-rule {
description
"One Module Access Rule.
Rules are processed in user-defined order.
A module rule is considered a match if
the XML namespace for the specified module
name matches the XML namespace used within
a NETCONF PDU, and the administrative group
associated with the requesting session is
specified in the 'allowed-group' leaf-list.";
ordered-by user;
key "module-name rule-name";
leaf module-name {
description
"Name of the module associated with
this rule.";
type string {
length "1..max";
}
}
uses common-rule-parms;
}
list rpc-rule {
description
"One RPC Operation Access Rule.
Rules are processed in user-defined order.
An RPC rule is considered a match if
the module name of the requested RPC
operation matches 'rpc-module-name',
the requested RPC operation matches
'rpc-name', and an administrative group
associated with the session user
is listed in the 'allowed-group'
leaf-list";
ordered-by user;
key "rpc-module-name
rpc-name
rule-name";
leaf rpc-module-name {
description
"Name of the module defining this
RPC operation.";
type string {
length "1..max";
}
}
leaf rpc-name {
description
"Name of the RPC operation.";
type string {
length "1..max";
}
}
uses common-rule-parms;
}
list data-rule {
description
"One Data Access Control Rule.
Rules are processed in user-defined order.
A data rule is considered to match when
the path expression identifies
the same node that is being accessed
in the NETCONF database, and the administrative
group associated with the session is identified
in the 'allowed-group' leaf-list.";
key "rule-name";
ordered-by user;
leaf path {
description
"Schema Instance Identifier associated with
the data node controlled by this rule.
Configuration data or state data
instance identifiers start with
a top-level data node.
A complete instance identifier is
required for this type of path value.
The special value '/' refers to all
possible database contents.";
type schema-instance-identifier;
mandatory true;
}
uses common-rule-parms;
}
list notification-rule {
description
"One Notification Access Rule.
A notification is considered a match if
the module name of the requested
event type matches 'notification-module-name',
the requested event type matches the
'notification-name', and the administrative group
associated with the requesting session
is listed in the 'allowed-group' leaf-list.";
ordered-by user;
key "notification-module-name
notification-name
rule-name";
leaf notification-module-name {
description
"Name of the module defining this
notification event type.";
type string {
length "1..max";
}
}
leaf notification-name {
description
"Name of the notification event.";
type string {
length "1..max";
}
}
uses common-rule-parms;
}
}
}
}
<CODE ENDS>
]]></artwork>
</figure>
</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>
There are two actions that are requested of IANA:
<list style="numbers">
<t>register data model schema namespace URI (TBD)</t>
<t>register data model name ('nacm')</t>
</list>
</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>
This entire document discusses access control
requirements and mechanisms for restricting
NETCONF protocol behavior within a given session.
</t>
<t>
Configuration of the access control system is
highly sensitive to system security. A server may
choose not to allow any user configuration to
some portions of it, such as the global security level,
or the groups which allowed access to system resources.
</t>
<t>
This document incorporates the optional
use of a superuser account,
which can be used to bypass access control enforcement.
Configuration user accounts is outside the scope
of this document, however it is suggested that the
'root' account not be used for NETCONF over SSH servers,
because 'root' SSH logins should be disabled
in the SSH server.
</t>
<t>
If the server chooses to allow user configuration of
the access control system, then only sessions using
the 'superuser' administrative user should be allowed to
have write access to the data model.
</t>
<t>
If the server chooses to allow user retrieval of
the access control system configuration, then only sessions using
the 'superuser' administrative user should be allowed to
have read access to the data model.
</t>
<t>
There is a risk that invocation of
non-standard RPC operations will have undocumented side effects.
An administrator should construct access control rules
such that the configuration database is protected
from such side effects. Also, such RPC operations
should never be invoked by a session using the 'superuser'
administrative user.
</t>
<t>
There is a risk that non-standard RPC operations, or
even the standard <get> operation, may
return data which 'aliases' or 'copies' sensitive data
from a different data object.
In this case, the namespace and/or the element name
will not match the values for the sensitive data,
which is then fully or partially copied into a different
namespace and/or element. An administrator should
avoid using data models which use this practice.
</t>
<t>
An administrator should restrict write access to all
configurable objects within this data model. It is suggested
that only sessions using the 'superuser' administrative role
be permitted to configure the data model defined in this document.
</t>
<t>
If write access is allowed for configuration of
access control rules, then care must be taken
not to disrupt the access control enforcement.
</t>
<t>
An administrator should restrict read access to the
following objects within this data model, which reveal
access control configuration which could be considered
sensitive.
<list style="symbols">
<t>enable-nacm</t>
<t>read-default</t>
<t>write-default</t>
<t>exec-default</t>
<t>groups</t>
<t>rules</t>
</list>
</t>
</section>
</section>
</middle>
<!-- ***** BACK MATTER ***** -->
<back>
<references title="Normative References">
&rfc2119;
&rfc4741;
&rfc4742;
&rfc5277;
&xmlspec;
&yangspec;
&yangtypes;
</references>
<section title="Usage Examples">
<t>
The following XML snippets are provided as examples only,
to demonstrate how NACM can be configured to perform
some access control tasks.
</t>
<section title="<groups> Example">
<t>
There must be at least one <group> entry
in order for any of the access control rules
to be useful.
</t>
<t>
The following XML shows arbitrary groups,
and is not intended to represent any particular
use-case.
</t>
<t>
<figure>
<artwork><![CDATA[
<nc:config xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
<nacm:nacm
xmlns="file://draft-bierman-netconf-access-control-00.txt">
<nacm:groups>
<nacm:group>
<nacm:group-identity>nacm:admin</nacm:group-identity>
<nacm:user-name>admin</nacm:user-name>
<nacm:user-name>andy</nacm:user-name>
</nacm:group>
<nacm:group>
<nacm:group-identity>nacm:monitor</nacm:group-identity>
<nacm:user-name>wilma</nacm:user-name>
<nacm:user-name>bam-bam</nacm:user-name>
</nacm:group>
<nacm:group>
<nacm:group-identity>nacm:guest</nacm:group-identity>
<nacm:user-name>guest</nacm:user-name>
<nacm:user-name>guest@example.com</nacm:user-name>
</nacm:group>
</nacm:groups>
</nc:config>
</nacm:nacm>
]]>
</artwork>
</figure>
</t>
<t>
This example shows 3 groups:
<list style="numbers">
<t>
The nacm:admin group contains 2 users named 'admin' and 'andy'.
</t>
<t>
The nacm:monitor group contains 2 users named
'wilma' and 'bam-bam'.
</t>
<t>
The nacm:guest group contains 2 users named
'guest' and 'guest@example.com'.
</t>
</list>
</t>
</section>
<section title="<module-rule> Example">
<t>
Module rules are used to control access to
all the content defined in a specific module.
These rules are checked after none of
the specific
rules (i.e., rpc-rule, data-rule, or
notification-rule) matched the current access request.
</t>
<t>
<figure>
<artwork><![CDATA[
<nc:config xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
<nacm:nacm
xmlns="file://draft-bierman-netconf-access-control-00.txt">
<nacm:rules>
<nacm:module-rule>
<nacm:module-name>
ietf-netconf-monitoring
</nacm:module-name>
<nacm:rule-name>1</nacm:rule-name>
<nacm:allowed-rights>read</nacm:allowed-rights>
<nacm:allowed-group>nacm:admin</nacm:allowed-group>
<nacm:allowed-group>nacm:monitor</nacm:allowed-group>
<nacm:comment>
do not allow guests to read the netconf information
</nacm:comment>
</nacm:module-rule>
<nacm:module-rule>
<nacm:module-name>ietf-netconf</nacm:module-name>
<nacm:rule-name>1</nacm:rule-name>
<nacm:allowed-rights>read write exec</nacm:allowed-rights>
<nacm:allowed-group>nacm:admin</nacm:allowed-group>
<nacm:comment>
allow admin complete access to the standard operations
</nacm:comment>
</nacm:module-rule>
</nacm:rules>
</nc:config>
</nacm:nacm>
]]>
</artwork>
</figure>
</t>
<t>
This example shows 2 module rules:
<list style="numbers">
<t>
This rule allows the admin and monitor groups
(but not the guest group)
to read the <netconf-state> sub-tree, which
is defined in the ietf-netconf-monitoring YANG module.
</t>
<t>
This rule allows complete access to the ietf-netconf module
for the admin group.
</t>
</list>
</t>
</section>
<section title="<rpc-rule> Example">
<t>
RPC rules are used to control access to
a specific RPC operation.
</t>
<t>
<figure>
<artwork><![CDATA[
<nc:config xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
<nacm:nacm
xmlns="file://draft-bierman-netconf-access-control-00.txt">
<nacm:rules>
<nacm:rpc-rule>
<nacm:rpc-module-name>
ietf-netconf
</nacm:rpc-module-name>
<nacm:rpc-name>
kill-session
</nacm:rpc-name>
<nacm:rule-name>1</nacm:rule-name>
<nacm:allowed-rights/>
<nacm:allowed-group>nacm:monitor</nacm:allowed-group>
<nacm:allowed-group>nacm:guest</nacm:allowed-group>
<nacm:comment>
do not allow monitor or guest to kill another session
</nacm:comment>
</nacm:rpc-rule>
<nacm:rpc-rule>
<nacm:rpc-module-name>
ietf-netconf
</nacm:rpc-module-name>
<nacm:rpc-name>
delete-config
</nacm:rpc-name>
<nacm:rule-name>1</nacm:rule-name>
<nacm:allowed-rights/>
<nacm:allowed-group>nacm:monitor</nacm:allowed-group>
<nacm:allowed-group>nacm:guest</nacm:allowed-group>
<nacm:comment>
do not allow monitor or guest to delete any configs
</nacm:comment>
</nacm:rpc-rule>
</nacm:rules>
</nc:config>
</nacm:nacm>
]]>
</artwork>
</figure>
</t>
<t>
This example shows 2 RPC rules:
<list style="numbers">
<t>
This rule prevents the monitor or guest groups
(but not the admin group) from invoking the NETCONF
<kill-session> RPC operation.
</t>
<t>
This rule prevents the monitor or guest groups
(but not the admin group) from invoking the NETCONF
<delete-config> RPC operation.
</t>
</list>
</t>
</section>
<section title="<data-rule> Example">
<t>
Data rules are used to control access to
specific (config and non-config) data nodes
within the NETCONF content provided by the server.
</t>
<t>
<figure>
<artwork><![CDATA[
<nc:config xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
<nacm:nacm
xmlns="file://draft-bierman-netconf-access-control-00.txt">
<nacm:rules>
<nacm:data-rule>
<nacm:rule-name>data-1</nacm:rule-name>
<nacm:path>/nacm:nacm</nacm:path>
<nacm:allowed-rights>read write</nacm:allowed-rights>
<nacm:allowed-group>nacm:admin</nacm:allowed-group>
<nacm:comment>
allow admin access to /nacm
</nacm:comment>
</nacm:data-rule>
<nacm:data-rule>
<nacm:rule-name>data-acme-config</nacm:rule-name>
<nacm:path
xmlns:acme="http://example.com/ns/netconf">
/acme:acme-netconf/acme:config-parameters
</nacm:path>
<nacm:allowed-rights>read write</nacm:allowed-rights>
<nacm:allowed-group>nacm:admin</nacm:allowed-group>
<nacm:allowed-group>nacm:monitor</nacm:allowed-group>
<nacm:comment>
allow admin and monitor to access acme
netconf config parameters.
</nacm:comment>
</nacm:data-rule>
<nacm:data-rule>
<nacm:rule-name>dummy-itf</nacm:rule-name>
<nacm:path
xmlns:acme="http://example.com/ns/itf">
/acme:interfaces/acme:interface[acme:name='dummy']
</nacm:path>
<nacm:allowed-rights>read write</nacm:allowed-rights>
<nacm:allowed-group>nacm:monitor</nacm:allowed-group>
<nacm:allowed-group>nacm:guest</nacm:allowed-group>
<nacm:comment>
allow monitor and guest full access to acme
dummy interface
</nacm:comment>
</nacm:data-rule>
<nacm:data-rule>
<nacm:rule-name>admin-itf</nacm:rule-name>
<nacm:path
xmlns:acme="http://example.com/ns/itf">
/acme:interfaces/acme:interface
</nacm:path>
<nacm:allowed-rights>read write</nacm:allowed-rights>
<nacm:allowed-group>nacm:admin</nacm:allowed-group>
<nacm:comment>
allow admin full access to all acme interfaces
</nacm:comment>
</nacm:data-rule>
</nacm:rules>
</nc:config>
</nacm:nacm>
]]>
</artwork>
</figure>
</t>
<t>
This example shows 4 data rules:
<list style="hanging">
<t hangText="data-1:">
This rule gives the admin group
read-write access to the <nacm> sub-tree.
</t>
<t hangText="data-acme-config:">
This rule gives the admin and monitor groups
read-write access to the acme <config-parameters>.
</t>
<t hangText="dummy-itf:">
This rule gives the monitor and guest groups
read-write access to the acme <interface>.
entry named 'dummy'.
</t>
<t hangText="admin-itf:">
This rule gives the admin group
read-write access to all acme <interface>.
entries.
</t>
</list>
</t>
</section>
<section title="<notification-rule> Example">
<t>
Notification rules are used to control access to
a specific notification event type.
</t>
<t>
<figure>
<artwork><![CDATA[
<nc:config xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
<nacm:nacm
xmlns="file://draft-bierman-netconf-access-control-00.txt">
<nacm:rules>
<nacm:notification-rule>
<nacm:notification-module-name>
acme-system
</nacm:notification-module-name>
<nacm:notification-name>
sys-config-change
</nacm:notification-name>
<nacm:rule-name>1</nacm:rule-name>
<nacm:allowed-rights/>
<nacm:allowed-group>nacm:monitor</nacm:allowed-group>
<nacm:allowed-group>nacm:guest</nacm:allowed-group>
<nacm:comment>
only the admin group can receive config change events
</nacm:comment>
</nacm:notification-rule>
</nacm:rules>
</nc:config>
</nacm:nacm>
]]>
</artwork>
</figure>
</t>
<t>
This example shows 1 notification rule:
<list style="numbers">
<t>
This rule prevents the monitor or guest groups
(but not the admin group) from receiving the
acme <sys-config-change> event type.
</t>
</list>
</t>
</section>
</section>
<section title="Open Issues">
<t>
<list style="numbers">
<t>
Do modules need to be identified by their
XML namespace URI, or is the module name
good enough?
</t>
<t>
Are any more wildcard mechanisms needed to
specify the scope of an access control rule?
</t>
<t>
Should regular expressions (module='foo-*') be
allowed in schema-instance-identifier strings?
</t>
<t>
Should XPath be allowed for specifying
access control rules for data nodes?
</t>
<t>
Are any 'access-denied' notifications needed?
</t>
<t>
Should data rules support nodes that would
not be eligible for retrieval with the <get>
operation? If so, should schema nodes such
as rpc 'input' or 'output' be in the path
expression? How would notification content
be identified?
</t>
<t>
Do any external access control models need
to be supported somehow? For example, should
the <groups> configuration be optionally
read-only, so it can just mirror the internal
(external or proprietary) group configuration?
</t>
<t>
Should the nacm:secure and nacm:very-secure
extensions be optional to support, via a
YANG feature?
</t>
<t>
Should the default access levels (e.g., read-default)
be more restrictive by default? Shiuld these defaults
be a vendor decision? An operator decision?
It is important that the server be able to install
a factory default <nacm> container if needed.
</t>
</list>
</t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 08:35:38 |