One document matched: draft-bierman-netconf-access-control-02.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc2865 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2865.xml'>
<!ENTITY rfc4252 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4252.xml'>
<!ENTITY rfc4253 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4253.xml'>
<!ENTITY rfc4741 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4741.xml'>
<!ENTITY rfc4742 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4742.xml'>
<!ENTITY rfc5277 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5277.xml'>
<!ENTITY rfc5607 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5607.xml'>
<!ENTITY xmlspec PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml2/reference.W3C.REC-xml.xml'>
<!ENTITY yangspec PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-netmod-yang.xml'>
<!ENTITY yangtypes PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-netmod-yang-types.xml'>
]>
<rfc category="std"
docName="draft-bierman-netconf-access-control-02"
ipr="pre5378Trust200902">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="yes"?>
<?rfc comments="no" ?>
<?rfc inline="no" ?>
<?rfc editing="no" ?>
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="4"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="no" ?>
<?rfc compact="no"?>
<?rfc iprnotified="no"?>
<front>
<title abbrev="NACM">
Network Configuration Protocol Access Control Model
</title>
<author fullname="Andy Bierman"
initials="A.B."
surname="Bierman">
<organization>InterWorking Labs</organization>
<address>
<postal>
<street></street>
<city>Scotts Valley</city>
<region>CA</region>
<country>USA</country>
</postal>
<email>andyb@iwl.com</email>
</address>
</author>
<author fullname="Martin Bjorklund"
initials="M.B."
surname="Bjorklund">
<organization>Tail-f Systems</organization>
<address>
<email>mbj@tail-f.com</email>
</address>
</author>
<date />
<area>Management</area>
<workgroup>Internet Engineering Task Force</workgroup>
<keyword>NETCONF</keyword>
<keyword>YANG</keyword>
<keyword>XML</keyword>
<abstract>
<t>
The standardization of network configuration interfaces for use
with the NETCONF protocol requires a structured and secure
operating environment, which promotes human usability and
multi-vendor interoperability. There is a need for standard
mechanisms to restrict NETCONF protocol access for particular
users to a pre-configured subset of all available NETCONF
operations and content. This document discusses requirements
for a suitable access control model, and provides one solution
which meets these requirements.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
The NETCONF protocol does not provide any standard mechanisms to
restrict the operations and content that each user is authorized
to use.
</t>
<t>
There is a need for inter-operable management of the
controlled access to operator selected portions of the
available NETCONF content within a particular server.
</t>
<t>
This document addresses NETCONF protocol authentication and
access control mechanisms for the Operation and Content layers,
as defined in <xref target="RFC4741"/>, and <xref
target="RFC5277"/>. It contains five main sections:
<list style="numbers">
<t>Authentication Requirements</t>
<t>Access Control Requirements</t>
<t>NETCONF Authentication and Authorization Model</t>
<t>NETCONF Access Control Model (NACM)</t>
<t>YANG Data Model (nacm.yang)</t>
</list>
</t>
<section title="Terminology">
<section title="Requirements Notation">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in <xref target="RFC2119"/>.
</t>
</section>
<section title="NETCONF Terms">
<t>
The following terms are defined in RFC 4741 and
are not redefined here:
<list style="symbols">
<t>client</t>
<t>operation</t>
<t>RPC operation</t>
<t>server</t>
<t>session</t>
<t>user</t>
</list>
</t>
</section>
<section title="NACM Terms">
<t>
The following terms are used throughout this documentation:
<list style="hanging">
<t hangText="access control:">
A security feature provided by the NETCONF server,
which allows an operator to restrict access to a
subset of all NETCONF protocol operations and data,
based on various criteria.
</t>
<t hangText="access control model (ACM):">
A conceptual model used to configure and monitor
the access control procedures desired by the operator
to enforce a particular access control policy.
</t>
<t hangText="access control rule:">
The conceptual criteria used to determine if a
particular NETCONF protocol operation should be
permitted or denied.
</t>
<t hangText="authentication:">
The process of verifying a user's identity.
</t>
<t hangText="superuser:">
The special administrative user account which is given
unlimited NETCONF access, and is exempt from all access
control enforcement.
</t>
</list>
</t>
</section>
</section>
</section>
<section title="Authentication Requirements">
<t>
The authentication mechanism must support password
authentication over RADIUS, to support deployment scenarios with
centralized authentication servers. Additionally, local users
must be supported, for scenarios when no centralized
authentication server exists, or for situations where the
centralized authentication server cannot be reached from the
device.
</t>
<t>
Since the mandatory transport protocol for NETCONF is SSH <xref
target="RFC4742">NETCONF Over SSH</xref>, the authentication
model must support SSH's "publickey" and "password"
authentication methods <xref target="RFC4252"/>
<!-- whatabout "hostbased" - is it used? is it recommended? -->
</t>
<t>
The model for authentication configuration should be flexible
enough to support authentication methods defined by other
standard documents or by vendors.
</t>
</section>
<section title="Access Control Requirements">
<section title="Protocol Control Points">
<t>
The NETCONF protocol allows new operations to be
added at any time, and the YANG data modeling language
supports this feature. It is not possible to
design an ACM for NETCONF which
only focuses on a static set of operations,
like some other protocols. Since few assumptions
can be made about an arbitrary protocol operation,
the NETCONF architectural server components must
be protected at several conceptual control points.
</t>
<t>
<figure anchor="control_points">
<artwork><![CDATA[
+-------------+ +-------------+
client | RPC | | prune | client
request --> | operation | | restricted | ---> reply
| allowed? | | <rpc-reply> |
+-------------+ | nodes? |
| +-------------+
| if any database or
| state data is accessed
| by the operation
V
+-------------+ +----------------+
| data node | | prune |
| access | | restricted |
| allowed? | | <notification> | ---> client
+-------------+ | event or data? | session
+----------------+
]]>
</artwork>
</figure>
</t>
<t>
The following access control points are defined:
<list style="hanging">
<t hangText="RPC operation:">
Configurable permission to invoke specific RPC operations
is required. Wildcard or multiple target mechanisms
to reduce configuration and effort are also required.
</t>
<t hangText="NETCONF database:">
Configurable permission to read and/or alter
specific data nodes within any conceptual database
is required. Wildcard or multiple target mechanisms
to reduce configuration and effort are also required.
</t>
<t hangText="RPC Reply Content:">
Configurable permission to read
specific data nodes within any conceptual RPC output
section is required. Unauthorized data is
silently omitted from the reply, instead of
dropping the reply or sending an 'access-denied' error.
</t>
<t hangText="Notification Content:">
Configurable permission to receive
specific notification event types
is required.
</t>
</list>
</t>
</section>
<section title="Simplicity">
<t>
Experience has shown that a complicated ACM will not
be widely deployed, because it is too hard to use.
The key factor that is ignored in such solutions
is the concept of 'localized cost'. It should
be easy to do simple things, and hard to do
complex things, instead of hard to do everything.
</t>
<t>
Configuration of the access control system must be simple to use.
Simple and common tasks should be easy to configure,
and require little expertise or domain-specific knowledge.
Complex tasks should be possible using additional mechanisms
which may require additional expertise.
</t>
<t>
A single set of access control rules should be able
to control all types of NETCONF RPC operation invocation,
all conceptual database access, and all NETCONF session output.
</t>
<t>
Default access control policy needs to be as secure as possible.
</t>
<t>
Protocol access should be defined with a small and familiar
set of permissions, while still allowing full control
of NETCONF database access.
</t>
<t>
Access control does not need to be applied to NETCONF <hello>
messages.
</t>
</section>
<section title="Procedural Interface">
<t>
The NETCONF protocol uses a procedural interface model,
and an extensible set of protocol operations.
Access control for any possible protocol operation is required.
</t>
<t>
It must be possible to configure the ACM to permit or
deny access to specific NETCONF operations.
</t>
<t>
YANG modules should be designed so that different access
levels for input parameters to RPC operations is not required.
</t>
</section>
<section title="Database Access">
<t>
It must be possible control access to specific nodes
and sub-trees within the conceptual NETCONF database.
</t>
<t>
In order for a user to obtain access to a particular
database node, the user must be authorized to have
the same requested access to the specified node,
and all of its ancestors.
</t>
<t>
The same access control rules apply to all conceptual
databases. For example, the candidate configuration
or the running configuration.
</t>
<t>
Only the standard NETCONF databases (candidate, running,
and startup) are controlled by the ACM. Local or remote
files or databases accessed via the <url>
parameter are optional to support.
</t>
<t>
The non-volatile startup configuration needs to be loaded
into the running configuration without applying any
access control rules.
</t>
<t>
Only a privileged user should be able to alter
the factory-default access control rules.
</t>
<section title="Access Rights">
<t>
A small set of hard-wired database access rights is needed
to control access to all possible NETCONF database operations,
including vendor extensions to the standard operation set.
</t>
<t>
The familiar 'CRUDX' model can support all NETCONF operations:
<list style="symbols">
<t>
Create: Allows the client to add a new data node
instance to a database.
</t>
<t>
Read: Allows the client to read a data node instance
from a database, or receive the notification event type.
</t>
<t>
Update: Allows the client to update an existing data
node instance in a database.
</t>
<t>
Delete: Allows the client to delete a data node
instance from a database.
</t>
<t>
eXec: Allows the client to execute the protocol operation.
</t>
</list>
</t>
</section>
<section title="<get> and <get-config> Operations">
<t>
Read operations for restricted configuration data,
either directly or via wildcard access, are silently
omitted from the <rpc-reply> message.
</t>
</section>
<section title="<edit-config> Operation">
<t>
The NACM access rights are not directly coupled to the
NETCONF operation attribute, although they are similar.
Instead, a NACM access right applies to all operations
which would result in a particular access operation to
the target database. This section describes how these
access rights apply to the specific database
operations supported by the <edit-config> operation.
</t>
<t>
If the effective operation is 'none'
(i.e., default-operation='none')
for a particular data node,
then no access control is applied to that data node.
</t>
<t>
A 'create', 'merge', or 'replace' operation on a database node
which would result in the creation of a new data node instance,
for which the user does not have 'create' access permission, is
rejected with an 'access-denied' error.
</t>
<t>
A 'merge' or 'replace' operation on a database node
which would result in the modification of an existing
data node instance,
for which the user does not have 'update' access permission, is
rejected with an 'access-denied' error.
</t>
<t>
A 'replace' or 'delete' operation on a database node
which would result in the deletion of an existing data node instance,
for which the user does not have 'delete' access permission, is
rejected with an 'access-denied' error.
</t>
<t>
A 'merge' operation may include data nodes which do not alter
portions of the existing database. For example, a
container or list nodes
may be present for naming purposes, which do not actually alter
the corresponding database node. These unaltered data nodes
within the
scope of a 'merge' operation are ignored by the server,
and do not require any access rights by the client.
</t>
<t>
A 'merge' operation may include data nodes, but not include
particular child data nodes that are present in the database.
These missing data nodes within the
scope of a 'merge' operation are ignored by the server,
and do not require any access rights by the client.
</t>
<t>
The contents of specific restricted database nodes must not
be exposed in any <rpc-error> elements
within the reply.
</t>
</section>
<section title="<copy-config> Operation">
<t>
Access control for the <copy-config> operation
requires special consideration because the operator
is replacing the entire target database. Write access to the entire
database is needed for this operation to succeed.
</t>
<t>
A client must have access to every database node, even ones that are
not present in the source configuration data.
</t>
<t>
For example, consider a common use-case such as a simple backup and
restore procedure.
The operator must have full read access to the database in order
to receive a complete copy of its contents. If not, the server will
simply omit these sub-trees from the reply. If that copy is later
used to restore the server database, the server will interpret
the missing nodes as a request to delete those nodes, and
return an error.
</t>
</section>
</section>
<section title="Users and Groups">
<t>
The server must obtain a user name from the
underlying NETCONF transport, such as an SSH
user name.
</t>
<t>
It must be possible to specify access control rules
for a single user or a configurable group of users.
</t>
<t>
A configurable superuser account is needed which bypasses all access
control rules. This is needed in case the access control
rules are mis-configured, and all access is denied.
</t>
<t>
The ACM must support the concept of administrative groups,
to support the well-established distinction between
a root account and other types of less-privileged
conceptual user accounts.
These groups must be configurable by the operator.
</t>
</section>
<section title="Maintenance">
<t>
It should be possible to disable part or all of the
access control model without deleting any configuration.
By default, only the 'superuser' should be able to perform
this task.
</t>
<t>
It should be possible to configure a 'superuser' account
so that all access control is disabled for just this
user. This allows the access control rules to always
be modified without completely disabling access control
for all users.
</t>
</section>
<section title="Configuration Capabilities">
<t>
Suitable control and monitoring mechanisms
are needed to allow an operator to easily manage all
aspects of the ACM behavior. A standard data model,
suitable for use with the <edit-config> operation
must be available for this purpose.
</t>
<t>
Access control rules to restrict operations on specific
sub-trees within the configuration database must
be supported. Existing mechanisms
should be used to identify the sub-tree(s) for this purpose.
</t>
</section>
<section title="Identifying Security Holes">
<t>
One of the most important aspects of the data model
documentation, and biggest concerns during deployment,
is the identification of security-sensitive content.
This applies to operations in NETCONF, not just data
and notifications.
</t>
<t>
It is customary for security-sensitive objects
to be documented in the Security Considerations
section of an RFC. This is nice, but it
is not good enough, for the following reasons:
<list style="symbols">
<t>
This documentation-only approach forces operators to
study the RFC and determine if there are any
potential security holes introduced by a new
YANG module.
</t>
<t>
If any security holes are identified, then
the operator must study some more RFC text,
and determine how to close the security hole(s).
</t>
<t>
The ACM on each server must be configured to
close the security holes, e.g., require
privileged access to read or write the
specific data identified in the Security
Considerations section.
</t>
<t>
If the ACM is not pre-configured, then there
will be a time window of vulnerability,
after the new module is loaded, and before
the new access control rules for that module
are configured, enabled, and debugged.
</t>
</list>
</t>
<t>
Often, the operator just wants to disable
default access to the secure content, so
no inadvertent or malicious changes can be made
to the server. This allows the default rules
to be more lenient, without significantly
increasing the security risk.
</t>
<t>
A data model designer should be able to
use machine-readable statements to identity
NETCONF content which should be protected by default.
This will allow client and server tools to automatically
close data-model specific security holes, by
denying access to sensitive data unless the user is
explicitly authorized to perform the requested operation.
</t>
</section>
<section title="Data Shadowing">
<t>
One of the more complicated security administration problems is
identifying data nodes which shadow or mirror the content of
another data node. An access control rule to prevent read
operations for a particular node may be insufficient
to prevent access to the data node with the copied value.
</t>
<t>
If the YANG leafref data type is used, then this data shadowing
can be detected by applications (and the server stack),
and prevented.
</t>
<t>
If the description statement, other documentation, or
no documentation exists to identify a data shadow problem,
then it may not be detected.
</t>
<t>
Since NETCONF allows any vendor operation to be added
to the protocol, there is no way to reliably identify
all of the operations that may expose copies of sensitive
data nodes in <rpc-reply> messages.
</t>
<t>
A NETCONF server must insure than unauthorized access to
its conceptual databases and non-configuration data nodes
is prevented.
</t>
<t>
It is beyond the
scope of this document to define access control enforcement
procedures for underlying device instrumentation that may
exist to support the NETCONF server operation. An operator
must identify each operation that the server provides,
and decide if it needs any access control applied to it.
</t>
<t>
Proprietary protocol operations should be properly documented by the vendor,
so it is clear to operators what data nodes (if any) are affected by
the operation, and what information (if any) is returned
in the <rpc-reply> message.
</t>
</section>
<section title="NETCONF Specific Requirements">
<t>
The server must be able to identify the specific protocol
access request at the 4 access control points defined above.
</t>
<t>
The server must be able to identify any database access
request, even for proprietary operations.
</t>
<t>
A session must always be authorized to
invoke the <close-session> operation,
defined in <xref target="RFC4741"/>.
</t>
<t>
A session must always be authorized to
receive the <replayComplete> and
<notificationComplete> notification events,
defined in <xref target="RFC5277"/>
</t>
<t>
The set of module name strings used within
one particular server must be unique.
</t>
<t>
Within a single server, the module namespace URI
associated with a specific module name string
must persist across a reboot, and never change, once assigned.
</t>
</section>
</section>
<section title="NETCONF Authentication and Authorization Model">
<t>
This document defines three authentication methods for use
with NETCONF:
<list style="empty">
<t>publickey for local users over SSH</t>
<?rfc compact="yes"?>
<t>password for local users over any transport</t>
<t>password for RADIUS users over any transport</t>
<?rfc compact="no"?>
</list>
Additional methods may be defined by other standard documents or
by vendors.
</t>
<t>
Conceptually, the NETCONF transport subsystem authenticates the
user, and passes the name of the authenticated user to the
NETCONF server. The NETCONF server authorizes the user by
mapping it to one or more groups. Access to specific operations
and content is then controlled by access control rules as
described in <xref target="acm"/>.
</t>
<t>
Some protocols, such as RADIUS, performs both authentication and
authorization, and has a mechanism to report authorization
attributes to the client. These attributes are made available
to the NETCONF server in an implementation specific manner.
</t>
<t>
This document defines two optional YANG features, 'local-users'
and 'radius', which the server advertises to indicate support
for configuring local users on the device, and for configuring
RADIUS access, respectively.
</t>
<section title="SSH Public Key Authentication">
<t>
If the NETCONF server advertises the 'local-users' feature,
configuration of local users and their SSH public keys is
supported in the /nacm/authentication/user list.
</t>
<t>
Public key authentication is requested by the SSH client. The
SSH server looks up the user name provided by the client in the
/nacm/authentication/user list, and verifies the key as described
in <xref target="RFC4253"/>.
</t>
<t>
If the 'local-users' feature is supported, then
when a NETCONF client starts an SSH session towards the
server, using the "publickey" authentication 'method name'
<xref target="RFC4252"/>, the SSH server looks up the user
name given in the SSH authentication request in the
/nacm/authentication/user list,
</t>
</section>
<section title="Local User Password Authentication">
<t>
If the NETCONF server advertises the 'local-users' feature,
configuration of local users and their passwords is supported
in the /nacm/authentication/user list.
</t>
<t>
For NETCONF transport protocols that support password
authentication, the leaf-list 'user-authentication-order'
is used to control if local user password authentication
should be used.
</t>
<t>
In SSH, password authentication is requested by the client.
Other NETCONF transport protocols may also support password
authentication.
</t>
<t>
When local user password authentication is requested, the
NETCONF transport looks up the user name provided by the
client in the /nacm/authentication/user list, and verifies the
password.
</t>
</section>
<section title="RADIUS Password Authentication and Service Authorization">
<t>
If the NETCONF server advertises the 'radius' feature, it
supports user authentication and service authorization with
RADIUS, as described in this section.
</t>
<t>
For NETCONF transport protocols that support password
authentication, the leaf-list 'user-authentication-order'
is used to control if RADIUS password authentication
should be used.
</t>
<t>
In SSH, password authentication is requested by the client.
Other NETCONF transport protocols may also support password
authentication.
</t>
<section title="Operation">
<t>
[Editor's Note: I prefer to keep this section short, and
just refer to the relevant rfcs which have detailed
information on radius usage, instead of duplicating this
info here...]
</t>
<t>
When RADIUS user authentication is requested, the NETCONF
transport subsystem acts as a RADIUS client. In the
Access-Request request <xref target="RFC2865"/>, the
following RADIUS attributes SHOULD be sent by the client
<xref target="RFC5607"/>:
<list style="symbols">
<t>
Service-Type with the value Framed-Management
</t>
<t>
Framed-Management-Protocol with the value NETCONF
</t>
<t>
Management-Transport-Protection with the value
Integrity-Confidentiality-Protection
</t>
</list>
</t>
<t>
As described in RFC 5607, if an Access-Accept message is
received which does not authorize the requested service,
access MUST be denied.
</t>
<t>
If any Management-Policy-Id attributes are present in the
Access-Accept message, they are treated as group names in
the access control procedure, as described in <xref
target="acm"/>.
</t>
<t>
The following RADIUS attributes MAY be sent by the RADIUS
server:
<list style="symbols">
<t>
Session-Timeout
</t>
<t>
Idle-Timeout
</t>
</list>
See <xref target="RFC2865"/> for a description of these
attributes. These timeout values MUST be enforced by the
NETCONF server.
</t>
</section>
</section>
</section>
<section title="NETCONF Access Control Model (NACM)"
anchor="acm">
<section title="Introduction">
<t>
This section provides a high-level overview of the
access control model structure. It describes the
NETCONF protocol message processing model, and the conceptual
access control requirements within that model.
</t>
<section title="Features">
<t>
The NACM data model provides the following features:
<list style="symbols">
<t>
Independent control of RPC, data, and notification
access.
</t>
<t>
Very simple access control rules configuration
data model which is easy to use.
</t>
<t>
The concept of a 'superuser' type of account
is supported, but configuration such an account
is beyond the scope of this document. The server
must be able to determine if a superuser account
is available, and if so, the actual user name
for this account. A session associated
with the superuser account
will bypass all access control enforcement.
</t>
<t>
A simple and familiar set of database permissions is
used.
</t>
<t>
Support for YANG security tagging (e.g.,
nacm:secure extension) allows default security
modes to automatically exclude sensitive data.
</t>
<t>
Separate default access modes for read, write, and
execute permissions.
</t>
<t>
Access control rules are applied to configurable groups
of users.
</t>
<t>
The entire ACM can be disabled during
operation, in order to debug operational problems.
</t>
<t>
Access control rules are simple to configure.
</t>
<t>
The number of denied RPC operation requests
and denied database write requests can be
monitored by the client.
</t>
<t>
Simple unconstrained YANG instance identifiers
are used to configure access control rules for
specific data nodes, or child nodes within
specific RPC input, RPC output, and notification
event type content.
</t>
<!--
FIXME: should we define any std debug mechansisms,
e.g. an operation which would report any non-reachable
rules? some way to log triggered rules?
-->
</list>
</t>
</section>
<section title="External Dependencies">
<t>
The <xref target="RFC4741">NETCONF</xref> protocol
is used for all management purposes within this document.
The server must support the features identified
by the 'NETCONF-base' capability.
It is expected that the mandatory transport mapping
<xref target="RFC4742">NETCONF Over SSH</xref> is
also supported by the server, and that the server has
access to the user name associated with each session.
</t>
<t>
The <xref target="I-D.ietf-netmod-yang">
YANG Data Modeling Language</xref>
is used to define the NETCONF data models
specified in this document. The YANG
instance-identifier data type can be used
to configure data-node-specific access control rules.
</t>
</section>
<section title="Message Processing Model">
<t>
The following diagram shows the NETCONF message
flow model, including the points at which access
control is applied, during NETCONF message processing.
</t>
<t>
<figure anchor="NACM_model">
<artwork>
<![CDATA[
+-------------------------+
| session |
| (username) |
+-------------------------+
| ^
V |
+--------------+ +---------------+
| message | | message |
| dispatcher | | generator |
+--------------+ +---------------+
| ^ ^
V | |
+===========+ +-------------+ +----------------+
| <rpc> |---> | <rpc-reply> | | <notification> |
| acc. ctl | | generator | | generator |
+===========+ +-------------+ +----------------+
| ^ ^ ^
V +------+ | |
+-----------+ | +=============+ +================+
| <rpc> | | | <rpc-reply> | | <notification> |
| processor |-+ | acc. ctl | | access ctl |
+-----------+ +=============+ +================+
| | ^ ^
V +----------------+ | |
+===========+ | | |
| data node | | | |
| acc. ctl | -----------+ | | |
+===========+ | | | |
| | | | |
V V V | |
+---------------+ +-----------------+
| configuration | ---> | server |
| database | | instrumentation |
| | <--- | |
+---------------+ +-----------------+
]]>
</artwork>
</figure>
</t>
<t>
The following high-level sequence of conceptual processing steps
is executed for each received <rpc> message,
if access control enforcement is enabled:
<list style="symbols">
<t>
Access control is applied to all <rpc> messages
(except <close-session>)
received by the server, individually, for each active session,
unless the user identity for the session is the 'superuser'.
</t>
<t>
If the session is authorized to execute the specified RPC
operation, then processing continues, otherwise
the request is rejected with an 'access-denied' error.
</t>
<t>
If the configuration database or conceptual state data
is accessed by the RPC operation,
then the configuration access must be authorized first.
If the session is authorized to perform the requested
operation on the requested data, then processing continues.
</t>
</list>
</t>
<t>
The following sequence of conceptual processing steps
is executed for each generated notification event,
if access control enforcement is enabled:
<list style="symbols">
<t>
Server instrumentation generates a conceptual notification,
for a particular subscription.
</t>
<t>
The notification access control enforcer checks the
notification event type, and if it is one which
the session is not authorized to read, then the
notification is dropped for that subscription.
</t>
</list>
</t>
</section>
</section>
<section title="Model Components">
<t>
This section defines the conceptual components
related to access control model.
</t>
<section title="Users">
<t>
A 'user' is the conceptual identity, which is associated
with the access permissions granted to a particular session.
A user is identified by a string which must be unique
within the server.
</t>
<t>
The user name string is usually derived from the
transport layer during session establishment.
A server is required to have an authenticated user name
for a session before <rpc> requests will be
accepted. Otherwise all write requests must be rejected
with an 'access-denied' error-tag value.
If a read operation is not authorized, then the
requested data is silently dropped from the reply.
</t>
<t>
The server MAY support a 'superuser' administrative user
account, which will bypass all access control enforcement.
This is useful for restricting initial access
and repairing a broken access control configuration.
This account may be configurable to use a specific user, or disabled
completely. Some systems have factory-selected superuser
account names. There is no need to standardize the exact
user name for the superuser account. If no such account exists,
then all NETCONF access will be controlled by NACM.
</t>
</section>
<section title="Groups">
<t>
Access to a specific NETCONF operation is granted to
a session, associated with a group, not a user.
</t>
<t>
A group is identified by its name. All group names must be
unique within the server.
</t>
<t>
A group member is identified by a user name string.
</t>
<t>
The same user may be configured in multiple groups.
</t>
<t>
The server should support the 3 default group identities
defined in this document (admin, monitor, guest),
however these roles are just unique identities,
provided for operator convenience.
There is no standard behavior defined for each group
identity. That is up to the operator who configures the
groups.
</t>
</section>
<section title="Sessions">
<t>
A session is simply a NETCONF session, which is the
entity which is granted access to specific NETCONF
operations.
</t>
<t>
A session is associated with a single user name for the
lifetime of the session.
</t>
</section>
<section title="Access Permissions">
<t>
The access permissions are the NETCONF protocol specific
set of permissions that have
been assigned to a particular session role or group.
</t>
<t>
The same access permissions MUST stay in effect for
the processing of a particular message.
</t>
<t>
The server MUST use the access control rules in effect
at the time the message is processed.
</t>
<t>
The access control model treats RPC operation execution
separately from configuration database access
and outgoing messages:
<list style="hanging">
<t hangText="create:">
Permission to create conceptual server data.
</t>
<t hangText="read:">
Read access to conceptual server data, <rpc-reply> and
<notification> content.
</t>
<t hangText="update:">
Permission to modify existing conceptual server data.
</t>
<t hangText="delete:">
Permission to delete existing conceptual server data.
</t>
<t hangText="exec:">
Permission to invoke an RPC operation.
</t>
</list>
</t>
</section>
<section title="Global Enforcement Controls">
<t>
A global on/off switch is provided to enable
or disable all access control enforcement.
</t>
<t>
An on/off switch is provided to
enable or disable default access
to invoke RPC operations.
</t>
<t>
An on/off switch is provided to
enable or disable default permission
to receive data in replies and notifications.
</t>
<t>
An on/off switch is provided to
enable or disable default access
to alter configuration data.
</t>
</section>
<section title="Access Control Rules">
<t>
There are 4 types of rules available in NACM:
<list style="hanging">
<t hangText="module rule:">
Controls access for definitions in
a specific module, identified by its
name.
</t>
<t hangText="RPC operation rule:">
Controls access for a
specific RPC operation, identified by its
module and name.
</t>
<t hangText="data node rule:">
Controls access for a
specific data node, identified by its
path location within the conceptual
XML document for the data node.
</t>
<t hangText="notification rule:">
Controls access for a
specific notification event type, identified by its
module and name.
</t>
</list>
</t>
</section>
</section>
<section title="Access Control Enforcement Procedures">
<t>
There are seven separate phases that must be addressed,
four of which are related to the NETCONF message processing model.
In addition, the initial start-up mode for a NETCONF server,
session establishment, and 'access-denied' error handling
procedures must also be considered.
</t>
<section title="Initial Operation">
<t>
Upon the very first start-up of the NETCONF server,
the access control configuration will probably
not be present. If not,
a server should not allow any write access to
any session role except 'superuser' type of
account in this state.
</t>
<t>
There is no requirement to enforce access control
rules before or while the non-volatile configuration
data is processed and loaded into the running
configuration.
</t>
</section>
<section title="Session Establishment">
<t>
The access control model applies specifically
to the well-formed XML content transferred between a client
and a server, after session establishment has been completed,
and after the <hello> exchange has been successfully
completed.
</t>
<t>
A server should not include any sensitive information
in any <capability> elements within the
<hello> exchange.
</t>
<t>
Once session establishment is completed, and a user identity
has been authenticated, a NETCONF server will
enforce the access control rules, based on the
supplied user identity and the configuration data stored
on the server.
</t>
</section>
<section title="'access-denied' Error Handling">
<t>
The 'access-denied' error-tag is generated when
the access control system denies access to either a
request to invoke an RPC operation or a request to
perform a particular operation on the configuration
database.
</t>
<t>
A server must not include any sensitive information
in any <error-info> elements within the
<rpc-error> response.
</t>
</section>
<section title="Incoming RPC Message Validation">
<t>
The diagram below shows the basic
conceptual structure of the access control processing model
for incoming NETCONF <rpc> messages, within a server.
</t>
<t>
<figure anchor="NACM_incoming">
<artwork>
<![CDATA[
NETCONF server
+------------+
| XML |
| message |
| dispatcher |
+------------+
|
|
V
+------------+
| NC-base NS |
| <rpc> |
+------------+
| | |
| | +-------------------------+
| +------------+ |
V V V
+-----------+ +---------------+ +------------+
| acme NS | | NC-base NS | | NC-base NS |
| <my-edit> | | <edit-config> | | <unlock> |
+-----------+ +---------------+ +------------+
| |
| |
V V
+----------------------+
| |
| configuration |
| database |
+----------------------+
]]>
</artwork>
</figure>
</t>
<t>
Access control begins with the message dispatcher.
Only well-formed XML messages should be processed
by the server.
</t>
<t>
After the server validates the <rpc> element,
and determines the namespace URI and the element
name of the RPC operation being requested, the RPC access
control enforcer verifies that the session is authorized
to invoke the RPC operation.
</t>
<t>
The RPC operation is authorized by following these steps:
<list style="numbers">
<t>
If the <enable-nacm> parameter is set to 'false',
then the RPC operation is permitted.
</t>
<t>
If the session is associated with the 'superuser'
account, then the RPC operation is permitted.
</t>
<t>
If the requested operation is the NETCONF
<close-session> operation, then
the RPC operation is permitted.
</t>
<t>
Check all the <group> entries
for ones that contain a <user-name>
entry that matches the user name for the
session making the request.
</t>
<t>
If no groups are found:
<list style="symbols">
<t>
If the requested RPC operation is
associated with a YANG module
advertised in the server capabilities,
and the rpc statement contains a
nacm:secure or nacm:very-secure extension,
then the RPC operation is denied.
</t>
<t>
If the <exec-default> parameter is
set to 'permit', then permit the RPC operation,
otherwise deny the request.
</t>
</list>
</t>
<t>
Check if there are any matching <rpc-rule> entries
for the requested RPC operation. Any matching rules
are processed in user-defined order, in case there
are multiple <rpc-rule> entries for the requested
RPC operation.
</t>
<t>
If an <rpc-rule> entry is found, then
check the <allowed-rights> bits field
for the entry, otherwise continue.
The 'exec' bit MUST be present in the
<allowed-rights> bits field
for an <rpc-rule>, so it is
not used in this procedure.
</t>
<t>
If the <rpc-rule> entry is considered
a match, the the 'nacm-action' leaf is checked.
If is equal to 'permit', then the RPC operation
is permitted, otherwise it is denied.
</t>
<t>
Check if there are any matching <module-rule> entries
for the same module as the requested RPC operation.
Any matching rules are processed in user-defined order,
in case there are multiple <module-rule> entries
for the module containing the requested RPC operation.
</t>
<t>
If a <module-rule> entry is found, then
check the <allowed-rights> bits field
for the entry, otherwise continue.
If the 'exec' bit is present in the
<allowed-rights> bits field
then the RPC rule is considered a match.
otherwise it is not considered to match the request.
</t>
<t>
If the <module-rule> entry is considered
a match, the the 'nacm-action' leaf is checked.
If is equal to 'permit', then the RPC operation
is permitted, otherwise it is denied.
</t>
<t>
If the requested operation is identified an
a nacm:secure or nacm:very-secure RPC operation,
then the RPC operation is denied.
</t>
<t>
If the <exec-default> parameter is
set to 'permit', then permit the RPC operation,
otherwise the RPC operation is denied.
</t>
</list>
</t>
<t>
If the session is not authorized to invoke the RPC operation
then an <rpc-error> is generated with the following
information:
<list style="hanging">
<t hangText="error-tag:">access-denied</t>
<t hangText="error-path:">
/rpc/method-QName, where
'method-QName' is a qualified name identifying the
actual RPC operation name. For example, '/rpc/edit-config'
represents the <edit-config> operation in the
NETCONF base namespace.
</t>
</list>
</t>
<t>
If the configuration database is accessed,
either directly or as a side effect of the
RPC operation, then the server
must intercept the operation
and make sure the session is authorized to
perform the requested operation on the specified data.
</t>
</section>
<section title="Data Node Access Validation">
<t>
If a data node within a configuration database
is accessed, or a conceptual non-configuration
node is accessed, then the server must ensure that
the client session is authorized to perform
the requested operation create, read, update,
or delete operation on the specified data node.
</t>
<t>
The data node access request is authorized by following
these steps:
<list style="numbers">
<t>
If the <enable-nacm> parameter is set to 'false',
then the data node access request is permitted.
</t>
<t>
If the session is associated with the 'superuser'
account, then the data node access request is permitted.
</t>
<t>
Check all the <group> entries
for ones that contain a <user-name>
entry that matches the user name for the
session making the request.
</t>
<t>
If no groups are found:
<list style="symbols">
<t>
If the requested data node is
associated with a YANG module
advertised in the server capabilities,
and the data definition statements
(or any of its ancestors)
contains a nacm:secure or nacm:very-secure extension,
then the data node access request is denied.
</t>
<t>
For a read request, if the <read-default> parameter is
set to 'permit', then permit the data node access request,
otherwise deny the request. For a read operation,
this means that the requested node is not included
in the rpc-reply.
</t>
<t>
For a write request, if the <write-default> parameter is
set to 'permit', then permit the data node access request,
otherwise deny the request.
</t>
</list>
</t>
<t>
Check if there are any matching <data-rule> entries
for the requested data node access request. Any matching rules
are processed in user-defined order, in case there
are multiple <data-rule> entries for the requested
data node.
</t>
<t>
If an <data-rule> entry is found, then
check the <allowed-rights> bits field
for the entry, otherwise continue.
<list>
<t>
For a creation operation, if the 'create' bit is present in the
<allowed-rights> bits field
then the entry is considered to be a match.
</t>
<t>
For a read operation, if the 'read' bit is present in the
<allowed-rights> bits field, then the
entry is considered to be a match.
</t>
<t>
For an update (e.g., 'merge' or 'replace') operation,
if the 'update' bit is present in the
<allowed-rights> bits field
then the entry is considered to be a match.
</t>
<t>
For a deletion (e.g., 'delete') operation,
if the 'delete' bit is present in the
<allowed-rights> bits field
then the entry is considered to be a match.
</t>
</list>
</t>
<t>
If the <data-rule> entry is considered
a match, the the 'nacm-action' leaf is checked.
If it is equal to 'permit', then the data operation
is permitted, otherwise it is denied. For 'read'
operations, 'denied' means the requested data is not
returned in the reply.
</t>
<t>
Check if there are any matching <module-rule> entries
for the same module as the requested data node.
Any matching rules are processed in user-defined order,
in case there are multiple <module-rule> entries
for the module containing the requested data node.
</t>
<t>
If a <module-rule> entry is found, then
check the <allowed-rights> bits field
for the entry, otherwise continue.
<list>
<t>
For a creation operation, if the 'create' bit is present in the
<allowed-rights> bits field
then the entry is considered to be a match.
</t>
<t>
For a read operation, if the 'read' bit is present in the
<allowed-rights> bits field, then the
entry is considered to be a match.
</t>
<t>
For an update (e.g., 'merge' or 'replace') operation,
if the 'update' bit is present in the
<allowed-rights> bits field
then the entry is considered to be a match.
</t>
<t>
For a deletion (e.g., 'delete') operation,
if the 'delete' bit is present in the
<allowed-rights> bits field
then the entry is considered to be a match.
</t>
</list>
</t>
<t>
If the <module-rule> entry is considered
a match, the the 'nacm-action' leaf is checked.
If it is equal to 'permit', then the data operation
is permitted, otherwise it is denied. For 'read'
operations, 'denied' means the requested data is not
returned in the reply.
</t>
<t>
For a read request, if the requested data node is identified an
a nacm:very-secure definition,
then the requested data node is not included in the
reply.
</t>
<t>
For a write request, if the requested data node is identified an
a nacm:secure or nacm:very-secure definition,
then the data node access request is denied.
</t>
<t>
For a read request, if the <read-default> parameter is
set to 'permit', then include the requested data in the reply,
otherwise do not inlcude the requested data in the reply.
</t>
<t>
For a write request, if the <write-default> parameter is
set to 'permit', then permit the data node access request,
otherwise deny the request.
</t>
</list>
</t>
</section>
<section title="Outgoing <rpc-reply> Authorization">
<t>
The <rpc-reply> message should be checked by the server
to make sure no unauthorized data is contained within
it. If so, the restricted data must be removed
from the message before it is sent to the client.
</t>
<t>
For RPC operations which do not access any data nodes,
then any client authorized to invoke the RPC operation
is also authorized to receive the <rpc-reply>
for that RPC operation.
</t>
</section>
<section title="Outgoing <notification> Authorization">
<t>
The <notification> message should be checked by the server
to make sure no unauthorized data is contained within
it. If so, the restricted data must be removed
from the message before it is sent to the client.
</t>
<t>
Configuration of access control rules specifically
for descendent nodes of the notification event type
element are outside the scope of this document.
If the session is authorized to receive the
notification event type, then it is also
authorized to receive any data it contains.
</t>
<t>
The following figure shows the conceptual message processing
model for outgoing <notification> messages.
</t>
<t>
<figure anchor="NACM_outgoing_notification">
<artwork>
<![CDATA[
NETCONF server
+------------+
| XML |
| message |
| generator |
+------------+
^
|
+----------------+
| <notification> |
| generator |
+----------------+
^
|
+=================+
| <notification> |
| access control |
| <eventType> |
+=================+
^
|
+------------------------+
| server instrumentation |
+------------------------+
| ^
V |
+----------------------+
| configuration |
| database |
+----------------------+
]]>
</artwork>
</figure>
</t>
<t>
The generation of a notification event for
a specific subscription is authorized by following
these steps:
<list style="numbers">
<t>
If the <enable-nacm> parameter is set to 'false',
then the notification event is permitted.
</t>
<t>
If the session is associated with the 'superuser'
account, then the notification event is permitted.
</t>
<t>
If the requested operation is the NETCONF
<replayComplete> or <notificationComplete>
event type, then
the notification event is permitted.
</t>
<t>
Check all the <group> entries
for ones that contain a <user-name>
entry that matches the user name for the
session that started the notification subscription.
</t>
<t>
If no groups are found:
<list style="symbols">
<t>
If the requested notification is
associated with a YANG module
advertised in the server capabilities,
and the notification statement contains a
nacm:secure or nacm:very-secure extension,
then the notification event is dropped
for the associated subscription.
</t>
<t>
If the <read-default> parameter is
set to 'permit', then permit the notification
event, otherwise drop this event type
for the associated subscription.
</t>
</list>
</t>
<t>
Check if there are any matching <notification-rule> entries
for the specific notification event type being delivered
to the subscription. Any matching rules
are processed in user-defined order, in case there
are multiple <notification-rule> entries for the
requested notification event type.
</t>
<t>
If a <notification-rule> entry is found, then
check the <allowed-rights> bits field
for the entry, otherwise continue.
If the 'read' bit is present in the
<allowed-rights> bits field
then the notification event type is permitted,
otherwise it is dropped for the associated subscription.
</t>
<t>
Check if there are any matching <module-rule> entries
for the same module as the notification event type.
Any matching rules are processed in user-defined order,
in case there are multiple <module-rule> entries
for the module containing the notification event type.
</t>
<t>
If a <module-rule> entry is found, then
check the <allowed-rights> bits field
for the entry, otherwise continue.
If the 'read' bit is present in the
<allowed-rights> bits field
then the notification event type is permitted,
otherwise it is dropped for the associated subscription.
</t>
<t>
If the requested event type is identified an
a nacm:very-secure notification definition,
then the notification event type is denied.
</t>
<t>
If the <read-default> parameter is
set to 'permit', then permit the notification
event type, otherwise it is dropped for
the associated subscription.
</t>
</list>
</t>
</section>
</section>
<section title="Data Model Definitions" anchor="DM">
<t>
This section defines the semantics of the
conceptual data structures found in the data model
in <xref target="DM"/>.
</t>
<section title="High Level Procedures">
<t>
There are some high level management procedures that
an administrator needs to consider before using this
access control model:
<list style="numbers">
<t>
Configure the global settings.
</t>
<t>
Configure one or more user groups.
</t>
<t>
Configure zero or more access control rules for
specific modules.
</t>
<t>
Configure zero or more access control rules for
specific RPC operations.
</t>
<t>
Configure zero or more access control rules for
data node access.
</t>
<t>
Configure zero or more access control rules for
notification event type access.
</t>
</list>
</t>
</section>
<section title="Data Organization">
<t>
The top-level element is called <nacm>, and it
is defined in the 'nacm' module namespace.
</t>
<t>
There are several data structures defined as child nodes
of the <nacm> element:
<list style="hanging">
<t hangText="leaf <enable-nacm>:">
On/off boolean switch to enable or disable
access control enforcement.
</t>
<t hangText="container <authentication>:">
Configuration of the NETCONF server user
authentication mechanisms.
</t>
<t hangText="leaf <read-default>:">
Enumeration to permit or deny
default read access requests.
</t>
<t hangText="leaf <write-default>:">
Enumeration to permit or deny
default write access requests.
</t>
<t hangText="leaf <exec-default>:">
Enumeration to permit or deny
default RPC operation execution requests.
</t>
<t hangText="leaf <denied-rpcs>:">
Read-only counter of the number of
times the server has denied an RPC
operation request, since the last reboot
of the server.
</t>
<t hangText="leaf <denied-data-writes>:">
Read-only counter of the number of
times the server has denied a
data node write request, since the last reboot
of the server.
</t>
<t hangText="container <groups>:">
Configures the groups used within the access
control system.
<list style="hanging">
<t hangText="list <group>:">
A list of user names belonging to the
same administrative group.
</t>
</list>
</t>
<t hangText="container <rules>:">
Configures the access control rules used
within the server.
<list style="hanging">
<t hangText="list <module-rule>:">
Configures the access control rules for
a specific module.
</t>
<t hangText="list <rpc-rule>:">
Configures the access control rules for
RPC operation invocation.
</t>
<t hangText="list <data-rule>:">
Configures the access control rules
for configuration database access.
</t>
<t hangText="list <notification-rule>:">
Configures the access control rules for controlling
delivery of <notification> events.
</t>
</list>
</t>
</list>
</t>
</section>
<section title="YANG Module">
<t>
The following YANG module is provided to specify
the normative NETCONF content that must
by supported by the server.
</t>
<t>
<figure anchor="YANG_module">
<artwork><![CDATA[
<CODE BEGINS> file="nacm@2010-06-29.yang"
m4_include(nacm.yang)
<CODE ENDS>
]]></artwork>
</figure>
</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>
There are two actions that are requested of IANA:
<list style="numbers">
<t>register data model schema namespace URI (TBD)</t>
<t>register data model name ('nacm')</t>
</list>
</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>
This entire document discusses access control
requirements and mechanisms for restricting
NETCONF protocol behavior within a given session.
</t>
<t>
Configuration of the access control system is
highly sensitive to system security. A server may
choose not to allow any user configuration to
some portions of it, such as the global security level,
or the groups which allowed access to system resources.
</t>
<t>
This document incorporates the optional use of a 'superuser'
account, which can be used to bypass access control
enforcement. It is suggested that the 'root' account not be
used for NETCONF over SSH servers, because 'root' SSH logins
should be disabled in the SSH server.
</t>
<t>
If the server chooses to allow user configuration of
the access control system, then only sessions using
the 'superuser' administrative user should be allowed to
have write access to the data model.
</t>
<t>
If the server chooses to allow user retrieval of
the access control system configuration, then only sessions using
the 'superuser' administrative user should be allowed to
have read access to the data model.
</t>
<t>
There is a risk that invocation of
non-standard RPC operations will have undocumented side effects.
An administrator should construct access control rules
such that the configuration database is protected
from such side effects. Also, such RPC operations
should never be invoked by a session using the 'superuser'
administrative user.
</t>
<t>
There is a risk that non-standard RPC operations, or
even the standard <get> operation, may
return data which 'aliases' or 'copies' sensitive data
from a different data object.
In this case, the namespace and/or the element name
will not match the values for the sensitive data,
which is then fully or partially copied into a different
namespace and/or element. An administrator should
avoid using data models which use this practice.
</t>
<t>
An administrator should restrict write access to all
configurable objects within this data model. It is suggested
that only sessions using the 'superuser' administrative role
be permitted to configure the data model defined in this document.
</t>
<t>
If write access is allowed for configuration of
access control rules, then care must be taken
not to disrupt the access control enforcement.
</t>
<t>
An administrator should restrict read access to the
following objects within this data model, which reveal
access control configuration which could be considered
sensitive.
<list style="symbols">
<t>enable-nacm</t>
<t>read-default</t>
<t>write-default</t>
<t>exec-default</t>
<t>groups</t>
<t>rules</t>
</list>
</t>
</section>
</section>
</middle>
<!-- ***** BACK MATTER ***** -->
<back>
<references title="Normative References">
&rfc2119;
&rfc2865;
&rfc4252;
&rfc4253;
&rfc4741;
&rfc4742;
&rfc5277;
&rfc5607;
&xmlspec;
&yangspec;
&yangtypes;
</references>
<section title="Usage Examples">
<t>
The following XML snippets are provided as examples only,
to demonstrate how NACM can be configured to perform
some access control tasks.
</t>
<section title="<groups> Example">
<t>
There must be at least one <group> entry
in order for any of the access control rules
to be useful.
</t>
<t>
The following XML shows arbitrary groups,
and is not intended to represent any particular
use-case.
</t>
<t>
<figure>
<artwork><![CDATA[
m4_include(ex1.xml)
]]>
</artwork>
</figure>
</t>
<t>
This example shows 3 groups:
<list style="numbers">
<t>
The nacm:admin group contains 2 users named 'admin' and 'andy'.
</t>
<t>
The nacm:monitor group contains 2 users named
'wilma' and 'bam-bam'.
</t>
<t>
The nacm:guest group contains 2 users named
'guest' and 'guest@example.com'.
</t>
</list>
</t>
</section>
<section title="<module-rule> Example">
<t>
Module rules are used to control access to
all the content defined in a specific module.
These rules are checked after none of
the specific
rules (i.e., rpc-rule, data-rule, or
notification-rule) matched the current access request.
</t>
<t>
<figure>
<artwork><![CDATA[
m4_include(ex2.xml)
]]>
</artwork>
</figure>
</t>
<t>
This example shows 4 module rules:
<list style="hanging">
<t hangText="mod-1:">
This rule prevents the guest group from
reading any monitoring information in
the ietf-netconf-monitoring YANG module.
</t>
<t hangText="mod-2:">
This rule allows the monitor group to read the
ietf-netconf-monitoring YANG module.
</t>
<t hangText="mod-3:">
This rule allows the monitor group to invoke any
RPC operation supported by the server.
</t>
<t hangText="mod-4:">
This rule allows the admin group complete access
to all content in the server. No subsequent rule
will match for the admin group, because of this
module rule.
</t>
</list>
</t>
</section>
<section title="<rpc-rule> Example">
<t>
RPC rules are used to control access to
a specific RPC operation.
</t>
<t>
<figure>
<artwork><![CDATA[
m4_include(ex3.xml)
]]>
</artwork>
</figure>
</t>
<t>
This example shows 3 RPC operation rules:
<list style="hanging">
<t hangText="rpc-1:">
This rule prevents the monitor or guest groups
from invoking the NETCONF
<kill-session> RPC operation.
</t>
<t hangText="rpc-2:">
This rule prevents the monitor or guest groups
from invoking the NETCONF
<delete-config> RPC operation.
</t>
<t hangText="rpc-3:">
This rule allows the monitor group
to invoke the NETCONF
<edit-config> RPC operation.
This rule will have no real affect
unless the 'exec-default' leaf is set to 'deny'.
</t>
</list>
</t>
</section>
<section title="<data-rule> Example">
<t>
Data rules are used to control access to
specific (config and non-config) data nodes
within the NETCONF content provided by the server.
</t>
<t>
<figure>
<artwork><![CDATA[
m4_include(ex4.xml)
]]>
</artwork>
</figure>
</t>
<t>
This example shows 4 data rules:
<list style="hanging">
<t hangText="data-1:">
This rule denies the guest group
any access to the <nacm> sub-tree.
Note that the default namespace is only
applicable because this sub-tree is defined
in the same namespace as the <data-rule>
element.
</t>
<t hangText="data-acme-config:">
This rule gives the monitor group
read-write access to the acme <config-parameters>.
</t>
<t hangText="dummy-itf:">
This rule gives the monitor and guest groups
read-update access to the acme <interface>.
entry named 'dummy'. This entry cannot be created or
deleted by these groups, just altered.
</t>
<t hangText="admin-itf:">
This rule gives the admin group
read-write access to all acme <interface>.
entries. This is an example of an unreachable rule
because the 'mod-3' rule already gives the admin
group full access to this data.
</t>
</list>
</t>
</section>
<section title="<notification-rule> Example">
<t>
Notification rules are used to control access to
a specific notification event type.
</t>
<t>
<figure>
<artwork><![CDATA[
m4_include(ex5.xml)
]]>
</artwork>
</figure>
</t>
<t>
This example shows 1 notification rule:
<list style="hanging">
<t hangText="notif-1:">
This rule prevents the monitor or guest groups
from receiving the
acme <sys-config-change> event type.
</t>
</list>
</t>
</section>
</section>
<section title="Open Issues">
<t>
<list style="numbers">
<t>
Do modules need to be identified by their
XML namespace URI, or is the module name
good enough?
</t>
<t>
Are any more wildcard mechanisms needed to
specify the scope of an access control rule?
</t>
<t>
Should regular expressions (module='foo-*') be
allowed in schema-instance-identifier strings?
</t>
<t>
Should XPath be allowed for specifying
access control rules for data nodes?
</t>
<t>
Are any 'access-denied' notifications needed?
</t>
<t>
Should data rules support nodes that would
not be eligible for retrieval with the <get>
operation? If so, should schema nodes such
as rpc 'input' or 'output' be in the path
expression? How would notification content
be identified?
</t>
<t>
Do any external access control models need
to be supported somehow? For example, should
the <groups> configuration be optionally
read-only, so it can just mirror the internal
(external or proprietary) group configuration?
</t>
<t>
Should the nacm:secure and nacm:very-secure
extensions be optional to support, via a
YANG feature?
</t>
<t>
Should the default access levels (e.g., read-default)
be more restrictive by default? Shiuld these defaults
be a vendor decision? An operator decision?
It is important that the server be able to install
a factory default <nacm> container if needed.
</t>
</list>
</t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 15:31:41 |