Internet Engineering Task Force (IETF)                        A. Bierman
Request for Comments: 8341                                     YumaWorks
STD: 91                                                     M. Bjorklund
Obsoletes: 6536                                           Tail-f Systems
Category: Standards Track                                     March 2018
ISSN: 2070-1721

Network Configuration Access Control Model

Abstract

The standardization of network configuration interfaces for use with the Network Configuration Protocol (NETCONF) or the RESTCONF protocol requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability. There is a need for standard mechanisms to restrict NETCONF or RESTCONF protocol access for particular users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. This document defines such an access control model.

This document obsoletes RFC 6536.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8341.

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Terminology
      1.2. Changes since RFC 6536
   2. Access Control Design Objectives
      2.1. Access Control Points
      2.2. Simplicity
      2.3. Procedural Interface
      2.4. Datastore Access
      2.5. Users and Groups
      2.6. Maintenance
      2.7. Configuration Capabilities
      2.8. Identifying Security-Sensitive Content
   3. NETCONF Access Control Model (NACM)
      3.1. Overview
           3.1.1. Features
           3.1.2. External Dependencies
           3.1.3. Message Processing Model
      3.2. Datastore Access
           3.2.1. Mapping New Datastores to NACM
           3.2.2. Access Rights
           3.2.3. RESTCONF Methods
           3.2.4. <get> and <get-config> Operations
           3.2.5. <edit-config> Operation
           3.2.6. <copy-config> Operation
           3.2.7. <delete-config> Operation
           3.2.8. <commit> Operation
           3.2.9. <discard-changes> Operation
           3.2.10. <kill-session> Operation
      3.3. Model Components
           3.3.1. Users
           3.3.2. Groups
           3.3.3. Emergency Recovery Session
           3.3.4. Global Enforcement Controls
                  3.3.4.1. enable-nacm Switch
                  3.3.4.2. read-default Switch
                  3.3.4.3. write-default Switch
                  3.3.4.4. exec-default Switch
                  3.3.4.5. enable-external-groups Switch
           3.3.5. Access Control Rules
      3.4. Access Control Enforcement Procedures
           3.4.1. Initial Operation
           3.4.2. Session Establishment
           3.4.3. "access-denied" Error Handling
           3.4.4. Incoming RPC Message Validation
           3.4.5. Data Node Access Validation
           3.4.6. Outgoing <notification> Authorization
      3.5. Data Model Definitions
           3.5.1. Data Organization
           3.5.2. YANG Module
   4. IANA Considerations
   5. Security Considerations
      5.1. NACM Configuration and Monitoring Considerations
      5.2. General Configuration Issues
      5.3. Data Model Design Considerations
   6. References
      6.1. Normative References
      6.2. Informative References
   Appendix A. Usage Examples
     A.1. <groups> Example
     A.2. Module Rule Example
     A.3. Protocol Operation Rule Example
     A.4. Data Node Rule Example
     A.5. Notification Rule Example
   Authors' Addresses

1. Introduction

The Network Configuration Protocol (NETCONF) and the RESTCONF protocol do not provide any standard mechanisms to restrict the protocol operations and content that each user is authorized to access.

There is a need for interoperable management of the controlled access to administrator-selected portions of the available NETCONF or RESTCONF content within a particular server.

This document addresses access control mechanisms for the Operations and Content layers of NETCONF, as defined in [RFC6241]; and RESTCONF, as defined in [RFC8040]. It contains three main sections:

1. Access Control Design Objectives

2. NETCONF Access Control Model (NACM)

3. YANG Data Model (ietf-netconf-acm.yang)

YANG version 1.1 [RFC7950] adds two new constructs that need special access control handling. The "action" statement is similar to the "rpc" statement, except that it is located within a data node. The "notification" statement can also be located within a data node.

1.1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

The following terms are defined in [RFC8342] and are not redefined here:

o datastore

o configuration datastore

o conventional configuration datastore

o candidate configuration datastore

o running configuration datastore

o startup configuration datastore

o operational state datastore

o client

o server

The following terms are defined in [RFC6241] and are not redefined here:

o protocol operation

o session

o user

The following terms are defined in [RFC7950] and are not redefined here:

o action

o data node

o data definition statement

The following terms are defined in [RFC8040] and are not redefined here:

o data resource

o datastore resource

o operation resource

o target resource

The following term is defined in [RFC7230] and is not redefined here:

o request URI

The following terms are used throughout this document:

access control: A security feature provided by the server that allows an administrator to restrict access to a subset of all protocol operations and data, based on various criteria.

access control model (ACM): A conceptual model used to configure and monitor the access control procedures desired by the administrator to enforce a particular access control policy.

access control rule: The criterion used to determine if a particular access operation will be permitted or denied.

access operation: How a request attempts to access a conceptual object. One of "none", "read", "create", "delete", "update", or "execute".

data node hierarchy: The hierarchy of data nodes that identifies the specific "action" or "notification" node in the datastore.

recovery session: A special administrative session that is given unlimited NETCONF access and is exempt from all access control enforcement. The mechanism or mechanisms used by a server to control and identify whether or not a session is a recovery session are implementation specific and are outside the scope of this document.

write access: A shorthand for the "create", "delete", and "update" access operations.

1.2. Changes since RFC 6536

The NACM procedures and data model have been updated to support new data modeling capabilities in version 1.1 of the YANG data modeling language. The "action" and "notification" statements can be used within data nodes to define data-model-specific operations and notifications.

An important use case for these new YANG statements is the increased access control granularity that can be achieved over top-level "rpc" and "notification" statements. The new "action" and "notification" statements are used within data nodes, and access to the action or notification can be restricted to specific instances of these data nodes.

Support for the RESTCONF protocol has been added. The RESTCONF operations are similar to the NETCONF operations, so a simple mapping to the existing NACM procedures and data model is possible.

The data node access behavior for path matches has been clarified to also include matching descendant nodes of the specified path.

The <edit-config> operation access rights behavior has been clarified to indicate that write access is not required for data nodes that are implicitly modified through side effects (such as the evaluation of YANG when-stmts, or data nodes implicitly deleted when creating a data node under a different branch under a YANG choice-stmt).

The Security Considerations section has been updated to comply with the "YANG module security guidelines" [YANG-SEC]. Note that the YANG module in this document does not define any RPC operations.

2. Access Control Design Objectives

This section documents the design objectives for the NETCONF access control model presented in Section 3.

2.1. Access Control Points

NETCONF allows server implementers to add new custom protocol operations, and the YANG data modeling language supports this feature. These operations can be defined in standard or proprietary YANG modules.

It is not possible to design an ACM for NETCONF that only focuses on a static set of standard protocol operations defined by NETCONF itself, like some other protocols. Since few assumptions can be made about an arbitrary protocol operation, the NETCONF architectural server components need to be protected at three conceptual control points.

These access control points, described in Figure 1, are as follows:

protocol operation: Permission to invoke specific protocol operations.

datastore: Permission to read and/or alter specific data nodes within any datastore.

notification: Permission to receive specific notification event types.

                 +-------------+                 +-------------+
    client       |  protocol   |                 |  data node  |
    request -->  |  operation  | ------------->  |   access    |
                 |  allowed?   |   datastore     |  allowed?   |
                 +-------------+   or state      +-------------+
                                   data access

                 +----------------+
                 |  notification  |
    event -->    |  allowed?      |
                 +----------------+

Figure 1

2.2. Simplicity

There is concern that a complicated ACM will not be widely deployed because it is too hard to use. Configuration of the access control system needs to be as simple as possible. Simple and common tasks need to be easy to configure and require little expertise or domain-specific knowledge. Complex tasks are possible using additional mechanisms that may require additional expertise.

A single set of access control rules ought to be able to control all types of NETCONF protocol operation invocation, all datastore access, and all notification events.

Access control ought to be defined with a small and familiar set of permissions, while still allowing full control of datastore access.

2.3. Procedural Interface

NETCONF uses a Remote Procedure Call (RPC) model and an extensible set of protocol operations. Access control for any possible protocol operation is necessary.

2.4. Datastore Access

It is necessary to control access to specific nodes and subtrees within the datastore, regardless of which protocol operation -- standard or proprietary -- was used to access the datastore.

2.5. Users and Groups

It is necessary that access control rules for a single user or a configurable group of users can be configured.

The ACM needs to support the concept of administrative groups, to support the well-established distinction between a root account and other types of less-privileged conceptual user accounts. These groups need to be configurable by the administrator.

It is necessary that the user-to-group mapping can be delegated to a central server, such as a RADIUS server [RFC2865] [RFC5607]. Since authentication is performed by the transport layer and RADIUS performs authentication and service authorization at the same time, the underlying transport protocol needs to be able to report a set of group names associated with the user to the server. It is necessary that the administrator can disable the usage of these group names within the ACM.

2.6. Maintenance

It ought to be possible to disable part or all of the access control model enforcement procedures without deleting any access control rules.

2.7. Configuration Capabilities

Suitable configuration and monitoring mechanisms are needed to allow an administrator to easily manage all aspects of the ACM's behavior. A standard data model, suitable for use with the <edit-config> protocol operation, needs to be available for this purpose.

Access control rules to restrict access operations on specific subtrees within the configuration datastore need to be supported.

2.8. Identifying Security-Sensitive Content

One of the most important aspects of the data model documentation, and one of the biggest concerns during deployment, is the identification of security-sensitive content. This applies to protocol operations in NETCONF, not just data and notifications.

It is mandatory for security-sensitive objects to be documented in the Security Considerations section of an RFC. This is nice, but it is not good enough, for the following reasons:

o This documentation-only approach forces administrators to study the RFC and determine if there are any potential security risks introduced by a new data model.

o If any security risks are identified, then the administrator must study some more RFC text and determine how to mitigate the security risk(s).

o The ACM on each server must be configured to mitigate the security risks, e.g., require privileged access to read or write the specific data identified in the Security Considerations section.

o If the ACM is not preconfigured, then there will be a time window of vulnerability after the new data model is loaded and before the new access control rules for that data model are configured, enabled, and debugged.

Often, the administrator just wants to disable default access to the secure content so that no inadvertent or malicious changes can be made to the server. This allows the default rules to be more lenient, without significantly increasing the security risk.

A data model designer needs to be able to use machine-readable statements to identify content that needs to be protected by default. This will allow client and server tools to automatically identify data-model-specific security risks, by denying access to sensitive data unless the user is explicitly authorized to perform the requested access operation.

3. NETCONF Access Control Model (NACM)

3.1. Overview

This section provides a high-level overview of the access control model structure. It describes the NETCONF protocol message processing model and the conceptual access control requirements within that model.

3.1.1. Features

The NACM data model provides the following features:

o Independent control of RPC, action, data, and notification access is provided.

o The concept of an emergency recovery session is supported, but configuration of the server for this purpose is beyond the scope of this document. An emergency recovery session will bypass all access control enforcement, in order to allow it to initialize or repair the NACM configuration.

o A simple and familiar set of datastore permissions is used.

o Support for YANG security tagging (e.g., a "nacm:default-deny-write" statement) allows default security modes to automatically exclude sensitive data.

o Separate default access modes for read, write, and execute permissions are provided.

o Access control rules are applied to configurable groups of users.

o The access control enforcement procedures can be disabled during operation, without deleting any access control rules, in order to debug operational problems.

o The number of denied protocol operation requests and denied datastore write requests can be monitored by the client.

o Simple unconstrained YANG instance-identifiers are used to configure access control rules for specific data nodes.

3.1.2. External Dependencies

NETCONF [RFC6241] and RESTCONF [RFC8040] are used for network management purposes within this document.

The YANG data modeling language [RFC7950] is used to define the data models for use with NETCONF or RESTCONF. YANG is also used to define the data model in this document.

3.1.3. Message Processing Model

The following diagram shows the conceptual message flow model, including the points at which access control is applied during NETCONF message processing.

RESTCONF operations are mapped to the access control model based on the HTTP method and resource class used in the operation. For example, a POST method on a data resource is considered "write data node" access, but a POST method on an operation resource is considered "operation" access.

The new "pre-read data node acc. ctl" boxes in the diagram below refer to group read access as it relates to data node ancestors of an action or notification. As an example, if an action is defined as /interfaces/interface/reset-interface, the group must be authorized to (1) read /interfaces and /interfaces/interface and (2) execute on /interfaces/interface/reset-interface.
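
The decision flow this section describes (read access to every ancestor data node of an action, then execute access on the action node itself), together with the RESTCONF method mapping above, the local-plus-external group handling of Section 2.5 and the default-deny security tagging of Section 2.8, as an added Python example. This is illustrative code written for this page; it is not RFC 8341's normative procedure and not any NACM implementation's code. The first-match rule order, the treatment of nacm:default-deny-all and nacm:default-deny-write tags as covering descendant nodes, the data-resource method mapping beyond the two POST cases stated in the text, and every sample user, group and path are this example's assumptions.

```python
"""Simplified NACM-style access decision engine (added example, not RFC 8341 code)."""
from dataclasses import dataclass, field, replace

WRITE_OPS = frozenset({"create", "update", "delete"})   # "write access" shorthand
ALL_OPS = frozenset({"read", "create", "update", "delete", "execute"})


@dataclass(frozen=True)
class Rule:
    groups: frozenset   # groups this rule applies to
    path: str           # data node path; matches the node and all its descendants
    ops: frozenset      # subset of ALL_OPS the rule covers
    action: str         # "permit" or "deny"


@dataclass(frozen=True)
class Nacm:
    enable_nacm: bool = True
    read_default: str = "permit"          # assumed defaults for the three switches
    write_default: str = "deny"
    exec_default: str = "permit"
    enable_external_groups: bool = True
    local_groups: dict = field(default_factory=dict)   # user -> frozenset of groups
    rules: tuple = ()                                  # evaluated in order, first match wins
    default_deny_all: frozenset = frozenset()          # paths tagged nacm:default-deny-all
    default_deny_write: frozenset = frozenset()        # paths tagged nacm:default-deny-write


def path_matches(rule_path, node_path):
    """A configured path covers the node itself and every descendant (Section 1.2)."""
    return node_path == rule_path or node_path.startswith(rule_path.rstrip("/") + "/")


def user_groups(nacm, user, external_groups=()):
    """Locally configured groups, merged with groups reported by the transport
    (e.g. RADIUS, Section 2.5) only while enable-external-groups is on."""
    groups = set(nacm.local_groups.get(user, ()))
    if nacm.enable_external_groups:
        groups.update(external_groups)
    return groups


def check(nacm, user, node_path, op, external_groups=()):
    """Decide one access operation on one data node."""
    if not nacm.enable_nacm:                 # enforcement switched off (Section 2.6)
        return "permit"
    groups = user_groups(nacm, user, external_groups)
    for rule in nacm.rules:                  # explicit rules take precedence
        if rule.groups & groups and op in rule.ops and path_matches(rule.path, node_path):
            return rule.action
    # No rule matched: security tags on the node or an ancestor deny by default
    if any(path_matches(p, node_path) for p in nacm.default_deny_all):
        return "deny"
    if op in WRITE_OPS and any(path_matches(p, node_path) for p in nacm.default_deny_write):
        return "deny"
    if op == "read":                         # otherwise the global defaults apply
        return nacm.read_default
    if op in WRITE_OPS:
        return nacm.write_default
    return nacm.exec_default


def check_action(nacm, user, action_path, external_groups=()):
    """Ancestor data nodes need read access, the action node needs execute access."""
    parts = action_path.strip("/").split("/")
    for depth in range(1, len(parts)):
        ancestor = "/" + "/".join(parts[:depth])
        if check(nacm, user, ancestor, "read", external_groups) != "permit":
            return "deny"
    return check(nacm, user, action_path, "execute", external_groups)


def restconf_access_op(method, resource_class):
    """Map an HTTP method plus resource class ("data" or "operation") to an access
    operation. Only the two POST cases come from the text; the rest is assumed."""
    if resource_class == "operation":
        if method == "POST":
            return "execute"
        raise ValueError("only POST is defined on an operation resource")
    return {"GET": "read", "HEAD": "read", "POST": "create",
            "PUT": "update", "PATCH": "update", "DELETE": "delete"}[method]


# Constructed sample configuration; users, groups and paths are invented.
SAMPLE = Nacm(
    local_groups={"alice": frozenset({"operators"})},
    rules=(
        Rule(frozenset({"operators"}), "/interfaces/interface/reset-interface",
             frozenset({"execute"}), "permit"),
        Rule(frozenset({"operators"}), "/interfaces", ALL_OPS - {"execute"}, "permit"),
        Rule(frozenset({"admins"}), "/", ALL_OPS, "permit"),
    ),
    default_deny_all=frozenset({"/nacm"}),
    default_deny_write=frozenset({"/example-system/dns"}),
)
SAMPLE_NO_EXTERNAL = replace(SAMPLE, enable_external_groups=False)
SAMPLE_DISABLED = replace(SAMPLE, enable_nacm=False)

if __name__ == "__main__":
    print("alice reset-interface:", check_action(SAMPLE, "alice", "/interfaces/interface/reset-interface"))
    print("bob read /nacm/groups:", check(SAMPLE, "bob", "/nacm/groups", "read"))
    print("bob via external admins:", check(SAMPLE, "bob", "/nacm/groups", "read", {"admins"}))
```

The sample shows the three layers in order: an explicit rule for the admins group overrides the nacm:default-deny-all tag on /nacm, the tag overrides the permissive read-default for everyone else, and the same request from bob flips from permit to deny when enable-external-groups is switched off, which is the control Section 2.5 asks for.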

                    +-------------------------+
                    |       session           |
                    |      (username)         |
                    +-------------------------+
                       |                 ^
                       V                 |
             +--------------+     +---------------+
             |   message    |     |   message     |
             | dispatcher   |     |   generator   |
             +--------------+     +---------------+
               |      |               ^         ^
               |      V               |         |
               |  +=============+     |         |
               |  | pre-read    |     |         |
               |  | data node   |     |         |
               |  | acc. ctl    |     |         |
               |  +=============+     |         |
               |    |                 |         |
               V    V                 |         |
         +===========+     +-------------+   +----------------+
         | operation |---> |    reply    |   | <notification> |
         | acc. ctl  |     |  generator  |   |  generator     |
         +===========+     +-------------+   +----------------+
               |              ^    ^                ^
               V       +------+    |                |
         +-----------+ |   +=============+  +================+
         | operation | |   |    read     |  | <notification> |
         | processor |-+   | data node   |  |  access ctl    |
         |           |     | acc. ctl    |  |                |
         +-----------+     +=============+  +================+
               |   |                  ^       ^     ^
               V   +----------------+ |       |     |
         +===========+              | |       | +============+
         |  write    |              | |       | | pre-read   |
         | data node |              | |       | | data node  |
         | acc. ctl  | -----------+ | |       | | acc. ctl   |
         +===========+            | | |       | +============+
               |                  | | |       |   ^
               V                  V V |       |   |
         +---------------+      +-------------------+
         | configuration | ---> |      server       |
         |   datastore   |      |  instrumentation  |
         |               | <--- |                   |
         +---------------+      +-------------------+
        

Figure 2

The following high-level sequence of conceptual processing steps is executed for each received <rpc> message, if access control enforcement is enabled:

o For each active session, access control is applied individually to all <rpc> messages (except <close-session>) received by the server, unless the session is identified as a recovery session.

o If the <action> operation defined in [RFC7950] is invoked, then read access is required for all instances in the hierarchy of data nodes that identifies the specific action in the datastore, and execute access is required for the action node. If the user is not authorized to read all the specified data nodes and execute the action, then the request is rejected with an "access-denied" error.

o Otherwise, if the user is not authorized to execute the specified protocol operation, then the request is rejected with an "access-denied" error.

o If a datastore is accessed by the protocol operation, then the server checks to see if the client is authorized to access the nodes in the datastore. If the user is not authorized to perform the requested access operation on the requested data, then the request is rejected with an "access-denied" error.

The following sequence of conceptual processing steps is executed for each generated notification event, if access control enforcement is enabled:

o Server instrumentation generates a notification for a particular subscription.

o If the "notification" statement is specified within a data subtree, as specified in [RFC7950], then read access is required for all instances in the hierarchy of data nodes that identifies the specific notification in the datastore, and read access is required for the notification node. If the user is not authorized to read all the specified data nodes and the notification node, then the notification is dropped for that subscription.

o If the "notification" statement is a top-level statement, the notification access control enforcer checks the notification event type, and if it is one that the user is not authorized to read, then the notification is dropped for that subscription.

3.2. Datastore Access

The same access control rules apply to all datastores that support the NACM -- for example, the candidate configuration datastore or the running configuration datastore.

All conventional configuration datastores and the operational state datastore are controlled by the NACM. Local files, remote files, or datastores accessed via the <url> parameter are not controlled by the NACM.

3.2.1. Mapping New Datastores to NACM

It is possible that new datastores will be defined over time for use with NETCONF. The NACM MAY be applied to other datastores that have similar access rights as defined in the NACM. To apply the NACM to a new datastore, the new datastore specification needs to define how it maps to the NACM CRUDX (Create, Read, Update, Delete, eXec) access rights. It is possible that only a subset of the NACM access rights would be applicable. For example, only retrieval access control would be needed for a read-only datastore. Operations and access rights not supported by the NACM CRUDX model are outside the scope of this document. A datastore does not need to use the NACM, e.g., the datastore specification defines something else or does not use access control.

3.2.2. Access Rights

A small set of hard-wired datastore access rights is needed to control access to all possible protocol operations, including vendor extensions to the standard protocol operation set.

The CRUDX model can support all protocol operations:

o Create: allows the client to add a new data node instance to a datastore.

o Read: allows the client to read a data node instance from a datastore or receive the notification event type.

o Update: allows the client to update an existing data node instance in a datastore.

o Delete: allows the client to delete a data node instance from a datastore.

o eXec: allows the client to execute the operation.

3.2.3. RESTCONF Methods

The RESTCONF protocol utilizes HTTP methods to perform datastore operations, similar to NETCONF. The NACM procedures were originally written for NETCONF protocol operations, so the RESTCONF methods are mapped to NETCONF operations for the purpose of access control processing. The enforcement procedures described within this document apply to both protocols unless explicitly stated otherwise.

The request URI needs to be considered when processing RESTCONF requests on data resources:

o For HEAD and GET requests, any data nodes that are ancestor nodes of the target resource are considered to be part of the retrieval request for access control purposes.

o For PUT, PATCH, and DELETE requests, any data nodes that are ancestor nodes of the target resource are not considered to be part of the edit request for access control purposes. The access operation for these nodes is considered to be "none". The edit begins at the target resource.

o For POST requests on data resources, any data nodes that are specified in the request URI, including the target resource, are not considered to be part of the edit request for access control purposes. The access operation for these nodes is considered to be "none". The edit begins at a child node of the target resource, specified in the message body.

Not all RESTCONF methods are subject to access control. The following table specifies how each method is mapped to NETCONF protocol operations. The value "none" indicates that the NACM is not applied at all to the specific RESTCONF method.

   +---------+-----------------+---------------------+-----------------+
   | Method  | Resource class  | NETCONF operation   | Access          |
   |         |                 |                     | operation       |
   +---------+-----------------+---------------------+-----------------+
   | OPTIONS | all             | none                | none            |
   | HEAD    | all             | <get>, <get-config> | read            |
   | GET     | all             | <get>, <get-config> | read            |
   | POST    | datastore, data | <edit-config>       | create          |
   | POST    | operation       | specified operation | execute         |
   | PUT     | data            | <edit-config>       | create, update  |
   | PUT     | datastore       | <copy-config>       | update          |
   | PATCH   | data, datastore | <edit-config>       | update          |
   | DELETE  | data            | <edit-config>       | delete          |
   +---------+-----------------+---------------------+-----------------+
        

Table 1: Mapping RESTCONF Methods to NETCONF
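
The mapping in Table 1, together with the ancestor rules listed above it and the <action> rule of Section 3.1.3, can be turned into a small routine that lists exactly which (node, access operation) pairs the server must authorize for one request. The Python below is an added illustration written for this page; it is not code from RFC 8341 or from any NETCONF/RESTCONF implementation. Its path representation (a list of node names, with a list entry written as "interface=eth0") and its function names are assumptions made for the example.

```python
"""Required NACM checks for a RESTCONF request or a NETCONF <action>.

Added illustration of RFC 8341 Sections 3.1.3 and 3.2.3; not code from the
RFC or from any NETCONF/RESTCONF implementation. Assumed simplification: a
resource path is a list of node names, a list entry is written "interface=eth0".
"""
from typing import List, Optional, Tuple

Check = Tuple[str, str]  # (node path, NACM access operation)

# Table 1: (method, resource class) -> access operation(s).
# A key whose resource class is "all" applies to every resource class.
_TABLE = {
    ("OPTIONS", "all"): ("none",),           # NACM not applied at all
    ("HEAD", "all"): ("read",),
    ("GET", "all"): ("read",),
    ("POST", "datastore"): ("create",),
    ("POST", "data"): ("create",),
    ("POST", "operation"): ("execute",),
    ("PUT", "data"): ("create", "update"),   # create if absent, else update
    ("PUT", "datastore"): ("update",),       # behaves like <copy-config>
    ("PATCH", "data"): ("update",),
    ("PATCH", "datastore"): ("update",),
    ("DELETE", "data"): ("delete",),
}


def access_ops(method: str, resource_class: str) -> Tuple[str, ...]:
    """Look up Table 1; a combination the table lacks is a protocol error."""
    key = (method, "all") if (method, "all") in _TABLE else (method, resource_class)
    if key not in _TABLE:
        raise ValueError(f"no NACM mapping for {method} on a {resource_class} resource")
    return _TABLE[key]


def _path(nodes: List[str]) -> str:
    return "/" + "/".join(nodes)


def _prefixes(nodes: List[str], op: str, upto: int) -> List[Check]:
    """(path, op) for /n1, /n1/n2, ... up to and including nodes[:upto]."""
    return [(_path(nodes[:i]), op) for i in range(1, upto + 1)]


def restconf_checks(method: str, resource_class: str, uri_nodes: List[str],
                    body_child: Optional[str] = None) -> List[Check]:
    """Per-node access operations the server must authorize for one request.

    Ancestor handling follows Section 3.2.3: GET/HEAD read every node on the
    path; PUT/PATCH/DELETE treat ancestors as "none" and start at the target;
    POST on a data resource treats every URI node as "none" and starts at the
    child named in the message body. "none" entries are returned so the
    caller can see which nodes deliberately carry no check.
    """
    ops = access_ops(method, resource_class)
    if ops == ("none",):
        return []
    if resource_class == "operation":
        return [(_path(uri_nodes), "execute")]
    if method in ("GET", "HEAD"):
        # Per-node pruning of the reply itself is a separate step (Section 3.2.4).
        return _prefixes(uri_nodes, "read", len(uri_nodes))
    if method == "POST":
        if body_child is None:
            raise ValueError("POST on a data resource names the new child in the body")
        return _prefixes(uri_nodes, "none", len(uri_nodes)) + \
            [(_path(uri_nodes + [body_child]), "create")]
    # PUT, PATCH, DELETE: ancestors are "none", the edit begins at the target.
    checks = _prefixes(uri_nodes, "none", len(uri_nodes) - 1)
    checks.extend((_path(uri_nodes), op) for op in ops)
    return checks


def action_checks(action_nodes: List[str]) -> List[Check]:
    """<action> (Section 3.1.3): read on every data-node ancestor, then
    execute on the action node itself."""
    return _prefixes(action_nodes, "read", len(action_nodes) - 1) + \
        [(_path(action_nodes), "execute")]


if __name__ == "__main__":
    for check in restconf_checks("PUT", "data", ["interfaces", "interface=eth0"]):
        print(check)
    print(action_checks(["interfaces", "interface=eth0", "reset-interface"]))
```

The "none" entries are kept in the returned list on purpose: when auditing a server's enforcement it is as important to see which nodes are deliberately not checked (the existing parent container of a new list entry, for instance) as which ones are.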

3.2.4. <get> and <get-config> Operations

The NACM access rights are not directly coupled to the <get> and <get-config> protocol operations but apply to all <rpc> operations that would result in a "read" access operation to the target datastore. This section describes how these access rights apply to the specific access operations supported by the <get> and <get-config> protocol operations.

Data nodes to which the client does not have read access are silently omitted, along with any descendants, from the <rpc-reply> message. This is done to allow NETCONF filters for <get> and <get-config> to function properly, instead of causing an "access-denied" error because the filter criteria would otherwise include unauthorized read access to some data nodes. For NETCONF filtering purposes, the selection criteria are applied to the subset of nodes that the user is authorized to read, not the entire datastore.

3.2.5. <edit-config> Operation

The NACM access rights are not directly coupled to the <edit-config> "operation" attribute, although they are similar. Instead, a NACM access right applies to all protocol operations that would result in a particular access operation to the target datastore. This section describes how these access rights apply to the specific access operations supported by the <edit-config> protocol operation.

If the effective access operation is "none" (i.e., default-operation="none") for a particular data node, then no access control is applied to that data node. This is required to allow access to a subtree within a larger data structure. For example, a user may be authorized to create a new "/interfaces/interface" list entry but not be authorized to create or delete its parent container ("/interfaces"). If the "/interfaces" container already exists in the target datastore, then the effective operation will be "none" for the "/interfaces" node if an "/interfaces/interface" list entry is edited.

If the protocol operation would result in the creation of a datastore node and the user does not have "create" access permission for that node, the protocol operation is rejected with an "access-denied" error.

If the protocol operation would result in the deletion of a datastore node and the user does not have "delete" access permission for that node, the protocol operation is rejected with an "access-denied" error.

If the protocol operation would result in the modification of a datastore node and the user does not have "update" access permission for that node, the protocol operation is rejected with an "access-denied" error.

A "merge" or "replace" <edit-config> operation may include data nodes that do not alter portions of the existing datastore. For example, a container or list node may be present for naming purposes but does not actually alter the corresponding datastore node. These unaltered data nodes are ignored by the server and do not require any access rights by the client.

A "merge" <edit-config> operation may include data nodes but not include particular child data nodes that are present in the datastore. These missing data nodes within the scope of a "merge" <edit-config> operation are ignored by the server and do not require any access rights by the client.

The contents of specific restricted datastore nodes MUST NOT be exposed in any <rpc-error> elements within the reply.

An <edit-config> operation may cause data nodes to be implicitly created or deleted as an implicit side effect of a requested operation. For example, a YANG when-stmt expression may evaluate to a different result, causing data nodes to be deleted, or created with default values; or if a data node is created under one branch of a YANG choice-stmt, then all data nodes under the other branches are implicitly removed. No NACM access rights are required on any data nodes that are implicitly changed as a side effect of another allowed operation.

3.2.6. <copy-config> Operation

Access control for the <copy-config> protocol operation requires special consideration because the administrator may be replacing the entire target datastore.

If the source of the <copy-config> protocol operation is the running configuration datastore and the target is the startup configuration datastore, the client is only required to have permission to execute the <copy-config> protocol operation.

Otherwise:

o If the source of the <copy-config> operation is a datastore, then data nodes to which the client does not have read access are silently omitted.

o If the target of the <copy-config> operation is a datastore, the client needs access to the modified nodes. Specifically:

* If the protocol operation would result in the creation of a datastore node and the user does not have "create" access permission for that node, the protocol operation is rejected with an "access-denied" error.

* If the protocol operation would result in the deletion of a datastore node and the user does not have "delete" access permission for that node, the protocol operation is rejected with an "access-denied" error.

* If the protocol operation would result in the modification of a datastore node and the user does not have "update" access permission for that node, the protocol operation is rejected with an "access-denied" error.

3.2.7. <delete-config> Operation

Access to the <delete-config> protocol operation is denied by default. The "exec-default" leaf does not apply to this protocol operation. Access control rules must be explicitly configured to allow invocation by a non-recovery session.

3.2.8. <commit> Operation

The server MUST determine the exact nodes in the running configuration datastore that are actually different and only check "create", "update", and "delete" access permissions for this set of nodes, which could be empty.

For example, if a session can read the entire datastore but only change one leaf, that session needs to be able to edit and commit that one leaf.

3.2.9. <discard-changes> Operation

The client is only required to have permission to execute the <discard-changes> protocol operation. No datastore permissions are needed.

3.2.10. <kill-session> Operation

The <kill-session> operation does not directly alter a datastore. However, it allows one session to disrupt another session that is editing a datastore.

Access to the <kill-session> protocol operation is denied by default. The "exec-default" leaf does not apply to this protocol operation. Access control rules must be explicitly configured to allow invocation by a non-recovery session.

3.3. Model Components

This section defines the conceptual components related to the access control model.

3.3.1. Users

A "user" is the conceptual entity that is associated with the access permissions granted to a particular session. A user is identified by a string that is unique within the server.

As described in [RFC6241], the username string is derived from the transport layer during session establishment. If the transport layer cannot authenticate the user, the session is terminated.

3.3.2. Groups

Access to a specific NETCONF protocol operation is granted to a session. The session is associated with a group (i.e., not with a user).

A group is identified by its name. All group names are unique within the server.

Access control is applied at the level of groups. A group contains zero or more group members.

A group member is identified by a username string.

The same user can be a member of multiple groups.

3.3.3. Emergency Recovery Session

The server MAY support a recovery session mechanism, which will bypass all access control enforcement. This is useful for restricting initial access and repairing a broken access control configuration.

3.3.4. Global Enforcement Controls

There are five global controls that are used to help control how access control is enforced.

3.3.4.1. enable-nacm Switch

A global "enable-nacm" on/off switch is provided to enable or disable all access control enforcement. When this global switch is set to "true", all requests are checked against the access control rules and only permitted if configured to allow the specific access request. When this global switch is set to "false", all access requests are permitted.

3.3.4.2. read-default Switch

A "read-default" switch, whose value is "permit" or "deny", sets the default for access to receive data in replies and notifications. When the "enable-nacm" global switch is set to "true", this global switch is relevant if no matching access control rule is found to explicitly permit or deny read access to the requested datastore data or notification event type.

When this global switch is set to "permit" and no matching access control rule is found for the datastore read or notification event requested, access is permitted.

When this global switch is set to "deny" and no matching access control rule is found for the datastore read or notification event requested, access is denied. This means that the requested data is not sent to the client. See step 11 in Section 3.4.5 for details.

3.3.4.3. write-default Switch

A "write-default" switch, whose value is "permit" or "deny", sets the default for access to alter configuration data. When the "enable-nacm" global switch is set to "true", this global switch is relevant if no matching access control rule is found to explicitly permit or deny write access to the requested datastore data.

When this global switch is set to "permit" and no matching access control rule is found for the datastore write requested, access is permitted.

When this global switch is set to "deny" and no matching access control rule is found for the datastore write requested, access is denied. See step 12 in Section 3.4.5 for details.

3.3.4.4. exec-default Switch

An "exec-default" switch, whose value is "permit" or "deny", sets the default for access to execute protocol operations. When the "enable-nacm" global switch is set to "true", this global switch is relevant if no matching access control rule is found to explicitly permit or deny access to the requested NETCONF protocol operation. Note that it never applies to <delete-config> and <kill-session> (Sections 3.2.7 and 3.2.10), which stay denied unless a rule explicitly permits them.

When this global switch is set to "permit" and no matching access control rule is found for the NETCONF protocol operation requested, access is permitted.

When this global switch is set to "deny" and no matching access control rule is found for the NETCONF protocol operation requested, access is denied. See step 12 in Section 3.4.4 and step 13 in Section 3.4.5 for details.

3.3.4.5. enable-external-groups Switch

When this global switch is set to "true", the group names reported by the transport layer for a session are used together with the locally configured group names to determine the access control rules for the session.

When this switch is set to "false", the group names reported by the transport layer are ignored by the NACM.

3.3.5. Access Control Rules

There are four types of rules available in the NACM:

module rule: controls access for definitions in a specific YANG module, identified by its name.

protocol operation rule: controls access for a specific protocol operation, identified by its YANG module and name.

data node rule: controls access for a specific data node and its descendants, identified by its path location within the conceptual XML document for the data node.

notification rule: controls access for a specific notification event type, identified by its YANG module and name.
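
The datastore-side checks of Sections 3.2.4 (silent pruning of unreadable nodes), 3.2.5 and 3.2.8 (checking only the nodes an edit or <commit> actually changes), driven by the rule types just listed and the default switches of Section 3.3.4, fit together as shown below. The Python is an added illustration written for this page, not code from RFC 8341 or from any implementation; the datastore contents, group name and rules are constructed sample data, and rule matching is simplified to one ordered list with the first match winning (the full precedence of Section 3.4.5 is not reproduced).

```python
"""Datastore-side NACM enforcement (added illustration of RFC 8341 Sections
3.2.4, 3.2.5, 3.2.8, 3.3.4 and 3.3.5; not code from the RFC or any
implementation). Assumed simplifications: a datastore is a nested dict keyed
by node name (list entries keyed by their key value), rules form one ordered
list and the first match wins, a data-node rule covers its path and all
descendants, and protocol operations are named "module:operation".
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Sections 3.2.7 and 3.2.10: exec-default never applies to these operations.
_DENY_UNLESS_EXPLICIT = {"ietf-netconf:delete-config", "ietf-netconf:kill-session"}


@dataclass(frozen=True)
class Rule:
    groups: FrozenSet[str]  # groups the rule applies to
    target: str             # data-node path prefix ("/" = all) or "module:operation"
    ops: FrozenSet[str]     # subset of {"read","create","update","delete","exec"} or {"*"}
    action: str             # "permit" | "deny"

    def matches(self, groups: Set[str], target: str, op: str) -> bool:
        if not (groups & self.groups) or ("*" not in self.ops and op not in self.ops):
            return False
        return target == self.target or target.startswith(self.target.rstrip("/") + "/")


@dataclass
class Nacm:
    enable_nacm: bool = True
    read_default: str = "permit"
    write_default: str = "deny"
    exec_default: str = "permit"
    rules: List[Rule] = field(default_factory=list)

    def decide(self, groups: Set[str], target: str, op: str) -> bool:
        """First matching rule wins, else the default switch for this kind of
        access (Section 3.3.4). A recovery session would bypass all of this."""
        if not self.enable_nacm:
            return True
        for rule in self.rules:
            if rule.matches(groups, target, op):
                return rule.action == "permit"
        if op == "read":
            default = self.read_default
        elif op == "exec":
            default = "deny" if target in _DENY_UNLESS_EXPLICIT else self.exec_default
        else:
            default = self.write_default
        return default == "permit"


def prune_for_read(nacm: Nacm, groups: Set[str], tree: Dict, prefix: str = "") -> Dict:
    """Section 3.2.4: unreadable nodes are silently dropped with their
    descendants; a <get> filter is then applied to what remains."""
    kept: Dict = {}
    for name, value in tree.items():
        path = f"{prefix}/{name}"
        if nacm.decide(groups, path, "read"):
            kept[name] = prune_for_read(nacm, groups, value, path) if isinstance(value, dict) else value
    return kept


def _subtree(prefix: str, value) -> List[str]:
    paths = [prefix]  # every node path in the subtree, parent first
    if isinstance(value, dict):
        for name, child in value.items():
            paths.extend(_subtree(f"{prefix}/{name}", child))
    return paths


def changed_nodes(current: Dict, proposed: Dict, prefix: str = "") -> List[Tuple[str, str]]:
    """Sections 3.2.5 and 3.2.8: only the nodes that actually differ. Interior
    nodes present on both sides have effective operation "none" and are not
    reported, so no access right is needed on them."""
    changes: List[Tuple[str, str]] = []
    for name in sorted(current.keys() | proposed.keys()):
        path = f"{prefix}/{name}"
        if name not in current:
            changes.extend((p, "create") for p in _subtree(path, proposed[name]))
        elif name not in proposed:
            changes.extend((p, "delete") for p in _subtree(path, current[name]))
        elif isinstance(current[name], dict) and isinstance(proposed[name], dict):
            changes.extend(changed_nodes(current[name], proposed[name], path))
        elif current[name] != proposed[name]:
            changes.append((path, "update"))
    return changes


def check_edit(nacm: Nacm, groups: Set[str], current: Dict, proposed: Dict) -> Optional[str]:
    """None when every changed node is permitted, else "<op> <path>" of the first
    denied node; the caller maps that to an "access-denied" <rpc-error> whose
    <error-info> must not echo the contents of restricted nodes."""
    for path, op in changed_nodes(current, proposed):
        if not nacm.decide(groups, path, op):
            return f"{op} {path}"
    return None


# Constructed sample data: a running datastore and the policy for "operators".
RUNNING = {
    "interfaces": {"interface": {"eth0": {"mtu": 1500, "enabled": True}}},
    "system": {"hostname": "r1", "ntp": {"server": "10.0.0.1"}},
}
OPERATORS = frozenset({"operators"})
POLICY = Nacm(read_default="permit", write_default="deny", rules=[
    Rule(OPERATORS, "/system/ntp", frozenset({"*"}), "deny"),   # hidden entirely
    Rule(OPERATORS, "/interfaces/interface", frozenset({"update"}), "permit"),
])
PROPOSED_MTU = {**RUNNING, "interfaces": {"interface": {"eth0": {"mtu": 9000, "enabled": True}}}}
PROPOSED_NEW_IF = {**RUNNING, "interfaces": {"interface": {
    **RUNNING["interfaces"]["interface"], "eth1": {"mtu": 1500, "enabled": False}}}}
```

With this policy an operator can <get> everything except /system/ntp (which disappears from the reply rather than producing an error), can change eth0's mtu because only that leaf differs and "update" is permitted under /interfaces/interface, but cannot add eth1: the new list entry needs "create", no rule grants it, and write-default is "deny". The unchanged /interfaces container is never checked at all, which is the "none" effective operation of Section 3.2.5, and check_edit reports only the operation and path so the resulting <rpc-error> leaks nothing about restricted nodes.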

3.4. Access Control Enforcement Procedures

There are six separate phases that need to be addressed, four of which are related to the NETCONF message processing model (Section 3.1.3):

1. Initial operation

2. Session establishment

3. "access-denied" error handling

4. Incoming RPC message validation

5. Data node access validation

6. Outgoing <notification> authorization

In addition, the initial startup mode for a NETCONF server, session establishment, and "access-denied" error-handling procedures also need to be considered.

The server MUST use the access control rules in effect at the time it starts processing the message. The same access control rules MUST stay in effect for the processing of the entire message.

3.4.1. Initial Operation

Upon the very first startup of the NETCONF server, the access control configuration will probably not be present. If it isn't, a server MUST NOT allow any write access to any session role except a recovery session.

Access rules are enforced any time a request is initiated from a user session. Access control is not enforced for server-initiated access requests, such as the initial load of the running configuration datastore, during bootup.

3.4.2. Session Establishment

The access control model applies specifically to the well-formed XML content transferred between a client and a server after session establishment has been completed and after the <hello> exchange has been successfully completed.

Once session establishment is completed and a user has been authenticated, the transport layer reports the username and a possibly empty set of group names associated with the user to the NETCONF server. The NETCONF server will enforce the access control rules, based on the supplied username, group names, and the configuration data stored on the server.

3.4.3. "access-denied" Error Handling

The "access-denied" error-tag is generated when the access control system denies access to either a request to invoke a protocol operation or a request to perform a particular access operation on the configuration datastore.

A server MUST NOT include any information the client is not allowed to read in any <error-info> elements within the <rpc-error> response.

3.4.4. Incoming RPC Message Validation

The diagram below shows the basic conceptual structure of the access control processing model for incoming NETCONF <rpc> messages within a server.

              NETCONF server
              +------------+
              |    XML     |
              |   message  |
              | dispatcher |
              +------------+
                     |
                     |
                     V
             +---------------+
             | <rpc> message |
             +---------------+
               |    |     |
               |    |     +--------------------------------+
               |    +---------------+                      |
               V                    V                      V
     +------------------+ +--------------------+ +--------------------+
     | vendor operation | | standard operation | | standard operation |
     |    <my-edit>     | |   <edit-config>    | |      <unlock>      |
     +------------------+ +--------------------+ +--------------------+
                 |                 |
                 |                 |
                 V                 V
                +----------------------+
                |    configuration     |
                |      datastore       |
                +----------------------+
        

Figure 3

Access control begins with the message dispatcher.

After the server validates the <rpc> element and determines the namespace URI and the element name of the protocol operation being requested, the server verifies that the user is authorized to invoke the protocol operation.

The server MUST separately authorize every protocol operation by following these steps:

1. If the "enable-nacm" leaf is set to "false", then the protocol operation is permitted.

2. If the requesting session is identified as a recovery session, then the protocol operation is permitted.

3. If the requested operation is the NETCONF <close-session> protocol operation, then the protocol operation is permitted.

4. Check all the "group" entries to see if any of them contain a "user-name" entry that equals the username for the session making the request. If the "enable-external-groups" leaf is "true", add to these groups the set of groups provided by the transport layer.

5. If no groups are found, continue with step 10.

6. Process all rule-list entries, in the order they appear in the configuration. If a rule-list's "group" leaf-list does not match any of the user's groups, proceed to the next rule-list entry.

7. For each rule-list entry found, process all rules, in order, until a rule that matches the requested access operation is found. A rule matches if all of the following criteria are met:

* The rule's "module-name" leaf is "*" or equals the name of the YANG module where the protocol operation is defined.

* Either (1) the rule does not have a "rule-type" defined or (2) the "rule-type" is "protocol-operation" and the "rpc-name" is "*" or equals the name of the requested protocol operation.

* The rule's "access-operations" leaf has the "exec" bit set or has the special value "*".

8. If a matching rule is found, then the "action" leaf is checked. If it is equal to "permit", then the protocol operation is permitted; otherwise, it is denied.

9. At this point, no matching rule was found in any rule-list entry.

10. If the requested protocol operation is defined in a YANG module advertised in the server capabilities and the "rpc" statement contains a "nacm:default-deny-all" statement, then the protocol operation is denied.

11. If the requested protocol operation is the NETCONF <kill-session> or <delete-config>, then the protocol operation is denied.

12. If the "exec-default" leaf is set to "permit", then permit the protocol operation; otherwise, deny the request.

If the user is not authorized to invoke the protocol operation, then an <rpc-error> is generated with the following information:

error-tag: access-denied

error-path: Identifies the requested protocol operation. The following example represents the <edit-config> protocol operation in the NETCONF base namespace:

         <error-path
           xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
             /nc:rpc/nc:edit-config
         </error-path>
        

If a datastore is accessed, either directly or as a side effect of the protocol operation, then the server MUST intercept the access operation and make sure that the user is authorized to perform the requested access operation on the specified data, as defined in Section 3.4.5.

3.4.5. Data Node Access Validation

If (1) a data node within a datastore is accessed or (2) an action or notification is tied to a data node, then the server MUST ensure that the user is authorized to perform the requested "read", "create", "update", "delete", or "execute" access operation on the specified data node.

If an action is requested to be executed, the server MUST ensure that the user is authorized to perform the "execute" access operation on the requested action.

If a notification tied to a data node is generated, the server MUST ensure that the user is authorized to perform the "read" access operation on the requested notification.

The data node access request is authorized by following these steps:

1. If the "enable-nacm" leaf is set to "false", then the access operation is permitted.

2. If the requesting session is identified as a recovery session, then the access operation is permitted.

3. Check all the "group" entries to see if any of them contain a "user-name" entry that equals the username for the session making the request. If the "enable-external-groups" leaf is "true", add to these groups the set of groups provided by the transport layer.

4. If no groups are found, continue with step 9.

5. Process all rule-list entries, in the order they appear in the configuration. If a rule-list's "group" leaf-list does not match any of the user's groups, proceed to the next rule-list entry.

6. For each rule-list entry found, process all rules, in order, until a rule that matches the requested access operation is found. A rule matches if all of the following criteria are met:

* The rule's "module-name" leaf is "*" or equals the name of the YANG module where the requested data node is defined.

* Either (1) the rule does not have a "rule-type" defined or (2) the "rule-type" is "data-node" and the "path" matches the requested data node, action node, or notification node. A path is considered to match if the requested node is the node specified by the path or is a descendant node of the path.

* For a "read" access operation, the rule's "access-operations" leaf has the "read" bit set or has the special value "*".

* For a "create" access operation, the rule's "access-operations" leaf has the "create" bit set or has the special value "*".

* For a "delete" access operation, the rule's "access-operations" leaf has the "delete" bit set or has the special value "*".

* For an "update" access operation, the rule's "access-operations" leaf has the "update" bit set or has the special value "*".

* For an "execute" access operation, the rule's "access-operations" leaf has the "exec" bit set or has the special value "*".

7. If a matching rule is found, then the "action" leaf is checked. If it is equal to "permit", then the data node access is permitted; otherwise, it is denied. For a "read" access operation, "denied" means that the requested data is not returned in the reply.

8. At this point, no matching rule was found in any rule-list entry.

9. For a "read" access operation, if the requested data node is defined in a YANG module advertised in the server capabilities and the data definition statement contains a "nacm:default-deny-all" statement, then the requested data node and all its descendants are not included in the reply.

10. For a "write" access operation, if the requested data node is defined in a YANG module advertised in the server capabilities and the data definition statement contains a "nacm:default-deny-write" or a "nacm:default-deny-all" statement, then the access request is denied for the data node and all its descendants.

11. For a "read" access operation, if the "read-default" leaf is set to "permit", then include the requested data node in the reply; otherwise, do not include the requested data node or any of its descendants in the reply.

12. For a "write" access operation, if the "write-default" leaf is set to "permit", then permit the data node access request; otherwise, deny the request.

13. For an "execute" access operation, if the "exec-default" leaf is set to "permit", then permit the request; otherwise, deny the request.

3.4.6. Outgoing <notification> Authorization

Configuration of access control rules specifically for descendant nodes of the notification event type is outside the scope of this document. If the user is authorized to receive the notification event type, then it is also authorized to receive any data it contains.

If the notification is specified within a data subtree, as specified in [RFC7950], then read access to the notification is required. Processing continues as described in Section 3.4.5.

The following figure shows the conceptual message processing model for outgoing <notification> messages.

                               NETCONF server
                              +------------+
                              |    XML     |
                              |   message  |
                              | generator  |
                              +------------+
                                    ^
                                    |
                            +----------------+
                            | <notification> |
                            |  generator     |
                            +----------------+
                                    ^
                                    |
                           +=================+
                           | <notification>  |
                           |  access control |
                           |  <eventType>    |
                           +=================+
                                    ^
                                    |
                        +------------------------+
                        | server instrumentation |
                        +------------------------+
                                  |     ^
                                  V     |
                         +----------------------+
                         |    configuration     |
                         |      datastore       |
                         +----------------------+
        

Figure 4

The generation of a notification for a specific subscription [RFC5277] is authorized by following these steps:

1. If the "enable-nacm" leaf is set to "false", then the notification is permitted.

2. If the session is identified as a recovery session, then the notification is permitted.

3. If the notification is the NETCONF <replayComplete> or <notificationComplete> event type [RFC5277], then the notification is permitted.

4. Check all the "group" entries to see if any of them contain a "user-name" entry that equals the username for the session making the request. If the "enable-external-groups" leaf is "true", add to these groups the set of groups provided by the transport layer.

5. If no groups are found, continue with step 10.

6. Process all rule-list entries, in the order they appear in the configuration. If a rule-list's "group" leaf-list does not match any of the user's groups, proceed to the next rule-list entry.

7. For each rule-list entry found, process all rules, in order, until a rule that matches the requested access operation is found. A rule matches if all of the following criteria are met:

* The rule's "module-name" leaf is "*" or equals the name of the YANG module where the notification is defined.

* Either (1) the rule does not have a "rule-type" defined or (2) the "rule-type" is "notification" and the "notification-name" is "*" or equals the name of the notification.

* The rule's "access-operations" leaf has the "read" bit set or has the special value "*".

8. If a matching rule is found, then the "action" leaf is checked. If it is equal to "permit", then permit the notification; otherwise, drop the notification for the associated subscription.

9. Otherwise, no matching rule was found in any rule-list entry.

10. If the requested notification is defined in a YANG module advertised in the server capabilities and the "notification" statement contains a "nacm:default-deny-all" statement, then the notification is dropped for the associated subscription.

11. If the "read-default" leaf is set to "permit", then permit the notification; otherwise, drop the notification for the associated subscription.

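The three procedures in Sections 3.4.4, 3.4.5 and 3.4.6 share one skeleton (NACM disabled or recovery session, group lookup, ordered walk of the rule-lists, then the extension statements and the *-default leaves), and the data-node case additionally needs the node-instance-identifier matching that the typedef in Section 3.5.2 defines (optional key predicates, descendant match, the $USER variable). The following Python is an added example, not code from the RFC or from any NETCONF implementation: it implements all three procedures over a constructed /nacm configuration held as a plain dict. Everything not in the RFC is an assumption made for the example: the dict layout (groups/group flattened to a list, a rule's rule-type inferred from which of rpc-name, path or notification-name it carries), the session object (user name, groups reported by the transport, a recovery flag), the module name ex-users, the prefixes, the users and the paths.

```python
"""RFC 8341 authorization procedures of Sections 3.4.4 (protocol operations),
3.4.5 (data nodes) and 3.4.6 (notifications), as an added example; not code
from the RFC.  The /nacm config is a dict mirroring the ietf-netconf-acm tree,
with groups/group flattened to a list and a rule's rule-type inferred from
which of rpc-name, path or notification-name it carries.  Module names,
prefixes, users and paths are made up for the example."""
import re

_SEG = re.compile(r"([^\[]+)((?:\[[^\]]*\])*)")
_PRED = re.compile(r"""\[\s*([^=\]]+?)\s*=\s*(\$USER|'[^']*'|"[^"]*")\s*\]""")
_TYPE = {"rpc-name": "protocol-operation", "path": "data-node", "notification-name": "notification"}

def _segments(path, user):
    # One (name, {key: value}) per step.  Key predicates are optional and $USER
    # is the session user.  Assumes shared prefixes and no '/' inside key values.
    out = []
    for raw in filter(None, path.strip("/").split("/")):
        name, preds = _SEG.match(raw).groups()
        out.append((name.strip(), {k.strip(): user if v == "$USER" else v[1:-1]
                                   for k, v in _PRED.findall(preds)}))
    return out

def path_matches(rule_path, node_path, user):
    """The node rule_path names and all its descendants; no key predicate = every instance."""
    rule, node = _segments(rule_path, user), _segments(node_path, user)
    return len(rule) <= len(node) and all(
        rn == nn and all(nk.get(k) == v for k, v in rk.items())
        for (rn, rk), (nn, nk) in zip(rule, node))

def _first_rule(nacm, session, module, rtype, op, node_ok):
    """Steps shared by all three procedures: NACM off or a recovery session permits;
    else collect the session's groups, walk rule-lists in order (skipping those that
    name none of the groups) and let the first matching rule decide.  None: defaults."""
    if not nacm.get("enable-nacm", True) or session.get("recovery"):
        return True
    groups = {g["name"] for g in nacm.get("groups", []) if session["user"] in g.get("user-name", [])}
    if nacm.get("enable-external-groups", True):        # groups reported by the transport
        groups |= set(session.get("groups", ()))
    for rl in nacm.get("rule-list", []) if groups else []:
        if "*" not in rl["group"] and not groups & set(rl["group"]):
            continue
        for rule in rl.get("rule", []):
            actual = next((t for k, t in _TYPE.items() if k in rule), None)
            ops = rule.get("access-operations", "*")
            if (rule.get("module-name", "*") in ("*", module)
                    and (actual is None or (actual == rtype and node_ok(rule)))
                    and (ops == "*" or op in ops.split())):
                return rule["action"] == "permit"
    return None

def authorize_rpc(nacm, session, module, rpc, default_deny_all=False):
    """3.4.4; default_deny_all: the rpc statement carries nacm:default-deny-all."""
    if rpc == "close-session":                                        # step 3
        return True
    found = _first_rule(nacm, session, module, "protocol-operation", "exec",
                        lambda r: r["rpc-name"] in ("*", rpc))
    if found is not None:                                             # steps 1-8
        return found
    if default_deny_all or rpc in ("kill-session", "delete-config"):  # steps 10-11
        return False
    return nacm.get("exec-default", "permit") == "permit"             # step 12

def authorize_data(nacm, session, module, path, op, extension=None):
    """3.4.5; op is read/create/update/delete/exec, extension the nacm extension on
    the node's definition, if any.  For read, False means left out of the reply."""
    found = _first_rule(nacm, session, module, "data-node", op,
                        lambda r: path_matches(r["path"], path, session["user"]))
    if found is not None:                                             # steps 1-7
        return found
    if op == "read":                                                  # steps 9, 11
        return (extension != "default-deny-all"
                and nacm.get("read-default", "permit") == "permit")
    if op == "exec":                                                  # step 13
        return nacm.get("exec-default", "permit") == "permit"
    if extension in ("default-deny-write", "default-deny-all"):       # step 10
        return False
    return nacm.get("write-default", "deny") == "permit"              # step 12

def authorize_notification(nacm, session, module, name, default_deny_all=False):
    """3.4.6, per subscription; False means the event is dropped for it."""
    if name in ("replayComplete", "notificationComplete"):           # step 3
        return True
    found = _first_rule(nacm, session, module, "notification", "read",
                        lambda r: r["notification-name"] in ("*", name))
    if found is not None:                                             # steps 1-8
        return found
    return not default_deny_all and nacm.get("read-default", "permit") == "permit"

NACM = {  # constructed configuration; rule order within a rule-list matters
    "enable-nacm": True, "read-default": "permit", "write-default": "deny",
    "exec-default": "permit", "enable-external-groups": True,
    "groups": [{"name": "operators", "user-name": ["alice"]}],
    "rule-list": [{"name": "operators", "group": ["operators"], "rule": [
        {"name": "no-kill", "module-name": "ietf-netconf", "rpc-name": "kill-session",
         "access-operations": "exec", "action": "deny"},
        {"name": "own-entry", "module-name": "ex-users", "access-operations": "read update",
         "path": "/ex:users/ex:user[ex:name=$USER]", "action": "permit"},
        {"name": "other-entries", "module-name": "ex-users", "access-operations": "*",
         "path": "/ex:users/ex:user", "action": "deny"},
        {"name": "netconf-ops", "module-name": "ietf-netconf",
         "access-operations": "exec", "action": "permit"}]}]}
```

Two consequences of the procedures are visible when this is run against the configuration: a session with no configured group is permitted to invoke <edit-config> (exec-default is "permit" and the operation is neither <kill-session> nor <delete-config>), yet the data write it attempts is refused, because Section 3.4.5 is evaluated separately and write-default is "deny"; and the order of rules inside a rule-list decides the outcome, since the own-entry rule (keyed on $USER) must precede the other-entries deny for a user to reach their own list entry while every other entry, and every other operation on their own entry, stays denied.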

3.5. Data Model Definitions
3.5.1. Data Organization

The following diagram highlights the contents and structure of the NACM YANG module.

   module: ietf-netconf-acm
     +--rw nacm
        +--rw enable-nacm?              boolean
        +--rw read-default?             action-type
        +--rw write-default?            action-type
        +--rw exec-default?             action-type
        +--rw enable-external-groups?   boolean
        +--ro denied-operations         yang:zero-based-counter32
        +--ro denied-data-writes        yang:zero-based-counter32
        +--ro denied-notifications      yang:zero-based-counter32
        +--rw groups
        |  +--rw group* [name]
        |     +--rw name         group-name-type
        |     +--rw user-name*   user-name-type
        +--rw rule-list* [name]
           +--rw name     string
           +--rw group*   union
           +--rw rule* [name]
              +--rw name                 string
              +--rw module-name?         union
              +--rw (rule-type)?
              |  +--:(protocol-operation)
              |  |  +--rw rpc-name?            union
              |  +--:(notification)
              |  |  +--rw notification-name?   union
              |  +--:(data-node)
              |     +--rw path                 node-instance-identifier
              +--rw access-operations?   union
              +--rw action               action-type
              +--rw comment?             string
        
3.5.2. YANG Module

The following YANG module specifies the normative NETCONF content that MUST be supported by the server.

The "ietf-netconf-acm" YANG module imports typedefs from [RFC6991].

   <CODE BEGINS> file "ietf-netconf-acm@2018-02-14.yang"
   module ietf-netconf-acm {

     namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";

     prefix nacm;

     import ietf-yang-types {
       prefix yang;
     }

     organization "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:   <https://datatracker.ietf.org/wg/netconf/>
        WG List:  <mailto:netconf@ietf.org>

        Author:   Andy Bierman
                  <mailto:andy@yumaworks.com>

        Author:   Martin Bjorklund
                  <mailto:mbj@tail-f.com>";

     description
       "Network Configuration Access Control Model.

        Copyright (c) 2012 - 2018 IETF Trust and the persons
        identified as authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD
        License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC 8341; see
        the RFC itself for full legal notices.";

     revision "2018-02-14" {
       description
         "Added support for YANG 1.1 actions and notifications tied to
          data nodes.  Clarified how NACM extensions can be used by
          other data models.";
       reference
         "RFC 8341: Network Configuration Access Control Model";
     }

     revision "2012-02-22" {
       description
         "Initial version.";
       reference
         "RFC 6536: Network Configuration Protocol (NETCONF)
                    Access Control Model";
     }

     /*
      * Extension statements
      */

     extension default-deny-write {
       description
         "Used to indicate that the data model node
          represents a sensitive security system parameter.

          If present, the NETCONF server will only allow the designated
          'recovery session' to have write access to the node.  An
          explicit access control rule is required for all other users.

          If the NACM module is used, then it must be enabled (i.e.,
          /nacm/enable-nacm object equals 'true'), or this extension
          is ignored.

          The 'default-deny-write' extension MAY appear within a data
          definition statement.  It is ignored otherwise.";
     }

     extension default-deny-all {
       description
         "Used to indicate that the data model node controls a very
          sensitive security system parameter.

          If present, the NETCONF server will only allow the designated
          'recovery session' to have read, write, or execute access to
          the node.  An explicit access control rule is required for
          all other users.

          If the NACM module is used, then it must be enabled (i.e.,
          /nacm/enable-nacm object equals 'true'), or this extension
          is ignored.

          The 'default-deny-all' extension MAY appear within a data
          definition statement, 'rpc' statement, or 'notification'
          statement.  It is ignored otherwise.";
     }

     /*
      * Derived types
      */

     typedef user-name-type {
       type string {
         length "1..max";
       }
       description
         "General-purpose username string.";
     }

     typedef matchall-string-type {
       type string {
         pattern '\*';
       }
       description
         "The string containing a single asterisk '*' is used
          to conceptually represent all possible values
          for the particular leaf using this data type.";
     }

     typedef access-operations-type {
       type bits {
         bit create {
           description
             "Any protocol operation that creates a
              new data node.";
         }
         bit read {
           description
             "Any protocol operation or notification that
              returns the value of a data node.";
         }
         bit update {
           description
             "Any protocol operation that alters an existing
              data node.";
         }
         bit delete {
           description
             "Any protocol operation that removes a data node.";
         }
         bit exec {
           description
             "Execution access to the specified protocol operation.";
         }
       }
       description
         "Access operation.";
     }

     typedef group-name-type {
       type string {
         length "1..max";
         pattern '[^\*].*';
       }
       description
         "Name of administrative group to which
          users can be assigned.";
     }

     typedef action-type {
       type enumeration {
         enum permit {
           description
             "Requested action is permitted.";
         }
         enum deny {
           description
             "Requested action is denied.";
         }
       }
       description
         "Action taken by the server when a particular
          rule matches.";
     }

     typedef node-instance-identifier {
       type yang:xpath1.0;
       description
         "Path expression used to represent a special
          data node, action, or notification instance-identifier
          string.

          A node-instance-identifier value is an
          unrestricted YANG instance-identifier expression.
          All the same rules as an instance-identifier apply,
          except that predicates for keys are optional.  If a key
          predicate is missing, then the node-instance-identifier
          represents all possible server instances for that key.

          This XML Path Language (XPath) expression is evaluated in the
          following context:

            o  The set of namespace declarations are those in scope on
               the leaf element where this type is used.

            o  The set of variable bindings contains one variable,
               'USER', which contains the name of the user of the
               current session.

            o  The function library is the core function library, but
               note that due to the syntax restrictions of an
               instance-identifier, no functions are allowed.

            o  The context node is the root node in the data tree.

          The accessible tree includes actions and notifications tied
          to data nodes.";
     }

     /*
      * Data definition statements
      */

     container nacm {
       nacm:default-deny-all;

       description
         "Parameters for NETCONF access control model.";

       leaf enable-nacm {
         type boolean;
         default "true";
         description
           "Enables or disables all NETCONF access control
            enforcement.  If 'true', then enforcement
            is enabled.  If 'false', then enforcement
            is disabled.";
       }

       leaf read-default {
         type action-type;
         default "permit";
         description
           "Controls whether read access is granted if
            no appropriate rule is found for a
            particular read request.";
       }

       leaf write-default {
         type action-type;
         default "deny";
         description
           "Controls whether create, update, or delete access
            is granted if no appropriate rule is found for a
            particular write request.";
       }

       leaf exec-default {
         type action-type;
         default "permit";
         description
           "Controls whether exec access is granted if no appropriate
            rule is found for a particular protocol operation request.";
       }
        
       leaf exec-default {
         type action-type;
         default "permit";
         description
           "Controls whether exec access is granted if no appropriate
            rule is found for a particular protocol operation request.";
       }
        
       leaf enable-external-groups {
         type boolean;
         default "true";
         description
           "Controls whether the server uses the groups reported by the
            NETCONF transport layer when it assigns the user to a set of
            NACM groups.  If this leaf has the value 'false', any group
            names reported by the transport layer are ignored by the
            server.";
       }
        
       leaf enable-external-groups {
         type boolean;
         default "true";
         description
           "Controls whether the server uses the groups reported by the
            NETCONF transport layer when it assigns the user to a set of
            NACM groups.  If this leaf has the value 'false', any group
            names reported by the transport layer are ignored by the
            server.";
       }
        
       leaf denied-operations {
         type yang:zero-based-counter32;
         config false;
         mandatory true;
         description
           "Number of times since the server last restarted that a
            protocol operation request was denied.";
       }
        
       leaf denied-operations {
         type yang:zero-based-counter32;
         config false;
         mandatory true;
         description
           "Number of times since the server last restarted that a
            protocol operation request was denied.";
       }
        
       leaf denied-data-writes {
         type yang:zero-based-counter32;
         config false;
         mandatory true;
         description
           "Number of times since the server last restarted that a
            protocol operation request to alter
            a configuration datastore was denied.";
       }
        
       leaf denied-data-writes {
         type yang:zero-based-counter32;
         config false;
         mandatory true;
         description
           "Number of times since the server last restarted that a
            protocol operation request to alter
            a configuration datastore was denied.";
       }
        
       leaf denied-notifications {
         type yang:zero-based-counter32;
         config false;
         mandatory true;
         description
           "Number of times since the server last restarted that
            a notification was dropped for a subscription because
            access to the event type was denied.";
       }
        
       leaf denied-notifications {
         type yang:zero-based-counter32;
         config false;
         mandatory true;
         description
           "Number of times since the server last restarted that
            a notification was dropped for a subscription because
            access to the event type was denied.";
       }
        
       container groups {
         description
           "NETCONF access control groups.";
        
       container groups {
         description
           "NETCONF access control groups.";
        
         list group {
           key name;
        
         list group {
           key name;
        

description "One NACM group entry. This list will only contain configured entries, not any entries learned from any transport protocols.";

description“一个NACM组条目。此列表将仅包含已配置的条目,而不包含从任何传输协议学到的任何条目。”;

           leaf name {
             type group-name-type;
             description
               "Group name associated with this entry.";
           }
        
           leaf name {
             type group-name-type;
             description
               "Group name associated with this entry.";
           }
        
           leaf-list user-name {
             type user-name-type;
             description
               "Each entry identifies the username of
                a member of the group associated with
                this entry.";
           }
         }
       }
        
           leaf-list user-name {
             type user-name-type;
             description
               "Each entry identifies the username of
                a member of the group associated with
                this entry.";
           }
         }
       }
        
       list rule-list {
         key name;
         ordered-by user;
         description
           "An ordered collection of access control rules.";
        
       list rule-list {
         key name;
         ordered-by user;
         description
           "An ordered collection of access control rules.";
        
         leaf name {
           type string {
             length "1..max";
           }
           description
             "Arbitrary name assigned to the rule-list.";
         }
         leaf-list group {
           type union {
             type matchall-string-type;
             type group-name-type;
           }
           description
             "List of administrative groups that will be
              assigned the associated access rights
              defined by the 'rule' list.
        
         leaf name {
           type string {
             length "1..max";
           }
           description
             "Arbitrary name assigned to the rule-list.";
         }
         leaf-list group {
           type union {
             type matchall-string-type;
             type group-name-type;
           }
           description
             "List of administrative groups that will be
              assigned the associated access rights
              defined by the 'rule' list.
        
              The string '*' indicates that all groups apply to the
              entry.";
         }
        
              The string '*' indicates that all groups apply to the
              entry.";
         }
        
         list rule {
           key name;
           ordered-by user;
           description
             "One access control rule.
        
         list rule {
           key name;
           ordered-by user;
           description
             "One access control rule.
        

Rules are processed in user-defined order until a match is found. A rule matches if 'module-name', 'rule-type', and 'access-operations' match the request. If a rule matches, the 'action' leaf determines whether or not access is granted.";

规则按用户定义的顺序处理,直到找到匹配项。如果“模块名称”、“规则类型”和“访问操作”与请求匹配,则规则匹配。如果规则匹配,“操作”叶确定是否授予访问权限。“;

           leaf name {
             type string {
               length "1..max";
             }
             description
               "Arbitrary name assigned to the rule.";
           }
        
           leaf name {
             type string {
               length "1..max";
             }
             description
               "Arbitrary name assigned to the rule.";
           }
        
           leaf module-name {
             type union {
               type matchall-string-type;
               type string;
             }
             default "*";
             description
               "Name of the module associated with this rule.
        
           leaf module-name {
             type union {
               type matchall-string-type;
               type string;
             }
             default "*";
             description
               "Name of the module associated with this rule.
        
                This leaf matches if it has the value '*' or if the
                object being accessed is defined in the module with the
                specified module name.";
           }
           choice rule-type {
             description
               "This choice matches if all leafs present in the rule
                match the request.  If no leafs are present, the
                choice matches all requests.";
             case protocol-operation {
               leaf rpc-name {
                 type union {
                   type matchall-string-type;
                   type string;
                 }
                 description
                   "This leaf matches if it has the value '*' or if
                    its value equals the requested protocol operation
                    name.";
               }
             }
             case notification {
               leaf notification-name {
                 type union {
                   type matchall-string-type;
                   type string;
                 }
                 description
                   "This leaf matches if it has the value '*' or if its
                    value equals the requested notification name.";
               }
             }
        
                This leaf matches if it has the value '*' or if the
                object being accessed is defined in the module with the
                specified module name.";
           }
           choice rule-type {
             description
               "This choice matches if all leafs present in the rule
                match the request.  If no leafs are present, the
                choice matches all requests.";
             case protocol-operation {
               leaf rpc-name {
                 type union {
                   type matchall-string-type;
                   type string;
                 }
                 description
                   "This leaf matches if it has the value '*' or if
                    its value equals the requested protocol operation
                    name.";
               }
             }
             case notification {
               leaf notification-name {
                 type union {
                   type matchall-string-type;
                   type string;
                 }
                 description
                   "This leaf matches if it has the value '*' or if its
                    value equals the requested notification name.";
               }
             }
        
             case data-node {
               leaf path {
                 type node-instance-identifier;
                 mandatory true;
                 description
                   "Data node instance-identifier associated with the
                    data node, action, or notification controlled by
                    this rule.
        
             case data-node {
               leaf path {
                 type node-instance-identifier;
                 mandatory true;
                 description
                   "Data node instance-identifier associated with the
                    data node, action, or notification controlled by
                    this rule.
        

Configuration data or state data instance-identifiers start with a top-level data node. A complete instance-identifier is required for this type of path value.

配置数据或状态数据实例标识符以顶级数据节点开始。此类型的路径值需要完整的实例标识符。

                    The special value '/' refers to all possible
                    datastore contents.";
               }
             }
           }
        
                    The special value '/' refers to all possible
                    datastore contents.";
               }
             }
           }
        
           leaf access-operations {
             type union {
               type matchall-string-type;
               type access-operations-type;
             }
             default "*";
             description
               "Access operations associated with this rule.
        
           leaf access-operations {
             type union {
               type matchall-string-type;
               type access-operations-type;
             }
             default "*";
             description
               "Access operations associated with this rule.
        
                This leaf matches if it has the value '*' or if the
                bit corresponding to the requested operation is set.";
           }
        
                This leaf matches if it has the value '*' or if the
                bit corresponding to the requested operation is set.";
           }
        
           leaf action {
             type action-type;
             mandatory true;
             description
               "The access control action associated with the
                rule.  If a rule has been determined to match a
                particular request, then this object is used
                to determine whether to permit or deny the
                request.";
           }
        
           leaf action {
             type action-type;
             mandatory true;
             description
               "The access control action associated with the
                rule.  If a rule has been determined to match a
                particular request, then this object is used
                to determine whether to permit or deny the
                request.";
           }
        
           leaf comment {
             type string;
             description
               "A textual description of the access rule.";
           }
         }
       }
     }
   }
        
           leaf comment {
             type string;
             description
               "A textual description of the access rule.";
           }
         }
       }
     }
   }
        

<CODE ENDS>

4. IANA Considerations

This document reuses the URI for "ietf-netconf-acm" in the "IETF XML Registry".

This document updates the module registration in the "YANG Module Names" registry to reference this RFC instead of RFC 6536 for "ietf-netconf-acm". Following the format in [RFC6020], the following has been registered.

        Name: ietf-netconf-acm
        Namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-acm
        Prefix: nacm
        Reference: RFC 8341
        
5. Security Considerations

The YANG module specified in this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC5246].

The NETCONF access control model [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.

There is a risk related to the lack of access control enforcement for the RESTCONF OPTIONS and PATCH methods. The risk here is that the response to OPTIONS and PATCH may vary based on the presence or absence of a resource corresponding to the URL's path. If this is the case, then it can be used to trivially probe for the presence or absence of values within a tree. Therefore, a server MUST NOT vary its responses based on the existence of the underlying resource, which would indicate the presence or absence of resource instances. In particular, servers should not expose any instance information before ensuring that the client has the necessary access permissions to obtain that information. In such cases, servers are expected to always return the "access-denied" error response.

There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to these data nodes without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability:

o /nacm: The entire /nacm subtree is related to security. Refer to the following sections for more details.

This section highlights the issues for an administrator to consider when configuring a NETCONF server with the NACM.

5.1. NACM Configuration and Monitoring Considerations

Configuration of the access control system is highly sensitive to system security. A server may choose not to allow any user configuration of some portions of it, such as the global security level or the groups that are allowed access to system resources.

By default, NACM enforcement is enabled. By default, "read" access to all datastore contents is enabled (unless "nacm:default-deny-all" is specified for the data definition), and "exec" access is enabled for safe protocol operations. An administrator needs to ensure that the NACM is enabled and also decide if the default access parameters are set appropriately. Make sure that the following data nodes are properly configured:

o /nacm/enable-nacm (default "true")

o /nacm/read-default (default "permit")

o /nacm/write-default (default "deny")

o /nacm/exec-default (default "permit")

An administrator needs to restrict write access to all configurable objects within this data model.

If write access is allowed for configuration of access control rules, then care needs to be taken not to disrupt the access control enforcement. For example, if the NACM access control rules are edited directly within the running configuration datastore (i.e., :writable-running capability is supported and used), then care needs to be taken not to allow unintended access while the edits are being done.

An administrator needs to make sure that the translation from a transport- or implementation-dependent user identity to a NACM username is unique and correct. This requirement is specified in detail in Section 2.2 of [RFC6241].

An administrator needs to be aware that the YANG data structures representing access control rules (/nacm/rule-list and /nacm/rule-list/rule) are ordered by the client. The server will evaluate the access control rules according to their relative conceptual order within the running configuration datastore.

Note that the /nacm/groups data structure contains the administrative group names used by the server. These group names may be configured locally and/or provided through an external protocol, such as RADIUS [RFC2865] [RFC5607].

An administrator needs to be aware of the security properties of any external protocol used by the transport layer to determine group names. For example, if this protocol does not protect against man-in-the-middle attacks, an attacker might be able to inject group names that are configured in the NACM so that a user gets more permissions than it should. In such cases, the administrator may wish to disable the usage of such group names by setting /nacm/enable-external-groups to "false".

Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability:

o /nacm/enable-nacm

o /nacm/read-default

o /nacm/write-default

o /nacm/exec-default

o /nacm/enable-external-groups

o /nacm/groups

o /nacm/rule-list

An administrator needs to restrict read access to the above-listed objects within this data model, as they reveal access control configuration that could be considered sensitive.

5.2. General Configuration Issues

There is a risk that invocation of non-standard protocol operations will have undocumented side effects. An administrator needs to construct access control rules such that the configuration datastore is protected from such side effects.

It is possible for a session with some write access (e.g., allowed to invoke <edit-config>), but without any access to a particular datastore subtree containing sensitive data, to determine the presence or non-presence of that data. This can be done by repeatedly issuing some sort of edit request (create, update, or delete) and possibly receiving "access-denied" errors in response. These "fishing" attacks can identify the presence or non-presence of specific sensitive data even without the "error-path" field being present within the <rpc-error> response.

It may be possible for the set of NETCONF capabilities on the server to change over time. If so, then there is a risk that new protocol operations, notifications, and/or datastore content have been added to the device. An administrator needs to be sure that the access control rules are correct for the new content in this case. Mechanisms to detect NETCONF capability changes on a specific device are outside the scope of this document.

It is possible that the data model definition itself (e.g., a YANG when-stmt) will help an unauthorized session determine the presence or even value of sensitive data nodes by examining the presence and values of different data nodes.

It is possible that the data model definition itself (e.g., a YANG when-stmt or choice-stmt) will allow a session to implicitly create or delete nodes that the session does not have write access to as an implicit side effect from the processing of an allowed <edit-config> operation.

There is a risk that non-standard protocol operations, or even the standard <get> protocol operation, may return data that "aliases" or "copies" sensitive data from a different data object. There may simply be multiple data model definitions that expose or even configure the same underlying system instrumentation.

A data model may contain external keys (e.g., YANG leafref), which expose values from a different data structure. An administrator needs to be aware of sensitive data models that contain leafref nodes. This entails finding all the leafref objects that "point" at the sensitive data (i.e., "path-stmt" values) that implicitly or explicitly includes the sensitive data node.

It is beyond the scope of this document to define access control enforcement procedures for underlying device instrumentation that may exist to support the NETCONF server operation. An administrator can identify each protocol operation that the server provides and decide if it needs any access control applied to it.

This document incorporates the optional use of a recovery session mechanism, which can be used to bypass access control enforcement in emergencies such as NACM configuration errors that disable all access to the server. The configuration and identification of such a recovery session mechanism are implementation specific and are outside the scope of this document. An administrator needs to be aware of any recovery session mechanisms available on the device and make sure that they are used appropriately.

It is possible for a session to disrupt configuration management, even without any write access to the configuration, by locking the datastore. This may be done to ensure that all or part of the configuration remains stable while it is being retrieved, or it may be done as a "denial-of-service" attack. There is no way for the server to know the difference. An administrator may wish to restrict "exec" access to the following protocol operations:

o <lock>

o <unlock>

o <partial-lock>

o <partial-unlock>
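The rule-processing order described in the 'rule' list of the YANG module above (rule-lists and rules walked in user order, first match wins, then the read/write/exec defaults and nacm:default-deny-all) and the advice just given to restrict "exec" access to the lock operations, as an added example that is not part of RFC 8341: a small Python simulator of NACM evaluation over a constructed configuration. Assumptions of mine: data paths are written without module prefixes (the 'module-name' leaf is checked separately), a rule 'path' matches the requested node or any of its descendants, and transport-reported groups, recovery sessions and the always-permitted <close-session> are left out.

```python
"""NACM rule-evaluation simulator: an added example, not code from RFC 8341.
Paths carry no module prefixes ('module-name' is checked separately); a rule
'path' matches the requested node or any descendant (my simplifications)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PERMIT, DENY = "permit", "deny"
WRITE_OPS = {"create", "update", "delete"}

@dataclass
class Rule:
    name: str
    access_operations: Set[str]      # {"read"}, WRITE_OPS, {"exec"} or {"*"}
    action: str                      # PERMIT or DENY
    module_name: str = "*"
    rpc_name: Optional[str] = None   # rule-type protocol-operation
    path: Optional[str] = None       # rule-type data-node

@dataclass
class RuleList:
    name: str
    groups: Set[str]                 # group names, or {"*"} for all groups
    rules: List[Rule]                # user-ordered

@dataclass
class Nacm:
    enable_nacm: bool = True
    read_default: str = PERMIT
    write_default: str = DENY
    exec_default: str = PERMIT
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> users
    rule_lists: List[RuleList] = field(default_factory=list)  # user-ordered
    # (module, path) of nodes tagged nacm:default-deny-all in their YANG module
    default_deny_all: Set[Tuple[str, str]] = field(default_factory=set)

@dataclass
class Request:
    user: str
    operation: str                   # create | read | update | delete | exec
    module: str                      # module defining the accessed object
    path: Optional[str] = None       # e.g. "/interfaces/interface[name='eth0']"
    rpc: Optional[str] = None        # protocol operation name, e.g. "lock"

def _segment_matches(rule_seg: str, req_seg: str) -> bool:
    # A rule segment without a key predicate matches every instance of the
    # list entry; one with a predicate must match that instance exactly.
    if "[" not in rule_seg:
        return rule_seg == req_seg.split("[", 1)[0]
    return rule_seg == req_seg

def path_matches(rule_path: str, req_path: str) -> bool:
    """True if rule_path is '/' or identifies req_path's node or an ancestor."""
    if rule_path == "/":
        return True
    r, q = ([s for s in p.split("/") if s] for p in (rule_path, req_path))
    return len(r) <= len(q) and all(map(_segment_matches, r, q))

def _rule_matches(rule: Rule, req: Request) -> bool:
    if rule.module_name not in ("*", req.module):
        return False
    if rule.rpc_name is not None:
        type_ok = req.rpc is not None and rule.rpc_name in ("*", req.rpc)
    elif rule.path is not None:
        type_ok = req.path is not None and path_matches(rule.path, req.path)
    else:
        type_ok = True               # no rule-type leafs: matches every request
    return type_ok and ("*" in rule.access_operations
                        or req.operation in rule.access_operations)

def check_access(nacm: Nacm, req: Request) -> str:
    """Return PERMIT or DENY, walking rule-lists and rules in configured order."""
    if not nacm.enable_nacm:
        return PERMIT
    user_groups = {g for g, users in nacm.groups.items() if req.user in users}
    if user_groups:                  # a user in no group goes straight to defaults
        for rl in nacm.rule_lists:
            if "*" not in rl.groups and not (rl.groups & user_groups):
                continue
            for rule in rl.rules:
                if _rule_matches(rule, req):
                    return rule.action   # first matching rule wins
    if req.path is not None and any(m == req.module and path_matches(p, req.path)
                                    for m, p in nacm.default_deny_all):
        return DENY                  # sensitive subtree, no rule granted access
    if req.operation == "read":
        return nacm.read_default
    return nacm.exec_default if req.operation == "exec" else nacm.write_default

def sample_nacm() -> Nacm:
    """Constructed configuration: admins may do anything; operators cannot invoke
    the datastore lock operations of Section 5.2, may only write interface eth0,
    and (via default-deny-all on /nacm) cannot read the access control rules."""
    lock_ops = ["lock", "unlock", "partial-lock", "partial-unlock"]
    operator_rules = [Rule("deny-" + op, {"exec"}, DENY, rpc_name=op) for op in lock_ops]
    operator_rules.append(Rule("eth0-write", WRITE_OPS, PERMIT, module_name="ietf-interfaces",
                               path="/interfaces/interface[name='eth0']"))
    return Nacm(groups={"admin": {"alice"}, "operators": {"bob", "carol"}},
                rule_lists=[RuleList("admin-acl", {"admin"}, [Rule("permit-all", {"*"}, PERMIT)]),
                            RuleList("operator-acl", {"operators"}, operator_rules)],
                default_deny_all={("ietf-netconf-acm", "/nacm")})
```

Note that a user in no group (here "dave") never reaches the rule-lists and is governed only by the defaults and default-deny-all tags, which is why read-default "permit" still leaves /nacm hidden from such a user.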

5.3. Data Model Design Considerations

Designers need to clearly identify any sensitive data, notifications, or protocol operations defined within a YANG module. For such definitions, a "nacm:default-deny-write" or "nacm:default-deny-all" statement ought to be present, in addition to a clear description of the security risks.

Protocol operations need to be properly documented by the data model designer so that it is clear to administrators what data nodes (if any) are affected by the protocol operation and what information (if any) is returned in the <rpc-reply> message.

Data models ought to be designed so that different access levels for input parameters to protocol operations are not required. The use of generic protocol operations should be avoided, and if different access levels are needed, separate protocol operations should be defined instead.

6. References
6.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, <https://www.rfc-editor.org/info/rfc5246>.

[RFC5277] Chisholm, S. and H. Trevino, "NETCONF Event Notifications", RFC 5277, DOI 10.17487/RFC5277, July 2008, <https://www.rfc-editor.org/info/rfc5277>.

[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010, <https://www.rfc-editor.org/info/rfc6020>.

[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, <https://www.rfc-editor.org/info/rfc6241>.

[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, <https://www.rfc-editor.org/info/rfc6242>.

[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013, <https://www.rfc-editor.org/info/rfc6991>.

[RFC7230] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014, <https://www.rfc-editor.org/info/rfc7230>.

[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016, <https://www.rfc-editor.org/info/rfc7950>.

[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, <https://www.rfc-editor.org/info/rfc8040>.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.

[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., and R. Wilton, "Network Management Datastore Architecture (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, <https://www.rfc-editor.org/info/rfc8342>.

[W3C.REC-xml-20081126] Bray, T., Paoli, J., Sperberg-McQueen, M., Maler, E., and F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth Edition)", World Wide Web Consortium Recommendation REC-xml-20081126, November 2008, <https://www.w3.org/TR/2008/REC-xml-20081126>.

6.2. Informative References

[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, DOI 10.17487/RFC2865, June 2000, <https://www.rfc-editor.org/info/rfc2865>.

[RFC5607] Nelson, D. and G. Weber, "Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management", RFC 5607, DOI 10.17487/RFC5607, July 2009, <https://www.rfc-editor.org/info/rfc5607>.

[YANG-SEC] IETF, "YANG Security Guidelines", <https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines>.

Appendix A. Usage Examples

The following XML [W3C.REC-xml-20081126] snippets are provided as examples only, to demonstrate how the NACM can be configured to perform some access control tasks.

A.1. <groups> Example

There needs to be at least one <group> entry in order for any of the access control rules to be useful.

The following XML shows arbitrary groups and is not intended to represent any particular use case.

   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <groups>
       <group>
         <name>admin</name>
         <user-name>admin</user-name>
         <user-name>andy</user-name>
       </group>
        
       <group>
         <name>limited</name>
         <user-name>wilma</user-name>
         <user-name>bam-bam</user-name>
       </group>
        
       <group>
         <name>guest</name>
         <user-name>guest</user-name>
         <user-name>guest@example.com</user-name>
       </group>
     </groups>
   </nacm>
        

This example shows three groups:

admin: The "admin" group contains two users named "admin" and "andy".

limited: The "limited" group contains two users named "wilma" and "bam-bam".

guest: The "guest" group contains two users named "guest" and "guest@example.com".

A.2. Module Rule Example

Module rules are used to control access to all the content defined in a specific module. A module rule has the "module-name" leaf set but no nodes from the "rule-type" choice set.

   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <rule-list>
       <name>guest-acl</name>
       <group>guest</group>
        
       <rule>
         <name>deny-ncm</name>
         <module-name>ietf-netconf-monitoring</module-name>
         <access-operations>*</access-operations>
         <action>deny</action>
         <comment>
             Do not allow guests any access to the NETCONF
             monitoring information.
         </comment>
       </rule>
     </rule-list>
        
     <rule-list>
       <name>limited-acl</name>
       <group>limited</group>
        
       <rule>
         <name>permit-ncm</name>
         <module-name>ietf-netconf-monitoring</module-name>
         <access-operations>read</access-operations>
         <action>permit</action>
         <comment>
             Allow read access to the NETCONF
             monitoring information.
         </comment>
       </rule>
       <rule>
         <name>permit-exec</name>
         <module-name>*</module-name>
         <access-operations>exec</access-operations>
         <action>permit</action>
         <comment>
             Allow invocation of the
             supported server operations.
         </comment>
       </rule>
     </rule-list>
        
     <rule-list>
       <name>admin-acl</name>
       <group>admin</group>
        
       <rule>
         <name>permit-all</name>
         <module-name>*</module-name>
         <access-operations>*</access-operations>
         <action>permit</action>
         <comment>
             Allow the 'admin' group complete access to all
             operations and data.
         </comment>
       </rule>
     </rule-list>
   </nacm>
        

This example shows four module rules:

deny-ncm: This rule prevents the "guest" group from reading any monitoring information in the "ietf-netconf-monitoring" YANG module.

permit-ncm: This rule allows the "limited" group to read the "ietf-netconf-monitoring" YANG module.

permit-exec: This rule allows the "limited" group to invoke any protocol operation supported by the server.

permit-all: This rule allows the "admin" group complete access to all content in the server. No subsequent rule will match for the "admin" group because of this module rule.

A.3. Protocol Operation Rule Example

Protocol operation rules are used to control access to a specific protocol operation.

   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <rule-list>
       <name>guest-limited-acl</name>
       <group>limited</group>
       <group>guest</group>
        
       <rule>
         <name>deny-kill-session</name>
         <module-name>ietf-netconf</module-name>
         <rpc-name>kill-session</rpc-name>
         <access-operations>exec</access-operations>
         <action>deny</action>
         <comment>
           Do not allow the 'limited' group or the 'guest' group
           to kill another session.
         </comment>
       </rule>
       <rule>
         <name>deny-delete-config</name>
         <module-name>ietf-netconf</module-name>
         <rpc-name>delete-config</rpc-name>
         <access-operations>exec</access-operations>
         <action>deny</action>
         <comment>
           Do not allow the 'limited' group or the 'guest' group
           to delete any configurations.
         </comment>
       </rule>
     </rule-list>
        
     <rule-list>
       <name>limited-acl</name>
       <group>limited</group>
        
       <rule>
         <name>permit-edit-config</name>
         <module-name>ietf-netconf</module-name>
         <rpc-name>edit-config</rpc-name>
         <access-operations>exec</access-operations>
         <action>permit</action>
         <comment>
           Allow the 'limited' group to edit the configuration.
         </comment>
       </rule>
     </rule-list>
   </nacm>
        

This example shows three protocol operation rules:

deny-kill-session: This rule prevents the "limited" group or the "guest" group from invoking the NETCONF <kill-session> protocol operation.

deny-delete-config: This rule prevents the "limited" group or the "guest" group from invoking the NETCONF <delete-config> protocol operation.

permit-edit-config: This rule allows the "limited" group to invoke the NETCONF <edit-config> protocol operation. This rule will have no real effect unless the "exec-default" leaf is set to "deny".

A.4. Data Node Rule Example

Data node rules are used to control access to specific (config and non-config) data nodes within the NETCONF content provided by the server.

   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <rule-list>
       <name>guest-acl</name>
       <group>guest</group>
        
       <rule>
         <name>deny-nacm</name>
         <path xmlns:n="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
           /n:nacm
         </path>
         <access-operations>*</access-operations>
         <action>deny</action>
         <comment>
           Deny the 'guest' group any access to the /nacm data.
         </comment>
       </rule>
     </rule-list>
        
     <rule-list>
       <name>limited-acl</name>
       <group>limited</group>
        
       <rule>
         <name>permit-acme-config</name>
         <path xmlns:acme="http://example.com/ns/netconf">
           /acme:acme-netconf/acme:config-parameters
         </path>
         <access-operations>
           read create update delete
         </access-operations>
         <action>permit</action>
         <comment>
           Allow the 'limited' group complete access to the acme
           NETCONF configuration parameters.  Showing long form
           of 'access-operations' instead of shorthand.
         </comment>
       </rule>
     </rule-list>
        
     <rule-list>
       <name>guest-limited-acl</name>
       <group>guest</group>
       <group>limited</group>
        
       <rule>
         <name>permit-dummy-interface</name>
         <path xmlns:acme="http://example.com/ns/itf">
           /acme:interfaces/acme:interface[acme:name='dummy']
         </path>
         <access-operations>read update</access-operations>
         <action>permit</action>
         <comment>
           Allow the 'limited' and 'guest' groups read
           and update access to the dummy interface.
         </comment>
       </rule>
     </rule-list>
        
     <rule-list>
       <name>admin-acl</name>
       <group>admin</group>
       <rule>
         <name>permit-interface</name>
         <path xmlns:acme="http://example.com/ns/itf">
           /acme:interfaces/acme:interface
         </path>
         <access-operations>*</access-operations>
         <action>permit</action>
         <comment>
           Allow the 'admin' group full access to all acme interfaces.
         </comment>
       </rule>
     </rule-list>
   </nacm>
        

This example shows four data node rules:

deny-nacm: This rule denies the "guest" group any access to the /nacm subtree.

permit-acme-config: This rule gives the "limited" group read-write access to the acme <config-parameters>.

permit-dummy-interface: This rule gives the "limited" and "guest" groups read-update access to the acme <interface> entry named "dummy". This entry cannot be created or deleted by these groups; it can only be altered.

permit-interface: This rule gives the "admin" group read-write access to all acme <interface> entries.

A.5. Notification Rule Example

Notification rules are used to control access to a specific notification event type.

   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <rule-list>
       <name>sys-acl</name>
       <group>limited</group>
       <group>guest</group>
        
       <rule>
         <name>deny-config-change</name>
         <module-name>acme-system</module-name>
         <notification-name>sys-config-change</notification-name>
         <access-operations>read</access-operations>
         <action>deny</action>
         <comment>
           Do not allow the 'guest' group or the 'limited' group
           to receive config change events.
         </comment>
       </rule>
     </rule-list>
   </nacm>
        

This example shows one notification rule:

deny-config-change: This rule prevents the "limited" group or the "guest" group from receiving the acme <sys-config-change> event type.
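
The rule selection that Appendices A.1 through A.5 illustrate, written out as an added example that is not part of the RFC: a simplified evaluator in Python over the A.1 groups and the rules of A.2 to A.5, entered here as constructed Python literals rather than parsed from the XML. It assumes that a data-node rule covers the named node and all its descendants, that a path segment without a key predicate matches every list entry, and it leaves out the enable-nacm, recovery-session and <close-session> special cases that a real server applies first.

```python
from dataclasses import dataclass
from typing import Optional

# Group membership from A.1, constructed here as Python literals.
GROUPS = {"admin": {"admin", "andy"}, "limited": {"wilma", "bam-bam"},
          "guest": {"guest", "guest@example.com"}}

@dataclass
class Rule:
    name: str
    action: str                    # "permit" or "deny"
    ops: set                       # access-operations; {"*"} means all
    module: str = "*"              # module-name; "*" is the YANG default
    rpc: Optional[str] = None      # set for a protocol-operation rule
    path: Optional[str] = None     # set for a data-node rule
    notif: Optional[str] = None    # set for a notification rule

# (rule-list groups, rules) in configured order; rules of A.2 to A.5 combined.
RULE_LISTS = [
    ({"limited", "guest"}, [
        Rule("deny-kill-session", "deny", {"exec"}, "ietf-netconf", rpc="kill-session"),
        Rule("deny-delete-config", "deny", {"exec"}, "ietf-netconf", rpc="delete-config")]),
    ({"guest"}, [Rule("deny-nacm", "deny", {"*"}, path="/n:nacm")]),
    ({"limited"}, [
        Rule("permit-edit-config", "permit", {"exec"}, "ietf-netconf", rpc="edit-config"),
        Rule("permit-acme-config", "permit", {"read", "create", "update", "delete"},
             path="/acme:acme-netconf/acme:config-parameters")]),
    ({"guest", "limited"}, [
        Rule("permit-dummy-interface", "permit", {"read", "update"},
             path="/acme:interfaces/acme:interface[acme:name='dummy']"),
        Rule("deny-config-change", "deny", {"read"}, "acme-system",
             notif="sys-config-change")]),
    ({"admin"}, [Rule("permit-all", "permit", {"*"})]),
]
# read-default / write-default / exec-default; "permit" is the YANG default.
DEFAULTS = {"read": "permit", "write": "permit", "exec": "permit"}

def path_matches(rule_path, target):
    """True if the rule path names the target node or one of its ancestors.
    Assumption: a rule segment without a key predicate matches every list entry."""
    rp = [s for s in rule_path.split("/") if s]      # "/" alone covers everything
    tp = [s for s in target.split("/") if s]
    if len(rp) > len(tp):
        return False
    return all(r == (t if "[" in r else t.split("[")[0]) for r, t in zip(rp, tp))

def rule_matches(rule, op, module, rpc, path, notif):
    """Apply the module-name, rule-type and access-operations tests of one rule."""
    if rule.module not in ("*", module):
        return False
    if rule.rpc is not None and (rpc is None or rule.rpc not in ("*", rpc)):
        return False
    if rule.notif is not None and (notif is None or rule.notif not in ("*", notif)):
        return False
    if rule.path is not None and (path is None or not path_matches(rule.path, path)):
        return False
    return "*" in rule.ops or op in rule.ops

def decide(user, op, module, rpc=None, path=None, notif=None, defaults=DEFAULTS):
    """Return (action, source): first matching rule in rule-list order, else the default."""
    user_groups = {g for g, members in GROUPS.items() if user in members}
    for groups, rules in RULE_LISTS:
        if "*" not in groups and not (groups & user_groups):
            continue                                  # rule-list not for this user
        for rule in rules:
            if rule_matches(rule, op, module, rpc, path, notif):
                return rule.action, rule.name
    key = "exec" if op == "exec" else "read" if op == "read" else "write"
    return defaults[key], key + "-default"
```

Passing a defaults dict with "write" or "exec" set to "deny" shows the point made for permit-edit-config above: with the defaults left at "permit", a request that no rule matches is permitted by the default, not by any permit rule.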

Authors' Addresses

   Andy Bierman
   YumaWorks
   685 Cochran St.
   Suite #160
   Simi Valley, CA 93065
   United States of America

   Email: andy@yumaworks.com
        

   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com
        