CHANGELOG for 4.2.0

CHANGELOG.md

@@ -1,56 +1,66 @@
 # Clixon Changelog
 
-## 4.2.0 (Expected: October)
+## 4.2.0 (October 27 2019)
+
+### Summary
+
+The main improvement in thus release concerns security in terms of priveleges and credentials of accessing the clixon backend. There is also stricter multi-namespace checks which primarily effects where augmented models are used.
 
 ### Major New features
-* Privileges and credentials features
+* The backend daemon can drop privileges after initialization to run as non-privileged user
-  * Backend daemon can drop privileges after initialization to run as non-privileged user
+  * You can start as root and drop privileges either permanently or temporary
-    * You can start as root and drop privileges either permanently or temporary
+    * use `-U <user>` clixon_backend command-line option to drop to `user`
-    * Controlled by options: CLICON_BACKEND_USER and CLICON_BACKEND_PRIVELEGES
+  * Generic options are the following:
-    * Can also be set with `-U <user>` clixon_backend command-line option
+    * `CLICON_BACKEND_USER` sets the user to drop priveleges to
-    * If dropped temporary, you can restore privileges with `restore_priv()`
+    * CLICON_BACKEND_PRIVELEGES can have the following values:
-  * The backend socket has now support of credentials of peer clients 
+      * `none` Make no drop/change in privileges. This is currently the default.
-    * NACM users are cross-checked with client credentials (cli/netconf/restconf)
+      * `drop_perm`  After initialization, drop privileges permanently
-    * Only UNIX domain socket supports client credential checks (Not IP sockets.
+      * `drop_perm` After initialization, drop privileges temporarily (to a euid)
-    * Controlled by option CLICON_NACM_CREDENTIALS
+  * If dropped temporary, you can restore privileges with `restore_priv()`
-      * `none` means credentials are not checked. Only option for IP sockets.
+* The backend socket has now support of credentials of peer clients 
-      * `exact` means credentials of client user must match NACM user exactly.
+  * NACM users are cross-checked with client credentials (cli/netconf/restconf)
-      * `except` means exact match is done except for root and www user.This is necessary for Restconf. This is default.
+  * Only UNIX domain socket supports client credential checks (IP sockets do not).
-
+  * Controlled by option CLICON_NACM_CREDENTIALS
-### API changes on existing features (you may need to change your code)
+    * `none` means credentials are not checked. Only option for IP sockets.
-* Internal backend socket protocol changed: uint32_t session-id added, see clixon_proto.h
+    * `exact` means credentials of client user must match NACM user exactly.
-  * C-code: added `id` parameter to `clicon_msg_encode()` and `clicon_msg_decode()`
+    * `except` means exact match is done except for root and www user.This is necessary for Restconf. This is default.
-* NACM users are cross-checked with client user credentials (see new features).
-* Changed "Demon error" to "Daemon error" in logs and debug.
 * Stricter handling of multi-namespace handling
   * This occurs in cases where there are more than one XML namespaces in a config tree, such as `augment`:ed trees.
   * Affects all parts of the system, including datastore, backend, restconf and cli.
   * Examples of a mandated stricter usage of a simple augment `b` of symbol `a`. Assume `a` is in module `mod1` with namespace `urn:example:a` and `b` is in module `mod2` with namespace `urn:example:b`:
     * RESTCONF: `GET http://localhost/restconf/data/mod1:a/mod2:b`
     * NETCONF: `<a xmlns="urn:example:a" xmlns:b="urn:example:b"><b:b>42</b:b></a>`
-    * XPATH (in edit-config filter): `<filter type="xpath" select="a:a/b:b" xmlns:a="urn:example:a" xmlns:b="urn:example:b"/>`
+    * XPATH (in edit-config filter): `<filter type="xpath" select="a:a/b:b" xmlns:
-* Changed `clicon_rpc_get` and `clicon_rpc_get_config` as follows:
+
-  * Added `username` as second parameter, default NULL
+### API changes on existing features (you may need to change your code)
-  * Changed `namespace` to namespace context, which needs to be created
+* The stricter multi-namespace handling (see above) may affect the API, if you used the more relaxed usage.
-  * Example new usage:
+* The credentials check (see above) may cause access denied if UNIX user does not match NACM user.
-  ```
+* Changed "Demon error" to "Daemon error" in logs and debug. Output only.
-  cvec *nsc = xml_nsctx_init(NULL, "urn:example:clixon")
+a="urn:example:a" xmlns:b="urn:example:b"/>`
-  if (clicon_rpc_get_config(h, NULL, "running", "/interfaces", nsc, &xret) < 0)
-    err;
-  ```
-  See function reference how to make a call.
 * RESTCONF error reporting
   * Invalid api-path syntax (eg non-matching yang) error changed from 412 operation-failed to 400 Bad request invalid-value, or unknown-element.
   * Changed so that `400 Bad Request` are for invalid api-path or unknown yang elements, `404 Not Found` for valid xml when object not found.
-* Typical installation should now add a `clicon` user (as well as group)
 * New clixon-config@2019-09-11.yang revision
-  * Added: CLICON_BACKEND_USER: Drop of privileges to this user, owner of backend socket.
+  * Added: CLICON_BACKEND_USER: Drop of privileges to this user, owner of backend socket (default: `clicon`)
+    * Therefore new installation should now add a UNIX `clicon` user
   * Added: CLICON_BACKEND_PRIVELEGES: If and how to drop privileges
   * Added: CLICON_NACM_CREDENTIALS: If and how to check backend socket priveleges with NACM
   * Added: CLICON_NACM_RECOVERY_USER: Name of NACM recovery user.
 * Restconf top-level operations GET root resource modified to comply with RFC 8040 Sec 3.1 
   * non-pretty print remove all spaces, eg `{"operations":{"clixon-example:client-rpc":[null]`
   * Replaced JSON `null` with `[null]` as proper empty JSON leaf/leaf-list encoding.
+* C-code change
+  * Changed `clicon_rpc_get` and `clicon_rpc_get_config` as follows:
+    * Added `username` as second parameter, default NULL
+    * Changed `namespace` to namespace context, which needs to be created
+    * Example new usage:
+    ```
+    cvec *nsc = xml_nsctx_init(NULL, "urn:example:clixon")
+    if (clicon_rpc_get_config(h, NULL, "running", "/interfaces", nsc, &xret) < 0)
+      err;
+    ```
+    See function reference how to make a call.
+  * C-code: added `id` parameter to `clicon_msg_encode()` and `clicon_msg_decode()` due to internal backend socket message change
 
 ### Minor changes
 * Changed session-id handing. Instead of using pid of peer process, a proper session id generated by the server is used, following RFC6241.
@@ -62,7 +72,6 @@
 * FreeBSD modifications: Configure, makefiles and test scripts modification for Freebsd
 	
 ### Corrected Bugs
-* See "Stricter handling of multi-namespace handling" in API-changes above.
 * Hello netconf candidate capability misspelled, mentioned in [Can clixon_netconf receive netconf packets as a server? #93](https://github.com/clicon/clixon/issues/93)
 * [Cannot write to config using restconf example #91](https://github.com/clicon/clixon/issues/91)
   * Updated restconf documentation (the example was wrong)

test/test_nacm_module_read.sh

@@ -147,7 +147,7 @@ new "start restconf daemon (-a is enable basic authentication)"
 start_restconf -f $cfg -- -a
 
 new "waiting"
-wait_backend
+wait_restconf
 
 new "auth set authentication config"
 expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"