nacm testcases for modules and datastore

2019-01-12 13:52:35 +01:00 · 2019-01-12 13:52:35 +01:00 · 90545b05cd
commit 90545b05cd
parent 9a7ce8e06d
6 changed files with 455 additions and 33 deletions
--- a/test/test_nacm.sh
+++ b/test/test_nacm.sh
@ -16,7 +16,7 @@ cat <<EOF > $cfg
 <config>
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
-  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
+  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
  <CLICON_CLISPEC_DIR>/usr/local/lib/$APPNAME/clispec</CLICON_CLISPEC_DIR>
  <CLICON_RESTCONF_DIR>/usr/local/lib/$APPNAME/restconf</CLICON_RESTCONF_DIR>
  <CLICON_CLI_DIR>/usr/local/lib/$APPNAME/cli</CLICON_CLI_DIR>
@ -103,16 +103,16 @@ RULES=$(cat <<EOF
 EOF
 )
-new "test params: -f $cfg -y $fyang"
+new "test params: -f $cfg"
 if [ $BE -ne 0 ]; then
    new "kill old backend"
-    sudo clixon_backend -zf $cfg -y $fyang
+    sudo clixon_backend -zf $cfg
    if [ $? -ne 0 ]; then
 	err
    fi
-    new "start backend -s init -f $cfg -y $fyang"
+    new "start backend -s init -f $cfg"
-    sudo $clixon_backend -s init -f $cfg -y $fyang -D $DBG
+    sudo $clixon_backend -s init -f $cfg -D $DBG
    if [ $? -ne 0 ]; then
 	err
    fi
@ -123,7 +123,7 @@ sudo pkill -u www-data -f "/www-data/clixon_restconf"
 sleep 1
 new "start restconf daemon (-a is enable basic authentication)"
-sudo su -c "$clixon_restconf -f $cfg -y $fyang -D $DBG -- -a" -s /bin/sh www-data &
+sudo su -c "$clixon_restconf -f $cfg -D $DBG -- -a" -s /bin/sh www-data &
 sleep $RCWAIT
@ -135,10 +135,10 @@ expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/example:x
 
'
 new "auth set authentication config"
-expecteof "$clixon_netconf -qf $cfg -y $fyang" 0 "<rpc><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
+expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
 new "commit it"
-expecteof "$clixon_netconf -qf $cfg -y $fyang" 0 "<rpc><commit/></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
+expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><commit/></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
 new2 "auth get (no user: access denied)"
 expecteq "$(curl -sS -X GET -H \"Accept:\ application/yang-data+json\" http://localhost/restconf/data)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "The requested URL was unauthorized"}}}
'
--- a/test/test_nacm_datanode.sh
+++ b/test/test_nacm_datanode.sh
@ -0,0 +1,230 @@
 #!/bin/bash
 # Authentication and authorization and IETF NACM
 # NACM data node rule
 # @see RFC 8341 A.1 and A.4 (and permit-all from A.2)
 # Tests for:
 # deny-nacm:  This rule denies the "guest" group any access to the
 #     /nacm subtree.
 # permit-acme-config:  This rule gives the "limited" group read-write
 #    access to the acme <config-parameters>.
 # permit-dummy-interface:  This rule gives the "limited" and "guest"
 #     groups read-update access to the acme <interface> entry named
 #     "dummy".  This entry cannot be created or deleted by these groups;
 #     it can only be altered.
 # permit-interface:  This rule gives the "admin" group read-write
 #     access to all acme <interface> entries.
 APPNAME=example
 # include err() and new() functions and creates $dir
 . ./lib.sh
 . ./nacm.sh
 cfg=$dir/conf_yang.xml
 fyang=$dir/test.yang
 fyangerr=$dir/err.yang
 cat <<EOF > $cfg
 <config>
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
  <CLICON_CLISPEC_DIR>/usr/local/lib/$APPNAME/clispec</CLICON_CLISPEC_DIR>
  <CLICON_RESTCONF_DIR>/usr/local/lib/$APPNAME/restconf</CLICON_RESTCONF_DIR>
  <CLICON_CLI_DIR>/usr/local/lib/$APPNAME/cli</CLICON_CLI_DIR>
  <CLICON_CLI_MODE>$APPNAME</CLICON_CLI_MODE>
  <CLICON_SOCK>/usr/local/var/$APPNAME/$APPNAME.sock</CLICON_SOCK>
  <CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
  <CLICON_CLI_GENMODEL_COMPLETION>1</CLICON_CLI_GENMODEL_COMPLETION>
  <CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
  <CLICON_XMLDB_PLUGIN>/usr/local/lib/xmldb/text.so</CLICON_XMLDB_PLUGIN>
  <CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
  <CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
 </config>
 EOF
 cat <<EOF > $fyang
 module $APPNAME{
  yang-version 1.1;
  namespace "urn:example:clixon";
  prefix ex;
  import ietf-netconf-acm {
 	prefix nacm;
  }
  leaf x{
    type int32;
    description "something to edit";
  }
 }
 EOF
 # The groups are slightly modified from RFC8341 A.1
 # The rule-list is from A.2
 RULES=$(cat <<EOF
   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <enable-nacm>false</enable-nacm>
     <read-default>deny</read-default>
     <write-default>deny</write-default>
     <exec-default>deny</exec-default>
     $NGROUPS
     <rule-list>
       <name>guest-acl</name>
       <group>guest</group>
       <rule>
         <name>deny-nacm</name>
         <path xmlns:n="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
           /n:nacm
         </path>
         <access-operations>*</access-operations>
         <action>deny</action>
         <comment>
           Deny the 'guest' group any access to the /nacm data.
         </comment>
       </rule>
     </rule-list>
     <rule-list>
       <name>limited-acl</name>
       <group>limited</group>
       <rule>
         <name>permit-acme-config</name>
         <path xmlns:acme="http://example.com/ns/netconf">
           /acme:acme-netconf/acme:config-parameters
         </path>
         <access-operations>
           read create update delete
         </access-operations>
         <action>permit</action>
         <comment>
           Allow the 'limited' group complete access to the acme
           NETCONF configuration parameters.  Showing long form
           of 'access-operations' instead of shorthand.
         </comment>
       </rule>
     </rule-list>
     <rule-list>
       <name>guest-limited-acl</name>
       <group>guest</group>
       <group>limited</group>
       <rule>
         <name>permit-dummy-interface</name>
         <path xmlns:acme="http://example.com/ns/itf">
           /acme:interfaces/acme:interface[acme:name='dummy']
         </path>
         <access-operations>read update</access-operations>
         <action>permit</action>
         <comment>
           Allow the 'limited' and 'guest' groups read
           and update access to the dummy interface.
         </comment>
       </rule>
     </rule-list>
     <rule-list>
       <name>admin-acl</name>
       <group>admin</group>
       <rule>
         <name>permit-interface</name>
         <path xmlns:acme="http://example.com/ns/itf">
           /acme:interfaces/acme:interface
         </path>
         <access-operations>*</access-operations>
         <action>permit</action>
         <comment>
           Allow the 'admin' group full access to all acme interfaces.
         </comment>
       </rule>
     </rule-list>
     $NADMIN
   </nacm>
   <x xmlns="urn:example:clixon">0</x>
 EOF
 )
 # kill old backend (if any)
 new "kill old backend"
 sudo clixon_backend -zf $cfg
 if [ $? -ne 0 ]; then
    err
 fi
 new "start backend -s init -f $cfg"
 # start new backend
 sudo $clixon_backend -s init -f $cfg
 if [ $? -ne 0 ]; then
    err
 fi
 new "kill old restconf daemon"
 sudo pkill -u www-data -f "/www-data/clixon_restconf"
 sleep 1
 new "start restconf daemon (-a is enable basic authentication)"
 sudo su -c "$clixon_restconf -f $cfg -D $DBG -- -a" -s /bin/sh www-data &
 sleep $RCWAIT
 new "auth set authentication config"
 expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
 new "commit it"
 expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><commit/></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
 new "enable nacm"
 expecteq "$(curl -u andy:bar -sS -X PUT -d '{"enable-nacm": true}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" ""
 #--------------- nacm enabled
 new2 "auth get (wrong passwd: access denied)"
 expecteq "$(curl -u andy:foo -sS -X GET http://localhost/restconf/data)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "The requested URL was unauthorized"}}}
'
 new2 "auth get (access)"
 expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"example:x": 0}
 
'
 #----------------Enable NACM
 new "enable nacm"
 expecteq "$(curl -u andy:bar -sS -X PUT -d '{"enable-nacm": true}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" ""
 new2 "admin get nacm"
 expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"example:x": 0}
 
'
 new2 "limited get nacm"
 expecteq "$(curl -u wilma:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"example:x": 0}
 
'
 new2 "guest get nacm"
 expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "The requested URL was unauthorized"}}}
'
 new "admin edit nacm"
 expecteq "$(curl -u andy:bar -sS -X PUT -d '{"x": 1}' http://localhost/restconf/data/example:x)" ""
 new2 "limited edit nacm"
 expecteq "$(curl -u wilma:bar -sS -X PUT -d '{"x": 2}' http://localhost/restconf/data/example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}}
'
 new2 "guest edit nacm"
 expecteq "$(curl -u guest:bar -sS -X PUT -d '{"x": 3}' http://localhost/restconf/data/example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "The requested URL was unauthorized"}}}
'
 new "Kill restconf daemon"
 sudo pkill -u www-data -f "/www-data/clixon_restconf"
 new "Kill backend"
 # Check if premature kill
 pid=`pgrep -u root -f clixon_backend`
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
 # kill backend
 sudo clixon_backend -z -f $cfg
 if [ $? -ne 0 ]; then
    err "kill backend"
 fi
 rm -rf $dir
--- a/test/test_nacm_ext.sh
+++ b/test/test_nacm_ext.sh
@ -20,6 +20,7 @@ cat <<EOF > $cfg
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_YANG_DIR>/usr/local/share/example/yang</CLICON_YANG_DIR>
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
  <CLICON_CLISPEC_DIR>/usr/local/lib/$APPNAME/clispec</CLICON_CLISPEC_DIR>
  <CLICON_BACKEND_DIR>/usr/local/lib/$APPNAME/backend</CLICON_BACKEND_DIR>
  <CLICON_BACKEND_REGEXP>example_backend.so$</CLICON_BACKEND_REGEXP>
@ -134,7 +135,7 @@ cat <<EOF > $nacmfile
   </nacm>
 EOF
-new "test params: -f $cfg -y $fyang"
+new "test params: -f $cfg"
 if [ $BE -ne 0 ]; then
    new "kill old backend -zf $cfg "
@ -143,9 +144,9 @@ if [ $BE -ne 0 ]; then
 	err
    fi
    sleep 1
-    new "start backend -s init -f $cfg -y $fyang"
+    new "start backend -s init -f $cfg"
    # start new backend
-    sudo $clixon_backend -s init -f $cfg -y $fyang -D $DBG
+    sudo $clixon_backend -s init -f $cfg -D $DBG
    if [ $? -ne 0 ]; then
 	err
    fi
@ -155,7 +156,7 @@ new "kill old restconf daemon"
 sudo pkill -u www-data -f "/www-data/clixon_restconf"
 new "start restconf daemon (-a is enable http basic auth)"
-sudo su -c "$clixon_restconf -f $cfg -y $fyang -D $DBG -- -a" -s /bin/sh www-data &
+sudo su -c "$clixon_restconf -f $cfg -D $DBG -- -a" -s /bin/sh www-data &
 sleep $RCWAIT
@ -200,22 +201,22 @@ new2 "guest edit nacm"
 expecteq "$(curl -u guest:bar -sS -X PUT -d '{"x": 3}' http://localhost/restconf/data/example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "access denied"}}}
'
 new "cli show conf as admin"
-expectfn "$clixon_cli -1 -U andy -l o -f $cfg -y $fyang show conf" 0 "^x 1;$"
+expectfn "$clixon_cli -1 -U andy -l o -f $cfg show conf" 0 "^x 1;$"
 new "cli show conf as limited"
-expectfn "$clixon_cli -1 -U wilma -l o -f $cfg -y $fyang show conf" 0 "^x 1;$"
+expectfn "$clixon_cli -1 -U wilma -l o -f $cfg show conf" 0 "^x 1;$"
 new "cli show conf as guest"
-expectfn "$clixon_cli -1 -U guest -l o -f $cfg -y $fyang show conf" 255 "protocol access-denied"
+expectfn "$clixon_cli -1 -U guest -l o -f $cfg show conf" 255 "protocol access-denied"
 new "cli rpc as admin"
-expectfn "$clixon_cli -1 -U andy -l o -f $cfg -y $fyang rpc ipv4" 0 "next-hop-list 2.3.4.5;"
+expectfn "$clixon_cli -1 -U andy -l o -f $cfg rpc ipv4" 0 "next-hop-list 2.3.4.5;"
 new "cli rpc as limited"
-expectfn "$clixon_cli -1 -U wilma -l o -f $cfg -y $fyang rpc ipv4" 255 "protocol access-denied default deny"
+expectfn "$clixon_cli -1 -U wilma -l o -f $cfg rpc ipv4" 255 "protocol access-denied default deny"
 new "cli rpc as guest"
-expectfn "$clixon_cli -1 -U guest -l o -f $cfg -y $fyang rpc ipv4" 255 "protocol access-denied access denied"
+expectfn "$clixon_cli -1 -U guest -l o -f $cfg rpc ipv4" 255 "protocol access-denied access denied"
 new "Kill restconf daemon"
 sudo pkill -u www-data -f "/www-data/clixon_restconf"
--- a/test/test_nacm_module.sh
+++ b/test/test_nacm_module.sh
@ -0,0 +1,187 @@
 #!/bin/bash
 # Authentication and authorization and IETF NACM
 # NACM module rules
 # @see test_nacm.sh is slightly modified - this follows the RFC more closely
 # See RFC 8341 A.1 and A.2
 # Tests for:
 # deny-ncm:  This rule prevents the "guest" group from reading any
 #     monitoring information in the "ietf-netconf-monitoring" YANG
 #     module.
 # permit-ncm:  This rule allows the "limited" group to read the
 #     "ietf-netconf-monitoring" YANG module.
 # permit-exec:  This rule allows the "limited" group to invoke any
 #     protocol operation supported by the server.
 # permit-all:  This rule allows the "admin" group complete access to
 #     all content in the server.  No subsequent rule will match for the
 #     "admin" group because of this module rule
 APPNAME=example
 # include err() and new() functions and creates $dir
 . ./lib.sh
 . ./nacm.sh
 cfg=$dir/conf_yang.xml
 fyang=$dir/test.yang
 fyangerr=$dir/err.yang
 cat <<EOF > $cfg
 <config>
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
  <CLICON_CLISPEC_DIR>/usr/local/lib/$APPNAME/clispec</CLICON_CLISPEC_DIR>
  <CLICON_RESTCONF_DIR>/usr/local/lib/$APPNAME/restconf</CLICON_RESTCONF_DIR>
  <CLICON_CLI_DIR>/usr/local/lib/$APPNAME/cli</CLICON_CLI_DIR>
  <CLICON_CLI_MODE>$APPNAME</CLICON_CLI_MODE>
  <CLICON_SOCK>/usr/local/var/$APPNAME/$APPNAME.sock</CLICON_SOCK>
  <CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
  <CLICON_CLI_GENMODEL_COMPLETION>1</CLICON_CLI_GENMODEL_COMPLETION>
  <CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
  <CLICON_XMLDB_PLUGIN>/usr/local/lib/xmldb/text.so</CLICON_XMLDB_PLUGIN>
  <CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
  <CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
 </config>
 EOF
 cat <<EOF > $fyang
 module $APPNAME{
  yang-version 1.1;
  namespace "urn:example:clixon";
  prefix ex;
  import ietf-netconf-acm {
 	prefix nacm;
  }
  leaf x{
    type int32;
    description "something to edit";
  }
 }
 EOF
 # The groups are slightly modified from RFC8341 A.1 ($USER added in admin group)
 # The rule-list is from A.2 
 RULES=$(cat <<EOF
   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <enable-nacm>false</enable-nacm>
     <read-default>deny</read-default>
     <write-default>deny</write-default>
     <exec-default>deny</exec-default>
     $NGROUPS
     <rule-list>
       <name>guest-acl</name>
       <group>guest</group>
       <rule>
         <name>deny-ncm</name>
         <module-name>ietf-netconf-monitoring</module-name>
         <access-operations>*</access-operations>
         <action>deny</action>
         <comment>
             Do not allow guests any access to the NETCONF
             monitoring information.
         </comment>
       </rule>
     </rule-list>
     <rule-list>
       <name>limited-acl</name>
       <group>limited</group>
       <rule>
         <name>permit-ncm</name>
         <rpc-name>get</rpc-name>
         <module-name>ietf-netconf-monitoring</module-name>
         <access-operations>read</access-operations>
         <action>permit</action>
         <comment>
             Allow read access to the NETCONF monitoring information.
         </comment>
       </rule>
       <rule>
         <name>permit-exec</name>
         <module-name>*</module-name>
         <access-operations>exec</access-operations>
         <action>permit</action>
         <comment>
             Allow invocation of the supported server operations.
         </comment>
       </rule>
     </rule-list>
     $NADMIN
   </nacm>
   <x xmlns="urn:example:clixon">0</x>
 EOF
 )
 # kill old backend (if any)
 new "kill old backend"
 sudo clixon_backend -zf $cfg
 if [ $? -ne 0 ]; then
    err
 fi
 new "start backend -s init -f $cfg"
 # start new backend
 sudo $clixon_backend -s init -f $cfg
 if [ $? -ne 0 ]; then
    err
 fi
 new "kill old restconf daemon"
 sudo pkill -u www-data -f "/www-data/clixon_restconf"
 sleep 1
 new "start restconf daemon (-a is enable basic authentication)"
 sudo su -c "$clixon_restconf -f $cfg -D $DBG -- -a" -s /bin/sh www-data &
 sleep $RCWAIT
 new "auth set authentication config"
 expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
 new "commit it"
 expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><commit/></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
 new "enable nacm"
 expecteq "$(curl -u andy:bar -sS -X PUT -d '{"enable-nacm": true}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" ""
 #--------------- nacm enabled
 # Read monitoring information from ietf-netconf-monitoring
 new2 "admin get nacm"
 expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"example:x": 0}
 
'
 new2 "limited get nacm"
 expecteq "$(curl -u wilma:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"example:x": 0}
 
'
 new2 "guest get nacm"
 expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}}
'
 new "admin edit nacm"
 expecteq "$(curl -u andy:bar -sS -X PUT -d '{"example:x": 1}' http://localhost/restconf/data/example:x)" ""
 new2 "limited edit nacm"
 expecteq "$(curl -u wilma:bar -sS -X PUT -d '{"example:x": 2}' http://localhost/restconf/data/example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}}
'
 new2 "guest edit nacm"
 expecteq "$(curl -u guest:bar -sS -X PUT -d '{"example:x": 3}' http://localhost/restconf/data/example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}}
'
 new "Kill restconf daemon"
 sudo pkill -u www-data -f "/www-data/clixon_restconf"
 new "Kill backend"
 # Check if premature kill
 pid=`pgrep -u root -f clixon_backend`
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
 # kill backend
 sudo clixon_backend -z -f $cfg
 if [ $? -ne 0 ]; then
    err "kill backend"
 fi
 rm -rf $dir
--- a/test/test_nacm_protocol.sh
+++ b/test/test_nacm_protocol.sh
@ -36,7 +36,7 @@ cat <<EOF > $cfg
 <config>
  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
-  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
+  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
  <CLICON_CLISPEC_DIR>/usr/local/lib/$APPNAME/clispec</CLICON_CLISPEC_DIR>
  <CLICON_RESTCONF_DIR>/usr/local/lib/$APPNAME/restconf</CLICON_RESTCONF_DIR>
  <CLICON_CLI_DIR>/usr/local/lib/$APPNAME/cli</CLICON_CLI_DIR>
@ -125,17 +125,17 @@ RULES=$(cat <<EOF
 EOF
 )
-new "test params: -f $cfg -y $fyang"
+new "test params: -f $cfg"
 if [ $BE -ne 0 ]; then
    new "kill old backend"
-    sudo clixon_backend -zf $cfg -y $fyang
+    sudo clixon_backend -zf $cfg
    if [ $? -ne 0 ]; then
 	err
    fi
-    new "start backend -s init -f $cfg -y $fyang"
+    new "start backend -s init -f $cfg"
-    sudo $clixon_backend -s init -f $cfg -y $fyang -D $DBG
+    sudo $clixon_backend -s init -f $cfg -D $DBG
    if [ $? -ne 0 ]; then
 	err
    fi
@ -146,36 +146,38 @@ sudo pkill -u www-data -f "/www-data/clixon_restconf"
 sleep 1
 new "start restconf daemon (-a is enable basic authentication)"
-sudo su -c "$clixon_restconf -f $cfg -y $fyang -D $DBG -- -a" -s /bin/sh www-data &
+sudo su -c "$clixon_restconf -f $cfg -D $DBG -- -a" -s /bin/sh www-data &
 sleep $RCWAIT
 new "auth set authentication config"
-expecteof "$clixon_netconf -qf $cfg -y $fyang" 0 "<rpc><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
+expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
 new "commit it"
-expecteof "$clixon_netconf -qf $cfg -y $fyang" 0 "<rpc><commit/></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
+expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><commit/></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
 new "enable nacm"
 expecteq "$(curl -u andy:bar -sS -X PUT -d '{"enable-nacm": true}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" ""
 #--------------- nacm enabled
 new2 "admin get nacm"
 expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/example:x)" '{"example:x": 0}
 
'
 # Rule 1: deny-kill-session
 new "deny-kill-session: limited fail (netconf)"
-expecteof "$clixon_netconf -qf $cfg -y $fyang -U wilma" 0 "<rpc><kill-session><session-id>44</session-id></kill-session></rpc>]]>]]>" "^<rpc-reply><rpc-error><error-type>protocol</error-type><error-tag>access-denied</error-tag><error-severity>error</error-severity><error-message>access denied</error-message></rpc-error></rpc-reply>]]>]]>$"
+expecteof "$clixon_netconf -qf $cfg -U wilma" 0 "<rpc><kill-session><session-id>44</session-id></kill-session></rpc>]]>]]>" "^<rpc-reply><rpc-error><error-type>protocol</error-type><error-tag>access-denied</error-tag><error-severity>error</error-severity><error-message>access denied</error-message></rpc-error></rpc-reply>]]>]]>$"
 new "deny-kill-session: guest fail (netconf)"
-expecteof "$clixon_netconf -qf $cfg -y $fyang -U guest" 0 "<rpc><kill-session><session-id>44</session-id></kill-session></rpc>]]>]]>" "^<rpc-reply><rpc-error><error-type>protocol</error-type><error-tag>access-denied</error-tag><error-severity>error</error-severity><error-message>access denied</error-message></rpc-error></rpc-reply>]]>]]>$"
+expecteof "$clixon_netconf -qf $cfg -U guest" 0 "<rpc><kill-session><session-id>44</session-id></kill-session></rpc>]]>]]>" "^<rpc-reply><rpc-error><error-type>protocol</error-type><error-tag>access-denied</error-tag><error-severity>error</error-severity><error-message>access denied</error-message></rpc-error></rpc-reply>]]>]]>$"
 new "deny-kill-session: admin ok (netconf)"
-expecteof "$clixon_netconf -qf $cfg -y $fyang -U andy" 0 "<rpc><kill-session><session-id>44</session-id></kill-session></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
+expecteof "$clixon_netconf -qf $cfg -U andy" 0 "<rpc><kill-session><session-id>44</session-id></kill-session></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
 # Rule 2: deny-delete-config
 new "deny-delete-config: limited fail (netconf)"
-expecteof "$clixon_netconf -qf $cfg -y $fyang -U wilma" 0 "<rpc><delete-config><target><startup/></target></delete-config></rpc>]]>]]>" "^<rpc-reply><rpc-error><error-type>protocol</error-type><error-tag>access-denied</error-tag><error-severity>error</error-severity><error-message>access denied</error-message></rpc-error></rpc-reply>]]>]]>$"
+expecteof "$clixon_netconf -qf $cfg -U wilma" 0 "<rpc><delete-config><target><startup/></target></delete-config></rpc>]]>]]>" "^<rpc-reply><rpc-error><error-type>protocol</error-type><error-tag>access-denied</error-tag><error-severity>error</error-severity><error-message>access denied</error-message></rpc-error></rpc-reply>]]>]]>$"
 new2 "deny-delete-config: guest fail (restconf)"
 expecteq "$(curl -u guest:bar -sS -X DELETE http://localhost/restconf/data)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}}
'
@ -193,10 +195,10 @@ expecteq "$(curl -u andy:bar -sS -X DELETE http://localhost/restconf/data)" ''
 # Here the whole config is gone so we need to start again
 new "auth set authentication config (restart)"
-expecteof "$clixon_netconf -qf $cfg -y $fyang" 0 "<rpc><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
+expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
 new "commit it"
-expecteof "$clixon_netconf -qf $cfg -y $fyang" 0 "<rpc><commit/></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
+expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><commit/></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
 new "enable nacm"
 expecteq "$(curl -u andy:bar -sS -X PUT -d '{"ietf-netconf-acm:enable-nacm": true}' http://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" ""
--- a/yang/clixon-config@2018-10-21.yang
+++ b/yang/clixon-config@2018-10-21.yang
@ -145,7 +145,9 @@ module clixon-config {
 	leaf CLICON_YANG_MAIN_FILE {
 	    type string;
 	    description
-		"If specified load a yang module in a specific absolute filename";
+		"If specified load a yang module in a specific absolute filename.
                 This corresponds to the -y command-line option in most CLixon
                 programs.";
 	}
 	leaf CLICON_YANG_MAIN_DIR {
 	    type string;