diff --git a/CHANGELOG.md b/CHANGELOG.md index ba2dac7f..b6793e1d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -72,6 +72,7 @@ example backend_main() and others if you need details. ### Minor changes +* Renamed test/test_auth*.sh tests to test/test_nacm*.sh * YANG keywords "action" and "belongs-to" implemented by syntactically by parser (but not proper semantics). * clixon-config YAML file has new revision: 2018-10-21. * Allow new lines in CLI prompts diff --git a/README.md b/README.md index 85eae788..ac86f471 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,8 @@ support. * [Netconf](#netconf) * [Restconf](#restconf) * [Datastore](datastore/README.md) - * [Authentication and Authorization](#auth) + * [Authentication](#auth) + * [NACM Access control](#nacm) * [Example](example/) * [Changelog](CHANGELOG.md) * [Runtime](#runtime) @@ -175,10 +176,38 @@ The clients send the ID of the user using a "username" attribute with the RPC calls to the backend. Note that the backend trusts the clients so the clients can in principle fake a username. -There is an ongoing effort to implement authorization for Clixon -according to [RFC8341(NACM)](https://tools.ietf.org/html/rfc8341), at -least a subset of the functionality. See more information here: -[NACM](README_NACM.md). +NACM +==== +Clixon includes an experimental Network Configuration Access Control Model (NACM) according to [RFC8341(NACM)](https://tools.ietf.org/html/rfc8341). It has limited functionality. + +The support is as follows: + +* There is a yang config variable `CLICON_NACM_MODE` to set whether NACM is disabled, uses internal(embedded) NACM configuration, or external configuration. (See yang/clixon-config.yang) +* If the mode is internal, NACM configurations is expected to be in the regular configuration, managed by regular candidate/runing/commit procedures. This mode may have some problems with bootstrapping. +* If the mode is `external`, the `CLICON_NACM_FILE` yang config variable contains the name of a separate configuration file containing the NACM configurations. After changes in this file, the backend needs to be restarted. +* The [example](example/README.md) contains a http basic auth and a NACM backend callback for mandatory state variables. +* There are two [tests](test/README.md) using internal and external NACM config +* The backend provides a limited NACM support (when enabled) described below + +NACM is implemented in the backend and a single access check is made +in `from_client_msg()` when an internal netconf RPC has +just been received and decoded. The code is in `nacm_access()`. + +The functionality is as follows: +* Notification is not supported +* Groups are supported +* Rule-lists are supported +* Rules are supported as follows + * module-name: Only '*' supported + * access-operations: only '*' and 'exec' supported + * rpc-name: fully supported (eg edit-config/get-config, etc) + * action: fully supported (permit/deny) + +The tests outlines an example of three groups (taken from the RFC): admin, limited and guest: +* admin: Full access +* limited: Read access (get and get-config) +* guest: No access + Runtime ======= diff --git a/README_NACM.md b/README_NACM.md deleted file mode 100644 index 7ec76ee3..00000000 --- a/README_NACM.md +++ /dev/null @@ -1,34 +0,0 @@ -# NACM - -Clixon includes an experimental NACM implementation according to [RFC8341(NACM)](https://tools.ietf.org/html/rfc8341). - -The support is as follows: - -* There is a yang config variable `CLICON_NACM_MODE` to set whether NACM is disabled, uses internal(embedded) NACM configuration, or external configuration. (See yang/clixon-config.yang) -* If the mode is internal, NACM configurations is expected to be in the regular configuration, managed by regular candidate/runing/commit procedures. This mode may have some problems with bootstrapping. -* If the mode is `external`, the `CLICON_NACM_FILE` yang config variable contains the name of a separate configuration file containing the NACM configurations. After changes in this file, the backend needs to be restarted. -* The [example](example/README.md) contains a http basic auth and a NACM backend callback for mandatory state variables. -* There are two [tests](test/README.md) using internal and external NACM config -* The backend provides a limited NACM support (when enabled) described below - -NACM functionality -================== - -NACM is implemented in the backend and a single access check is made -in from_client_msg() when an internal netconf RPC has -just been received and decoded. The code is in nacm_access(). - -The functionality is as follows: -* Notification is not supported -* Groups are supported -* Rule-lists are supported -* Rules are supported as follows - * module-name: Only '*' supported - * access-operations: only '*' and 'exec' supported - * rpc-name: fully supported (eg edit-config/get-config, etc) - * action: fully supported (permit/deny) - -The tests outlines an example of three groups (taken from the RFC): admin, limited and guest: -* admin: Full access -* limited: Read access (get and get-config) -* guest: No access diff --git a/test/README.md b/test/README.md index 08c92f1a..7ae292bb 100644 --- a/test/README.md +++ b/test/README.md @@ -4,8 +4,8 @@ This directory contains testing code for clixon and the example routing application. Assumes setup of http daemon as describe under apps/restonf - clixon A top-level script clones clixon in /tmp and starts all.sh. You can copy this file (review it first) and place as cron script - all.sh Run through all tests named 'test*.sh' in this directory. Therefore, if you place a test in this directory matching 'test*.sh' it will be run automatically. -- test_auth.sh Auth tests using internal NACM -- test_auth_ext.sh Auth tests using external NACM +- test_nacm.sh Auth tests using internal NACM +- test_nacm_ext.sh Auth tests using external NACM (separate file) - test_cli.sh CLI tests - test_netconf.sh Netconf tests - test_restconf.sh Restconf tests diff --git a/test/test_auth.sh b/test/test_nacm.sh similarity index 98% rename from test/test_auth.sh rename to test/test_nacm.sh index 6a16a318..764b92c9 100755 --- a/test/test_auth.sh +++ b/test/test_nacm.sh @@ -139,7 +139,7 @@ new "kill old restconf daemon" sudo pkill -u www-data clixon_restconf sleep 1 new "start restconf daemon (-a is enable basic authentication)" -sudo start-stop-daemon -S -q -o -b -x /www-data/clixon_restconf -d /www-data -c www-data -- -f $cfg -y $fyang -- -a +sudo su -c "/www-data/clixon_restconf -f $cfg -y $fyang -- -a" -s /bin/sh www-data & sleep 1 diff --git a/test/test_auth_ext.sh b/test/test_nacm_ext.sh similarity index 100% rename from test/test_auth_ext.sh rename to test/test_nacm_ext.sh