Internet Engineering Task Force (IETF)                        A. Bierman
Request for Comments: 6536                                     YumaWorks
Category: Standards Track                                   M. Bjorklund
ISSN: 2070-1721                                           Tail-f Systems
                                                              March 2012

Network Configuration Protocol (NETCONF) Access Control Model

Abstract

The standardization of network configuration interfaces for use with the Network Configuration Protocol (NETCONF) requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability. There is a need for standard mechanisms to restrict NETCONF protocol access for particular users to a pre-configured subset of all available NETCONF protocol operations and content. This document defines such an access control model.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6536.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Terminology
   2. Access Control Design Objectives
      2.1. Access Control Points
      2.2. Simplicity
      2.3. Procedural Interface
      2.4. Datastore Access
      2.5. Users and Groups
      2.6. Maintenance
      2.7. Configuration Capabilities
      2.8. Identifying Security-Sensitive Content
   3. NETCONF Access Control Model (NACM)
      3.1. Introduction
           3.1.1. Features
           3.1.2. External Dependencies
           3.1.3. Message Processing Model
      3.2. Datastore Access
           3.2.1. Access Rights
           3.2.2. <get> and <get-config> Operations
           3.2.3. <edit-config> Operation
           3.2.4. <copy-config> Operation
           3.2.5. <delete-config> Operation
           3.2.6. <commit> Operation
           3.2.7. <discard-changes> Operation
           3.2.8. <kill-session> Operation
      3.3. Model Components
           3.3.1. Users
           3.3.2. Groups
           3.3.3. Emergency Recovery Session
           3.3.4. Global Enforcement Controls
                  3.3.4.1. enable-nacm Switch
                  3.3.4.2. read-default Switch
                  3.3.4.3. write-default Switch
                  3.3.4.4. exec-default Switch
                  3.3.4.5. enable-external-groups Switch
           3.3.5. Access Control Rules
      3.4. Access Control Enforcement Procedures
           3.4.1. Initial Operation
           3.4.2. Session Establishment
           3.4.3. "access-denied" Error Handling
           3.4.4. Incoming RPC Message Validation
           3.4.5. Data Node Access Validation
           3.4.6. Outgoing <notification> Authorization
      3.5. Data Model Definitions
           3.5.1. Data Organization
           3.5.2. YANG Module
      3.6. IANA Considerations
      3.7. Security Considerations
           3.7.1. NACM Configuration and Monitoring Considerations
           3.7.2. General Configuration Issues
           3.7.3. Data Model Design Considerations
   4. References
      4.1. Normative References
      4.2. Informative References
   Appendix A.  Usage Examples
     A.1.  <groups> Example
     A.2.  Module Rule Example
     A.3.  Protocol Operation Rule Example
     A.4.  Data Node Rule Example
     A.5.  Notification Rule Example

1. Introduction

The NETCONF protocol does not provide any standard mechanisms to restrict the protocol operations and content that each user is authorized to access.

There is a need for interoperable management of the controlled access to administrator-selected portions of the available NETCONF content within a particular server.

This document addresses access control mechanisms for the Operations and Content layers of NETCONF, as defined in [RFC6241]. It contains three main sections:

1. Access Control Design Objectives

2. NETCONF Access Control Model (NACM)

3. YANG Data Model (ietf-netconf-acm.yang)

1.1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

The following terms are defined in [RFC6241] and are not redefined here:

o client

o datastore

o protocol operation

o server

o session

o user

The following terms are defined in [RFC6020] and are not redefined here:

o data node

o data definition statement

The following terms are used throughout this document:

access control: A security feature provided by the NETCONF server that allows an administrator to restrict access to a subset of all NETCONF protocol operations and data, based on various criteria.

access control model (ACM): A conceptual model used to configure and monitor the access control procedures desired by the administrator to enforce a particular access control policy.

access control rule: The criterion used to determine if a particular NETCONF protocol operation will be permitted or denied.

access operation: How a request attempts to access a conceptual object. One of "none", "read", "create", "delete", "update", or "execute".

recovery session: A special administrative session that is given unlimited NETCONF access and is exempt from all access control enforcement. The mechanism(s) used by a server to control and identify whether or not a session is a recovery session are implementation specific and outside the scope of this document.

write access: A shorthand for the "create", "delete", and "update" access operations.

2. Access Control Design Objectives

This section documents the design objectives for the NETCONF Access Control Model presented in Section 3.

2.1. Access Control Points

NETCONF allows new protocol operations to be added at any time, and the YANG Data Modeling Language supports this feature. It is therefore not possible to design an ACM for NETCONF that focuses only on a static set of protocol operations, as can be done for some other protocols. Since few assumptions can be made about an arbitrary protocol operation, the NETCONF architectural server components need to be protected at three conceptual control points.

These access control points, described in Figure 1, are as follows:

protocol operation: Permission to invoke specific protocol operations.

datastore: Permission to read and/or alter specific data nodes within any datastore.

notification: Permission to receive specific notification event types.

                 +-------------+                 +-------------+
    client       |  protocol   |                 |  data node  |
    request -->  |  operation  | ------------->  |   access    |
                 |  allowed?   |   datastore     |  allowed?   |
                 +-------------+   or state      +-------------+
                                   data access

                 +----------------+
                 |  notification  |
    event -->    |  allowed?      |
                 +----------------+

Figure 1

2.2. Simplicity

There is concern that a complicated ACM will not be widely deployed because it is too hard to use. It needs to be easy to do simple things and possible to do complex things, instead of hard to do everything.

Configuration of the access control system needs to be as simple as possible. Simple and common tasks need to be easy to configure and require little expertise or domain-specific knowledge. Complex tasks are possible using additional mechanisms, which may require additional expertise.

A single set of access control rules ought to be able to control all types of NETCONF protocol operation invocation, all datastore access, and all notification events.

Access control ought to be defined with a small and familiar set of permissions, while still allowing full control of NETCONF datastore access.

2.3. Procedural Interface

The NETCONF protocol uses a remote procedure call model and an extensible set of protocol operations. Access control for any possible protocol operation is necessary.

2.4. Datastore Access

It is necessary to control access to specific nodes and subtrees within the NETCONF datastore, regardless of which protocol operation, standard or proprietary, was used to access the datastore.

2.5. Users and Groups

It is necessary that access control rules for a single user or a configurable group of users can be configured.

The ACM needs to support the concept of administrative groups, to support the well-established distinction between a root account and other types of less-privileged conceptual user accounts. These groups need to be configurable by the administrator.

It is necessary that the user-to-group mapping can be delegated to a central server, such as a RADIUS server [RFC2865][RFC5607]. Since authentication is performed by the NETCONF transport layer and RADIUS performs authentication and service authorization at the same time, the underlying NETCONF transport needs to be able to report a set of group names associated with the user to the server. It is necessary that the administrator can disable the usage of these group names within the ACM.

2.6. Maintenance

It ought to be possible to disable part or all of the access control model enforcement procedures without deleting any access control rules.

2.7. Configuration Capabilities

Suitable configuration and monitoring mechanisms are needed to allow an administrator to easily manage all aspects of the ACM's behavior. A standard data model, suitable for use with the <edit-config> protocol operation, needs to be available for this purpose.

Access control rules to restrict access operations on specific subtrees within the configuration datastore need to be supported.

2.8. Identifying Security-Sensitive Content

One of the most important aspects of the data model documentation, and biggest concerns during deployment, is the identification of security-sensitive content. This applies to protocol operations in NETCONF, not just data and notifications.

It is mandatory for security-sensitive objects to be documented in the Security Considerations section of an RFC. This is nice, but it is not good enough, for the following reasons:

o This documentation-only approach forces administrators to study the RFC and determine if there are any potential security risks introduced by a new data model.

o If any security risks are identified, then the administrator must study some more RFC text and determine how to mitigate the security risk(s).

o The ACM on each server must be configured to mitigate the security risks, e.g., require privileged access to read or write the specific data identified in the Security Considerations section.

o If the ACM is not pre-configured, then there will be a time window of vulnerability after the new data model is loaded and before the new access control rules for that data model are configured, enabled, and debugged.

Often, the administrator just wants to disable default access to the secure content, so no inadvertent or malicious changes can be made to the server. This allows the default rules to be more lenient, without significantly increasing the security risk.

A data model designer needs to be able to use machine-readable statements to identify NETCONF content that needs to be protected by default. This allows client and server tools to automatically identify data-model-specific security risks, by denying access to sensitive data unless the user is explicitly authorized to perform the requested access operation.

3. NETCONF Access Control Model (NACM)
3.1. Introduction

This section provides a high-level overview of the access control model structure. It describes the NETCONF protocol message processing model and the conceptual access control requirements within that model.

3.1.1. Features

The NACM data model provides the following features:

o Independent control of remote procedure call (RPC), data, and notification access.

o Simple access control rules configuration data model that is easy to use.

o The concept of an emergency recovery session is supported, but configuration of the server for this purpose is beyond the scope of this document. An emergency recovery session will bypass all access control enforcement, in order to allow it to initialize or repair the NACM configuration.

o A simple and familiar set of datastore permissions is used.

o Support for YANG security tagging (e.g., "nacm:default-deny-write" statement) allows default security modes to automatically exclude sensitive data.

o Separate default access modes for read, write, and execute permissions.

o Access control rules are applied to configurable groups of users.

o The access control enforcement procedures can be disabled during operation, without deleting any access control rules, in order to debug operational problems.

o Access control rules are simple to configure.

o The number of denied protocol operation requests and denied datastore write requests can be monitored by the client.

o Simple unconstrained YANG instance identifiers are used to configure access control rules for specific data nodes.
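
The security tagging mentioned in the feature list above and motivated in Section 2.8, shown as an added example that is not taken from RFC 6536: a small hypothetical YANG module (module, namespace, and node names are invented for illustration) that imports ietf-netconf-acm and marks the nodes that must be protected by default, so a server denies access to them as soon as the module is loaded and before any site-specific rules exist.

```yang
module example-tunnels {
  namespace "urn:example:tunnels";
  prefix tun;

  import ietf-netconf-acm { prefix nacm; }

  container tunnels {
    // Writes anywhere under /tunnels are denied unless an explicit rule
    // permits them, even when the write-default switch is "permit".
    nacm:default-deny-write;

    list tunnel {
      key name;
      leaf name { type string; }
      leaf peer { type string; }
      leaf psk {
        // Pre-shared key: neither readable nor writable by default; only an
        // explicit rule (or the recovery session) grants access.
        nacm:default-deny-all;
        type string;
      }
    }
  }

  rpc reset-all-tunnels {
    // Disruptive operation: invocation is denied unless explicitly permitted.
    nacm:default-deny-all;
  }
}
```

The two extension statements carry no semantics for a server that does not implement NACM, so a module tagged this way remains usable everywhere; on a NACM-enabled server they close the window between loading the module and configuring rules for it.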

3.1.2. External Dependencies

The NETCONF protocol [RFC6241] is used for all management purposes within this document.

The YANG Data Modeling Language [RFC6020] is used to define the NETCONF data models specified in this document.

3.1.3. Message Processing Model

The following diagram shows the conceptual message flow model, including the points at which access control is applied during NETCONF message processing.

                    +-------------------------+
                    |       session           |
                    |      (username)         |
                    +-------------------------+
                       |                 ^
                       V                 |
             +--------------+     +---------------+
             |   message    |     |   message     |
             | dispatcher   |     |   generator   |
             +--------------+     +---------------+
                  |                  ^         ^
                  V                  |         |
         +===========+     +-------------+   +----------------+
         |   <rpc>   |---> | <rpc-reply> |   | <notification> |
         | acc. ctl  |     |  generator  |   |  generator     |
         +===========+     +-------------+   +----------------+
               |              ^    ^                ^
               V       +------+    |                |
         +-----------+ |   +=============+  +================+
         |   <rpc>   | |   |    read     |  | <notification> |
         | processor |-+   | data node   |  |  access ctl    |
         |           |     | acc. ctl    |  |                |
         +-----------+     +=============+  +================+
               |   |                  ^        ^
               V   +----------------+ |        |
         +===========+              | |        |
         |  write    |              | |        |
         | data node |              | |        |
         | acc. ctl  | -----------+ | |        |
         +===========+            | | |        |
               |                  | | |        |
               V                  V V |        |
         +---------------+      +-----------------+
         | configuration | ---> |     server      |
         |   datastore   |      | instrumentation |
         |               | <--- |                 |
          +---------------+      +-----------------+

Figure 2

The following high-level sequence of conceptual processing steps is executed for each received <rpc> message, if access control enforcement is enabled:

o For each active session, access control is applied individually to all <rpc> messages (except <close-session>) received by the server, unless the session is identified as a recovery session.

o If the user is authorized to execute the specified protocol operation, then processing continues; otherwise, the request is rejected with an "access-denied" error.

o If the configuration datastore or conceptual state data is accessed by the protocol operation, then the server checks if the client is authorized to access the nodes in the datastore. If the user is authorized to perform the requested access operation on the requested data, then processing continues.

The following sequence of conceptual processing steps is executed for each generated notification event, if access control enforcement is enabled:

o Server instrumentation generates a notification for a particular subscription.

o The notification access control enforcer checks the notification event type, and if it is one that the user is not authorized to read, then the notification is dropped for that subscription.
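
The two processing sequences above, as an added example that is not code from RFC 6536 or any NETCONF implementation: a minimal enforcer that performs the protocol-operation check first, then the data node checks, and separately the notification check, with the recovery-session and <close-session> exemptions. The rule layout follows the rule-list / rule structure of ietf-netconf-acm in simplified form (no module-name matching; the first matching rule in order wins, otherwise the read/write/exec default applies). The users, groups, rules, and the "config-change" and "link-down" event names are constructed sample data.

```python
"""Minimal NACM-style enforcer for the Section 3.1.3 processing steps.

Added example, not code from RFC 6536.  Simplifications: rules match on
rpc name, notification name, or data path prefix (no module-name rules);
the first matching rule wins; otherwise the per-kind default applies.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    kind: str                           # "rpc", "notification", "data", or "module" (matches any kind)
    name: str = "*"                     # rpc name, notification name, or data path prefix
    ops: frozenset = frozenset({"*"})   # subset of create/read/update/delete/exec, or "*"
    action: str = "permit"              # "permit" or "deny"


@dataclass
class RuleList:
    groups: frozenset                   # groups the list applies to; "*" means every group
    rules: list


@dataclass
class Session:
    user: str
    recovery: bool = False              # recovery sessions bypass all enforcement


@dataclass
class Nacm:
    enable_nacm: bool = True
    read_default: str = "permit"
    write_default: str = "deny"
    exec_default: str = "permit"
    groups: dict = field(default_factory=dict)      # group name -> set of user names
    rule_lists: list = field(default_factory=list)

    def user_groups(self, user):
        return {g for g, members in self.groups.items() if user in members}

    def _decide(self, user, op, kind, name, default):
        """Action of the first matching rule, or the supplied default."""
        ugroups = self.user_groups(user)
        for rl in self.rule_lists:
            if "*" not in rl.groups and not (rl.groups & ugroups):
                continue
            for r in rl.rules:
                if r.kind not in ("module", kind):
                    continue
                if r.kind in ("rpc", "notification") and r.name not in ("*", name):
                    continue
                if r.kind == "data" and not (name == r.name or name.startswith(r.name + "/")):
                    continue                # a path rule covers its whole subtree
                if "*" not in r.ops and op not in r.ops:
                    continue
                return r.action
        return default

    def _exempt(self, session):
        return session.recovery or not self.enable_nacm

    def check_rpc(self, session, rpc_name):
        """Protocol-operation check; <close-session> is never access-controlled."""
        if self._exempt(session) or rpc_name == "close-session":
            return True
        return self._decide(session.user, "exec", "rpc", rpc_name, self.exec_default) == "permit"

    def check_data(self, session, path, op):
        """Data node check for read or a write access operation; "none" is never checked."""
        if self._exempt(session) or op == "none":
            return True
        default = self.read_default if op == "read" else self.write_default
        return self._decide(session.user, op, "data", path, default) == "permit"

    def check_notification(self, session, event):
        """Event-type check; False means the event is dropped for that subscription."""
        if self._exempt(session):
            return True
        return self._decide(session.user, "read", "notification", event, self.read_default) == "permit"


def process_rpc(nacm, session, rpc_name, data_accesses=()):
    """Section 3.1.3 order: the protocol operation first, then every data node it touches."""
    if not nacm.check_rpc(session, rpc_name):
        return "access-denied"
    for path, op in data_accesses:
        if not nacm.check_data(session, path, op):
            return "access-denied"
    return "ok"


# Constructed sample policy: admins may do anything; operators may read everything
# except the NACM configuration, may neither change configuration nor kill sessions,
# and do not receive the (hypothetical) config-change notification.
NACM = Nacm(
    groups={"admin": {"alice"}, "operators": {"bob"}},
    rule_lists=[
        RuleList(frozenset({"admin"}), [Rule("module")]),
        RuleList(frozenset({"operators"}), [
            Rule("data", "/nacm", frozenset({"read"}), "deny"),
            Rule("rpc", "kill-session", frozenset({"exec"}), "deny"),
            Rule("notification", "config-change", frozenset({"read"}), "deny"),
        ]),
    ],
)
ALICE, BOB, ROOT = Session("alice"), Session("bob"), Session("root", recovery=True)

if __name__ == "__main__":
    print(process_rpc(NACM, BOB, "get-config", [("/interfaces", "read")]))
    print(process_rpc(NACM, BOB, "edit-config", [("/interfaces/interface", "create")]))
    print(NACM.check_notification(BOB, "config-change"))
```

Note that bob's <edit-config> is refused by the write-default switch rather than by any rule, while his <kill-session> is refused by an explicit exec rule; disabling enable-nacm or using the recovery session lets both through without touching the rules, which is the maintenance behaviour described in Section 2.6.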

3.2. Datastore Access

The same access control rules apply to all datastores, for example, the candidate configuration datastore or the running configuration datastore.

Only the standard NETCONF datastores (candidate, running, and startup) are controlled by NACM. Local or remote files or datastores accessed via the <url> parameter are not controlled by NACM.

3.2.1. Access Rights

A small set of hard-wired datastore access rights is needed to control access to all possible NETCONF protocol operations, including vendor extensions to the standard protocol operation set.

The "CRUDX" model can support all NETCONF protocol operations:

o Create: allows the client to add a new data node instance to a datastore.

o 创建:允许客户端向数据存储添加新的数据节点实例。

o Read: allows the client to read a data node instance from a datastore or receive the notification event type.

o 读取:允许客户端从数据存储读取数据节点实例或接收通知事件类型。

o Update: allows the client to update an existing data node instance in a datastore.

o 更新:允许客户端更新数据存储中的现有数据节点实例。

o Delete: allows the client to delete a data node instance from a datastore.

o 删除:允许客户端从数据存储中删除数据节点实例。

o eXec: allows the client to execute the protocol operation.

o eXec:允许客户端执行协议操作。

3.2.2. <get> and <get-config> Operations

Data nodes to which the client does not have read access are silently omitted from the <rpc-reply> message. This is done to allow NETCONF filters for <get> and <get-config> to function properly, instead of causing an "access-denied" error because the filter criteria would otherwise include unauthorized read access to some data nodes. For NETCONF filtering purposes, the selection criteria are applied to the subset of nodes that the user is authorized to read, not the entire datastore.

3.2.3. <edit-config> Operation

The NACM access rights are not directly coupled to the <edit-config> "operation" attribute, although they are similar. Instead, a NACM access right applies to all protocol operations that would result in a particular access operation to the target datastore. This section describes how these access rights apply to the specific access operations supported by the <edit-config> protocol operation.

If the effective access operation is "none" (i.e., default-operation="none") for a particular data node, then no access control is applied to that data node. This is required to allow access to a subtree within a larger data structure. For example, a user may be authorized to create a new "/interfaces/interface" list entry but not be authorized to create or delete its parent container ("/interfaces"). If the "/interfaces" container already exists in the target datastore, then the effective operation will be "none" for the "/interfaces" node if an "/interfaces/interface" list entry is edited.

If the protocol operation would result in the creation of a datastore node and the user does not have "create" access permission for that node, the protocol operation is rejected with an "access-denied" error.

If the protocol operation would result in the deletion of a datastore node and the user does not have "delete" access permission for that node, the protocol operation is rejected with an "access-denied" error.

If the protocol operation would result in the modification of a datastore node and the user does not have "update" access permission for that node, the protocol operation is rejected with an "access-denied" error.

A "merge" or "replace" <edit-config> operation may include data nodes that do not alter portions of the existing datastore. For example, a container or list node may be present for naming purposes but does not actually alter the corresponding datastore node. These unaltered data nodes are ignored by the server and do not require any access rights by the client.

A "merge" <edit-config> operation may include data nodes but not include particular child data nodes that are present in the datastore. These missing data nodes within the scope of a "merge" <edit-config> operation are ignored by the server and do not require any access rights by the client.

The contents of specific restricted datastore nodes MUST NOT be exposed in any <rpc-error> elements within the reply.
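
The effective-operation rules of this section (an existing parent container needs no right, a created node needs "create", a changed leaf needs "update", a removed node needs "delete", and unaltered naming nodes need nothing) can be walked through with a small script. This is an added example, not code from RFC 6536 or from any NETCONF implementation; the nested-dict datastore, the "@operation" delete marker, the RUNNING/EDIT/OPERATOR data and all function names are constructed for illustration only.

```python
"""Added example for Section 3.2.3: which NACM access right each node of an
<edit-config> needs, derived by comparing the edit with the target datastore.
Nested dicts stand in for the conceptual XML tree; list entries are keyed by
their name, and a node carrying {"@operation": "delete"} models the NETCONF
operation="delete" attribute (constructed conventions, not NETCONF encoding)."""


def required_access(target, edit, path="", out=None):
    """Return {node path: right}. "none" marks nodes present only for naming
    (an existing container or list entry) or unchanged leaves: the server
    ignores them and no access right is required."""
    if out is None:
        out = {}
    target = target if isinstance(target, dict) else {}
    for name, value in edit.items():
        if name == "@operation":
            continue
        node = f"{path}/{name}"
        existing = target.get(name)
        if isinstance(value, dict):
            if value.get("@operation") == "delete":
                # Deleting an absent node changes nothing (NETCONF itself would
                # report data-missing; that is outside access control).
                out[node] = "delete" if existing is not None else "none"
            elif existing is None:
                out[node] = "create"          # the whole subtree is created
                required_access({}, value, node, out)
            else:
                out[node] = "none"            # naming node: effective op "none"
                required_access(existing, value, node, out)
        elif existing is None:
            out[node] = "create"
        elif existing != value:
            out[node] = "update"
        else:
            out[node] = "none"                # unaltered leaf, ignored
    return out


def granted(permissions, node):
    """Rights for a node: the longest permission path that is the node itself
    or an ancestor (a data-node rule covers the node and its descendants)."""
    best = max((p for p in permissions
                if node == p or node.startswith(p.rstrip("/") + "/")),
               key=len, default=None)
    return permissions.get(best, set())


def check_edit(target, edit, permissions):
    """(True, None) if every create/update/delete the edit implies is granted,
    else (False, first node that would trigger access-denied)."""
    for node, right in required_access(target, edit).items():
        if right != "none" and right not in granted(permissions, node):
            return False, node
    return True, None


# Constructed target datastore: "/interfaces" and one list entry already exist.
RUNNING = {"interfaces": {"interface": {"eth0": {"enabled": "true", "mtu": "1500"}}}}

# Constructed merge: change eth0's mtu and add eth1. "/interfaces" and
# "/interfaces/interface" appear only to name the path to the entries.
EDIT = {"interfaces": {"interface": {"eth0": {"mtu": "9000"},
                                     "eth1": {"enabled": "true"}}}}

# Constructed stand-in for data-node rules: rights on the list, none on its parent.
OPERATOR = {"/interfaces/interface": {"create", "update", "delete"}}
```

With RUNNING as the target, check_edit(RUNNING, EDIT, OPERATOR) succeeds even though OPERATOR grants nothing on "/interfaces", because that container already exists and its effective operation is "none"; against an empty target the same edit is refused at "/interfaces", since the container would then have to be created. An edit that only restates the current mtu value needs no rights at all.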

3.2.4. <copy-config> Operation

Access control for the <copy-config> protocol operation requires special consideration because the administrator may be replacing the entire target datastore.

If the source of the <copy-config> protocol operation is the running configuration datastore and the target is the startup configuration datastore, the client is only required to have permission to execute the <copy-config> protocol operation.

Otherwise:

o If the source of the <copy-config> operation is a datastore, then data nodes to which the client does not have read access are silently omitted.

o If the target of the <copy-config> operation is a datastore, the client needs access to the modified nodes, specifically:

* If the protocol operation would result in the creation of a datastore node and the user does not have "create" access permission for that node, the protocol operation is rejected with an "access-denied" error.

* If the protocol operation would result in the deletion of a datastore node and the user does not have "delete" access permission for that node, the protocol operation is rejected with an "access-denied" error.

* If the protocol operation would result in the modification of a datastore node and the user does not have "update" access permission for that node, the protocol operation is rejected with an "access-denied" error.

3.2.5. <delete-config> Operation

Access to the <delete-config> protocol operation is denied by default. The "exec-default" leaf does not apply to this protocol operation. Access control rules must be explicitly configured to allow invocation by a non-recovery session.

3.2.6. <commit> Operation

The server MUST determine the exact nodes in the running configuration datastore that are actually different and only check "create", "update", and "delete" access permissions for this set of nodes, which could be empty.

For example, if a session can read the entire datastore but only change one leaf, that session needs to be able to edit and commit that one leaf.

3.2.7. <discard-changes> Operation

The client is only required to have permission to execute the <discard-changes> protocol operation. No datastore permissions are needed.

3.2.8. <kill-session> Operation

The <kill-session> operation does not directly alter a datastore. However, it allows one session to disrupt another session that is editing a datastore.

Access to the <kill-session> protocol operation is denied by default. The "exec-default" leaf does not apply to this protocol operation. Access control rules must be explicitly configured to allow invocation by a non-recovery session.

3.3. Model Components

This section defines the conceptual components related to the access control model.

3.3.1. Users

A "user" is the conceptual entity that is associated with the access permissions granted to a particular session. A user is identified by a string that is unique within the server.

As described in [RFC6241], the username string is derived from the transport layer during session establishment. If the transport layer cannot authenticate the user, the session is terminated.

3.3.2. Groups

Access to a specific NETCONF protocol operation is granted to a session, associated with a group, not a user.

A group is identified by its name. All group names are unique within the server.

A group member is identified by a username string.

The same user can be a member of multiple groups.

3.3.3. Emergency Recovery Session

The server MAY support a recovery session mechanism, which will bypass all access control enforcement. This is useful for restricting initial access and repairing a broken access control configuration.

3.3.4. Global Enforcement Controls

There are five global controls that govern how access control is enforced.

3.3.4.1. enable-nacm Switch

A global "enable-nacm" on/off switch is provided to enable or disable all access control enforcement. When this global switch is set to "true", then all requests are checked against the access control rules and only permitted if configured to allow the specific access request. When this global switch is set to "false", then all requested access is permitted.

3.3.4.2. read-default Switch

An on/off "read-default" switch is provided to enable or disable default access to receive data in replies and notifications. When the "enable-nacm" global switch is set to "true", then this global switch is relevant if no matching access control rule is found to explicitly permit or deny read access to the requested NETCONF datastore data or notification event type.

When this global switch is set to "permit" and no matching access control rule is found for the NETCONF datastore read or notification event requested, then access is permitted.

When this global switch is set to "deny" and no matching access control rule is found for the NETCONF datastore read or notification event requested, then access is denied.

3.3.4.3. write-default Switch

An on/off "write-default" switch is provided to enable or disable default access to alter configuration data. When the "enable-nacm" global switch is set to "true", then this global switch is relevant if no matching access control rule is found to explicitly permit or deny write access to the requested NETCONF datastore data.

When this global switch is set to "permit" and no matching access control rule is found for the NETCONF datastore write requested, then access is permitted.

When this global switch is set to "deny" and no matching access control rule is found for the NETCONF datastore write requested, then access is denied.

3.3.4.4. exec-default Switch

An on/off "exec-default" switch is provided to enable or disable default access to execute protocol operations. When the "enable-nacm" global switch is set to "true", then this global switch is relevant if no matching access control rule is found to explicitly permit or deny access to the requested NETCONF protocol operation.

When this global switch is set to "permit" and no matching access control rule is found for the NETCONF protocol operation requested, then access is permitted.

When this global switch is set to "deny" and no matching access control rule is found for the NETCONF protocol operation requested, then access is denied.

3.3.4.5. enable-external-groups Switch

When this global switch is set to "true", the group names reported by the NETCONF transport layer for a session are used together with the locally configured group names to determine the access control rules for the session.

When this switch is set to "false", the group names reported by the NETCONF transport layer are ignored by NACM.

3.3.5. Access Control Rules

There are four types of rules available in NACM:

module rule: controls access for definitions in a specific YANG module, identified by its name.

protocol operation rule: controls access for a specific protocol operation, identified by its YANG module and name.

data node rule: controls access for a specific data node, identified by its path location within the conceptual XML document for the data node.

notification rule: controls access for a specific notification event type, identified by its YANG module and name.

3.4. Access Control Enforcement Procedures

There are seven separate phases that need to be addressed, four of which are related to the NETCONF message processing model (Section 3.1.3). In addition, the initial startup mode for a NETCONF server, session establishment, and "access-denied" error-handling procedures also need to be considered.

The server MUST use the access control rules in effect at the time it starts processing the message. The same access control rules MUST stay in effect for the processing of the entire message.

3.4.1. Initial Operation

Upon the very first startup of the NETCONF server, the access control configuration will probably not be present. If it isn't, a server MUST NOT allow any write access to any session role except a recovery session.

Access rules are enforced any time a request is initiated from a user session. Access control is not enforced for server-initiated access requests, such as the initial load of the running datastore, during bootup.

3.4.2. Session Establishment

The access control model applies specifically to the well-formed XML content transferred between a client and a server after session establishment has been completed and after the <hello> exchange has been successfully completed.

Once session establishment is completed and a user has been authenticated, the NETCONF transport layer reports the username and a possibly empty set of group names associated with the user to the NETCONF server. The NETCONF server will enforce the access control rules, based on the supplied username, group names, and the configuration data stored on the server.

3.4.3. "access-denied" Error Handling

The "access-denied" error-tag is generated when the access control system denies access to either a request to invoke a protocol operation or a request to perform a particular access operation on the configuration datastore.

A server MUST NOT include any information the client is not allowed to read in any <error-info> elements within the <rpc-error> response.

3.4.4. Incoming RPC Message Validation

The diagram below shows the basic conceptual structure of the access control processing model for incoming NETCONF <rpc> messages within a server.

                   NETCONF server
                  +------------+
                  |    XML     |
                  |   message  |
                  | dispatcher |
                  +------------+
                         |
                         |
                         V
                  +------------+
                  | NC-base NS |
                  |   <rpc>    |
                  +------------+
                    |   |  |
                    |   |  +-------------------------+
                    |   +------------+               |
                    V                V               V
               +-----------+ +---------------+ +------------+
               | Vendor NS | | NC-base NS    | | NC-base NS |
               | <my-edit> | | <edit-config> | | <unlock>   |
               +-----------+ +---------------+ +------------+
                      |               |
                      |               |
                      V               V
                    +----------------------+
                    |                      |
                    |    configuration     |
                    |      datastore       |
                    +----------------------+

Figure 3

Access control begins with the message dispatcher.

After the server validates the <rpc> element and determines the namespace URI and the element name of the protocol operation being requested, the server verifies that the user is authorized to invoke the protocol operation.

The server MUST separately authorize every protocol operation by following these steps:

1. If the "enable-nacm" leaf is set to "false", then the protocol operation is permitted.

2. If the requesting session is identified as a recovery session, then the protocol operation is permitted.

3. If the requested operation is the NETCONF <close-session> protocol operation, then the protocol operation is permitted.

4. Check all the "group" entries for ones that contain a "user-name" entry that equals the username for the session making the request. If the "enable-external-groups" leaf is "true", add to these groups the set of groups provided by the transport layer.

5. If no groups are found, continue with step 10.

6. Process all rule-list entries, in the order they appear in the configuration. If a rule-list's "group" leaf-list does not match any of the user's groups, proceed to the next rule-list entry.

7. For each rule-list entry found, process all rules, in order, until a rule that matches the requested access operation is found. A rule matches if all of the following criteria are met:

* The rule's "module-name" leaf is "*" or equals the name of the YANG module where the protocol operation is defined.

* The rule does not have a "rule-type" defined or the "rule-type" is "protocol-operation" and the "rpc-name" is "*" or equals the name of the requested protocol operation.

* The rule's "access-operations" leaf has the "exec" bit set or has the special value "*".

8. If a matching rule is found, then the "action" leaf is checked. If it is equal to "permit", then the protocol operation is permitted; otherwise, it is denied.

9. At this point, no matching rule was found in any rule-list entry.

10. If the requested protocol operation is defined in a YANG module advertised in the server capabilities and the "rpc" statement contains a "nacm:default-deny-all" statement, then the protocol operation is denied.

11. If the requested protocol operation is the NETCONF <kill-session> or <delete-config>, then the protocol operation is denied.

12. If the "exec-default" leaf is set to "permit", then permit the protocol operation; otherwise, deny the request.

If the user is not authorized to invoke the protocol operation, then an <rpc-error> is generated with the following information:

error-tag: access-denied

error-path: Identifies the requested protocol operation. The following example represents the <edit-config> protocol operation in the NETCONF base namespace:

         <error-path
           xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
             /nc:rpc/nc:edit-config
         </error-path>

If a datastore is accessed, either directly or as a side effect of the protocol operation, then the server MUST intercept the access operation and make sure the user is authorized to perform the requested access operation on the specified data, as defined in Section 3.4.5.

3.4.5. Data Node Access Validation

If a data node within a datastore is accessed, then the server MUST ensure that the user is authorized to perform the requested "read", "create", "update", or "delete" access operation on the specified data node.

The data node access request is authorized by following these steps:

1. If the "enable-nacm" leaf is set to "false", then the access operation is permitted.

2. If the requesting session is identified as a recovery session, then the access operation is permitted.

3. Check all the "group" entries for ones that contain a "user-name" entry that equals the username for the session making the request. If the "enable-external-groups" leaf is "true", add to these groups the set of groups provided by the transport layer.

4. If no groups are found, continue with step 9.

5. Process all rule-list entries, in the order they appear in the configuration. If a rule-list's "group" leaf-list does not match any of the user's groups, proceed to the next rule-list entry.

6. For each rule-list entry found, process all rules, in order, until a rule that matches the requested access operation is found. A rule matches if all of the following criteria are met:

* The rule's "module-name" leaf is "*" or equals the name of the YANG module where the requested data node is defined.

* The rule does not have a "rule-type" defined or the "rule-type" is "data-node" and the "path" matches the requested data node.

* For a "read" access operation, the rule's "access-operations" leaf has the "read" bit set or has the special value "*".

* For a "create" access operation, the rule's "access-operations" leaf has the "create" bit set or has the special value "*".

* For a "delete" access operation, the rule's "access-operations" leaf has the "delete" bit set or has the special value "*".

* For an "update" access operation, the rule's "access-operations" leaf has the "update" bit set or has the special value "*".

7. If a matching rule is found, then the "action" leaf is checked. If it is equal to "permit", then the data node access is permitted; otherwise, it is denied. For a "read" access operation, "denied" means that the requested data is not returned in the reply.

8. At this point, no matching rule was found in any rule-list entry.

9. For a "read" access operation, if the requested data node is defined in a YANG module advertised in the server capabilities and the data definition statement contains a "nacm:default-deny-all" statement, then the requested data node is not included in the reply.

10. For a "write" access operation, if the requested data node is defined in a YANG module advertised in the server capabilities and the data definition statement contains a "nacm:default-deny-write" or a "nacm:default-deny-all" statement, then the data node access request is denied.

11. For a "read" access operation, if the "read-default" leaf is set to "permit", then include the requested data node in the reply; otherwise, do not include the requested data node in the reply.

12. For a "write" access operation, if the "write-default" leaf is set to "permit", then permit the data node access request; otherwise, deny the request.

3.4.6. Outgoing <notification> Authorization
3.4.6. 传出<通知>授权

Configuration of access control rules specifically for descendant nodes of the notification event type element are outside the scope of this document. If the user is authorized to receive the notification event type, then it is also authorized to receive any data it contains.

专门针对notification event type元素的子节点的访问控制规则的配置不在本文档的范围内。如果用户有权接收通知事件类型,则也有权接收其包含的任何数据。

The following figure shows the conceptual message processing model for outgoing <notification> messages.

下图显示了传出<通知>消息的概念性消息处理模型。

                   NETCONF server
                  +------------+
                  |    XML     |
                  |   message  |
                  | generator  |
                  +------------+
                        ^
                        |
                +----------------+
                | <notification> |
                |  generator     |
                +----------------+
                        ^
                        |
               +=================+
               | <notification>  |
               |  access control |
               |  <eventType>    |
               +=================+
                        ^
                        |
            +------------------------+
            | server instrumentation |
            +------------------------+
                      |     ^
                      V     |
             +----------------------+
             |    configuration     |
             |      datastore       |
             +----------------------+
        
                   NETCONF server
                  +------------+
                  |    XML     |
                  |   message  |
                  | generator  |
                  +------------+
                        ^
                        |
                +----------------+
                | <notification> |
                |  generator     |
                +----------------+
                        ^
                        |
               +=================+
               | <notification>  |
               |  access control |
               |  <eventType>    |
               +=================+
                        ^
                        |
            +------------------------+
            | server instrumentation |
            +------------------------+
                      |     ^
                      V     |
             +----------------------+
             |    configuration     |
             |      datastore       |
             +----------------------+
        

Figure 4

图4

The generation of a notification for a specific subscription [RFC5277] is authorized by following these steps:

通过以下步骤授权生成特定订阅[RFC5277]的通知:

1. If the "enable-nacm" leaf is set to "false", then the notification is permitted.

1. 如果“启用nacm”叶设置为“false”,则允许通知。

2. If the session is identified as a recovery session, then the notification is permitted.

2. 如果会话被标识为恢复会话,则允许通知。

3. If the notification is the NETCONF <replayComplete> or <notificationComplete> event type [RFC5277], then the notification is permitted.

3. 如果通知是NETCONF<replayComplete>或<notificationComplete>事件类型[RFC5277],则允许通知。

4. Check all the "group" entries for ones that contain a "user-name" entry that equals the username for the session making the request. If the "enable-external-groups" leaf is "true", add to these groups the set of groups provided by the transport layer.

4. 检查所有“组”条目中是否包含与发出请求的会话的用户名相等的“用户名”条目。如果“启用外部组”叶为“true”,则将传输层提供的组集添加到这些组中。

5. If no groups are found, continue with step 10.

5. 如果未找到任何组,请继续执行步骤10。

6. Process all rule-list entries, in the order they appear in the configuration. If a rule-list's "group" leaf-list does not match any of the user's groups, proceed to the next rule-list entry.

7. For each rule-list entry found, process all rules, in order, until a rule that matches the requested access operation is found. A rule matches if all of the following criteria are met:

* The rule's "module-name" leaf is "*" or equals the name of the YANG module where the notification is defined.

* The rule does not have a "rule-type" defined, or the "rule-type" is "notification" and the "notification-name" is "*" or equals the name of the notification.

* The rule's "access-operations" leaf has the "read" bit set or has the special value "*".

8. If a matching rule is found, then the "action" leaf is checked. If it is equal to "permit", then permit the notification; otherwise, drop the notification for the associated subscription.

9. Otherwise, no matching rule was found in any rule-list entry.

10. If the requested notification is defined in a YANG module advertised in the server capabilities and the "notification" statement contains a "nacm:default-deny-all" statement, then the notification is dropped for the associated subscription.

11. If the "read-default" leaf is set to "permit", then permit the notification; otherwise, drop the notification for the associated subscription.
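
The eleven steps above, carried through in Python as an added example that is not code from the RFC. The NACM configuration is modelled as plain objects; the group, rule-list and rule names and the module name "example-if" are constructed, and the step 3 event types are matched by name only.

```python
"""Notification authorization, following steps 1-11 of RFC 6536 Section 3.4.6.

Added example, not code from the RFC.  All names below ('admin', 'guest',
'example-if', ...) are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Step 3: these RFC 5277 event types are always delivered (matched by name here).
ALWAYS_PERMITTED = {"replayComplete", "notificationComplete"}


@dataclass
class Rule:
    name: str
    module_name: str = "*"              # "*" or the YANG module name
    rule_type: Optional[str] = None     # None, "protocol-operation", "notification", "data-node"
    notification_name: str = "*"        # used only when rule_type == "notification"
    access_operations: Set[str] = field(default_factory=lambda: {"*"})  # bits, or {"*"}
    action: str = "permit"              # "permit" or "deny"


@dataclass
class RuleList:
    name: str
    groups: Set[str]                    # group names, or {"*"} for all groups
    rules: List[Rule]


@dataclass
class Nacm:
    enable_nacm: bool = True
    read_default: str = "permit"
    enable_external_groups: bool = True
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> user names
    rule_lists: List[RuleList] = field(default_factory=list)


@dataclass
class Session:
    user: str
    is_recovery: bool = False
    external_groups: Set[str] = field(default_factory=set)  # reported by the transport


@dataclass
class Notification:
    module: str                         # YANG module defining the notification
    name: str
    default_deny_all: bool = False      # 'nacm:default-deny-all' on the notification stmt


def user_groups(nacm: Nacm, session: Session) -> Set[str]:
    """Step 4: configured groups naming the user, plus transport groups if enabled."""
    groups = {g for g, members in nacm.groups.items() if session.user in members}
    if nacm.enable_external_groups:
        groups |= session.external_groups
    return groups


def rule_matches(rule: Rule, notif: Notification) -> bool:
    """Step 7: module-name, rule-type and access-operations must all match."""
    if rule.module_name not in ("*", notif.module):
        return False
    if rule.rule_type is not None:
        if rule.rule_type != "notification":
            return False                # protocol-operation / data-node rules never match
        if rule.notification_name not in ("*", notif.name):
            return False
    return "*" in rule.access_operations or "read" in rule.access_operations


def notification_permitted(nacm: Nacm, session: Session, notif: Notification) -> bool:
    """True if the notification may be delivered on this session's subscription."""
    if not nacm.enable_nacm:            # step 1
        return True
    if session.is_recovery:             # step 2
        return True
    if notif.name in ALWAYS_PERMITTED:  # step 3
        return True
    groups = user_groups(nacm, session)  # step 4
    if groups:                          # step 5: no groups -> straight to step 10
        for rl in nacm.rule_lists:      # step 6: configured order
            if "*" not in rl.groups and not (rl.groups & groups):
                continue
            for rule in rl.rules:       # step 7: first matching rule decides
                if rule_matches(rule, notif):
                    return rule.action == "permit"      # step 8
    if notif.default_deny_all:          # steps 9-10: no rule matched anywhere
        return False
    return nacm.read_default == "permit"                # step 11


# Constructed configuration: guests may not see link events; admins see everything.
SAMPLE_NACM = Nacm(
    groups={"admin": {"alice"}, "guest": {"bob"}},
    rule_lists=[
        RuleList("guest-acl", {"guest"}, [
            Rule("no-link-events", module_name="example-if", rule_type="notification",
                 notification_name="link-state-change", action="deny"),
        ]),
        RuleList("admin-acl", {"admin"}, [Rule("permit-all")]),
    ],
)
```

Note that an explicit matching rule (step 8) is consulted before the "nacm:default-deny-all" check (step 10), so the admin rule above delivers even default-deny-all events.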

3.5. Data Model Definitions
3.5.1. Data Organization

The following diagram highlights the contents and structure of the NACM YANG module.

      +--rw nacm
         +--rw enable-nacm?            boolean
         +--rw read-default?           action-type
         +--rw write-default?          action-type
         +--rw exec-default?           action-type
         +--rw enable-external-groups? boolean
         +--ro denied-operations       yang:zero-based-counter32
         +--ro denied-data-writes      yang:zero-based-counter32
         +--ro denied-notifications    yang:zero-based-counter32
         +--rw groups
         |  +--rw group [name]
         |     +--rw name         group-name-type
         |     +--rw user-name*   user-name-type
         +--rw rule-list [name]
            +--rw name     string
            +--rw group*   union
            +--rw rule [name]
               +--rw name                 string
               +--rw module-name?         union
               +--rw (rule-type)?
               |  +--:(protocol-operation)
               |  |  +--rw rpc-name?            union
               |  +--:(notification)
               |  |  +--rw notification-name?   union
               |  +--:(data-node)
               |     +--rw path                 node-instance-identifier
               +--rw access-operations?   union
               +--rw action               action-type
               +--rw comment?             string
        
3.5.2. YANG Module

The following YANG module specifies the normative NETCONF content that MUST be supported by the server.

The "ietf-netconf-acm" YANG module imports typedefs from [RFC6021].

   <CODE BEGINS> file "ietf-netconf-acm@2012-02-22.yang"

   module ietf-netconf-acm {

     namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";

     prefix "nacm";

     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:   <http://tools.ietf.org/wg/netconf/>
        WG List:  <mailto:netconf@ietf.org>

        WG Chair: Mehmet Ersue
                  <mailto:mehmet.ersue@nsn.com>

        WG Chair: Bert Wijnen
                  <mailto:bertietf@bwijnen.net>

        Editor:   Andy Bierman
                  <mailto:andy@yumaworks.com>

        Editor:   Martin Bjorklund
                  <mailto:mbj@tail-f.com>";

     description
       "NETCONF Access Control Model.

        Copyright (c) 2012 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD
        License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC 6536; see
        the RFC itself for full legal notices.";

     revision "2012-02-22" {
       description
         "Initial version";
       reference
         "RFC 6536: Network Configuration Protocol (NETCONF)
                    Access Control Model";
     }

     /*
      * Extension statements
      */

     extension default-deny-write {
       description
         "Used to indicate that the data model node
          represents a sensitive security system parameter.

          If present, and the NACM module is enabled (i.e.,
          /nacm/enable-nacm object equals 'true'), the NETCONF server
          will only allow the designated 'recovery session' to have
          write access to the node.  An explicit access control rule is
          required for all other users.

          The 'default-deny-write' extension MAY appear within a data
          definition statement.  It is ignored otherwise.";
     }

     extension default-deny-all {
       description
         "Used to indicate that the data model node
          controls a very sensitive security system parameter.

          If present, and the NACM module is enabled (i.e.,
          /nacm/enable-nacm object equals 'true'), the NETCONF server
          will only allow the designated 'recovery session' to have
          read, write, or execute access to the node.  An explicit
          access control rule is required for all other users.

          The 'default-deny-all' extension MAY appear within a data
          definition statement, 'rpc' statement, or 'notification'
          statement.  It is ignored otherwise.";
     }

     /*
      * Derived types
      */

     typedef user-name-type {
       type string {
         length "1..max";
       }
       description
         "General Purpose Username string.";
     }

     typedef matchall-string-type {
       type string {
         pattern "\*";
       }
       description
         "The string containing a single asterisk '*' is used
          to conceptually represent all possible values
          for the particular leaf using this data type.";
     }

     typedef access-operations-type {
       type bits {
         bit create {
           description
             "Any protocol operation that creates a
              new data node.";
         }
         bit read {
           description
             "Any protocol operation or notification that
              returns the value of a data node.";
         }
         bit update {
           description
             "Any protocol operation that alters an existing
              data node.";
         }
         bit delete {
           description
             "Any protocol operation that removes a data node.";
         }
         bit exec {
           description
             "Execution access to the specified protocol operation.";
         }
       }
       description
         "NETCONF Access Operation.";
     }

     typedef group-name-type {
       type string {
         length "1..max";
         pattern "[^\*].*";
       }
       description
         "Name of administrative group to which
          users can be assigned.";
     }

     typedef action-type {
       type enumeration {
         enum permit {
           description
             "Requested action is permitted.";
         }
         enum deny {
           description
             "Requested action is denied.";
         }
       }
       description
         "Action taken by the server when a particular
          rule matches.";
     }

     typedef node-instance-identifier {
       type yang:xpath1.0;
       description
         "Path expression used to represent a special
          data node instance identifier string.

          A node-instance-identifier value is an
          unrestricted YANG instance-identifier expression.
          All the same rules as an instance-identifier apply
          except predicates for keys are optional.  If a key
          predicate is missing, then the node-instance-identifier
          represents all possible server instances for that key.

          This XPath expression is evaluated in the following context:

            o  The set of namespace declarations are those in scope on
               the leaf element where this type is used.

            o  The set of variable bindings contains one variable,
               'USER', which contains the name of the user of the current
               session.

            o  The function library is the core function library, but
               note that due to the syntax restrictions of an
               instance-identifier, no functions are allowed.

            o  The context node is the root node in the data tree.";
     }

     /*
      * Data definition statements
      */

     container nacm {
       nacm:default-deny-all;

       description
         "Parameters for NETCONF Access Control Model.";

       leaf enable-nacm {
         type boolean;
         default true;
         description
           "Enables or disables all NETCONF access control
            enforcement.  If 'true', then enforcement
            is enabled.  If 'false', then enforcement
            is disabled.";
       }

       leaf read-default {
         type action-type;
         default "permit";
         description
           "Controls whether read access is granted if
            no appropriate rule is found for a
            particular read request.";
       }

       leaf write-default {
         type action-type;
         default "deny";
         description
           "Controls whether create, update, or delete access
            is granted if no appropriate rule is found for a
            particular write request.";
       }

       leaf exec-default {
         type action-type;
         default "permit";
         description
           "Controls whether exec access is granted if no appropriate
            rule is found for a particular protocol operation request.";
       }

       leaf enable-external-groups {
         type boolean;
         default true;
         description
           "Controls whether the server uses the groups reported by the
            NETCONF transport layer when it assigns the user to a set of
            NACM groups.  If this leaf has the value 'false', any group
            names reported by the transport layer are ignored by the
            server.";
       }

       leaf denied-operations {
         type yang:zero-based-counter32;
         config false;
         mandatory true;
         description
           "Number of times since the server last restarted that a
            protocol operation request was denied.";
       }

       leaf denied-data-writes {
         type yang:zero-based-counter32;
         config false;
         mandatory true;
         description
           "Number of times since the server last restarted that a
            protocol operation request to alter
            a configuration datastore was denied.";
       }

       leaf denied-notifications {
         type yang:zero-based-counter32;
         config false;
         mandatory true;
         description
           "Number of times since the server last restarted that
            a notification was dropped for a subscription because
            access to the event type was denied.";
       }

       container groups {
         description
           "NETCONF Access Control Groups.";

         list group {
           key name;

           description
             "One NACM Group Entry.  This list will only contain
              configured entries, not any entries learned from
              any transport protocols.";

           leaf name {
             type group-name-type;
             description
               "Group name associated with this entry.";
           }

           leaf-list user-name {
             type user-name-type;
             description
               "Each entry identifies the username of
                a member of the group associated with
                this entry.";
           }
         }
       }

       list rule-list {
         key "name";
         ordered-by user;
         description
           "An ordered collection of access control rules.";

         leaf name {
           type string {
             length "1..max";
           }
           description
             "Arbitrary name assigned to the rule-list.";
         }
         leaf-list group {
           type union {
             type matchall-string-type;
             type group-name-type;
           }
           description
             "List of administrative groups that will be
              assigned the associated access rights
              defined by the 'rule' list.

              The string '*' indicates that all groups apply to the
              entry.";
         }

         list rule {
           key "name";
           ordered-by user;
           description
             "One access control rule.

              Rules are processed in user-defined order until a match is
              found.  A rule matches if 'module-name', 'rule-type', and
              'access-operations' match the request.  If a rule
              matches, the 'action' leaf determines if access is granted
              or not.";

           leaf name {
             type string {
               length "1..max";
             }
             description
               "Arbitrary name assigned to the rule.";
           }

           leaf module-name {
             type union {
               type matchall-string-type;
               type string;
             }
             default "*";
             description
               "Name of the module associated with this rule.

                This leaf matches if it has the value '*' or if the
                object being accessed is defined in the module with the
                specified module name.";
           }
           choice rule-type {
             description
               "This choice matches if all leafs present in the rule
                match the request.  If no leafs are present, the
                choice matches all requests.";
             case protocol-operation {
               leaf rpc-name {
                 type union {
                   type matchall-string-type;
                   type string;
                 }
                 description
                   "This leaf matches if it has the value '*' or if
                    its value equals the requested protocol operation
                    name.";
               }
             }
             case notification {
               leaf notification-name {
                 type union {
                   type matchall-string-type;
                   type string;
                 }
                 description
                   "This leaf matches if it has the value '*' or if its
                    value equals the requested notification name.";
               }
             }
             case data-node {
               leaf path {
                 type node-instance-identifier;
                 mandatory true;
                 description
                   "Data Node Instance Identifier associated with the
                    data node controlled by this rule.

                    Configuration data or state data instance
                    identifiers start with a top-level data node.  A
                    complete instance identifier is required for this
                    type of path value.

                    The special value '/' refers to all possible
                    datastore contents.";
               }
             }
           }

           leaf access-operations {
             type union {
               type matchall-string-type;
               type access-operations-type;
             }
             default "*";
             description
               "Access operations associated with this rule.

                This leaf matches if it has the value '*' or if the
                bit corresponding to the requested operation is set.";
           }

           leaf action {
             type action-type;
             mandatory true;
             description
               "The access control action associated with the
                rule.  If a rule is determined to match a
                particular request, then this object is used
                to determine whether to permit or deny the
                request.";
           }

           leaf comment {
             type string;
             description
               "A textual description of the access rule.";
           }
         }
       }
     }
   }

   <CODE ENDS>

3.6. IANA Considerations

This document registers one URI in "The IETF XML Registry". Following the format in [RFC3688], the following has been registered.

        URI: urn:ietf:params:xml:ns:yang:ietf-netconf-acm
        Registrant Contact: The IESG.
        XML: N/A, the requested URI is an XML namespace.

This document registers one module in the "YANG Module Names" registry. Following the format in [RFC6020], the following has been registered.

        Name: ietf-netconf-acm
        Namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-acm
        Prefix: nacm
        reference: RFC 6536
        
3.7. Security Considerations

This entire document discusses access control requirements and mechanisms for restricting NETCONF protocol behavior within a given session.

This section highlights the issues for an administrator to consider when configuring a NETCONF server with NACM.

3.7.1. NACM Configuration and Monitoring Considerations

Configuration of the access control system is highly sensitive to system security. A server may choose not to allow any user configuration of some portions of it, such as the global security level or the groups that are allowed access to system resources.

By default, NACM enforcement is enabled. By default, "read" access to all datastore contents is enabled (unless "nacm:default-deny-all" is specified for the data definition), and "exec" access is enabled for safe protocol operations. An administrator needs to ensure that NACM is enabled and also decide if the default access parameters are set appropriately. Make sure the following data nodes are properly configured:

o /nacm/enable-nacm (default "true")

o /nacm/read-default (default "permit")

o /nacm/write-default (default "deny")

o /nacm/exec-default (default "permit")
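
As an added illustration (example code written for this page, not part of RFC 6536 or of any NETCONF implementation), the following Python audit reads a <nacm> configuration and reports the effective value of the four leaves listed above plus /nacm/enable-external-groups, applying the YANG defaults when a leaf is absent. The three configurations it checks are constructed for the demonstration, and the "expected" values are an assumed local hardening policy, not something the RFC mandates.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"

# Leaf defaults from the ietf-netconf-acm YANG module.  An absent leaf is not
# "unset": the server behaves exactly as if the leaf held this value.
YANG_DEFAULTS = {
    "enable-nacm": "true",
    "read-default": "permit",
    "write-default": "deny",
    "exec-default": "permit",
    "enable-external-groups": "true",
}

# Values this audit expects (an assumed local policy, not an RFC 6536
# requirement): enforcement on, every default "deny", group names taken
# only from the local /nacm/groups configuration.
EXPECTED = {
    "enable-nacm": "true",
    "read-default": "deny",
    "write-default": "deny",
    "exec-default": "deny",
    "enable-external-groups": "false",
}


def effective_settings(nacm_xml):
    """Effective value of each global leaf, with YANG defaults filled in."""
    root = ET.fromstring(nacm_xml)
    settings = {}
    for leaf, default in YANG_DEFAULTS.items():
        child = root.find("{%s}%s" % (NS, leaf))
        settings[leaf] = child.text.strip() if child is not None and child.text else default
    return settings


def audit(nacm_xml):
    """(leaf, effective value, expected value) for every leaf that deviates."""
    settings = effective_settings(nacm_xml)
    return [(leaf, settings[leaf], EXPECTED[leaf])
            for leaf in YANG_DEFAULTS if settings[leaf] != EXPECTED[leaf]]


# Constructed configurations for the demonstration.
# DISABLED switches enforcement off: every session gets everything.
DISABLED = """<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>false</enable-nacm>
</nacm>"""

# WEAK looks harmless because it says nothing, but the YANG defaults apply:
# any authenticated user can read the whole datastore and invoke every
# protocol operation that carries no nacm:default-deny-* extension.
WEAK = """<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"/>"""

# HARDENED states every default explicitly; access then comes only from rules.
HARDENED = """<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <read-default>deny</read-default>
  <write-default>deny</write-default>
  <exec-default>deny</exec-default>
  <enable-external-groups>false</enable-external-groups>
</nacm>"""

if __name__ == "__main__":
    for label, cfg in (("disabled", DISABLED), ("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or "clean")
```

The point of WEAK is that an empty <nacm> element is not a locked-down one: the YANG defaults give every authenticated user read access to the entire datastore and "exec" access to every protocol operation that carries no nacm:default-deny-* extension. Setting exec-default to "deny" in turn means each group needs explicit permit rules for the operations it legitimately uses; <close-session> is the one protocol operation NACM never checks.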

An administrator needs to restrict write access to all configurable objects within this data model.

If write access is allowed for configuration of access control rules, then care needs to be taken not to disrupt the access control enforcement. For example, if the NACM access control rules are edited directly within the running configuration datastore (i.e., :writable-running capability is supported and used), then care needs to be taken not to allow unintended access while the edits are being done.

An administrator needs to make sure that the translation from a transport- or implementation-dependent user identity to a NACM username is unique and correct. This requirement is specified in detail in Section 2.2 of [RFC6241].

An administrator needs to be aware that the YANG data structures representing access control rules (/nacm/rule-list and /nacm/rule-list/rule) are ordered by the client. The server will evaluate the access control rules according to their relative conceptual order within the running datastore configuration, so the first matching rule decides the outcome.

Note that the /nacm/groups data structure contains the administrative group names used by the server. These group names may be configured locally and/or provided through an external protocol, such as RADIUS [RFC2865][RFC5607].

An administrator needs to be aware of the security properties of any external protocol used by the NETCONF transport layer to determine group names. For example, if this protocol does not protect against man-in-the-middle attacks, an attacker might be able to inject group names that are configured in NACM, so that a user gets more permissions than intended. In such cases, the administrator may wish to disable the usage of such group names by setting /nacm/enable-external-groups to "false".

An administrator needs to restrict read access to the following objects within this data model, as they reveal access control configuration that could be considered sensitive.

o /nacm/enable-nacm

o /nacm/read-default

o /nacm/write-default

o /nacm/exec-default

o /nacm/enable-external-groups

o /nacm/groups

o /nacm/rule-list

3.7.2. General Configuration Issues

There is a risk that invocation of non-standard protocol operations will have undocumented side effects. An administrator needs to construct access control rules such that the configuration datastore is protected from such side effects.

It is possible for a session with some write access (e.g., allowed to invoke <edit-config>), but without any access to a particular datastore subtree containing sensitive data, to determine the presence or non-presence of that data. This can be done by repeatedly issuing some sort of edit request (create, update, or delete) and possibly receiving "access-denied" errors in response. These "fishing" attacks can identify the presence or non-presence of specific sensitive data even without the "error-path" field being present within the <rpc-error> response.

It may be possible for the set of NETCONF capabilities on the server to change over time. If so, then there is a risk that new protocol operations, notifications, and/or datastore content have been added to the device. An administrator needs to be sure the access control rules are correct for the new content in this case. Mechanisms to detect NETCONF capability changes on a specific device are outside the scope of this document.

It is possible that the data model definition itself (e.g., YANG when-stmt) will help an unauthorized session determine the presence or even value of sensitive data nodes by examining the presence and values of different data nodes.

There is a risk that non-standard protocol operations, or even the standard <get> protocol operation, may return data that "aliases" or "copies" sensitive data from a different data object. There may simply be multiple data model definitions that expose or even configure the same underlying system instrumentation.

A data model may contain external keys (e.g., YANG leafref), which expose values from a different data structure. An administrator needs to be aware of sensitive data models that contain leafref nodes. This entails finding all the leafref objects whose "path-stmt" values implicitly or explicitly "point" at the sensitive data node.

It is beyond the scope of this document to define access control enforcement procedures for underlying device instrumentation that may exist to support the NETCONF server operation. An administrator can identify each protocol operation that the server provides and decide if it needs any access control applied to it.

This document incorporates the optional use of a recovery session mechanism, which can be used to bypass access control enforcement in emergencies, such as NACM configuration errors that disable all access to the server. The configuration and identification of such a recovery session mechanism are implementation-specific and outside the scope of this document. An administrator needs to be aware of any recovery session mechanisms available on the device and make sure they are used appropriately.

It is possible for a session to disrupt configuration management, even without any write access to the configuration, by locking the datastore. This may be done to ensure all or part of the configuration remains stable while it is being retrieved, or it may be done as a "denial-of-service" attack. There is no way for the server to know the difference. An administrator may wish to restrict "exec" access to the following protocol operations:

o <lock>

o <unlock>

o <partial-lock>

o <partial-unlock>

3.7.3. Data Model Design Considerations

Designers need to clearly identify any sensitive data, notifications, or protocol operations defined within a YANG module. For such definitions, a "nacm:default-deny-write" or "nacm:default-deny-all" statement ought to be present, in addition to a clear description of the security risks.

Protocol operations need to be properly documented by the data model designer, so it is clear to administrators what data nodes (if any) are affected by the protocol operation and what information (if any) is returned in the <rpc-reply> message.

Data models ought to be designed so that different access levels for input parameters to protocol operations are not required. Use of generic protocol operations should be avoided, and if different access levels are needed, separate protocol operations should be defined instead.

4. References
4.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004.

[RFC5277] Chisholm, S. and H. Trevino, "NETCONF Event Notifications", RFC 5277, July 2008.

[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010.

[RFC6021] Schoenwaelder, J., "Common YANG Data Types", RFC 6021, October 2010.

[RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. Bierman, "Network Configuration Protocol (NETCONF)", RFC 6241, June 2011.

4.2. Informative References

[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[RFC5607] Nelson, D. and G. Weber, "Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management", RFC 5607, July 2009.

Appendix A. Usage Examples

The following XML snippets are provided as examples only, to demonstrate how NACM can be configured to perform some access control tasks.

A.1. <groups> Example

There needs to be at least one <group> entry in order for any of the access control rules to be useful.

The following XML shows arbitrary groups and is not intended to represent any particular use case.

   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <groups>
       <group>
         <name>admin</name>
         <user-name>admin</user-name>
         <user-name>andy</user-name>
       </group>

       <group>
         <name>limited</name>
         <user-name>wilma</user-name>
         <user-name>bam-bam</user-name>
       </group>

       <group>
         <name>guest</name>
         <user-name>guest</user-name>
         <user-name>guest@example.com</user-name>
       </group>
     </groups>
   </nacm>

This example shows three groups:

admin: The "admin" group contains two users named "admin" and "andy".

limited: The "limited" group contains two users named "wilma" and "bam-bam".

guest: The "guest" group contains two users named "guest" and "guest@example.com".

A.2. Module Rule Example

Module rules are used to control access to all the content defined in a specific module. A module rule has the <module-name> leaf set, but no case in the "rule-type" choice.

   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <rule-list>
       <name>guest-acl</name>
       <group>guest</group>

       <rule>
         <name>deny-ncm</name>
         <module-name>ietf-netconf-monitoring</module-name>
         <access-operations>*</access-operations>
         <action>deny</action>
         <comment>
             Do not allow guests any access to the NETCONF
             monitoring information.
         </comment>
       </rule>
     </rule-list>

     <rule-list>
       <name>limited-acl</name>
       <group>limited</group>

       <rule>
         <name>permit-ncm</name>
         <module-name>ietf-netconf-monitoring</module-name>
         <access-operations>read</access-operations>
         <action>permit</action>
         <comment>
             Allow read access to the NETCONF
             monitoring information.
         </comment>
       </rule>
       <rule>
         <name>permit-exec</name>
         <module-name>*</module-name>
         <access-operations>exec</access-operations>
         <action>permit</action>
         <comment>
             Allow invocation of the
             supported server operations.
         </comment>
       </rule>
     </rule-list>

     <rule-list>
       <name>admin-acl</name>
       <group>admin</group>

       <rule>
         <name>permit-all</name>
         <module-name>*</module-name>
         <access-operations>*</access-operations>
         <action>permit</action>
         <comment>
             Allow the admin group complete access to all
             operations and data.
         </comment>
       </rule>
     </rule-list>
   </nacm>

This example shows four module rules:

deny-ncm: This rule denies the "guest" group all access (read, write, and exec, since "access-operations" is "*") to the content of the "ietf-netconf-monitoring" YANG module.

permit-ncm: This rule allows the "limited" group to read the "ietf-netconf-monitoring" YANG module.

permit-exec: This rule allows the "limited" group to invoke any protocol operation supported by the server.

permit-all: This rule allows the "admin" group complete access to all content in the server. No subsequent rule will match for the "admin" group, because this module rule matches every request before any later rule is considered.

A.3. Protocol Operation Rule Example

Protocol operation rules are used to control access to a specific protocol operation.

   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <rule-list>
       <name>guest-limited-acl</name>
       <group>limited</group>
       <group>guest</group>

       <rule>
         <name>deny-kill-session</name>
         <module-name>ietf-netconf</module-name>
         <rpc-name>kill-session</rpc-name>
         <access-operations>exec</access-operations>
         <action>deny</action>
         <comment>
           Do not allow the limited or guest group
           to kill another session.
         </comment>
       </rule>
       <rule>
         <name>deny-delete-config</name>
         <module-name>ietf-netconf</module-name>
         <rpc-name>delete-config</rpc-name>
         <access-operations>exec</access-operations>
         <action>deny</action>
         <comment>
           Do not allow limited or guest group
           to delete any configurations.
         </comment>
       </rule>
     </rule-list>

     <rule-list>
       <name>limited-acl</name>
       <group>limited</group>

       <rule>
         <name>permit-edit-config</name>
         <module-name>ietf-netconf</module-name>
         <rpc-name>edit-config</rpc-name>
         <access-operations>exec</access-operations>
         <action>permit</action>
         <comment>
           Allow the limited group to edit the configuration.
         </comment>
       </rule>
     </rule-list>
   </nacm>

This example shows three protocol operation rules:

deny-kill-session: This rule prevents the "limited" or "guest" groups from invoking the NETCONF <kill-session> protocol operation.

deny-delete-config: This rule prevents the "limited" or "guest" groups from invoking the NETCONF <delete-config> protocol operation.

permit-edit-config: This rule allows the "limited" group to invoke the NETCONF <edit-config> protocol operation. This rule will have no real effect unless the "exec-default" leaf is set to "deny".

A.4. Data Node Rule Example

Data node rules are used to control access to specific (config and non-config) data nodes within the NETCONF content provided by the server.

   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <rule-list>
       <name>guest-acl</name>
       <group>guest</group>

       <rule>
         <name>deny-nacm</name>
         <path xmlns:n="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
           /n:nacm
         </path>
         <access-operations>*</access-operations>
         <action>deny</action>
         <comment>
           Deny the guest group any access to the /nacm data.
         </comment>
       </rule>
     </rule-list>

     <rule-list>
       <name>limited-acl</name>
       <group>limited</group>

       <rule>
         <name>permit-acme-config</name>
         <path xmlns:acme="http://example.com/ns/netconf">
           /acme:acme-netconf/acme:config-parameters
         </path>
         <access-operations>
           read create update delete
         </access-operations>
         <action>permit</action>
         <comment>
           Allow the limited group complete access to the acme
           NETCONF configuration parameters.  Showing long form
           of 'access-operations' instead of shorthand.
         </comment>
       </rule>
     </rule-list>

     <rule-list>
       <name>guest-limited-acl</name>
       <group>guest</group>
       <group>limited</group>

       <rule>
         <name>permit-dummy-interface</name>
         <path xmlns:acme="http://example.com/ns/itf">
           /acme:interfaces/acme:interface[acme:name='dummy']
         </path>
         <access-operations>read update</access-operations>
         <action>permit</action>
         <comment>
           Allow the limited and guest groups read
           and update access to the dummy interface.
         </comment>
       </rule>
     </rule-list>

     <rule-list>
       <name>admin-acl</name>
       <group>admin</group>
       <rule>
         <name>permit-interface</name>
         <path xmlns:acme="http://example.com/ns/itf">
           /acme:interfaces/acme:interface
         </path>
         <access-operations>*</access-operations>
         <action>permit</action>
         <comment>
           Allow admin full access to all acme interfaces.
         </comment>
       </rule>
     </rule-list>
   </nacm>

This example shows four data node rules:

deny-nacm: This rule denies the "guest" group any access to the <nacm> subtree. Note that every node name in the path carries an explicit prefix ("n"), declared on the <path> element itself: an instance-identifier value cannot rely on the default namespace, even though this subtree is defined in the same namespace as the <rule> element.

permit-acme-config: This rule gives the "limited" group read-write access to the acme <config-parameters>.

permit-dummy-interface: This rule gives the "limited" and "guest" groups read-update access to the acme <interface> entry named "dummy". This entry cannot be created or deleted by these groups, just altered.

permit-interface: This rule gives the "admin" group read-write access to all acme <interface> entries.

A.5. Notification Rule Example

Notification rules are used to control access to a specific notification event type.

   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <rule-list>
       <name>sys-acl</name>
       <group>limited</group>
       <group>guest</group>

       <rule>
         <name>deny-config-change</name>
         <module-name>acme-system</module-name>
         <notification-name>sys-config-change</notification-name>
         <access-operations>read</access-operations>
         <action>deny</action>
         <comment>
           Do not allow the guest or limited groups
           to receive config change events.
         </comment>
       </rule>
     </rule-list>
   </nacm>

This example shows one notification rule:

deny-config-change: This rule prevents the "limited" or "guest" groups from receiving the acme <sys-config-change> event type.
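
To see how module, protocol operation, data node and notification rules (A.2 through A.5) interact with each other and with the global defaults, here is an added Python evaluator. It is example code written for this page, not part of RFC 6536 or of any NETCONF implementation, and it applies the first-match procedure of the enforcement section (Section 3.4) of this RFC to a constructed configuration modelled on the appendix examples. Two simplifications are labelled in the comments: data node paths are compared as canonical strings rather than resolved instance-identifiers, and the nacm:default-deny-* extensions and the recovery session are not modelled. The user and group names are constructed; the module names "ietf-netconf", "ietf-netconf-monitoring" and "acme-system" are the ones the appendix uses. The last call illustrates the ordering point from Section 3.7.1: a user who is in both "admin" and "guest" is denied <kill-session> because the "guest-limited-acl" rule list precedes "admin-acl".

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
WRITE_OPS = {"create", "update", "delete"}
# Leaf defaults from the ietf-netconf-acm YANG module, used when the leaf is absent.
DEFAULTS = {"read": "permit", "write": "deny", "exec": "permit"}


def _leaf(elem, tag, default=None):
    child = elem.find("{%s}%s" % (NS, tag))
    return child.text.strip() if child is not None and child.text else default


def _leaves(elem, tag):
    return [c.text.strip() for c in elem.findall("{%s}%s" % (NS, tag)) if c.text]


def user_groups(nacm, user):
    """Groups that list this user under the locally configured /nacm/groups."""
    groups = nacm.find("{%s}groups" % NS)
    return set() if groups is None else {
        _leaf(g, "name") for g in groups.findall("{%s}group" % NS)
        if user in _leaves(g, "user-name")}


def rule_matches(rule, req):
    """Match one <rule> against one request: module, rule type, access-operations."""
    if _leaf(rule, "module-name", "*") not in ("*", req["module"]):
        return False
    rpc, notif, path = (_leaf(rule, t) for t in ("rpc-name", "notification-name", "path"))
    if rpc is not None:                  # protocol operation rule
        if req["rpc"] is None or rpc not in ("*", req["rpc"]):
            return False
    elif notif is not None:              # notification rule
        if req["notification"] is None or notif not in ("*", req["notification"]):
            return False
    elif path is not None:               # data node rule: the node and its descendants
        # Assumption: paths are compared as canonical strings.  A real server
        # resolves the instance-identifier against the datastore instead.
        node = req["path"]
        if node is None or not (node == path or node.startswith(path + "/")):
            return False
    ops = _leaf(rule, "access-operations", "*")   # no rule type at all: module rule
    return ops == "*" or req["op"] in ops.split()


def decide(nacm, groups, op, module, rpc=None, notification=None, path=None):
    """'permit' or 'deny'.  Rule lists and rules are tried in configured order,
    the first match wins, and the *-default leaf decides when nothing matches."""
    if _leaf(nacm, "enable-nacm", "true") == "false":
        return "permit"
    req = {"op": op, "module": module, "rpc": rpc, "notification": notification, "path": path}
    for rule_list in nacm.findall("{%s}rule-list" % NS):
        rl_groups = set(_leaves(rule_list, "group"))
        if "*" not in rl_groups and not rl_groups & set(groups):
            continue
        for rule in rule_list.findall("{%s}rule" % NS):
            if rule_matches(rule, req):
                return _leaf(rule, "action")
    kind = "write" if op in WRITE_OPS else op
    return _leaf(nacm, kind + "-default", DEFAULTS[kind])


# Constructed configuration modelled on Appendix A.  exec-default is "deny" so
# that permit-edit-config has an effect; read-default is left at its default.
CONFIG = """<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <exec-default>deny</exec-default>
  <groups>
    <group><name>admin</name><user-name>andy</user-name></group>
    <group><name>limited</name><user-name>wilma</user-name></group>
    <group><name>guest</name><user-name>guest</user-name></group>
  </groups>
  <rule-list><name>guest-limited-acl</name><group>limited</group><group>guest</group>
    <rule><name>deny-kill-session</name><module-name>ietf-netconf</module-name>
      <rpc-name>kill-session</rpc-name><access-operations>exec</access-operations>
      <action>deny</action></rule>
    <rule><name>deny-nacm</name>
      <path xmlns:n="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">/n:nacm</path>
      <access-operations>*</access-operations><action>deny</action></rule>
    <rule><name>deny-config-change</name><module-name>acme-system</module-name>
      <notification-name>sys-config-change</notification-name>
      <access-operations>read</access-operations><action>deny</action></rule>
  </rule-list>
  <rule-list><name>limited-acl</name><group>limited</group>
    <rule><name>permit-ncm</name><module-name>ietf-netconf-monitoring</module-name>
      <access-operations>read</access-operations><action>permit</action></rule>
    <rule><name>permit-edit-config</name><module-name>ietf-netconf</module-name>
      <rpc-name>edit-config</rpc-name><access-operations>exec</access-operations>
      <action>permit</action></rule>
  </rule-list>
  <rule-list><name>admin-acl</name><group>admin</group>
    <rule><name>permit-all</name><module-name>*</module-name>
      <access-operations>*</access-operations><action>permit</action></rule>
  </rule-list>
</nacm>"""
NACM = ET.fromstring(CONFIG)

if __name__ == "__main__":
    print(decide(NACM, user_groups(NACM, "wilma"), "exec", "ietf-netconf", rpc="edit-config"))
    # Ordering matters: a user in both "admin" and "guest" hits guest-limited-acl first.
    print(decide(NACM, {"admin", "guest"}, "exec", "ietf-netconf", rpc="kill-session"))
```

When a request matches no rule, the decision comes from the *-default leaf for that operation class. That is why the "guest" group can still read ietf-netconf-monitoring with this configuration (read-default is absent and therefore "permit"), while the same group is refused <edit-config> (exec-default is "deny" and only "limited" has a permit rule). Adding the module rule deny-ncm from A.2 to a guest rule list, or setting read-default to "deny", closes that gap.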

Authors' Addresses

Andy Bierman
YumaWorks

   EMail: andy@yumaworks.com


Martin Bjorklund
Tail-f Systems

   EMail: mbj@tail-f.com