NACM rules are not working #144

Open
srilchan81 opened this issue Mar 12, 2024 · 3 comments

Comments

@srilchan81

NON-SUPERUSER:

I have created a new user “test” with password “Test@123”.
For this new user I have connected yangcli and created some rules for the user “test” with reference to the RFC.
I have added the newly created user to the limited group and created a rule to deny all the operations for the module “fscfa” with this new user (proprietary module).
Here the user is treated as a non-superuser.
Uploading nacm_non_super_user_configs.txt…

Below are the configs for non-superuser:

replace /nacm/groups/group/user-name
test
limited
commit
replace /nacm/rule-list/name
limited-acl
replace /nacm/rule-list/group
limited
limited-acl
replace /nacm/rule-list/rule/action
deny
deny-fs-fs-cfa
limited-acl
replace /nacm/rule-list/rule/access-operations
*
deny-fs-fs-cfa
limited-acl
replace /nacm/rule-list/rule/module-name
fscfa
deny-fs-fs-cfa
limited-acl
commit
sget /nacm/

Even after creating the deny rule for the fscfa module, I am able to do all the operations like create, replace, get, delete.
So, I cross-verified the XML generated with the above configs against the XML in RFC 8341 (the “NACM_RFC_reference.txt” file contains the XML reference from the RFC).
I didn’t find any differences between the XMLs; the configurations are configured properly and reflected in the sget output also, but the functionality is not working.
NOTE: for this non-superuser please find the “nacm_non_super_user_configs.txt” file for the configs log, sget output, testing for “fscfa”, and the XML populated for the nacm configs.

SUPERUSER:

In a similar way, I have checked for the administrative user, i.e. the “root” user, which is nothing but the superuser.
Here also the same thing is happening as for the non-superuser “test”. For the “root” user I used the configs below.

Below are the configs for superuser:

replace /nacm/groups/group/user-name
root
admin
commit
replace /nacm/rule-list/name
admin-acl
replace /nacm/rule-list/group
admin
admin-acl
replace /nacm/rule-list/rule/action
deny
deny-fs-if
admin-acl
replace /nacm/rule-list/rule/access-operations
create
deny-fs-if
admin-acl
replace /nacm/rule-list/rule/module-name
fsif
deny-fs-if
admin-acl
commit
sget /nacm/

NOTE: for this superuser please find the “nacm_root_user_configs.txt” file for the configs log, sget output, testing for “fscfa”, and the XML populated for the nacm configs
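
What RFC 8341 rule evaluation should return for the two configurations posted above, as an added example that is not part of the original post and not yuma123 code. The class and function names are hypothetical, only module-name and access-operations matching is modelled, and the `recovery_session` flag stands for the RFC's recovery-session bypass.

```python
# Added example: simplified RFC 8341 rule evaluation (not yuma123 code).
# Omitted: path / rpc-name / notification-name rule types, the
# nacm:default-deny-* extensions and external groups.
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    module_name: str = "*"
    access_operations: frozenset = frozenset({"*"})

@dataclass
class RuleList:
    name: str
    groups: set
    rules: list = field(default_factory=list)

# RFC 8341 defaults: read-default permit, write-default deny, exec-default permit.
DEFAULTS = {"read": "permit", "create": "deny", "update": "deny",
            "delete": "deny", "exec": "permit"}

def decide(user, op, module, groups, rule_lists,
           enable_nacm=True, recovery_session=False):
    """Return "permit" or "deny" for one access request."""
    if not enable_nacm or recovery_session:       # NACM is bypassed entirely
        return "permit"
    member_of = {g for g, users in groups.items() if user in users}
    for rl in rule_lists:                         # rule-lists in configured order
        if "*" not in rl.groups and not (rl.groups & member_of):
            continue
        for r in rl.rules:                        # first matching rule decides
            if r.module_name not in ("*", module):
                continue
            if "*" in r.access_operations or op in r.access_operations:
                return r.action
    return DEFAULTS[op]

# Constructed from the two configurations posted in the issue.
GROUPS = {"limited": {"test"}, "admin": {"root"}}
RULE_LISTS = [
    RuleList("limited-acl", {"limited"}, [Rule("deny-fs-fs-cfa", "deny", "fscfa")]),
    RuleList("admin-acl", {"admin"},
             [Rule("deny-fs-if", "deny", "fsif", frozenset({"create"}))]),
]

def expected_matrix():
    """Expected verdict per (user, module, operation) for the posted configs."""
    ops = ("read", "create", "update", "delete")
    return {(u, m, op): decide(u, op, m, GROUPS, RULE_LISTS)
            for u, m in (("test", "fscfa"), ("root", "fsif")) for op in ops}
```

Comparing this matrix with what the server actually allows shows which rule matches are enforced; a session the server treats as the recovery session is permitted everything regardless of the rules.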

@vlvassilev
Owner

NACM is only partially implemented and some of the rules are working but not all. I will keep this issue open as a warning for those who have NACM as an absolute requirement. For me it is not high in priority, so do not expect any focus on the required work in the near future.

@srilchan81
Author

OK, thanks for the reply.

@srilchan81
Author

Hello,
Is it possible to specify the working rules? We will convey the same to our customer.

Regards,
Srilekha
