IETF-NACM

Overview

The IETF NETCONF Access Control Model (IETF-NACM) provides simple and easy-to-configure database access control rules. It helps flexibly manage a specific user's permissions to perform NETCONF operations and access NETCONF resources.

The YANG model defines IETF-NACM in the ietf-netconf-acm.yang file.

IETF-NACM supports the following functions:
  • Protocol operation authorization: authorizes users to perform specific NETCONF operations.

    For example, <get>, <get-config>, <edit-config>, <copy-config>, <delete-config>, and <lock>.

  • Module authorization: authorizes users to access specific feature modules.

  • Data node authorization: authorizes users to query and modify specific data nodes.

  • Notification authorization: authorizes the system to report specified alarms or events to a user through the notification mechanism.

  • Action authorization: authorizes users to invoke operations defined for data nodes through "action" statements.
  • Emergency session recovery: authorizes users to directly initialize or repair the IETF-NACM authentication configuration without being restricted by the access control rules.

    Emergency session recovery is a process in which a management-level user, or a user in the manage-ug group, bypasses the access control rules and initializes or repairs the IETF-NACM authentication configuration.

    Management-level users are users at Level 3 or 15.

By default, IETF-NACM authentication is disabled and the HUAWEI-NACM authentication process is applied. If IETF-NACM authentication is enabled, the IETF-NACM authentication process is applied instead.

If IETF-NACM authentication is enabled, the user must be granted access to get/ietf-yang-library (read access to the ietf-yang-library module) before a session can be established. Otherwise, session establishment fails with a permission error.

Data Node Access

The access control permissions of IETF-NACM apply only to NETCONF databases (<candidate/>, <running/>, and <startup/>). The local or remote file or database accessed using the <url> parameter is not controlled by IETF-NACM.

The access permissions on data nodes are as follows:
  • Create: allows a client to add new data nodes to a database.
  • Read: allows a client to read a data node from a database or receive notification events.
  • Update: allows a client to update existing data nodes in a database.
  • Delete: allows a client to delete a data node from a database.
  • Exec: allows a client to perform protocol operations.

Authorization is checked only for the node targeted by the delivered operation, not for every node that changes in the model tree. For example, when a delete operation is performed on a parent node, the deletion automatically applies to its child nodes without a separate check. Therefore, the data of both the parent node and its child nodes is deleted in this case.

Components of IETF-NACM

Table 1 describes the components and functions of IETF-NACM.

Table 1 Description of IETF-NACM components (each component name is followed by its description)

User

User defined in the NACM view. The user must be an SSH user.

IETF-NACM only controls what an authenticated user is allowed to do. User authentication itself is implemented in the AAA view.

Group

Group defined in the NACM view. Protocol operations in a NETCONF session are authorized on the basis of the group to which the user belongs rather than the individual user.

The group identifier is a group name, which is unique on the NETCONF server.

Different groups can contain the same user.

Global execution control

Execution control can be:

  • enable-nacm: enables or disables the IETF-NACM authentication function. After IETF-NACM authentication is enabled, all requests are checked, and only the requests allowed by the execution control rules can be executed. After IETF-NACM authentication is disabled, the HUAWEI-NACM authentication process is applied.

  • read-default: sets the permission to view configuration databases and notifications. If the value is set to permit, NETCONF databases and notification events can be viewed. If the value is set to undo permit, NETCONF databases or notification events cannot be viewed.
  • write-default: sets the permission to modify configuration databases. If the value is set to permit, NETCONF databases can be modified. If the value is set to undo permit, NETCONF databases cannot be modified.
  • exec-default: sets the default execution permission for RPC operations. If the value is set to permit, NETCONF operations can be performed. If the value is set to undo permit, NETCONF operations cannot be performed.

Access control rule

There are five types of access control rules:

  • Module name: specifies the control rule of the YANG module, which is identified using a module name.

    For example, ietf-netconf.

  • Protocol operation: specifies the control rule of a protocol operation, which is identified using an RPC operation name defined in the YANG file.

    For example, <get> or <get-config>.

  • Data node: specifies the control rule of a data node, including whether an "action" statement can be used to invoke operations on the data node. The data node is identified using the XPath defined in the YANG file.

    For example, /ietf-netconf-acm:nacm/ietf-netconf-acm:rule-list.

  • Notification: specifies the control rule of a notification event, which is identified using an alarm or event name defined in the YANG file.

    For example, hwCPUUtilizationRisingAlarm defined by huawei-sem.

  • Access control operation permission: specifies the control rule of an operation type for objects of NACM authentication.

    For example, create, delete, read, update, or exec.

Implementation Principles

After a NETCONF session is established and the user has been authenticated, the NETCONF server enforces access permissions based on the user name, the group name, and the NACM authentication rule list. Rules are associated with users through user groups, so the administrator of a user group can manage the permissions of all users in that group.

  • An IETF-NACM user is associated with an IETF-NACM user group. After IETF-NACM users are added to a user group, the users in the same user group have the same permissions.
  • An IETF-NACM user group is associated with an IETF-NACM authentication rule list.
  • An IETF-NACM authentication rule list is associated with IETF-NACM authentication rules.

    An IETF-NACM authentication rule list is a set of rules. Rules of different types can be combined in one rule list, and users associated with the list are subject to all the rules in it.
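The user, group, and rule-list binding described above, together with the ietf-yang-library read access a session needs, expressed as an edit-config payload for ietf-netconf-acm.yang. This is an added example, not configuration from the original page or from Huawei; the user name netops, the group name operators, and the rule names are assumed.

```xml
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target><running/></target>
    <config>
      <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
        <!-- Enable IETF-NACM and deny everything that no rule explicitly permits -->
        <enable-nacm>true</enable-nacm>
        <read-default>deny</read-default>
        <write-default>deny</write-default>
        <exec-default>deny</exec-default>
        <!-- Group "operators" (assumed name) containing the SSH user "netops" (assumed name) -->
        <groups>
          <group>
            <name>operators</name>
            <user-name>netops</user-name>
          </group>
        </groups>
        <!-- One rule list bound to the group; rules are matched in the order listed -->
        <rule-list>
          <name>operators-rules</name>
          <group>operators</group>
          <!-- Module rule: read access to ietf-yang-library, required at session setup -->
          <rule>
            <name>allow-yang-library-read</name>
            <module-name>ietf-yang-library</module-name>
            <access-operations>read</access-operations>
            <action>permit</action>
          </rule>
          <!-- Protocol operation rule: permit the <get> RPC (exec) from ietf-netconf -->
          <rule>
            <name>allow-get</name>
            <module-name>ietf-netconf</module-name>
            <rpc-name>get</rpc-name>
            <access-operations>exec</access-operations>
            <action>permit</action>
          </rule>
          <!-- Data node rule: explicitly deny all operations on the NACM rule lists -->
          <rule>
            <name>deny-nacm-rule-list</name>
            <module-name>ietf-netconf-acm</module-name>
            <path xmlns:nacm="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">/nacm:nacm/nacm:rule-list</path>
            <access-operations>*</access-operations>
            <action>deny</action>
          </rule>
        </rule-list>
      </nacm>
    </config>
  </edit-config>
</rpc>
```

Because the global defaults are deny, a user in operators can perform <get> and read ietf-yang-library but nothing else; any further operation needs its own permit rule.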

IETF-NACM Authentication Process

Figure 1 shows the IETF-NACM authentication process.

Figure 1 IETF-NACM authentication process

When the user groups and authentication rule lists are traversed, if no group contains the user name carried in the request, or no rule matches the requested operation, the action taken depends on what is being authorized. For details, see Table 2.

Table 2 Operations performed for different authorized contents (each content type is followed by the operation performed)

Protocol operation

  • If the RPC operation defined in the YANG file contains the nacm:default-deny-all statement, the RPC request is rejected.
  • If the requested operation is <kill-session> or <delete-config>, the RPC request is rejected.
  • If the default execution permission (exec-default) allows the RPC operation, the RPC request is executed. Otherwise, the RPC request is rejected.

Data node

  • If the definition of the data node contains the nacm:default-deny-all statement, the data node does not support the read or write operation.
  • If the definition of the data node contains the nacm:default-deny-write statement, the data node does not support the write operation.
  • If the default query permission (read-default) is permit, the read operation is allowed. Otherwise, the read operation is rejected.
  • If the default configuration permission (write-default) is permit, the write operation is allowed. Otherwise, the write operation is rejected.

Notification

  • If the notification statement contains the nacm:default-deny-all statement, the notification cannot be reported.
  • If the default query permission (read-default) is permit, the notification is reported. Otherwise, the notification is discarded.

Action

  • If the data node definition contains the nacm:default-deny-all statement, no "action" statement can be used to invoke operations on the data node.
  • If an "action" statement can be used to invoke operations on a data node, the user must have read permission on the data node and on each of its parent nodes, and must also have execute permission on the data node. If either permission is missing, operations on the data node cannot be invoked using the "action" statement.
Copyright © Huawei Technologies Co., Ltd.