Access Control Model Interface
The netconfd-pro server supports 2 different access control models:
ietf: Use the ietf-netconf-acm.yang module defined in RFC 8341
external: an external data model provided by the vendor is used
If the 'external' mode is used, then ACM callback functions must be registered with yp-system API functions that the server needs to validate the following types of client access:
protocol operation requests
database read and write requests
notification delivery
Register ACM Callback Functions
The function 'agt_acm_extern_register_callbacks' in
agt/agt_acm_extern.h is used by the external system code to register
its own callback functions to handle access control requests. These
functions are used by the system instead of its own access control cache
and data model.
If the external access control method is selected in the system initialization then these callback functions MUST be provided or all access requests will be granted by default!
-
void agt_acm_extern_register_callbacks(agt_acm_extern_rpc_fn_t rpcfn, agt_acm_extern_notif_fn_t notfn, agt_acm_extern_write_fn_t writefn, agt_acm_extern_read_fn_t readfn)
Register the external callbacks for ACM implementation.
A NULL callback means that type of access will always be granted!!!
- Parameters:
rpcfn -- check-rpc function callback
notfn -- check-notification function callback
writefn -- check-val-write function callback
readfn -- check-val-write function callback
The following functions must be registered:
RPC Request Callback Function
Notification Send Callback Function
Database Write Request Callback Function
Database Read Request Callback Function
The following example "init1" function shows how this function might be used:
status_t yp_system_init1 (boolean pre_cli)
{
log_debug("\nyp_system init1\n");
if (pre_cli) {
;
} else {
// example -- external NACM callbacks
// load module for external module
// with ncxmod_load_module
// register the external ACM callbacks
// this will have no affect unless the
// yp_system_init_profile fn sets the
// agt_acm_model to AGT_ACM_MODEL_EXTERNAL
agt_acm_extern_register_callbacks(acm_extern_rpc,
acm_extern_notif,
acm_extern_write,
acm_extern_read);
}
return NO_ERR;
}
RPC Request
Checks if the user is allowed to invoke the specified YANG-defined protocol operation. The 'agt_acm_extern_rpc_fn_t' template is used for this callback.
-
typedef boolean (*agt_acm_extern_rpc_fn_t)(xml_msg_hdr_t *msg, const xmlChar *user, const obj_template_t *rpcobj)
Check if the specified user is allowed to invoke an RPC.
- Param msg:
XML header in incoming message in progress
- Param user:
user name string
- Param rpcobj:
obj_template_t for the RPC method to check
- Return:
TRUE if user allowed invoke this RPC; FALSE otherwise
This example RPC Request callback can be found in example-system.c:
static boolean
acm_extern_rpc (xml_msg_hdr_t *msg,
const xmlChar *user,
const obj_template_t *rpcobj)
{
(void)msg;
const xmlChar *modname = obj_get_mod_name(rpcobj);
const xmlChar *objname = obj_get_name(rpcobj);
log_debug("\nChecking RPC access for user %s to operation '%s:%s'",
user, modname, objname);
// check access here
log_debug("\nacm_extern_rpc: return OK\n");
return TRUE;
} /* acm_extern_rpc */
Notification Send
Checks if the user is allowed to receive the specified YANG-defined notification event. The 'agt_acm_extern_notif_fn_t' template is used for this callback.
-
typedef boolean (*agt_acm_extern_notif_fn_t)(const xmlChar *user, const obj_template_t *notifobj)
Check if the specified user is allowed to receive a notification event.
- Param user:
user name string
- Param notifobj:
obj_template_t for the notification event to check
- Return:
TRUE if user allowed receive this notification event
FALSE otherwise
This example Notification Send callback can be found in example-system.c:
static boolean
acm_extern_notif (const xmlChar *user,
const obj_template_t *notifobj)
{
const xmlChar *modname = obj_get_mod_name(rpcobj);
const xmlChar *objname = obj_get_name(rpcobj);
log_debug("\nChecking Notification access for "
"user %s to event '%s:%s'",
user, modname, objname);
// check access here
log_debug("\nacm_extern_notif: return OK\n");
return TRUE;
} /* acm_extern_notif */
Database Write
Checks if the user is allowed to edit the specified YANG-defined data node. The 'agt_acm_extern_write_fn_t' template is used for this callback.
-
typedef boolean (*agt_acm_extern_write_fn_t)(xml_msg_hdr_t *msg, const xmlChar *user, const val_value_t *newval, const val_value_t *curval, op_editop_t editop)
Check if the specified user is allowed to access a value node.
The val->obj template will be checked against the val->editop requested access and the user's configured max-access
- Param msg:
XML header from incoming message in progress
- Param user:
user name string to check for access
- Param newval:
in progress to check
(may be NULL, if curval set)
- Param curval:
in progress to check
(may be NULL, if newval set)
- Param editop:
requested CRUD operation
- Return:
TRUE if user allowed this level of access to the value node
This example Database Write callback can be found in example-system.c:
static boolean
acm_extern_write (xml_msg_hdr_t *msg,
const xmlChar *user,
const val_value_t *newval,
const val_value_t *curval,
op_editop_t editop)
{
(void)msg;
(void)user;
(void)newval;
(void)curval;
(void)editop;
log_debug("\nacm_extern_write: return OK\n");
return TRUE;
} /* acm_extern_write */
Database Read
Checks if the user is allowed to read the specified YANG-defined data node. The 'agt_acm_extern_read_fn_t' template is used for this callback.
-
typedef boolean (*agt_acm_extern_read_fn_t)(xml_msg_hdr_t *msg, const xmlChar *user, const val_value_t *val)
Check if the specified user is allowed to read a value node.
- Param msg:
XML header from incoming message in progress
- Param user:
user name string
- Param val:
val_value_t in progress to check
- Return:
TRUE if user allowed read access to the value node
This example Database Write callback can be found in example-system.c:
static boolean
acm_extern_read (xml_msg_hdr_t *msg,
const xmlChar *user,
const val_value_t *val)
{
(void)msg;
(void)user;
(void)val;
log_debug("\nacm_extern_read: return OK\n");
return TRUE;
} /* acm_extern_read */