CESNET / netopeer2

NETCONF toolset
BSD 3-Clause "New" or "Revised" License

NACM access denied #1542

Closed ankit7gup closed 4 months ago

ankit7gup commented 4 months ago

Hi Michal,

We are observing one error related to NACM.

Steps done:

  1. Apply NACM config as below for user 'testadmin'
  2. Establish connection via Callhome
  3. Create subscription.
  4. O-ran-supervision's Supervision-watchdog-reset RPC is sent by Client to the Netopeer server.

After Step 3, one error is observed once, and after that no NACM error is observed. Can you please help to check for which RPC it is giving the error, and whether there is a config issue or some bug?

Sharing the NACM configuration as below:

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>deny</exec-default>
  <enable-external-groups>false</enable-external-groups>
  <groups>
    <group>
      <name>sudo</name>
      <user-name>testadmin</user-name>
    </group>
  </groups>
  <rule-list>
    <name>sudo</name>
    <group>sudo</group>
    <rule>
      <name>notifications</name>
      <module-name>notifications</module-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>ietf-netconf</name>
      <module-name>ietf-netconf</module-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>ietf-netconf-acm</name>
      <module-name>ietf-netconf-acm</module-name>
      <access-operations>create read update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>ietf-yang-library</name>
      <module-name>ietf-yang-library</module-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>ietf-netconf-monitoring</name>
      <module-name>ietf-netconf-monitoring</module-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>ietf-netconf-notifications</name>
      <module-name>ietf-netconf-notifications</module-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-supervision</name>
      <module-name>o-ran-supervision</module-name>
      <access-operations>create update delete exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-hardware</name>
      <module-name>o-ran-hardware</module-name>
      <access-operations>create update delete exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>ietf-hardware</name>
      <module-name>ietf-hardware</module-name>
      <access-operations>create update delete exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-usermgmt</name>
      <module-name>o-ran-usermgmt</module-name>
      <access-operations>create update delete exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-fm</name>
      <module-name>o-ran-fm</module-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-sync</name>
      <module-name>o-ran-sync</module-name>
      <access-operations>create update delete exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-delay</name>
      <module-name>o-ran-delay-management</module-name>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-module-cap</name>
      <module-name>o-ran-module-cap</module-name>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-udp-echo</name>
      <module-name>o-ran-udp-echo</module-name>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-operations</name>
      <module-name>o-ran-operations</module-name>
      <access-operations>create update delete exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-uplane-conf</name>
      <module-name>o-ran-uplane-conf</module-name>
      <access-operations>create update delete exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-beamforming</name>
      <module-name>o-ran-beamforming</module-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-lbm</name>
      <module-name>o-ran-lbm</module-name>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-software-management</name>
      <module-name>o-ran-software-management</module-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-file-management</name>
      <module-name>o-ran-file-management</module-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-performance-management</name>
      <module-name>o-ran-performance-management</module-name>
      <access-operations>create update delete exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-transceiver</name>
      <module-name>o-ran-transceiver</module-name>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-externalio</name>
      <module-name>o-ran-externalio</module-name>
      <access-operations>create update delete exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-ald-port</name>
      <module-name>o-ran-ald-port</module-name>
      <access-operations>create update delete exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-interfaces</name>
      <module-name>o-ran-interfaces</module-name>
      <access-operations>create update delete exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>ietf-ip</name>
      <module-name>ietf-ip</module-name>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>ietf-interfaces</name>
      <module-name>ietf-interfaces</module-name>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-processing-element</name>
      <module-name>o-ran-processing-element</module-name>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-mplane-interfaces</name>
      <module-name>o-ran-mplane-int</module-name>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-ald</name>
      <module-name>o-ran-ald</module-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-troubleshooting</name>
      <module-name>o-ran-troubleshooting</module-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-trace</name>
      <module-name>o-ran-trace</module-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-laa</name>
      <module-name>o-ran-laa</module-name>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-laa-operations</name>
      <module-name>o-ran-laa-operations</module-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-antenna-calibration</name>
      <module-name>o-ran-antenna-calibration</module-name>
      <access-operations>create update delete exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-shared-cell</name>
      <module-name>o-ran-shared-cell</module-name>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>o-ran-ethernet-forwarding</name>
      <module-name>o-ran-ethernet-forwarding</module-name>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>ietf-subscribed-notifications</name>
      <module-name>ietf-subscribed-notifications</module-name>
      <access-operations>read</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>

Reply of rpc_action_send_command: {'error': 'Executing the operation is denied because "testadmin" NACM authorization failed.'}

2024-02-26 17:06:02.729730 info netopeer2-server[1616]: User "testadmin" has no authorized_keys file.
2024-02-26 17:06:02.729850 info netopeer2-server[1616]: Failed user "testadmin" authentication attempt (#1).
2024-02-26 17:06:02.730607 info netopeer2-server[1616]: Received an SSH message "request-service" of subtype "ssh-userauth".
2024-02-26 17:06:02.731088 info netopeer2-server[1616]: Received an SSH message "request-auth" of subtype "password".
2024-02-26 17:06:02.740882 info netopeer2-server[1616]: User "testadmin" authenticated.
2024-02-26 17:06:02.742001 info netopeer2-server[1616]: Received an SSH message "request-channel-open" of subtype "session".
2024-02-26 17:06:02.742802 info netopeer2-server[1616]: Received an SSH message "request-channel" of subtype "subsystem".
2024-02-26 17:06:02.745275 info netopeer2-server[1616]: Call Home client "vlan_client_2001:0db9:0130:0000:b696:91ff:febc:3236" session 2 established.
2024-02-26 17:06:02.745956 info netopeer2-server[1616]: Session 114 (user "root", CID 112) created.
2024-02-26 17:06:02.746782 info netopeer2-server[1616]: EV ORIGIN: "ietf-netconf-notifications" "notif" ID 3 priority 0 for 1 subscribers published.
2024-02-26 17:06:02.747227 info netopeer2-server[1616]: EV LISTEN: "ietf-netconf-notifications" "notif" ID 3 processing.
2024-02-26 17:06:02.747760 info netopeer2-server[1616]: EV LISTEN: "ietf-netconf-notifications" "notif" ID 3 priority 0 success (remaining 0 subscribers).
2024-02-26 17:06:02.748588 info netopeer2-server[1616]: Generated new event (netconf-session-start).
2024-02-26 17:06:02.899428 info netopeer2-server[1616]: EV ORIGIN: "/notifications:create-subscription" "rpc" ID 2 priority 5 for 1 subscribers published.
2024-02-26 17:06:02.909003 info netopeer2-server[1616]: EV ORIGIN: "/notifications:create-subscription" "rpc" ID 2 priority 5 succeeded.
2024-02-26 17:06:02.909289 info netopeer2-server[1616]: EV ORIGIN: "/notifications:create-subscription" "rpc" ID 2 priority 0 for 1 subscribers published.
2024-02-26 17:06:02.909638 info netopeer2-server[1616]: EV LISTEN: "/notifications:create-subscription" "rpc" ID 2 priority 0 processing (remaining 1 subscribers).
2024-02-26 17:06:02.938174 info netopeer2-server[1616]: EV LISTEN: "/notifications:create-subscription" "rpc" ID 2 priority 0 success (remaining 0 subscribers).
2024-02-26 17:06:02.938279 info netopeer2-server[1616]: EV ORIGIN: "/notifications:create-subscription" "rpc" ID 2 priority 0 succeeded.
2024-02-26 17:06:02.939010 info netopeer2-server[1616]: Session 2: thread 2 event new RPC.
**2024-02-26 17:06:03.148746 err netopeer2-server[1616]: NACM access denied.**
2024-02-26 17:06:03.148791 err netopeer2-server[1616]: Failed to send an RPC (Operation not authorized).
2024-02-26 17:06:03.149270 info netopeer2-server[1616]: Session 2: thread 2 event new RPC.
2024-02-26 17:06:03.149297 info netopeer2-server[1616]: Session 2: thread 2 event reply error.
2024-02-26 17:06:03.150048 info netopeer2-server[1616]: EV ORIGIN: "/o-ran-supervision:supervision-watchdog-reset" "rpc" ID 1 priority 0 for 1 subscribers published.
2024-02-26 17:06:03.157449 info netopeer2-server[1616]: EV ORIGIN: "/o-ran-supervision:supervision-watchdog-reset" "rpc" ID 1 priority 0 succeeded.

Thanks!

Regards, Ankit

ankit7gup commented 4 months ago

Found the root cause.

michalvasko commented 4 months ago

Fine, so there is nothing for us to fix or improve, the cause was wrong NACM configuration or something similar?

ankit7gup commented 4 months ago

The issue was that the client application was sending the RPC establish-subscription, for which denial is expected as it is set in the NACM config. However, in the netopeer2-server logs the RPC name is not printed, only the access denied error. If this could be improved, it would be easier to debug.

Thanks!
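The denial in this thread is the RFC 8341 rule walk ending at `exec-default`: the posted rule-list mentions ietf-subscribed-notifications only for `read`, so an `exec` of establish-subscription matches no rule and falls through to `deny`, while supervision-watchdog-reset is permitted by the o-ran-supervision rule. The following is an added illustration, not netopeer2 or sysrepo code, that replays that walk over an abbreviated excerpt of the configuration from the first post and returns the reason alongside the verdict (the detail the comment above asks the server log for). Assumptions: only module-name and rpc-name rule selectors are modelled (no path rules), and group membership is taken from the local `groups` container, as the posted config disables external groups.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
# Abbreviated excerpt (three rules) of the NACM configuration posted in the issue.
NACM_XML = """<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>deny</exec-default>
  <groups><group><name>sudo</name><user-name>testadmin</user-name></group></groups>
  <rule-list><name>sudo</name><group>sudo</group>
    <rule><name>notifications</name><module-name>notifications</module-name>
      <access-operations>exec</access-operations><action>permit</action></rule>
    <rule><name>o-ran-supervision</name><module-name>o-ran-supervision</module-name>
      <access-operations>create update delete exec</access-operations><action>permit</action></rule>
    <rule><name>ietf-subscribed-notifications</name><module-name>ietf-subscribed-notifications</module-name>
      <access-operations>read</access-operations><action>deny</action></rule>
  </rule-list>
</nacm>"""


def nacm_decision(nacm_xml, user, module, op, rpc=None):
    """RFC 8341 rule walk for `user` doing `op` (read/create/update/delete/exec) on
    `module` (optionally a specific `rpc`); returns (action, reason) for logging."""
    def q(tag):
        return f"{{{NS}}}{tag}"
    root = ET.fromstring(nacm_xml)
    if root.findtext(q("enable-nacm")) != "true":
        return "permit", "NACM disabled"
    groups = {g.findtext(q("name")) for g in root.findall(f"{q('groups')}/{q('group')}")
              if user in [u.text for u in g.findall(q("user-name"))]}
    for rl in root.findall(q("rule-list")):
        rl_groups = {g.text for g in rl.findall(q("group"))}
        if "*" not in rl_groups and not (rl_groups & groups):
            continue  # rule-list does not apply to any of the user's groups
        for rule in rl.findall(q("rule")):  # first matching rule wins
            if rule.findtext(q("module-name"), "*") not in ("*", module):
                continue
            rpc_name = rule.findtext(q("rpc-name"))
            if rpc_name not in (None, "*") and rpc_name != rpc:
                continue
            ops = rule.findtext(q("access-operations"), "*").split()
            if "*" not in ops and op not in ops:
                continue
            return (rule.findtext(q("action")),
                    f"rule-list '{rl.findtext(q('name'))}' rule '{rule.findtext(q('name'))}'")
    # No rule matched: the global default for this operation class decides.
    default = {"read": "read-default", "exec": "exec-default"}.get(op, "write-default")
    return root.findtext(q(default)), f"{default} (no matching rule)"
```

Running it for `exec` on ietf-subscribed-notifications returns `deny` with reason `exec-default (no matching rule)`, which is the information missing from the bare "NACM access denied" log line.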

michalvasko commented 4 months ago

There were some improvements implemented but only in version 2.2.138 (SO 7.19.32), I assume you are using an older one.

ankit7gup commented 4 months ago

Yes.