vlvassilev / yuma123

The yuma123 repository

NACM rules are not working #144

Open srilchan81 opened 7 months ago

srilchan81 commented 7 months ago

NON-SUPERUSER:

I have created a new user “test” with password “Test@123”. For this new user I have connected yangcli and created some rules for the user “test” with reference to the RFC. I have added the newly created user to the limited group and created a rule to deny all the operations for the module “fscfa” (a proprietary module) with this new user. Here the user is treated as a non-superuser.

Below are the configs for non-superuser:

```
replace /nacm/groups/group/user-name test limited
commit
replace /nacm/rule-list/name limited-acl
replace /nacm/rule-list/group limited limited-acl
replace /nacm/rule-list/rule/action deny deny-fs-fs-cfa limited-acl
replace /nacm/rule-list/rule/access-operations * deny-fs-fs-cfa limited-acl
replace /nacm/rule-list/rule/module-name fscfa deny-fs-fs-cfa limited-acl
commit
sget /nacm/
```

Even after creating the deny rule for the fscfa module, I am able to do all the operations like create, replace, get, delete. So, I cross-verified the XML generated with the above configs against the XML in RFC 8341 (the “NACM_RFC_reference.txt” file contains the XML reference from the RFC). I didn’t find any differences between the XMLs; the configurations are configured properly and reflected in the sget output also, but the functionality is not working.

NOTE: for this non-superuser please find the “nacm_non_super_user_configs.txt” file for the configs log, sget output, testing for “fscfa”, and the XML populated for the nacm configs.

SUPERUSER:

In a similar way, I have checked the administrative user, i.e. the “root” user, which is nothing but the superuser. Here also the same is happening as for the non-superuser “test”. For the “root” user I used the configs below.

Below are the configs for superuser:

```
replace /nacm/groups/group/user-name root admin
commit
replace /nacm/rule-list/name admin-acl
replace /nacm/rule-list/group admin admin-acl
replace /nacm/rule-list/rule/action deny deny-fs-if admin-acl
replace /nacm/rule-list/rule/access-operations create deny-fs-if admin-acl
replace /nacm/rule-list/rule/module-name fsif deny-fs-if admin-acl
commit
sget /nacm/
```

NOTE: for this superuser please find the “nacm_root_user_configs.txt” file for the configs log, sget output, testing for “fscfa”, and the XML populated for the nacm configs

vlvassilev commented 7 months ago

NACM is only partially implemented and some of the rules are working but not all. I will keep this issue open as a warning for those who have NACM as an absolute requirement. For me it is not high in priority, so do not expect any focus on the required work in the near future.

srilchan81 commented 7 months ago

ok thanks for the reply.

srilchan81 commented 7 months ago

Hello, is it possible to specify the working rules? We will convey the same to our customer.

Regards, Srilekha
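For anyone who needs to confirm which rules a server actually enforces, the following added example (not from this thread or the yuma123 project) computes the decisions RFC 8341 expects for the two rule-lists posted above and lists where manual test results disagree. It is a simplified evaluator covering only module-name and access-operations matching. The names `NACM`, `OBSERVED`, `decide` and `enforcement_gaps` are hypothetical, the sample data is constructed from the issue text, and the recovery-session bypass is RFC 8341 behaviour; whether the server in this issue treats `root` that way is not stated on the page.

```python
"""Expected RFC 8341 (NACM) decisions for the rules posted in this issue.
Simplified: module-name and access-operations matching only (no path/rpc rules)."""

# RFC 8341 defaults for read-default / write-default / exec-default.
DEFAULTS = {"read": "permit", "write": "deny", "exec": "permit"}
WRITE_OPS = {"create", "update", "delete"}

# Constructed from the yangcli commands in the issue (not a server dump).
NACM = {
    "groups": {"limited": ["test"], "admin": ["root"]},
    "rule_lists": [
        {"name": "limited-acl", "groups": ["limited"], "rules": [
            {"name": "deny-fs-fs-cfa", "module": "fscfa", "ops": "*", "action": "deny"}]},
        {"name": "admin-acl", "groups": ["admin"], "rules": [
            {"name": "deny-fs-if", "module": "fsif", "ops": "create", "action": "deny"}]},
    ],
}

# Constructed from the report that user "test" could still operate on fscfa.
OBSERVED = [("test", "fscfa", "create", "permit"),
            ("test", "fscfa", "read", "permit"),
            ("test", "fscfa", "delete", "permit")]

def decide(nacm, user, module, op, recovery_users=()):
    """Return (action, reason) for one access request."""
    if user in recovery_users:  # RFC 8341: a recovery session bypasses NACM
        return "permit", "recovery session"
    user_groups = {g for g, members in nacm["groups"].items() if user in members}
    for rl in nacm["rule_lists"]:  # rule-lists and rules are evaluated in order
        if "*" not in rl["groups"] and not user_groups & set(rl["groups"]):
            continue
        for rule in rl["rules"]:
            if rule["module"] not in ("*", module):
                continue
            if rule["ops"] != "*" and op not in rule["ops"].split():
                continue
            return rule["action"], f"{rl['name']}/{rule['name']}"  # first match wins
    kind = "write" if op in WRITE_OPS else op
    return DEFAULTS[kind], f"{kind}-default"

def enforcement_gaps(nacm, observed, recovery_users=()):
    """Compare (user, module, op, result) test outcomes with the expected decision."""
    gaps = []
    for user, module, op, result in observed:
        expected, reason = decide(nacm, user, module, op, recovery_users)
        if expected != result:
            gaps.append((user, module, op, expected, result, reason))
    return gaps

if __name__ == "__main__":
    for gap in enforcement_gaps(NACM, OBSERVED):
        print("expected %s, observed %s for %s on %s/%s (%s)"
              % (gap[3], gap[4], gap[0], gap[1], gap[2], gap[5]))
```

Feeding it the results of a scripted test run gives a concrete list of rules a given build does not enforce, which is the information to hand to anyone relying on NACM for access control.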