netconf: Inject NACM config for admin user in factory-config

On May 10, 2023, @troglobit wrote: > Initial proposal for factory-config, based on example from RFC8341. This gives the admin user the ability to configure the device over NETCONF.
kernelkit · May 25, 2023 · cd52a42 · cd52a42
1 parent 3dbc591
commit cd52a42
Showing 1 changed file with 68 additions and 0 deletions.
diff --git a/board/netconf/rootfs/etc/auto-factory.d/10-nacm.json b/board/netconf/rootfs/etc/auto-factory.d/10-nacm.json
@@ -0,0 +1,68 @@
+{
+    "ietf-netconf-acm:nacm": {
+	"groups": {
+	    "group": [
+		{
+		    "name": "admin",
+		    "user-name": [
+			"admin"
+		    ]
+		}
+	    ]
+	},
+	"rule-list": [
+	    {
+		"name": "guest-acl",
+		"group": [
+		    "guest"
+		],
+		"rule": [
+		    {
+			"name": "deny-ncm",
+			"module-name": "ietf-netconf-monitoring",
+			"access-operations": "*",
+			"action": "deny",
+			"comment": "Disallow guests access to any NETCONF monitoring information."
+		    }
+		]
+	    },
+	    {
+		"name": "limited-acl",
+		"group": [
+		    "limited"
+		],
+		"rule": [
+		    {
+			"name": "permit-ncm",
+			"module-name": "ietf-netconf-monitoring",
+			"access-operations": "read",
+			"action": "permit",
+			"comment": "Allow read access to the NETCONF monitoring information."
+		    },
+		    {
+			"name": "permit-exec",
+			"module-name": "*",
+			"access-operations": "exec",
+			"action": "permit",
+			"comment": "Allow invocation of the supported server operations."
+		    }
+		]
+	    },
+	    {
+		"name": "admin-acl",
+		"group": [
+		    "admin"
+		],
+		"rule": [
+		    {
+			"name": "permit-all",
+			"module-name": "*",
+			"access-operations": "*",
+			"action": "permit",
+			"comment": "Allow 'admin' group complete access to all operations and data."
+		    }
+		]
+	    }
+	]
+    }
+}