From cd52a42388befdfca722a702f5b32c9b59782781 Mon Sep 17 00:00:00 2001
From: Tobias Waldekranz
Date: Thu, 25 May 2023 15:31:51 +0200
Subject: [PATCH] netconf: Inject NACM config for admin user in factory-config On May 10, 2023, @troglobit wrote: > Initial proposal for factory-config, based on example from RFC8341. This gives the admin user the ability to configure the device over NETCONF.
---
.../rootfs/etc/auto-factory.d/10-nacm.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 board/netconf/rootfs/etc/auto-factory.d/10-nacm.json
diff --git a/board/netconf/rootfs/etc/auto-factory.d/10-nacm.json b/board/netconf/rootfs/etc/auto-factory.d/10-nacm.json
new file mode 100644
index 000000000..39539e7e0
--- /dev/null
+++ b/board/netconf/rootfs/etc/auto-factory.d/10-nacm.json
@@ -0,0 +1,68 @@
+{
+ "ietf-netconf-acm:nacm": {
+ "groups": {
+ "group": [
+ {
+ "name": "admin",
+ "user-name": [
+ "admin"
+ ]
+ }
+ ]
+ },
+ "rule-list": [
+ {
+ "name": "guest-acl",
+ "group": [
+ "guest"
+ ],
+ "rule": [
+ {
+ "name": "deny-ncm",
+ "module-name": "ietf-netconf-monitoring",
+ "access-operations": "*",
+ "action": "deny",
+ "comment": "Disallow guests access to any NETCONF monitoring information."
+ }
+ ]
+ },
+ {
+ "name": "limited-acl",
+ "group": [
+ "limited"
+ ],
+ "rule": [
+ {
+ "name": "permit-ncm",
+ "module-name": "ietf-netconf-monitoring",
+ "access-operations": "read",
+ "action": "permit",
+ "comment": "Allow read access to the NETCONF monitoring information."
+ },
+ {
+ "name": "permit-exec",
+ "module-name": "*",
+ "access-operations": "exec",
+ "action": "permit",
+ "comment": "Allow invocation of the supported server operations."
+ }
+ ]
+ },
+ {
+ "name": "admin-acl",
+ "group": [
+ "admin"
+ ],
+ "rule": [
+ {
+ "name": "permit-all",
+ "module-name": "*",
+ "access-operations": "*",
+ "action": "permit",
+ "comment": "Allow 'admin' group complete access to all operations and data."
+ }
+ ]
+ }
+ ]
+ }
+}
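Review bot: The `guest-acl` and `limited-acl` rule-lists reference groups `guest` and `limited`, but `groups` defines only `admin`, so as written they match no user unless group names arrive from the transport (in RFC 8341 `enable-external-groups` defaults to true). Either add the two groups under `groups/group` or drop the rule-lists from the factory config, so that the file does not suggest a guest restriction that is not in force. The container also leaves the global defaults implicit, and per RFC 8341 those are read permit, write deny and exec permit, so any authenticated user outside `admin` can still read unprotected data and invoke RPCs. For a factory default it would be clearer to pin them explicitly next to `groups`, e.g. `"read-default": "permit", "write-default": "deny", "exec-default": "deny",`, choosing the values deliberately. Because `admin-acl` grants `*`/`*` purely by user name, it is also worth confirming that the account named `admin` cannot be created or impersonated through any other authentication path on the device.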