Configuration Guide - Network Management and Monitoring

CloudEngine 12800 and 12800E V200R005C10

This document describes the configurations of Network Management and Monitoring, including SNMP, RMON, LLDP, NQA, Service Diagnosis, Mirroring, Packet Capture, sFlow, and NETCONF.
NETCONF Authorization

HUAWEI-NACM

Overview
HUAWEI-NACM authorization includes:
  • NETCONF operation authorization: authorizes users to perform specific NETCONF operations, such as <edit-config>, <get>, <sync-full>, <sync-inc>, and <commit>.

  • Module authorization: authorizes users for specific feature modules, such as Telnet-client, Layer 3 virtual private network (L3VPN), Open Shortest Path First (OSPF), Fault-MGR, Device-MGR, and Intermediate System-to-Intermediate System (IS-IS).

  • Data node authorization: authorizes users to access specific data nodes, such as /ifm/interfaces/interface/ifAdminStatus and /devm/globalPara/maxChassisNum.

The authorization rules for NETCONF operations and data nodes can be configured.

NOTE:

By default, HUAWEI-NACM authentication is enabled and only takes effect on schema sessions.

Principles

The NETCONF authorization mechanism is similar to the task authorization mechanism that regulates command authorization, and it is likewise modeled on the NETCONF access control model (ACM).

Authentication, authorization and accounting (AAA) defines tasks, task groups, and user groups. The task authorization mechanism uses a three-layer permission control model. This model organizes commands into tasks, tasks into task groups, and task groups into user groups.

The NETCONF authorization mechanism builds on the task authorization mechanism: it subscribes to the required authorization information from the task authorization mechanism and stores the obtained information in its own local data structures.

NETCONF operations are implemented based on NETCONF sessions established using Secure Shell (SSH). NETCONF authorization applies only to SSH users.

  • The operation permissions of a user are defined by the user group to which the user belongs. All users in a user group have the same permissions.

  • A user group consists of multiple task groups.

  • A task group consists of multiple tasks.

    When a task is added to a task group, it can be assigned one or more of the following permissions: read, write, and execute.

    Commands for each feature or module belong to a single task. Tasks are pre-configured and cannot be added, modified, or deleted.

Figure 3-4 and Figure 3-5 show the NETCONF authorization schematic diagram. The NETCONF authorization mechanism adds rules for NETCONF operation and data node authorization on top of the task authorization mechanism.

Figure 3-4 NETCONF authorization schematic diagram
Figure 3-5 NETCONF authorization schematic diagram
Benefits

NETCONF authorization is a mechanism to restrict access for particular users to a pre-configured subset of all available NETCONF protocol operations and contents.

IETF-NACM

Overview

The IETF NETCONF Access Control Model (IETF-NACM) provides simple and easy-to-configure database access control rules. It helps flexibly manage a specific user's permissions to perform NETCONF operations and access NETCONF resources.

The YANG model defines IETF-NACM in the ietf-netconf-acm.yang file.

IETF-NACM supports the following functions:
  • Protocol operation authentication: authorizes users to perform specific NETCONF operations.

    For example, <get>, <get-config>, <edit-config>, <copy-config>, <delete-config>, and <lock>.

  • Module authorization: authorizes users to access specific feature modules.

  • Data node authorization: authorizes users to query and modify specific data nodes.

  • Notification authentication: authorizes a system to report specified alarms or events through the notification mechanism.

  • Emergency session recovery: allows users to directly initialize or repair the IETF-NACM authentication configuration without being restricted by the access control rules.

    Emergency session recovery is a process in which a management-level user, or a user in the manage-ug group, bypasses the access control rules and initializes or repairs the IETF-NACM authentication configuration.

    Management-level users are users of level 3 or 15.

NOTE:

By default, IETF-NACM authentication is disabled and the HUAWEI-NACM authentication process applies. If IETF-NACM authentication is enabled, the IETF-NACM authentication process applies instead.

If IETF-NACM authentication is enabled, the access permission on get/ietf-yang-library must be granted, because it is required during session establishment. Otherwise, session establishment fails with a permission error.

Data Node Access

The access control permissions of IETF-NACM apply only to NETCONF databases (<candidate/>, <running/>, and <startup/>). The local or remote file or database accessed using the <url> parameter is not controlled by IETF-NACM.

The access permissions on data nodes are as follows:
  • Create: allows a client to add new data nodes to a database.
  • Read: allows a client to read a data node from a database or receive notification events.
  • Update: allows a client to update existing data nodes in a database.
  • Delete: allows a client to delete a data node from a database.
  • Exec: allows a client to perform protocol operations.
Components of IETF-NACM

Table 3-5 describes the components and functions of IETF-NACM.

Table 3-5 Description of IETF-NACM components

User: a user defined in the NACM view. The user must be an SSH user. IETF-NACM applies access control to users only; user authentication itself is performed by AAA.

Group: a group defined in the NACM view. Protocol operations in a NETCONF session are authorized on the basis of the group rather than the individual user. The group identifier is a group name, which is unique on the NETCONF server. A user can be a member of multiple groups.

Global execution control: the global switch and the default permissions, as follows:

  • enable-nacm: enables or disables the IETF-NACM authentication function. After IETF-NACM authentication is enabled, every request is checked and only the requests allowed by the access control rules are executed. After IETF-NACM authentication is disabled, the HUAWEI-NACM authentication process applies instead.

  • read-default: sets the default permission to view configuration databases and notifications. If the value is permit, NETCONF databases and notification events can be viewed. If the value is undo permit, NETCONF databases and notification events cannot be viewed.
  • write-default: sets the default permission to modify configuration databases. If the value is permit, NETCONF databases can be modified. If the value is undo permit, NETCONF databases cannot be modified.
  • exec-default: sets the default execution permission for RPC operations. If the value is permit, NETCONF operations can be performed. If the value is undo permit, NETCONF operations cannot be performed.

Access control rule: there are five types of access control rule:

  • Module name: specifies the control rule for a YANG module, which is identified by its module name.

    For example, ietf-netconf.

  • Protocol operation: specifies the control rule for a protocol operation, which is identified by the RPC operation name defined in the YANG file.

    For example, <get> or <get-config>.

  • Data node: specifies the control rule for a data node, which is identified by the XPath defined in the YANG file.

    For example, /ietf-netconf-acm:nacm/ietf-netconf-acm:rule-list.

  • Notification: specifies the control rule for a notification event, which is identified by the alarm or event name defined in the YANG file.

    For example, hwCPUUtilizationRisingAlarm defined by huawei-sem.

  • Access control operation permission: specifies the control rule for an operation type performed on the objects of NACM authentication.

    For example, create, delete, read, update, or exec.

Implementation Principles

After a NETCONF session is established and the user passes authentication, the NETCONF server controls access based on the user name, the group name, and the NACM authentication rule list. Authentication rules are associated with users through the user group, so the administrator of a user group manages the permissions of all users in that group.

  • An IETF-NACM user is associated with an IETF-NACM user group. After IETF-NACM users are added to a user group, the users in the same user group have the same permissions.
  • An IETF-NACM user group is associated with an IETF-NACM authentication rule list.
  • An IETF-NACM authentication rule list is associated with IETF-NACM authentication rules.

    An IETF-NACM authentication rule list is a set of rules. Multiple authentication rules can be combined in one IETF-NACM authentication rule list, and the users associated with the list are subject to the rules in it.

IETF-NACM Authentication Process

Figure 3-6 shows the IETF-NACM authentication process.

Figure 3-6 IETF-NACM authentication process

When the user groups and authentication rule lists are traversed, if no group contains the user name carried in the request, or no rule matches the requested operation, the action taken depends on the content being authenticated. For details, see Table 3-6.

Table 3-6 Operations performed for different authenticated contents

Protocol operation:
  • If the RPC operation defined in the YANG file carries the nacm:default-deny-all statement, the RPC request is rejected.
  • If the requested operation is <kill-session> or <delete-config>, the RPC request is rejected.
  • Otherwise, the RPC request is executed if the user has the default execution permission for RPC operations, and rejected if not.

Data node:
  • If the definition of the data node carries the nacm:default-deny-all statement, neither read nor write operations are allowed on the node.
  • If the definition of the data node carries the nacm:default-deny-write statement, write operations are not allowed on the node.
  • Otherwise, a read operation is allowed if the user has the query permission, and rejected if not.
  • Otherwise, a write operation is allowed if the user has the configuration permission, and rejected if not.

Notification:
  • If the notification statement carries the nacm:default-deny-all statement, the notification cannot be reported.
  • Otherwise, the notification is reported if the user has the query permission, and discarded if not.
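The user-to-group-to-rule-list chain described under Implementation Principles, together with the default decisions of Table 3-6, as an added Python example that is not part of this document or of the CloudEngine software. The groups, rule lists, global defaults and the nodes marked default-deny-all/default-deny-write are constructed for illustration, the request shape is an assumption of this example, and the HUAWEI-NACM fallback used when enable-nacm is off is not modelled.

```python
WRITE_OPS = {"create", "update", "delete"}
# Global execution control (Table 3-5); every value in this example is constructed.
GLOBAL = {"enable-nacm": True, "read-default": "permit", "write-default": "deny", "exec-default": "permit"}
GROUPS = {"operators": {"alice"}, "auditors": {"carol"}}   # group -> member users
# Rule lists bind groups to ordered rules; the first rule that matches decides.
RULE_LISTS = [
    {"groups": {"operators"}, "rules": [
        {"rpc-name": "edit-config", "access": {"exec"}, "action": "permit"},
        {"path": "/ietf-netconf-acm:nacm", "access": {"read"}, "action": "deny"},
        {"module-name": "ietf-interfaces", "access": WRITE_OPS, "action": "permit"}]},
    {"groups": {"auditors"}, "rules": [
        {"notification-name": "hwCPUUtilizationRisingAlarm", "access": {"read"}, "action": "permit"}]},
]
# Names/paths marked nacm:default-deny-all or nacm:default-deny-write in the YANG files (constructed).
DENY_ALL = {"/ietf-netconf-acm:nacm"}
DENY_WRITE = {"/example:system/clock"}   # hypothetical node
def _under(path, node):   # a path rule covers the node and every descendant
    return path == node or path.startswith(node + "/")

def _matches(rule, req):   # every selector present on the rule must agree with the request
    for key, kind in (("rpc-name", "rpc"), ("notification-name", "notification")):
        if key in rule and (req["kind"], req["name"]) != (kind, rule[key]):
            return False
    if "module-name" in rule and rule["module-name"] != req.get("module"):
        return False
    if "path" in rule and not (req["kind"] == "data" and _under(req["name"], rule["path"])):
        return False
    return req["access"] in rule["access"]

def _default(req):   # no rule matched: YANG deny markers first, then global defaults (Table 3-6)
    kind, name, op = req["kind"], req["name"], req["access"]
    if kind == "rpc":
        return "deny" if name in DENY_ALL | {"kill-session", "delete-config"} else GLOBAL["exec-default"]
    if kind == "data":
        if any(_under(name, n) for n in DENY_ALL):
            return "deny"
        if op in WRITE_OPS:
            return "deny" if any(_under(name, n) for n in DENY_WRITE) else GLOBAL["write-default"]
        return GLOBAL["read-default"]
    return "deny" if name in DENY_ALL else GLOBAL["read-default"]   # notification

def authorize(user, req):   # req = {"kind": rpc|data|notification, "name", "access", "module"}
    if not GLOBAL["enable-nacm"]:
        return "permit"   # HUAWEI-NACM authorization would apply instead; not modelled here
    groups = {g for g, members in GROUPS.items() if user in members}
    for rl in RULE_LISTS:
        for rule in (rl["rules"] if rl["groups"] & groups else []):
            if _matches(rule, req):
                return rule["action"]
    return _default(req)
```

Note that a user outside every group, or a request no rule covers, falls through to the defaults, which is why the page requires read access to get/ietf-yang-library before a session can even be established.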
Updated: 2019-04-20

Document ID: EDOC1100075344