
How to enable tls-user to change model

Open mpet opened this issue 4 years ago • 3 comments

Hi,

I am successfully logging in to netopeer2 using TLS:

2021-08-27 15:09:48,702 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: LN: Accepted a connection on 0.0.0.0:6513.
2021-08-27 15:09:48,703 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: SR: Session 9 (user "root") created.
2021-08-27 15:09:48,704 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: SR: Session 10 (user "root") created.
2021-08-27 15:09:48,704 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: SR: Session 11 (user "root") created.
2021-08-27 15:09:48,714 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: LN: Cert verify: depth 1.
2021-08-27 15:09:48,715 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: LN: Cert verify: subject: /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.
2021-08-27 15:09:48,715 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: LN: Cert verify: issuer:  /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.
2021-08-27 15:09:48,716 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: LN: Cert verify CTN: entry with a matching fingerprint found.
2021-08-27 15:09:48,716 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: LN: Cert verify CTN: new client username recognized as "tls-test".
2021-08-27 15:09:48,716 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: LN: Cert verify: depth 0.
2021-08-27 15:09:48,717 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: LN: Cert verify: subject: /C=CZ/ST=South Moravia/O=CESNET/OU=TMC/CN=example client/emailAddress=exampleclient@localhost.
2021-08-27 15:09:48,717 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: LN: Cert verify: issuer:  /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.

Then I try to change a parameter in the model to get a notification event similar to the one I got with SSH (see below).

<notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
  <eventTime>2021-08-27T08:41:57Z</eventTime>
  <netconf-config-change xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications">
    <changed-by>
      <username/>
      <session-id>2</session-id>
    </changed-by>
    <datastore>running</datastore>
    <edit>
      <target xmlns:ncs="urn:ietf:params:xml:ns:yang:ietf-netconf-server">/ncs:netconf-server/ncs:call-home</target>
      <operation>create</operation>
    </edit>

However, I get a problem when trying to do an editConfig; I get the following message:

2021-08-27 15:09:48,754 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: SR: Session 12 (user "root") created.
2021-08-27 15:09:48,754 (Netconf.java:25) DEBUG : Created Netconf instance for Netconf1.0
2021-08-27 15:09:48,754 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: SR: Published event "notif" "ietf-netconf-notifications" with ID 1 priority 0 for 1 subscribers.
2021-08-27 15:09:48,755 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: NP: Generated new event (netconf-session-start).
2021-08-27 15:09:48,755 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: SR: Processing "notif" "ietf-netconf-notifications" event with ID 1.
2021-08-27 15:09:48,755 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: SR: Successful processing of "notif" event with ID 1 priority 0 (remaining 0 subscribers).
2021-08-27 15:09:48,769 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: LY: Resolving unresolved data nodes and their constraints...
2021-08-27 15:09:48,769 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: LY: All data nodes and constraints resolved.
2021-08-27 15:09:48,769 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: LY: Resolving unresolved data nodes and their constraints...
2021-08-27 15:09:48,769 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: LY: All data nodes and constraints resolved.
2021-08-27 15:09:48,770 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: SR: Published event "rpc" "/ietf-netconf:edit-config" with ID 4 priority 0 for 1 subscribers.
2021-08-27 15:09:48,770 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: SR: Processing "/ietf-netconf:edit-config" "rpc" event with ID 4 priority 0 (remaining 1 subscribers).
2021-08-27 15:09:48,770 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: NP: edit-config error-option "stop-on-error" not supported, rollback-on-error will be performed.
**2021-08-27 15:09:48,771 (Slf4jLogConsumer.java:71)  INFO : STDERR: [ERR]: SR: Access to the data model "ietf-netconf-server" is denied because "tls-test" NACM authorization failed.**
2021-08-27 15:09:48,771 (Slf4jLogConsumer.java:71)  INFO : STDERR: [INF]: SR: Failed processing of "rpc" event with ID 4 priority 0 (remaining 1 subscribers).
2021-08-27 15:09:48,771 (Slf4jLogConsumer.java:71)  INFO : STDERR: [ERR]: SR: Access to the data model "ietf-netconf-server" is denied because "tls-test" NACM authorization failed.

How can I allow changes in the model for tls-test? Or is there another way to generate notifications for tls-test?

br,

//mike

mpet avatar Aug 27 '21 13:08 mpet

It is a feature and has nothing to do with TLS, more in README.

michalvasko avatar Aug 27 '21 13:08 michalvasko

I am not sure what you mean, since logging in using TLS gives me the user "tls-test". If I want to do something with the model when I have a TLS connection, how can I do it?

//mike

mpet avatar Aug 27 '21 13:08 mpet

I do not know why I have to explain it more. The error is quite clear, NACM blocks the access for your user, which is expected and mentioned in the README that I referenced. To allow access for the user, change NACM configuration accordingly or disable it, several ways of fixing this.

michalvasko avatar Aug 27 '21 13:08 michalvasko
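As an added illustration of the "change NACM configuration accordingly" route (this is example configuration written for this page, not something posted in the thread or shipped by netopeer2), the fragment below is an ietf-netconf-acm (RFC 8341) configuration that puts the cert-to-name user "tls-test" into a group and grants that group write access to the one module the log shows being denied, "ietf-netconf-server". The group and rule names are assumptions chosen for readability; the user name and module name come from the log lines above. It has to be applied from a session that NACM already permits to edit /nacm (for example the SSH session the poster used), because a session running as "tls-test" is denied the change for the same reason the edit-config was denied.

```xml
<!-- Example edit-config payload for the running datastore: merge a NACM
     group and rule-list that permit user "tls-test" to modify the
     ietf-netconf-server module. Added example, not from the issue thread. -->
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <default-operation>merge</default-operation>
    <config>
      <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
        <!-- keep NACM enabled; only the rule below is added -->
        <enable-nacm>true</enable-nacm>

        <groups>
          <group>
            <!-- group name is an assumption for this example -->
            <name>tls-operators</name>
            <!-- user name as reported by the cert-to-name lookup in the log -->
            <user-name>tls-test</user-name>
          </group>
        </groups>

        <rule-list>
          <!-- rule-list name is an assumption for this example -->
          <name>tls-operators-rules</name>
          <group>tls-operators</group>
          <rule>
            <name>permit-netconf-server-config</name>
            <!-- scope the grant to the module the log shows being denied -->
            <module-name>ietf-netconf-server</module-name>
            <access-operations>create read update delete</access-operations>
            <action>permit</action>
            <comment>Allow TLS-authenticated operators to edit the NETCONF server config.</comment>
          </rule>
        </rule-list>
      </nacm>
    </config>
  </edit-config>
</rpc>
```

The grant is deliberately limited to one module and to the four data-access operations; anything not matched by this rule still falls through to NACM's default-deny for writes, so other users and other modules are unaffected. The other option mentioned in the reply, setting `<enable-nacm>false</enable-nacm>`, removes the check for every session and every module at once, which is fine for a lab but is not what you want on a device that other clients can reach.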