Netgate Discussion Forum
    RESTCONF & NACM, which modules are needed for RESTCONF access?

    Category: TNSR. Tags: restconf, nacm, netgate-acl

    meatprofit:

      Tried to give netgate-acl access for a single user via NACM, RESTCONF login does not work. Which additional modules are needed to enable RESTCONF login but restrict the modules? I don't want to add the user to the admin group. I tried the "netgate-restconf-cli" too, but that does not work.

      Here is an example that does not work:

      nacm rule-list api-acl
        group api-acl
        rule netgate-acl
          module netgate-acl
          access-operations *
          action permit
        exit
        rule netgate-restconf-cli
          module netgate-restconf-cli
          access-operations *
          action permit
        exit
      exit

      Derelict (Netgate):

        What do you need to know that is not covered here:

        https://docs.netgate.com/tnsr/en/latest/nacm/index.html

        And here:

        https://docs.netgate.com/tnsr/en/latest/restconf/index.html

        ??

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        meatprofit (@Derelict):

          @Derelict Ah, just the simple “how can I create a NACM user that can log in via RESTCONF but has access only to certain modules, and which modules are needed for the RESTCONF login to work”, because it seems that to be able to log in to RESTCONF the user needs to be an admin and needs access to all modules. That’s why I asked which modules are needed for the RESTCONF login to work. My above example shows exactly what I mean and what you configure in TNSR for that purpose, but the user can’t log in via RESTCONF; it only works if I add the user to the admin group. And your documentation lists no module requirements for RESTCONF to work. Neither does it say anywhere that it’s even possible to have a restricted user log in via RESTCONF.

          Or, simply put: I have a user that has access only to the module "netgate-acl"; how can this user still log in via RESTCONF?

          This does not work; the user can't log in via RESTCONF.

          nacm rule-list api-acl
            group api-acl
            rule netgate-acl
              module netgate-acl
              access-operations *
              action permit
            exit
            rule netgate-restconf-cli
              module netgate-restconf-cli
              access-operations *
              action permit
            exit
          exit
          
          Derelict (Netgate) (@meatprofit):

            @meatprofit

            Where is the rest of the nacm configuration?

            And the restconf configuration?

            What, specifically, are you doing to access? Testing with curl? Something else? What exactly is happening?


            meatprofit (@Derelict):

              @Derelict

              Not that these lines would matter:

              auth user api-acl
                password ************
              exit
              
              nacm group api-acl
                member api-acl
              exit
              

              nor these:

              restconf
               enable true
               server host *.*.*.* 443 true
               global authentication-type user
               global server-ca-cert-path restconf-CA
               global server-certificate restconf
               global server-key restconf
              exit
              

              and I wrote already that RESTCONF shows access denied. How much easier do I have to phrase my question? How hard is it to grasp the concept of a user that needs to login via restconf but has only access to the acl module? What more do you need? It's all default on a test instance, nothing is configured, and I wrote restconf access works when I grant access to all modules but that invalidates everything within nacm.

              meatprofit (@Derelict):

                @Derelict So I guess not even Netgate knows how to have a user log in via RESTCONF while having access only to the acl module?

                kiokoman (@meatprofit):

                  @meatprofit
                  global authentication-type user
                  Users can be authenticated against any source supported by PAM modules in the operating system.
                  Once authenticated, the username is processed through NACM to determine group access privileges for the RESTCONF API.
                  So if the answer is "access denied" when you try to log in, it's PAM that's rejecting it and not NACM? Did you try global authentication-type client-certificate?

                  ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                  Please do not use chat/PM to ask for help
                  we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                  Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                  meatprofit (@kiokoman):

                    @kiokoman Thanks for your reply. Sadly no, I can log in (SSH) with the api-acl user just fine, so PAM is not prohibiting the access. RESTCONF is. I’m still convinced that only users with all permissions can log in via RESTCONF and a user that has limited privileges can’t, but @Derelict neither confirms nor denies this.

                    Here is an example output. As you can see, I can log in via SSH, but can't access the module I have all privileges for:

                    # login as restconf-test
                    TNSR01 tnsr# conf
                    TNSR01 tnsr(config)# show acl
                    tnsr_cli_get: Failed to retrieve /ngacl:acl-state/ngacl:acl-table
                    Dec 13 10:08:59: Query failure: application access-denied default deny
                    TNSR01 tnsr(config)# show int
                    tnsr_cli_get: Failed to retrieve /ngif:interfaces-state/ngif:interface
                    Dec 13 10:09:00: Query failure: application access-denied default deny
                    TNSR01 tnsr(config)#
                    
                    
                    # show nacm as tnsr
                    NACM
                    ====
                    NACM Enable: true
                    Default Read policy : deny
                    Default Write policy: deny
                    Default Exec policy : deny
                    
                    Group: admin
                    --------------------
                        root
                        tnsr
                    
                    
                    Group: restconf-test
                    --------------------
                        restconf-test
                    
                    Rule List: admin-rules
                    --------------------------
                    Groups:
                        admin
                    
                    Name            Action Op Module               Type
                    --------------- ------ -- -------------------- ----
                    permit-all      permit *  *
                    
                    
                    Rule List: restconf-test
                    --------------------------
                    Groups:
                        restconf-test
                    
                    Name            Action Op Module               Type
                    --------------- ------ -- -------------------- ----
                    netgate-acl     permit *  netgate-acl
                    netgate-restconf-cli permit *  netgate-restconf-cli
                    

                    It seems you need exec permission on all modules to even be able to log in via RESTCONF. This works; all other modules are not accessible.

                    nacm rule-list api-acl-rules
                      group api-acl
                      rule exec
                        module *
                        access-operations exec
                        action permit
                      exit
                      rule netgate-acl
                        module netgate-acl
                        access-operations *
                        action permit
                      exit
                    exit
                    
                    meatprofit:

                      Full solution for anyone else:

                      pki generate-restconf-certs
                      
                      restconf
                       enable true
                       server host *.*.*.* 443 true
                       global authentication-type user
                       global server-ca-cert-path restconf-CA
                       global server-certificate restconf
                       global server-key restconf
                      exit
                      
                      auth user api-acl
                        password *************
                      exit
                      
                      nacm group api-acl
                        member api-acl
                      exit
                      
                      nacm rule-list api-acl-rules
                        group api-acl
                        rule exec
                          module *
                          access-operations exec
                          action permit
                        exit
                        rule netgate-acl
                          module netgate-acl
                          access-operations *
                          action permit
                        exit
                      exit
                      
                      kiokoman (@meatprofit):

                        @meatprofit
                        There is an interesting section starting here that explains the access control model:

                        https://datatracker.ietf.org/doc/html/rfc8341#section-3

                        As an example, if an action is defined as
                        /interfaces/interface/reset-interface, the group must be authorized
                        to (1) read /interfaces and /interfaces/interface and (2) execute on
                        /interfaces/interface/reset-interface.

                        [image attachment: screenshot of the RFC 8341 section]

                        Glad you have solved it anyway.

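To make the behaviour meatprofit observed concrete, here is an added example (not TNSR's code, and not from anyone in this thread) that models NACM rule evaluation the way RFC 8341 describes it: rule-lists are selected by group membership, rules are tried in order with the first match winning, and an unmatched request falls back to the separate read, write and exec default policies (all "deny" in the `show nacm` output above). The two rule-lists from the thread are encoded as data. The module name "netgate-interface" is an assumed stand-in for "a module other than netgate-acl"; the sample requests are constructed. With the original rule-list, an exec request on any other module falls through to the default deny; with the final rule-list, the `module * / access-operations exec / permit` rule matches, while a read on that other module is still denied, which is the "all other modules are not accessible" outcome and also kiokoman's point from the RFC that read and exec are authorized independently.

```python
"""Toy NACM (RFC 8341) rule evaluator, module-level rules only.

Added illustration, not TNSR's implementation. Models group membership,
ordered first-match rule processing and per-operation default policies.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    module: str             # YANG module name, or "*" for any module
    access_operations: set  # subset of {"create","read","update","delete","exec"} or {"*"}
    action: str             # "permit" or "deny"


@dataclass
class RuleList:
    name: str
    groups: set             # group names this rule-list applies to, or {"*"}
    rules: list             # Rule objects, evaluated in order


@dataclass
class Nacm:
    groups: dict            # group name -> set of usernames
    rule_lists: list        # RuleList objects, evaluated in order
    read_default: str = "deny"   # defaults as shown by `show nacm` in the thread
    write_default: str = "deny"
    exec_default: str = "deny"

    def groups_of(self, user):
        return {g for g, members in self.groups.items() if user in members}

    def decide(self, user, module, operation):
        """Return 'permit' or 'deny' for one (module, operation) request."""
        user_groups = self.groups_of(user)
        for rl in self.rule_lists:
            # A rule-list applies only if the user belongs to one of its groups.
            if "*" not in rl.groups and not (rl.groups & user_groups):
                continue
            for rule in rl.rules:
                if rule.module not in ("*", module):
                    continue
                if "*" not in rule.access_operations and operation not in rule.access_operations:
                    continue
                return rule.action  # first matching rule wins
        # No rule matched: fall back to the default policy for this operation.
        if operation == "read":
            return self.read_default
        if operation == "exec":
            return self.exec_default
        return self.write_default   # create / update / delete


# Groups and the admin rule-list exactly as listed by `show nacm` in the thread.
GROUPS = {"admin": {"root", "tnsr"}, "api-acl": {"api-acl"}}
ADMIN_RULES = RuleList("admin-rules", {"admin"}, [Rule("permit-all", "*", {"*"}, "permit")])


def failing_config():
    """The first rule-list from the thread: netgate-acl and netgate-restconf-cli only."""
    api = RuleList("api-acl", {"api-acl"}, [
        Rule("netgate-acl", "netgate-acl", {"*"}, "permit"),
        Rule("netgate-restconf-cli", "netgate-restconf-cli", {"*"}, "permit"),
    ])
    return Nacm(GROUPS, [ADMIN_RULES, api])


def working_config():
    """The final rule-list: exec on every module, full access to netgate-acl only."""
    api = RuleList("api-acl-rules", {"api-acl"}, [
        Rule("exec", "*", {"exec"}, "permit"),
        Rule("netgate-acl", "netgate-acl", {"*"}, "permit"),
    ])
    return Nacm(GROUPS, [ADMIN_RULES, api])


# Constructed sample requests; "netgate-interface" is an assumed module name
# standing in for "some module other than netgate-acl".
REQUESTS = [
    ("netgate-acl", "read"),
    ("netgate-acl", "update"),
    ("netgate-interface", "exec"),
    ("netgate-interface", "read"),
]


def evaluate(nacm, user, requests=REQUESTS):
    """Map each (module, operation) request to the NACM decision for `user`."""
    return {req: nacm.decide(user, *req) for req in requests}


if __name__ == "__main__":
    for label, cfg in (("failing", failing_config()), ("working", working_config())):
        print(f"--- {label} rule-list, user api-acl ---")
        for (module, op), verdict in evaluate(cfg, "api-acl").items():
            print(f"{module:20} {op:7} {verdict}")
```

Running it prints "deny" for `netgate-interface exec` under the first rule-list and "permit" under the final one, while `netgate-interface read` stays "deny" in both; users in the admin group hit `permit-all` for everything. The model is deliberately module-granular: RFC 8341 also supports path-based and RPC-specific rules, which this toy does not implement.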
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.