Dedicated user for APIs

NIRO-7 (Level 1)

Good morning everyone,

I am currently trying to dig into an API approach on a 9800-CL, to create guest users through the API.

I tried with my admin user and everything works correctly; the customer is satisfied with the first tries and we are going deeper in this direction.

But I would like to use a dedicated account to send API requests to the 9800, for example "API-User".

I thought of a custom privilege level account, 10 for example, to which I'll grant access to a certain set of commands.

I tried to log in through the CLI and it works fine, but when I use Postman I get a 403 Forbidden error, and if I use a privilege 15 account, it works.

Fun fact: when I try a GET request with Postman, it says Access Denied, but the logs on the WLC say: DMI-5-AUTH_PASSED: Chassis 1 R0/0: dmiauthd: User 'API' authenticated successfully from 192.168.69.8:0 and was authorized for rest over http. External groups: PRIV10

In the Programmability Configuration Guide, chapter 13, this statement is made: "Upon enabling the NETCONF and/or RESTCONF services, a device that has no prior configuration of the /nacm subtree will deny read, write, and execute access to all operations and data other than the users of privilege level 15."

Therefore, I was wondering if it was possible to edit the NACM configuration so that privilege level 10 users could access operations through the API.

Has anyone faced the same issue?

I hope that I explained it clearly and that it's not impossible.

Thank you for your help.

Have a nice day.
Nicolas.


Marcel Zehnder (Spotlight)

"Therefore, I was wondering if it was possible to edit the NACM configuration that could allow privilege level 10 users to access operations through API."

Yes, it should be possible to edit NACM accordingly. Level 10 users map to the NACM group name "PRIV10". You'll find configuration examples in the Model Based AAA chapter of the guide: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/176/b_176_programmability_cg/m_176_prog_model_based_aaa.html

Thanks Marcel, indeed I saw this, but I don't know how to configure the NACM subtree. Do you know how it's done?

You can edit the rule-list via NETCONF edit-config (with merge).
The default NACM config looks like this:

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <read-default>deny</read-default>
  <write-default>deny</write-default>
  <exec-default>deny</exec-default>
  <enable-external-groups>true</enable-external-groups>
  <rule-list>
    <name>admin</name>
    <group>PRIV15</group>
    <rule>
      <name>permit-all</name>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>

To add full access for users with privilege level 10, you need to send the following config to the device via NETCONF:

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <rule-list xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="merge">
    <name>priv10-access</name>
    <group>PRIV10</group>
    <rule>
      <name>permit-all</name>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>

This will result in this new NACM configuration:

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <rule-list>
    <name>admin</name>
    <group>PRIV15</group>
    <rule>
      <name>permit-all</name>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
  <rule-list>
    <name>priv10-access</name>
    <group>PRIV10</group>
    <rule>
      <name>permit-all</name>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>

For your use case you probably want to limit the priv 10 access to a certain module (whichever one is needed to create the guest user):

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <rule-list xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="merge">
    <name>priv10-access</name>
    <group>PRIV10</group>
    <rule>
      <name>permit-all</name>
      <module-name>NAME-OF-MODULE</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>

HTH
Marcel

Thanks, that sounds promising.

Though how do you push your code? Through Postman? But I don't know what URL to use to PUT or even just GET.

I set the application to XML but Postman sends me back 400 Bad Request.

I didn't find any documentation regarding editing NACM settings, do you have any?

Regards,

Nicolas

Marcel Zehnder (Spotlight)

My example is a NETCONF payload; a handy tool to deal with NETCONF is yangsuite (https://github.com/CiscoDevNet/yangsuite).

However, if you're more familiar with RESTCONF, you can post the payload using Postman:

URL: https://{{YOUR-XE-DEVICE}}/restconf/data/ietf-netconf-acm:nacm/rule-list
Method: PATCH
Headers: Content-Type: application/yang-data+json, Accept: application/yang-data+json
Payload (Body):

{
    "rule-list": [
        {
            "name": "priv10-access",
            "group": [
                "PRIV10"
            ],
            "rule": [
                {
                    "name": "permit-all",
                    "module-name": "*",
                    "access-operations": "*",
                    "action": "permit"
                }
            ]
        }
    ]
}

HTH

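As an added example (not code from the thread or from Cisco), the following Python assembles the RESTCONF PATCH described above without sending it. The point it shows is that the JSON body of a plain PATCH is keyed by the target resource (RFC 8040 section 4.6.1): the same rule-list is sent bare as "rule-list" when the URL ends in /nacm/rule-list, but must be wrapped in "ietf-netconf-acm:nacm" when the URL ends in /nacm. Host name and credentials are placeholders; since the default NACM quoted in this thread only grants write access to PRIV15, the account used for this request has to be a privilege 15 one.

```python
"""Build (but do not send) the RESTCONF PATCH that adds an NACM rule-list.

Added example, not from the original thread or from Cisco. Host, credentials
and the rule-list content are constructed; requests are returned unsent.
"""
import base64
import json
import urllib.request

YANG_JSON = "application/yang-data+json"
NACM_URL = "/restconf/data/ietf-netconf-acm:nacm"


def nacm_rule_list(name, group, rules):
    """One ietf-netconf-acm rule-list entry; `rules` are dicts shaped like the YANG list."""
    return {"name": name, "group": [group], "rule": rules}


def restconf_patch(host, user, password, rule_list, target="rule-list"):
    """Return an unsent urllib Request for PATCH on one of two NACM targets.

    target="rule-list": URL ends in /nacm/rule-list, body {"rule-list": [...]}
    target="nacm":      URL ends in /nacm, body {"ietf-netconf-acm:nacm": {"rule-list": [...]}}
    The body is always the representation of the resource named by the URL.
    """
    base = f"https://{host}{NACM_URL}"
    if target == "rule-list":
        url, body = base + "/rule-list", {"rule-list": [rule_list]}
    elif target == "nacm":
        url, body = base, {"ietf-netconf-acm:nacm": {"rule-list": [rule_list]}}
    else:
        raise ValueError(f"unknown target {target!r}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Content-Type": YANG_JSON, "Accept": YANG_JSON,
               "Authorization": f"Basic {token}"}
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=headers, method="PATCH")


def decoded_body(req):
    """JSON body of a prepared request, for inspection before sending."""
    return json.loads(req.data)


# Constructed rule-list: PRIV10 may touch only the username path of the native model.
EXAMPLE_RULE_LIST = nacm_rule_list(
    "priv10-access-userconfig", "PRIV10",
    [{"name": "permit-all-userconfig", "module-name": "Cisco-IOS-XE-native",
      "path": "/ios:native/ios:username", "access-operations": "*", "action": "permit"}],
)

if __name__ == "__main__":
    # "admin" stands for whichever privilege-15 account is allowed to edit NACM.
    req = restconf_patch("wlc.example.net", "admin", "secret", EXAMPLE_RULE_LIST)
    print(req.get_method(), req.full_url)
    print(json.dumps(decoded_body(req), indent=2))
```

To actually apply it, pass the request to urllib.request.urlopen (with a TLS context that trusts the controller's certificate); sending the "rule-list" body to the /nacm URL, or the wrapped body to /nacm/rule-list, is a malformed message for the server.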

That's exactly what I needed. I'm not at ease with APIs and development, but I'd like to know if Cisco has a guide for configuring this, or if it's because you're used to doing DevNet?

Thanks a lot, I did the PATCH with Postman and it works just fine.

I think now I will tweak my Privilege 10 account!

jcohoe (Cisco Employee)

Yes, use the NETCONF/RESTCONF or gNMI API to edit the NACM module as discussed above.

There are also two CLIs you can use to populate a read-only example and specify the privilege level (in your example priv 10; in my example I use priv 1).

Config Guide:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/176/b_176_programmability_cg/m_176_prog_model_based_aaa.html

CLI to populate NACM with read-only rules:

request platform software yang-management nacm populate-read-rules privilege 1

CLI to reset NACM:

request platform software yang-management nacm reset-config

Jeremy

I did find this, but I needed to get write access for my Priv 10 account.

What is complicated is knowing what URL to use in Postman to do the desired thing on the WLC.

NIRO-7 (Level 1)

Hello again,

I come back because, while trying to limit actions for my Priv10 account, I found that it works fine in the CLI, but with the NACM settings set as previously said it's a permit-all, which means that my PRIV10 account has the same rights as a PRIV15, so there is no point in creating a PRIV10.

I tried to put this conf with a patch:

{
    "rule-list": [
        {
            "name": "priv10-access",
            "group": [
                "PRIV10"
            ],
            "rule": [
                {
                    "name": "permit-user-name",
                    "module-name": "user-name",
                    "access-operations": "*",
                    "action": "permit"
                }
            ]
        }
    ]
}

But I got this in return:

"error-message": "missing element: nacm in /nacm:nacm",
"error-path": "/ietf-netconf-acm:nacm",
"error-tag": "malformed-message",

I am reading this RFC https://datatracker.ietf.org/doc/html/rfc8341#appendix-A.2 but I feel like I can't do what I'm aiming to do.

Does Cisco have documentation about the modules and access-operations that we can edit?

Because I feel like I'm looking for something that's impossible.

With your DevNet and Cisco experience, do you think that it's possible?

Thanks for your help

Regards,

Nicolas

Hi, you need to specify the module and path for the priv10 access in this case. So, to give priv 10 users access only to the username path of the XE native module, you would need something like this:

{
    "rule-list": [
        {
            "name": "priv10-access-userconfig",
            "group": [
                "PRIV10"
            ],
            "rule": [
                {
                    "name": "permit-all-userconfig",
                    "module-name": "Cisco-IOS-XE-native",
                    "path": "/ios:native/ios:username",
                    "access-operations": "*",
                    "action": "permit"
                }
            ]
        }
    ]
}

HTH
Marcel
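The two rule-lists posted above (the module-name "*" permit-all and the one scoped to Cisco-IOS-XE-native and /ios:native/ios:username) behave very differently, and the reason is easiest to see by evaluating them. The following Python is an added example, not code from the thread or from Cisco: it models RFC 8341 data-node access decisions over the default NACM quoted earlier (PRIV15 permit-all, read/write default deny) plus a PRIV10 rule-list, and walks constructed requests through it for both groups. One simplification is assumed: a rule with a "path" covers the named node and everything below it. The node paths and probe operations are constructed; nothing is sent to a device.

```python
"""Minimal model of NACM (RFC 8341) data-node access decisions.

Added example, not code from the thread or from Cisco. It evaluates the default
IOS-XE NACM quoted above plus a PRIV10 rule-list, showing why a module-name "*"
rule makes PRIV10 equal to PRIV15 (NACM itself included) and what a rule scoped
to module and path permits instead. Assumption: a 'path' rule covers the named
node and its descendants. Node paths are constructed; nothing is sent anywhere.
"""
from dataclasses import dataclass, field
from typing import List, Optional

READ, CREATE, UPDATE = "read", "create", "update"


def within_path(rule_path: str, node_path: str) -> bool:
    """Segment-wise prefix test: '/ios:native/ios:username' covers
    '/ios:native/ios:username/ios:name' but not '/ios:native/ios:username-x'."""
    r = [s for s in rule_path.split("/") if s]
    n = [s for s in node_path.split("/") if s]
    return n[:len(r)] == r


@dataclass
class Rule:
    name: str
    module_name: str = "*"        # "*" matches every YANG module
    path: Optional[str] = None    # None: any node of the module
    access_operations: str = "*"  # "*" or space-separated ops, as in the YANG leaf
    action: str = "permit"        # "permit" or "deny"

    def matches(self, module: str, path: str, op: str) -> bool:
        if self.module_name not in ("*", module):
            return False
        if self.path is not None and not within_path(self.path, path):
            return False
        return self.access_operations == "*" or op in self.access_operations.split()


@dataclass
class RuleList:
    name: str
    group: List[str]
    rule: List[Rule] = field(default_factory=list)


@dataclass
class Nacm:
    enable_nacm: bool = True
    read_default: str = "deny"
    write_default: str = "deny"
    rule_list: List[RuleList] = field(default_factory=list)

    def decide(self, groups, module, path, op) -> str:
        """'permit' or 'deny': rule-lists in order, first matching rule wins,
        otherwise the read/write default (RFC 8341 section 3.4.5)."""
        if not self.enable_nacm:
            return "permit"
        for rl in self.rule_list:
            if "*" not in rl.group and not set(rl.group) & set(groups):
                continue
            for rule in rl.rule:
                if rule.matches(module, path, op):
                    return rule.action
        return self.read_default if op == READ else self.write_default


def default_nacm() -> Nacm:
    """The default NACM quoted in the thread: only PRIV15 has a permit-all rule."""
    return Nacm(rule_list=[RuleList("admin", ["PRIV15"], [Rule("permit-all")])])


# The two PRIV10 rule-lists posted in the thread, as constructed objects.
PRIV10_PERMIT_ALL = RuleList("priv10-access", ["PRIV10"], [Rule("permit-all")])
PRIV10_USERNAME_ONLY = RuleList(
    "priv10-access-userconfig", ["PRIV10"],
    [Rule("permit-all-userconfig", "Cisco-IOS-XE-native", "/ios:native/ios:username")],
)

# Constructed probes: (module, node path, operation).
PROBES = [
    ("Cisco-IOS-XE-native", "/ios:native/ios:username", CREATE),
    ("Cisco-IOS-XE-native", "/ios:native/ios:username", READ),
    ("Cisco-IOS-XE-native", "/ios:native/ios:interface", UPDATE),
    ("ietf-netconf-acm", "/nacm:nacm/nacm:rule-list", UPDATE),
]


def compare(extra: RuleList) -> dict:
    """Map each probe to (PRIV15 decision, PRIV10 decision) after merging `extra`."""
    nacm = default_nacm()
    nacm.rule_list.append(extra)  # what the merge/PATCH adds on the device
    return {p: (nacm.decide(["PRIV15"], *p), nacm.decide(["PRIV10"], *p)) for p in PROBES}


if __name__ == "__main__":
    for title, rl in (("permit-all", PRIV10_PERMIT_ALL), ("username only", PRIV10_USERNAME_ONLY)):
        print(f"== PRIV10 rule-list: {title} ==")
        for (mod, path, op), (p15, p10) in compare(rl).items():
            print(f"{op:6} {path:32} PRIV15={p15:7} PRIV10={p10}")
```

With the permit-all rule-list every probe is permitted for PRIV10, including updates to /nacm:nacm/nacm:rule-list, so a PRIV10 API account could rewrite the very access rules that constrain it. With the scoped rule-list PRIV10 can create and read under /ios:native/ios:username but falls through to the deny defaults for interfaces and for NACM. Two things to weigh when scoping: rule-lists are evaluated in the order they are configured and the first matching rule decides, and the username entries in Cisco-IOS-XE-native carry each local account's privilege level, so write access to that subtree is still a powerful grant.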

Thanks for the code, but where did you find the module-name and the associated path? This is what I have been looking for for the last 2 days...

Is there a difference between username and user-name?

Marcel Zehnder (Spotlight)

I use https://yangcatalog.org/yang-search/module_details or yangsuite (https://github.com/CiscoDevNet/yangsuite) for this.

Not exactly sure what the difference is, but for your guest-user case you most probably need the user-name path.

Thanks, I was using Yang Suite too, but I was not looking in the right module/repository.

Could you recommend a guide to understand the structure and where to find the items I need?

I went down a wrong path and was trying to edit the NACM table.

Well, finding the right module is always a bit tricky. Some hints:

Regarding Cisco IOS configuration: Cisco-IOS-XE-native is the module of choice in 90% of cases. For operational data, search for the domain plus the -oper suffix (for example, if you're interested in BGP operational data, there is a model "Cisco-IOS-XE-bgp-oper"). Also, using Yangsuite, you can use the search-xpath function (Protocols --> NETCONF --> Select Module --> YANG tree --> Search xPath).
I'm not aware of a complete list of all modules with descriptions besides the GitHub repo (https://github.com/YangModels/yang/tree/main/vendor/cisco).

It takes some time to get familiar with the modules, but Yangsuite is definitely your friend.