czechlight-cfg-fs: add NACM rules for anonymous access
Depends-On: https://gerrit.cesnet.cz/c/CzechLight/dependencies/+/6373
Change-Id: Ifd7f4f9f4ff5d184a6459d3c98aa2602cbe53d5f
diff --git a/package/czechlight-cfg-fs/czechlight-migration-list.sh b/package/czechlight-cfg-fs/czechlight-migration-list.sh
index 7f8517c..7ceb7b9 100644
--- a/package/czechlight-cfg-fs/czechlight-migration-list.sh
+++ b/package/czechlight-cfg-fs/czechlight-migration-list.sh
@@ -3,4 +3,5 @@
'0002_default_startup_configuration_for_ietf-interfaces.sh'
'0003_shelve_alarms.sh'
'0004_nacm.sh'
+ '0005_nacm_anonymous_user.sh'
)
diff --git a/package/czechlight-cfg-fs/migrations/0005_nacm_anonymous_user.json b/package/czechlight-cfg-fs/migrations/0005_nacm_anonymous_user.json
new file mode 100644
index 0000000..b370ba7
--- /dev/null
+++ b/package/czechlight-cfg-fs/migrations/0005_nacm_anonymous_user.json
@@ -0,0 +1,114 @@
+{
+ "ietf-netconf-acm:nacm": {
+ "rule-list": [
+ {
+ "@": {
+ "yang:insert": "first"
+ },
+ "name": "Permit yangnobody user/group to read only some modules",
+ "group": [
+ "yangnobody"
+ ],
+ "rule": [
+ {
+ "name": "czechlight-roadm-device",
+ "module-name": "czechlight-roadm-device",
+ "action": "permit",
+ "access-operations": "read"
+ },
+ {
+ "name": "czechlight-inline-amp",
+ "module-name": "czechlight-inline-amp",
+ "action": "permit",
+ "access-operations": "read"
+ },
+ {
+ "name": "czechlight-coherent-add-drop",
+ "module-name": "czechlight-coherent-add-drop",
+ "action": "permit",
+ "access-operations": "read"
+ },
+ {
+ "name": "ietf-yang-library",
+ "module-name": "ietf-yang-library",
+ "action": "permit",
+ "access-operations": "read"
+ },
+ {
+ "name": "ietf-hardware",
+ "module-name": "ietf-hardware",
+ "action": "permit",
+ "access-operations": "read"
+ },
+ {
+ "name": "ietf-interfaces",
+ "module-name": "ietf-interfaces",
+ "action": "permit",
+ "access-operations": "read"
+ },
+ {
+ "name": "ietf-system: contact",
+ "module-name": "ietf-system",
+ "action": "permit",
+ "path": "/ietf-system:system/contact",
+ "access-operations": "read"
+ },
+ {
+ "name": "ietf-system: hostname",
+ "module-name": "ietf-system",
+ "action": "permit",
+ "path": "/ietf-system:system/hostname",
+ "access-operations": "read"
+ },
+ {
+ "name": "ietf-system: location",
+ "module-name": "ietf-system",
+ "action": "permit",
+ "path": "/ietf-system:system/location",
+ "access-operations": "read"
+ },
+ {
+ "name": "ietf-system: clock",
+ "module-name": "ietf-system",
+ "action": "permit",
+ "path": "/ietf-system:system/clock",
+ "access-operations": "read"
+ },
+ {
+ "name": "ietf-system: system-state",
+ "module-name": "ietf-system",
+ "action": "permit",
+ "path": "/ietf-system:system-state",
+ "access-operations": "read"
+ },
+ {
+ "name": "czechlight-lldp",
+ "module-name": "czechlight-lldp",
+ "action": "permit",
+ "access-operations": "read"
+ },
+ {
+ "name": "czechlight-system:firmware",
+ "module-name": "czechlight-system",
+ "path": "/czechlight-system:firmware",
+ "action": "permit",
+ "access-operations": "read"
+ },
+ {
+ "name": "czechlight-system:leds",
+ "module-name": "czechlight-system",
+ "path": "/czechlight-system:leds",
+ "action": "permit",
+ "access-operations": "read"
+ },
+ {
+ "name": "wildcard-deny",
+ "module-name": "*",
+ "action": "deny",
+ "access-operations": "*"
+ }
+ ]
+ }
+ ]
+ }
+}
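Review bot: The trailing `wildcard-deny` rule (`"module-name": "*"`, `"access-operations": "*"`) also matches the exec of every RPC for the `yangnobody` group, and RFC 8341 §3.4.4 exempts only `<close-session>` from rule evaluation, so if anonymous access is ever served over NETCONF rather than a data-level read path, `<get>`/`<get-config>` would be refused before the per-module read permits are consulted; worth confirming against the access path the Depends-On change introduces. Separately, the module-wide `read` permits on `ietf-interfaces` and `ietf-hardware` expose every config and state leaf of those modules to the presumably unauthenticated group, whereas the `ietf-system` rules deliberately select subtrees with `path`; if whole-module exposure is intended, a `path` per subtree would record that decision the same way. As a point of style, the `czechlight-system` rules put `path` before `action` while the `ietf-system` rules put it after `action`; key order is insignificant to the parser, but one ordering across all rules makes the list easier to audit.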
diff --git a/package/czechlight-cfg-fs/migrations/0005_nacm_anonymous_user.sh b/package/czechlight-cfg-fs/migrations/0005_nacm_anonymous_user.sh
new file mode 100644
index 0000000..0e45c05
--- /dev/null
+++ b/package/czechlight-cfg-fs/migrations/0005_nacm_anonymous_user.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Introduce rules for NACM anonymous access user
+# ----------------------------------------------
+# Adds rules for the anonymous user access to the front of the ietf-netconf-acm:nacm/rule-list.
+
+sysrepocfg --datastore=startup --format=json --module=ietf-netconf-acm --edit="${MIGRATIONS_DIRECTORY}/0005_nacm_anonymous_user.json"