commit e6ecb9bc9fd274b836d625823ecbab1a2efd9af2
author Václav Kubernát <kubernat@cesnet.cz> Tue Feb 09 20:53:44 2021 +0100
committer Václav Kubernát <kubernat@cesnet.cz> Thu Feb 18 18:18:20 2021 +0100
tree 2454e5627eae235d99cd2d247bcf74409abade13
parent 0dde5049ee6c49a34f47dbdc483182383bae00f5

Add NACM rules

NACM completely bypasses sysrepo permissions, so some rules need to be
set up. Now that the default shell for non-root users is netconf-cli, we
can completely forget about the sysrepo permissions, and only focus on
NACM. The default configuration for everyone is to allow reading and
disallow writing of everything. This patch changes this to allow root to
do anything and also allow the dwdm user to manipulate a subset of
installed modules.

Change-Id: Ifbb18957ba8a692b4a34ba37dba666b60819a2e6

package/cla-sysrepo/cla-appliance.service.in

diff --git a/package/cla-sysrepo/cla-appliance.service.in b/package/cla-sysrepo/cla-appliance.service.in
index 2cf20b0..8263bc8 100644
--- a/package/cla-sysrepo/cla-appliance.service.in
+++ b/package/cla-sysrepo/cla-appliance.service.in
@@ -1,9 +1,9 @@
 [Unit]
 Description=CzechLight __MODEL__ driver
-After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service
+After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 Before=rauc-mark-good.service velia-hardware-g1.service velia-hardware-g2.service
 PartOf=netopeer2.service
-Requires=czechlight-install-yang.service cfg-restore-sysrepo.service
+Requires=czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 StartLimitIntervalSec=0
 ConditionKernelCommandLine=|czechlight=__MODEL__
 ConditionKernelCommandLine=|czechlight=__MODEL__-g2