One day, this might become a RESTCONF server on top of sysrepo. Before that happens, it will, hopefully, be a small HTTP wrapper around sysrepo which publishes some data in a RESTCONF format.
Since this service only talks cleartext HTTP/2, it's recommended to run it behind a reverse proxy.
Rousette implements RFC 8341 (NACM). The access rights for users (and groups) are configurable via the ietf-netconf-acm YANG model.
The reverse proxy must pass the authorization header as-is and delegate authentication/authorization to the RESTCONF server. The server currently supports two authentication/authorization methods:
authorization header, which is checked against the system's PAM configuration
When the request does not contain the authorization header, and anonymous access is enabled (see below), the server will perform extra safety checks. When certain conditions are met, the anonymous access will be mapped to a NACM account named in the ANONYMOUS_USER CMake option. Such a user must be in the group ANONYMOUS_USER_GROUP (CMake option) and there must be some specific access rights set up in the ietf-netconf-acm model (these are currently very opinionated for our use-case):
rule-list list must be configured for ANONYMOUS_USER_GROUP.
The anonymous user access is disabled whenever these rules are not met.
sd-journal
pam_matrix and pam_wrapper for PAM mocking
The standard way of building rousette looks like this:
    mkdir build
    cd build
    cmake ..
    make
    make install
The development is being done on Gerrit here. Instructions on how to submit patches can be found here. GitHub Pull Requests are not used.