Configure rbac.xml
Location
This file is located in /etc/ensuite/yencap/rbac.xml
Description
This file contains the access control policy of YencaP. It relies on the Role-Based Access Control (RBAC) model which defines the following components:
- Users: each user has at least an id, a login, and a password and/or a public key
- Roles: a role has an id, a name and a set of junior roles from which it inherits permissions
- Permissions: a permission has an id, a set of operations (r and w for read and write) and a scope expressed as an XPath expression
- User-to-Role assignments: specify the roles a user holds
- Permission-to-Role assignments: specify the permissions granted to a role
The assignments above reference the RBAC components by their ids. It is important to declare the namespace prefixes at the beginning of the file so that the XPath expressions in permission scopes can use them, which makes the scopes easier to read and write. The following figure shows a very simple role hierarchy. Network_Admin is senior to BGP_Admin and RIP_Admin. This means that Network_Admin automatically inherits all the permissions of its junior roles, BGP_Admin and RIP_Admin.
The following XML code is a sample of an access control policy, instantiating the previously described components:
<?xml version="1.0" encoding="UTF-8"?>
<rbac xmlns="urn:loria:madynes:ensuite:yencap:module:RBAC:1.0"
      xmlns:ycp="urn:loria:madynes:ensuite:yencap:1.0"
      xmlns:ifs="urn:loria:madynes:ensuite:yencap:module:Interfaces:1.0"
      xmlns:bgp="urn:loria:madynes:ensuite:yencap:module:BGP:1.0"
      xmlns:ac="urn:loria:madynes:ensuite:yencap:module:RBAC:1.0"
      xmlns:rt="urn:loria:madynes:ensuite:yencap:module:Route:1.0"
      xmlns:s="urn:loria:madynes:ensuite:yencap:module:System:1.0">
  <!-- Note: the rip: and voip: prefixes used in the scopes below are not declared
       on this element; every prefix used in a scope XPath must be declared here. -->
  <users>
    <user id="13">
      <login>cridligv</login>
      <password>a</password>
      <firstname>Vincent</firstname>
      <lastname>Cridlig</lastname>
      <room>B213</room>
    </user>
    <user id="14">
      <login>alice</login>
      <password>b</password>
      <firstname>Alice</firstname>
      <lastname>Blub</lastname>
      <room>B213</room>
    </user>
    <user id="15">
      <login>netconf</login>
      <password>netconf</password>
      <public-key keytype="rsa">AAAAB3NzaC1yc2EAAAABIwAAAIEAqSmp0ibI/kvv92aVz8A40GZA8hXomqcuwn9adOnuT5Sms9yaXwa2dFErOe6aghK550PvlSMNrMFw0caM2erD3xDM5B8XxQ7+RMZL6mSUndBN8/yIU3T/Ep4PLlL8wZ3B6SyfGbqVUj4v+taX7RtzupSpblQbP0CDbc350RfDJ6M=</public-key>
      <room>B213</room>
    </user>
  </users>
  <roles>
    <role id="1">
      <name>bgpAdmin</name>
    </role>
    <role id="2">
      <name>ripAdmin</name>
    </role>
    <role id="3">
      <name>routingAdmin</name>
      <!-- routingAdmin inherits every permission of bgpAdmin (1) and ripAdmin (2) -->
      <junior-roles>
        <junior-role roleRef="1"/>
        <junior-role roleRef="2"/>
      </junior-roles>
    </role>
    <role id="4">
      <name>guestAdmin</name>
      <junior-roles/>
    </role>
    <role id="5">
      <name>securityAdmin</name>
    </role>
    <role id="6">
      <name>voipAdmin</name>
    </role>
  </roles>
  <permissions>
    <permission id="1" op="rw">
      <scope>/ycp:netconf/ycp:security/ac:rbac/ac:permissions/ac:permission[@id='5']</scope>
    </permission>
    <permission id="2" op="rw">
      <scope>/ycp:netconf/ycp:network/ifs:interfaces</scope>
    </permission>
    <permission id="3" op="rw">
      <scope>/ycp:netconf/ycp:routing/bgp:bgp</scope>
    </permission>
    <permission id="4" op="rw">
      <scope>/ycp:netconf/s:system</scope>
    </permission>
    <permission id="5" op="rw">
      <scope>//voip:asterisk</scope>
    </permission>
    <permission id="6" op="r">
      <scope>/ycp:netconf/ycp:security/ac:rbac</scope>
    </permission>
    <permission id="9" op="rw">
      <scope>/ycp:netconf/ycp:routing/rip:rip</scope>
    </permission>
  </permissions>
  <user-assignements>
    <!-- Vincent (user 13) is assigned to bgpAdmin (role 1): -->
    <user-assignement roleRef="1" userRef="13" id="1"/>
    <!-- Alice (user 14) is assigned to ripAdmin (role 2): -->
    <user-assignement roleRef="2" userRef="14" id="2"/>
    <!-- … -->
  </user-assignements>
  <permission-assignements>
    <!-- bgpAdmin (role 1) can read and write bgp configuration (permission 3): -->
    <permission-assignement roleRef="1" permRef="3" id="1"/>
    <!-- ripAdmin (role 2) can read and write rip configuration (permission 9): -->
    <permission-assignement roleRef="2" permRef="9" id="2"/>
    <!-- securityAdmin (role 5) can edit permission 5 and read the whole RBAC policy: -->
    <permission-assignement roleRef="5" permRef="1" id="3"/>
    <permission-assignement roleRef="5" permRef="6" id="4"/>
    <!-- voipAdmin (role 6) can read and write any voip:asterisk subtree: -->
    <permission-assignement roleRef="6" permRef="5" id="5"/>
  </permission-assignements>
</rbac>
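Because routingAdmin silently inherits everything its junior roles can do, it is worth auditing what a user actually ends up with before deploying a policy. The script below is an added example written for this page, not part of YencaP: it parses an rbac.xml of the shape shown above, resolves junior-role inheritance transitively, reports the effective permissions of a user, answers "may this user do op on this node?", and lists scope prefixes that are used but never declared on the root element. The policy embedded in it is constructed for the demo (it mirrors the sample above but adds users bob and carol, and deliberately leaves the rip: prefix undeclared), and the containment rule in scope_covers() is a simplifying assumption (a scope covers a node if the node is the scope or lies beneath it), not YencaP's own XPath evaluation.

```python
"""Audit a YencaP-style rbac.xml: role inheritance, effective rights, undeclared prefixes.

Added example, not YencaP code. The policy below is constructed for the demo and
scope_covers() uses a simplified prefix-containment rule (an assumption).
"""
import re
import xml.etree.ElementTree as ET
from io import BytesIO

RBAC_NS = "urn:loria:madynes:ensuite:yencap:module:RBAC:1.0"

# Constructed sample: same layout as the documented file; 'rip' is left undeclared on purpose.
SAMPLE_POLICY = f"""<?xml version="1.0" encoding="UTF-8"?>
<rbac xmlns="{RBAC_NS}" xmlns:ycp="urn:loria:madynes:ensuite:yencap:1.0"
      xmlns:bgp="urn:loria:madynes:ensuite:yencap:module:BGP:1.0" xmlns:ac="{RBAC_NS}">
  <users>
    <user id="13"><login>cridligv</login><password>a</password></user>
    <user id="14"><login>alice</login><password>b</password></user>
    <user id="16"><login>bob</login><password>c</password></user>
    <user id="17"><login>carol</login><password>d</password></user>
  </users>
  <roles>
    <role id="1"><name>bgpAdmin</name></role>
    <role id="2"><name>ripAdmin</name></role>
    <role id="3"><name>routingAdmin</name>
      <junior-roles><junior-role roleRef="1"/><junior-role roleRef="2"/></junior-roles>
    </role>
    <role id="5"><name>securityAdmin</name></role>
  </roles>
  <permissions>
    <permission id="3" op="rw"><scope>/ycp:netconf/ycp:routing/bgp:bgp</scope></permission>
    <permission id="6" op="r"><scope>/ycp:netconf/ycp:security/ac:rbac</scope></permission>
    <permission id="9" op="rw"><scope>/ycp:netconf/ycp:routing/rip:rip</scope></permission>
  </permissions>
  <user-assignements>
    <user-assignement roleRef="1" userRef="13" id="1"/>
    <user-assignement roleRef="2" userRef="14" id="2"/>
    <user-assignement roleRef="3" userRef="16" id="3"/>
    <user-assignement roleRef="5" userRef="17" id="4"/>
  </user-assignements>
  <permission-assignements>
    <permission-assignement roleRef="1" permRef="3" id="1"/>
    <permission-assignement roleRef="2" permRef="9" id="2"/>
    <permission-assignement roleRef="5" permRef="6" id="3"/>
  </permission-assignements>
</rbac>
"""


def _q(tag):
    """Clark-notation tag in the RBAC namespace (the file's default namespace)."""
    return f"{{{RBAC_NS}}}{tag}"


def _as_bytes(xml):
    return xml.encode("utf-8") if isinstance(xml, str) else xml


def load_policy(xml):
    """Index users, junior-role edges, permissions and both assignment tables by id."""
    root = ET.fromstring(_as_bytes(xml))
    users = {u.get("id"): u.findtext(_q("login")) for u in root.iter(_q("user"))}
    juniors = {r.get("id"): [j.get("roleRef") for j in r.iter(_q("junior-role"))]
               for r in root.iter(_q("role"))}
    perms = {p.get("id"): (p.get("op"), p.findtext(_q("scope")))
             for p in root.iter(_q("permission"))}
    user_roles, role_perms = {}, {}
    for ua in root.iter(_q("user-assignement")):  # element names keep the file's spelling
        user_roles.setdefault(users[ua.get("userRef")], set()).add(ua.get("roleRef"))
    for pa in root.iter(_q("permission-assignement")):
        role_perms.setdefault(pa.get("roleRef"), set()).add(pa.get("permRef"))
    return {"juniors": juniors, "perms": perms, "user_roles": user_roles, "role_perms": role_perms}


def effective_roles(policy, role_id):
    """The role plus every junior role reachable from it (cycle-safe)."""
    seen, stack = set(), [role_id]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(policy["juniors"].get(r, []))
    return seen


def effective_permissions(policy, login):
    """Set of (op, scope) tuples a user holds through all assigned and inherited roles."""
    return {policy["perms"][pid]
            for role in policy["user_roles"].get(login, ())
            for r in effective_roles(policy, role)
            for pid in policy["role_perms"].get(r, ())}


def scope_covers(scope, xpath):
    """Assumed containment rule: the node is the scope or beneath it; '//x' matches any x step."""
    if scope.startswith("//"):
        return re.search(rf"/{re.escape(scope[2:])}(?:/|$)", xpath) is not None
    return xpath == scope or xpath.startswith(scope + "/")


def is_allowed(policy, login, op, xpath):
    """True if some effective permission grants op ('r' or 'w') on the target node."""
    return any(op in perm_op and scope_covers(scope, xpath)
               for perm_op, scope in effective_permissions(policy, login))


def undeclared_prefixes(xml):
    """Prefixes used in <scope> XPaths that no xmlns:* declaration in the file defines."""
    declared, used = set(), set()
    for event, payload in ET.iterparse(BytesIO(_as_bytes(xml)), events=("start-ns", "end")):
        if event == "start-ns":
            declared.add(payload[0])
        elif payload.tag == _q("scope") and payload.text:
            used.update(re.findall(r"(?<![\w:])([A-Za-z_][\w.-]*):(?=[A-Za-z_*])", payload.text))
    return used - declared


if __name__ == "__main__":
    pol = load_policy(SAMPLE_POLICY)
    for login in sorted(pol["user_roles"]):
        print(login, sorted(effective_permissions(pol, login)))
    print("undeclared prefixes:", undeclared_prefixes(SAMPLE_POLICY))
```

Running it on the constructed policy shows bob (routingAdmin) holding both the BGP and RIP permissions without either being assigned to his role directly, carol limited to read access under ac:rbac, and rip reported as an undeclared prefix; point load_policy() at /etc/ensuite/yencap/rbac.xml to review a real policy the same way.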