
Cisco CRS-1 Series XML Security


Specific security privileges are required for a client application requesting information from the Cisco CRS-1 Series Carrier Routing System (Cisco CRS-1 Series) router.


Note: The extensible markup language (XML) application programming interface (API) code is available for use on any Cisco platform that runs Cisco IOS XR software.


This chapter contains the following sections:

Authentication

Authorization

Retrieving Task Permissions

Task Privileges

Task Names

Authorization Failure

Authentication

User authentication through authentication, authorization, and accounting (AAA) is handled on the router by the transport-specific XML agent and is not exposed through the XML interface.

Authorization

Every operation request by a client application is authorized. If the client is not authorized to perform an operation, the operation is not performed by the Cisco CRS-1 Series router and an error is returned.

Authorization of client requests is handled through the standard AAA "task permissions" mechanism. The XML agent caches the AAA user credentials obtained when the user authenticates, and supplies those cached credentials to the XML infrastructure on the Cisco CRS-1 Series router for every request that client makes. As a result, no AAA information needs to be passed in the XML request from the client application; the credentials bound to the authenticated session are the only ones consulted.

Each object class in the schema has a task ID associated with it. A client application's capabilities and privileges in terms of task IDs are exposed by AAA through a show command. A client application can use the XML interface to retrieve the capabilities prior to sending configuration requests to the router.

A client application requesting an operation through the XML interface must have the appropriate task privileges enabled/assigned for any objects accessed in the operation:

<Get> operations require AAA "read" privileges.

<Set> and <Delete> operations require AAA "write" privileges.

The "configuration services" operations through configuration manager can also require the appropriate predefined task privileges.

If an operation requested by a client application fails authorization, an appropriate <Error> element is returned in the response sent to the client. For "native data" operations, the <Error> element is associated with the specific element or object classes where the authorization error occurred.

Retrieving Task Permissions

A client application's capabilities and privileges in terms of task permissions are exposed by AAA through command-line interface (CLI) show commands. A client application can also use the XML interface to programmatically retrieve the current AAA capabilities from the router. This retrieval is done by issuing the appropriate <Get> request to the <AAA> component.

The following example shows a request to retrieve all of the AAA configuration from the router:

Sample XML Request to Retrieve AAA Configuration Information

<?xml version="1.0" encoding="UTF-8"?>  
<Request MajorVersion="1" MinorVersion="0">
  <Get>
    <Configuration>
      <AAA MajorVersion="1" MinorVersion="0"/>
    </Configuration>
  </Get>
</Request>

Sample XML Response from the Cisco CRS-1 Series Router

<?xml version="1.0" encoding="UTF-8"?>
<Response MajorVersion="1" MinorVersion="0">
  <Get>
    <Configuration>
      <AAA MajorVersion="1" MinorVersion="0">
        .
        .
        .
         AAA configuration returned here
        .
        .
        .
      </AAA>
    </Configuration>
  </Get>
</Response>

Task Privileges

A client application requesting a native data operation through the XML interface must have the appropriate task privileges enabled/assigned for any items accessed in the operation, as follows:

<Get>, <GetNext>, and <GetVersionInfo> operations require AAA "read" privileges.

<Set> and <Delete> operations require AAA "write" privileges.

The "configuration services" operations through configuration manager can also require the appropriate predefined task privileges.

Task Names

Each object (that is, data item or table) exposed through the Cisco CRS-1 Series XML interface and accessible to the client application has one or more task names associated with it. The task names are published in the XML schema documents as <appinfo> annotations.

For example, the complex type definition for the top-level element in the Border Gateway Protocol (BGP) configuration schema contains the following annotation:

<xsd:appinfo>
  <MajorVersion>1</MajorVersion>
  <MinorVersion>0</MinorVersion>
  <TaskIdInfo TaskGrouping="Single">
    <TaskName>bgp</TaskName>
  </TaskIdInfo>
</xsd:appinfo>

Here is another example from a different component schema. This annotation includes a list of task names.

<xsd:appinfo>
  <MajorVersion>1</MajorVersion>
  <MinorVersion>0</MinorVersion>
  <TaskIdInfo TaskGrouping="And">
    <TaskName>ouni</TaskName>
    <TaskName>mpls-te</TaskName>
  </TaskIdInfo>
</xsd:appinfo>

The task names indicate what permissions are required to access the data below the object. In this example, the task names "ouni" and "mpls-te" have been specified for the object. These task names apply to the object and are inherited by all of the object's descendants in the schema, unless a descendant has task names of its own, in which case the descendant (and all of its descendants) assumes the more specific task names, overriding those of the ancestor. In short, an object assumes the task names of the closest ancestor (or itself) for which task names are specified in the schema.

The TaskGrouping attribute specifies the logical relationship between the task names when more than one is specified for an object. With And, the user must hold the required privilege on every listed task: for a client application to issue a <Get> request for the object containing the annotation shown in the example, the corresponding AAA user credentials must have "read" permission for both the "ouni" and "mpls-te" tasks. With Or, holding the required privilege on any one of the listed tasks is sufficient. Single is used when only one task name is specified for the object.
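The closest-ancestor rule and the TaskGrouping evaluation described above can be made concrete. The following Python is an example added here; it is not Cisco code and not part of the original document. It parses a constructed schema fragment that uses the <appinfo>/<TaskIdInfo> annotation format shown above, resolves the effective task names for every object path, and applies the read/write requirement from the Task Privileges section (<Get>, <GetNext>, <GetVersionInfo> need "read"; <Set>, <Delete> need "write"). The schema layout, the task names other than bgp, ouni and mpls-te, and the user credentials are constructed for the example, and treating a path with no task name at all as denied (fail closed) is an assumption of this example rather than documented router behaviour.

```python
import xml.etree.ElementTree as ET

XSD = "http://www.w3.org/2001/XMLSchema"

# Constructed schema fragment for this example (not a Cisco-published schema).
# Task names follow the page's examples (bgp; ouni + mpls-te); "ipv4", "logging"
# and "monitor" are used here only to exercise the And and Or groupings.
SCHEMA = """<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:element name="Configuration">
    <xsd:complexType><xsd:sequence>
      <xsd:element name="BGP">
        <xsd:annotation><xsd:appinfo>
          <MajorVersion>1</MajorVersion><MinorVersion>0</MinorVersion>
          <TaskIdInfo TaskGrouping="Single"><TaskName>bgp</TaskName></TaskIdInfo>
        </xsd:appinfo></xsd:annotation>
        <xsd:complexType><xsd:sequence>
          <xsd:element name="Global"/>
          <xsd:element name="Neighbor">
            <xsd:annotation><xsd:appinfo>
              <TaskIdInfo TaskGrouping="And">
                <TaskName>bgp</TaskName><TaskName>ipv4</TaskName>
              </TaskIdInfo>
            </xsd:appinfo></xsd:annotation>
          </xsd:element>
        </xsd:sequence></xsd:complexType>
      </xsd:element>
      <xsd:element name="OUNI">
        <xsd:annotation><xsd:appinfo>
          <TaskIdInfo TaskGrouping="And">
            <TaskName>ouni</TaskName><TaskName>mpls-te</TaskName>
          </TaskIdInfo>
        </xsd:appinfo></xsd:annotation>
        <xsd:complexType><xsd:sequence>
          <xsd:element name="Interface"/>
        </xsd:sequence></xsd:complexType>
      </xsd:element>
      <xsd:element name="Logging">
        <xsd:annotation><xsd:appinfo>
          <TaskIdInfo TaskGrouping="Or">
            <TaskName>logging</TaskName><TaskName>monitor</TaskName>
          </TaskIdInfo>
        </xsd:appinfo></xsd:annotation>
      </xsd:element>
    </xsd:sequence></xsd:complexType>
  </xsd:element>
</xsd:schema>"""

READ_OPS = {"Get", "GetNext", "GetVersionInfo"}   # require AAA "read"
WRITE_OPS = {"Set", "Delete"}                      # require AAA "write"


def _xsd(tag):
    return f"{{{XSD}}}{tag}"


def task_info(element):
    """(TaskGrouping, [task names]) from an element's <appinfo>, or None if unannotated."""
    info = element.find(f"{_xsd('annotation')}/{_xsd('appinfo')}/TaskIdInfo")
    if info is None:
        return None
    return info.get("TaskGrouping", "Single"), [t.text.strip() for t in info.findall("TaskName")]


def child_elements(element):
    """Direct child xsd:element nodes, looking through complexType/sequence wrappers."""
    found = []
    def scan(node):
        for child in node:
            if child.tag == _xsd("element"):
                found.append(child)      # do not descend: nested elements belong to the child
            else:
                scan(child)
    scan(element)
    return found


def effective_tasks(schema_xml):
    """Map every schema path to the TaskIdInfo of the closest annotated ancestor-or-self."""
    table = {}
    def walk(element, path, inherited):
        current = task_info(element) or inherited   # own annotation overrides the ancestor's
        table[path] = current
        for child in child_elements(element):
            walk(child, f"{path}/{child.get('name')}", current)
    for top in child_elements(ET.fromstring(schema_xml)):
        walk(top, top.get("name"), None)
    return table


def authorized(perms, task_table, path, operation):
    """Apply the And/Or/Single rule for one operation on one object path."""
    if operation in READ_OPS:
        needed = "read"
    elif operation in WRITE_OPS:
        needed = "write"
    else:
        raise ValueError(f"unknown operation {operation}")
    info = task_table.get(path)
    if info is None:
        return False   # no task name anywhere on the path: fail closed (assumption of this example)
    grouping, names = info
    checks = [needed in perms.get(name, set()) for name in names]
    return any(checks) if grouping == "Or" else all(checks)   # "And" and "Single" need every task


# Constructed user credentials: task name -> privileges granted by AAA
USER = {"bgp": {"read", "write"}, "ouni": {"read"}, "monitor": {"read"}}

if __name__ == "__main__":
    table = effective_tasks(SCHEMA)
    for path, op in [("Configuration/BGP/Global", "Set"),
                     ("Configuration/OUNI/Interface", "Get"),
                     ("Configuration/Logging", "Get")]:
        print(f"{op:3} {path:30} {table[path]} -> {authorized(USER, table, path, op)}")
```

Note how Global and Interface carry no annotation of their own and take the task names of BGP and OUNI respectively, and how the user with only "ouni" read permission is refused a <Get> on OUNI/Interface because the And grouping also demands "mpls-te".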

Authorization Failure

If an operation requested by a client application fails authorization, an appropriate <Error> element is returned in the response sent to the client. For "native data" operations, the <Error> element is associated with the specific element or object where the authorization error occurred.

If a client application issues a <Get> request to retrieve all data below a container object, and subsections of that data require permissions that the user does not have, an error is not returned. Instead, those subsections are silently omitted from the <Get> response. A client application therefore cannot treat an error-free <Get> response as proof that it has seen the complete configuration below the container; where completeness matters, the application should verify its task permissions (see Retrieving Task Permissions) rather than rely on the absence of an <Error> element.
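The two response shapes described in this section, an <Error> placed at the object for a directly targeted operation versus silent omission of unauthorized subsections of a container <Get>, are modelled by the following Python. It is an example added here, not Cisco code and not part of the original document. The configuration data, the table mapping each object to its guarding task name (TaskGrouping Single only, with unlisted objects inheriting the closest ancestor's task name as the Task Names section describes), the user credentials and the wording of the <Error> text are all constructed for the example; the real agent's error message text is not specified on this page.

```python
import xml.etree.ElementTree as ET

# Constructed: task name guarding each configuration object. Objects with no entry
# inherit the closest ancestor's task name; the top-level container has none.
REQUIRED_TASK = {"BGP": "bgp", "OUNI": "ouni", "Logging": "logging"}

# Constructed router configuration, standing in for the data the XML agent would read.
STORE = ("<Configuration>"
         "<BGP><AS>65000</AS></BGP>"
         "<OUNI><Interface>tunnel0</Interface></OUNI>"
         "<Logging><Level>debugging</Level></Logging>"
         "</Configuration>")


def can(perms, task, privilege):
    """True if the cached credentials grant `privilege` on `task`; no task name means no grant."""
    return task is not None and privilege in perms.get(task, set())


def prune(element, perms, inherited_task):
    """Copy a subtree, silently dropping children the user cannot read (no <Error> emitted)."""
    task = REQUIRED_TASK.get(element.tag, inherited_task)
    copy = ET.Element(element.tag, element.attrib)
    copy.text = (element.text or "").strip() or None
    for child in element:
        child_task = REQUIRED_TASK.get(child.tag, task)
        if child_task is not None and not can(perms, child_task, "read"):
            continue                      # subsection omitted from the response, no error
        copy.append(prune(child, perms, task))
    return copy


def get_response(perms, store_xml=STORE):
    """<Get> of a whole container: unauthorized subsections vanish, everything else is returned."""
    response = ET.Element("Response", MajorVersion="1", MinorVersion="0")
    ET.SubElement(response, "Get").append(prune(ET.fromstring(store_xml), perms, None))
    return ET.tostring(response, encoding="unicode")


def set_response(perms, object_path):
    """<Set> of one object: an <Error> is attached at that object if the user lacks 'write'."""
    response = ET.Element("Response", MajorVersion="1", MinorVersion="0")
    node, task = ET.SubElement(response, "Set"), None
    for tag in object_path.split("/"):
        node = ET.SubElement(node, tag)
        task = REQUIRED_TASK.get(tag, task)   # closest-ancestor rule along the request path
    if not can(perms, task, "write"):
        # Error wording is a placeholder for this example; the agent's real text is not given here.
        ET.SubElement(node, "Error").text = f"authorization failed: 'write' on task '{task}' required"
    return ET.tostring(response, encoding="unicode")


# Constructed credentials: may read and write BGP, may only read Logging, nothing on OUNI
USER = {"bgp": {"read", "write"}, "logging": {"read"}}

if __name__ == "__main__":
    print(get_response(USER))                                  # OUNI absent, no <Error>
    print(set_response(USER, "Configuration/BGP/AS"))          # no <Error>
    print(set_response(USER, "Configuration/Logging/Level"))   # <Error> under <Level>
```

The container <Get> for this user returns BGP and Logging and simply has no <OUNI> element, which is exactly the response a user who had full access to a router with no OUNI configuration would also receive.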



Posted: Sun Nov 7 12:53:53 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.