JetConf is an implementation of the RESTCONF protocol for remote management of network devices and services.
YANG 1.1 data modelling language is also fully supported.
JetConf is written in Python 3 language and available as open source software under the terms of the GNU GPLv3 license.
Requirements and Restrictions
JetConf is a compliant RESTCONF implementation supporting all mandatory features.
Although it is written in Python, it should be fast enough to support large configuration databases with moderate rate of changes. A typical use can may be an authoritative TLD name server in which JetConf covers both server management and domain provisioning.
JetConf supports only the JSON data encoding, i.e. media types with
+json structured syntax suffix, such as
JetConf supports only HTTP/2 transport. Entity tags (ETag headers) can be generated for all data resources, whereas timestamps (Last-Modified headers) are supported for all container-like resources, i.e. not for individual leaf and leaf-list instances.
JetConf uses Yangson library, which is responsible for storage, validation and manipulation with YANG data. This library utilizes an in-memory persistent structure called "Zipper" where the YANG data are kept in.
JetConf also provides an option to serialize data into
file on each commit, which ensures that all configuration data will
be persistent among server startups.
Additionally, the datastore can have an access control module associated with it. If so, every read/write operation will be verified with this ACM.
The current version of JetConf implements NACM (RFC6536) access control system, which enables to specify fine-grained access permissions to particular data resources. However, some limitations may apply, because NACM does not have official support for RESTCONF yet, i.e. there can be potential problems with HTTP caching etc.
The NACM data can only be edited by privileged users (see JetConf Server Configuration).
In the future, it is also possible to implement another kinds of ACM, i.e. a simple r/o and r/w user list.
Dependencies on external Python packages, i.e. those that are not part of Python 3 standard library should be kept to a reasonable minimum. The initial version depends on following packages:
- Yangson – YANG 1.1 library (see below).
- Hyper-h2 – Python 3 library implementing HTTP/2,
- colorlog, pyaml, pytz - Available via PyPI
Yangson is a Python library that offers programmers tools for working with configuration and other data modelled with YANG 1.1.
Yangson also supports only the JSON data encoding as defined in RFC 7951.
The Yangson package comprises the following Python modules:
datamodel: This module defines the DataModel class that is designed as the main entry point to the library. It allows for composing a data model based on YANG library.
schema: This module defines a class hierarchy representing YANG schema nodes and their properties.
datatype: This module defines a class hierarchy representing YANG built-in and derived types.
instance: This module defines several classes that implement data instances as persistent structures.
statement: This module defines the Statement class that represents a generic YANG statement.
modparser: This module implements a parser for YANG modules and submodules.
context: This module defines the Context class that represents the context of the current YANG data model – YANG modules and submodules with their revision, namespaces of the (sub)modules, and the mapping of namespace prefixes to modules and revisions. This context is shared and accessed by several other Yangson modules. Only one instance of the Context class may exist at the same time.
typealiases: This module defines a number of Python type aliases that can be used in type hints.
constants: This module defines various constants that are used in other modules – base exception class, compiled regular expressions, and enumeration classes.
JetConf Server Configuration
The JetConf server needs some start-up configuration. See JetConf config wiki page for details.
The client opens a secure TLS connection.
The client is authenticated via a client certificate. The certificate of the CA that issued the client certificate needs to be specified in the configuration file. The e-mail field obtained from the client certificate is henceforth used as the user name, in particular for access control. If the client cannot be authenicated, for example because his certificate has expired or because it was not issued by correct CA, the connection is terminated.
The server waits for an incoming client request.
A received request is parsed and handed over to the appropriate component. If the media type specified is not supported (in particular, is not
415 Unsupported Media Typeis sent, If the message is otherwise invalid,
400 Bad Requestis sent.
The NACM data is queried to determine which groups the user is a member of.
Depending on the type of the request (read, write or RPC operation invocation) and the Request-URI, the required permissions are determined, and the NACM database is checked to verify that the user posseses all of them. If not,
403 Forbiddenis sent.
If the request is an RPC operation, it is invoked and an appropriate reply or error message generated.
If the request is a read operation, the corresponding data are retrieved from the datastore and formatted into a reply, or an error status code is returned.
If the request is a write operation, the changes are applied using a persistent structure API (so that the original unmodified configuration remains available). The new configration is passed to the Yangson library for validation. If the validation succeeds, the new configuration is written to non-volatile memory, and passed to server instrumentation that applies the necessary changes. An appropriate response or error code is generated and sent.
After finishing one of the steps 7, 8 or 9, the server returns to step 3.
- rest_server: a module providing the HTTP/2 and user authentication functionality for REST operations,
- http_handlers: handlers connecting HTTP requests to datastore operations,
- data: datastore implementation,
- nacm: basic NACM implementation,
- config: a module for reading and parsing the config file,
- helpers: static helper classes shared across modules,
- op_internal: implementation of JetConf internal RPCs,
- errors: definition of exceptions used in JetConf.