What are Module Tags?

  • Module tags are strings that are used to select a set of YANG modules.
  • They allow administrators to simplify access to YANG-based content by mapping module names to module tags.
  • This work is being standardized in the NETMOD WG in the IETF as YANG Module Tags.

How Does netconfd-pro Support Module Tags?

  • The server allows module tags to be configured statically with CLI or configuration file parameters.
    (Dynamic configuration via a YANG module is pending a stable IETF draft).
  • The set of module name to module tag mappings can be retrieved with an RPC operation.
  • A "module tag filter" can be specified for the <get> and <get-config> operations
  • A "module tag rule" can be configured in NACM access control rules
  • The server does not enforce the strict syntax for module tags found in the IETF YANG module

Configuring Module Tags

The --with-modtags parameter is used to enable or disable the module tags feature:

with-modtags true

The YANG definition for the with-modtags parameter:

      leaf with-modtags {
          "If set to 'true', then the module tags feature will be
           enabled. Otherwise, this feature will be disabled.
           If disabled, the module-tagmap parameter will be ignored
           and the ietf-module-tags module will not be loaded.";
        type boolean;
        default true;

The --module-tagmap parameter is used to configure a module name to module tag mapping.

The following example configured 3 module-tags:

  • netconf (contains ietf-netconf-monitoring)
  • restconf (contains ietf-restconf-monitoring)
  • test (contains test, test1, and test2)

module-tagmap ietf-netconf-monitoring@netconf
module-tagmap ietf-restconf-monitoring@restconf
module-tagmap test@test
module-tagmap test1@test
module-tagmap test2@test

The YANG definition for the module-tagmap parameter:

      leaf-list module-tagmap {
          "Specifies a module tag mapping for use in module tags registry.
           The format is <modname>@<tag-string>.
        type string;

Retrieving the Module Tag Mappings

The <get-module-tags> operation provides the list of module tag mappings configured on the server.

This operation is defined in the module yumaworks-system.


<rpc message-id="2"
 <get-module-tags xmlns="http://yumaworks.com/ns/yumaworks-system"/>


<rpc-reply message-id="2"
 <module-tag xmlns="http://yumaworks.com/ns/yumaworks-system">
 <module-tag xmlns="http://yumaworks.com/ns/yumaworks-system">
 <module-tag xmlns="http://yumaworks.com/ns/yumaworks-system">

Retrieving YANG Content Filtered by Module Tags

  • A --module-tag parameter has been added to the <get> and <get-config> operations.
  • This parameter allows YANG data to be retrieved only if it matches the YANG module(s) that are mapped to the specified module tag.
  • It is not an error to provide an unknown module tag. The server will skip unknown module tags.

In this example, the "restconf" module tag is used as a filter:


<rpc message-id="4"
  <module-tag xmlns="http://yumaworks.com/ns/yumaworks-system">restconf</module-tag>


<rpc-reply message-id="4"
 ncx:last-modified="2018-05-25T00:21:39Z" ncx:etag="3843"
  <restconf-state xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf-monitoring">
     <description>default RESTCONF event stream</description>

The YANG definition for the module-tag parameter:

      leaf-list module-tag {
        type string {
          length "1 .. 1023";
          "Include only data nodes that match the module-tag.

           Multiple module-tag parameters are combined as a
           logical OR expression. Matching any tag value will
           cause the data node to be included.

           It is not an error to include an unknown module-tag.
           Such tag values will simply be treated as a 'false'
           match result, when evaluating the filter.

           If any module-tag parameters are provided at all,
           and there are no matches found, then no data will be
           returned in the response.";

Configuring NACM Access Control Rules with Module Tags

  • The module-tag parameter can be used within the NACM "rule" list
  • The "module-tags" case is added to the "rule-type" choice
  • The module tags select all content from the mapped modules, and can apply to all types of NACM rules

In this example, a rule is configured to allow the "test" group all access to the module tag "test":

This will allow all access to the modules named "test", "test1", and "test2".

 <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <comment>allow full access to test modules</comment>
     <module-tag xmlns="http://yumaworks.com/ns/yumaworks-system">test</module-tag>