On Wed, 04 Jun 2003 14:33:48 -0700, Andy Bierman <abierman@cisco.com> said:
Andy> So what's so complex about reads? The authorization model?
Andy> IMO, the authorization model amounts to a set of tuples:
Andy> { user, operations-allowed, element-subtree }.
Andy> Read operations amount to 1 more bit in the operations-allowed field.
[aside: I agree with Juergen that "filter" would be a better word than
"element-subtree"].
Authorization should probably be able to select stuff on more
information than that. Specifically, you're designing a protocol that
is expected to run over multiple transports each with their own notion
of how security is performed.
Waitasecond.1) you probably want to build operational policy based on how the data
is being transferred. It's likely that you'll want to change what
your policy allows based on how the requests are arriving.
Specifically, if I'm using xmlconf over raw telnet, I certainly
wouldn't want to allow write operations to my data set. I'd also
want to reduce the view of the data that could be seen (IE, keys,
etc, would never be transmitted within get-config results over an
insecure link).
Only in the grossest sense. You don't want to even be listen()ing on a
port that is insecure because by its very nature this stuff is
sensitive. OTOH it's a knob to listen() on a particular port/service,
whether it's port 22, 23, 80, 443, or whatever.