
Re: access control issues



Randy Presuhn wrote:

Hi -



From: "Andy Bierman" <ietf@andybierman.com>
To: "netconf" <netconf@ops.ietf.org>
Sent: Thursday, May 19, 2005 10:36 AM
Subject: access control issues


...


The document should say somewhere that access control (i.e., user's
ability to access specific portions of particular configurations in
particular ways) MUST be enforced, and error(s) returned (if needed),
instead of other protocol, rpc, or application errors, that would
otherwise be returned.


...

It sounds like this would be different from the SNMP approach, which
doesn't leak information about the existence of objects to which access
is denied when responding to a get/next/bulk request. Are you proposing
that the error would identify the specific element(s) in the configuration to
which access was denied, or would it be more of a blanket response that
*something* *somewhere* in the request ran afoul of the rules?


the latter -- blanket response - a generic access-denied is fine.

Randy


Andy




-- to unsubscribe send a message to netconf-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/netconf/>
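
The ordering discussed in this message, as an added illustration (not part of the original post, and not code from any NETCONF implementation): access control is evaluated for the whole request before any other check, and a denial yields one generic access-denied that names no element. The function names, paths, rules and the "unknown-element" error name are constructed assumptions for the sketch.

```python
# Constructed sample data: paths present in the configuration.
CONFIG = {"/interfaces/eth0/mtu": 1500, "/users/admin/password": "secret"}

# Constructed rules: user -> path prefixes that user may read.
READ_RULES = {"operator": ("/interfaces/",)}


def permitted(user, path):
    """True if any rule prefix for this user covers the path."""
    return any(path.startswith(prefix) for prefix in READ_RULES.get(user, ()))


def get_leaky(user, paths):
    """Existence is checked first, so the error type reveals which
    denied paths actually exist, and the error names the element."""
    for path in paths:
        if path not in CONFIG:
            return {"error": "unknown-element", "path": path}
        if not permitted(user, path):
            return {"error": "access-denied", "path": path}
    return {"data": {p: CONFIG[p] for p in paths}}


def get_enforced(user, paths):
    """Access control is enforced first and returned instead of any other
    error; the response is a blanket access-denied with no path."""
    if not all(permitted(user, p) for p in paths):
        return {"error": "access-denied"}
    # Only requests that are fully permitted reach the other checks.
    for path in paths:
        if path not in CONFIG:
            return {"error": "unknown-element", "path": path}
    return {"data": {p: CONFIG[p] for p in paths}}


if __name__ == "__main__":
    for target in ("/users/admin/password", "/users/nobody/password"):
        print(target, get_leaky("operator", [target]),
              get_enforced("operator", [target]))
```

With `get_leaky`, an existing and a nonexistent path under a denied subtree produce different errors; with `get_enforced` the two responses are identical.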





