
Re: access control issues



Andy,

Please see inline.

Andy Bierman wrote:
We can say when and where access control must be applied, without
specifying an access control model.  (IMO, without a model, we actually
are choosing the "everybody has access to everything" model, which
is known to be broken and obsolete.)

Yes, but nobody is saying that. What we're saying is that we're not standardizing the model. Depending on who you are I might let you change an interface or not. I don't need to standardize a model to do that (although it may help from a robustness perspective).



The document should say somewhere that access control (i.e., a user's ability to access specific portions of particular configurations in particular ways) MUST be enforced, and error(s) returned (if needed) instead of other protocol, rpc, or application errors that would otherwise be returned.

For example, a user shouldn't be able to issue a <validate> command on
the <candidate>, for config data for which that user has no access.

Arguably a user shouldn't be able to <validate> a <candidate> that was generated by a different user.


Eliot

--
archive: <http://ops.ietf.org/lists/netconf/>
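The ordering discussed in this message, as an added example that is not part of the original thread and not taken from any NETCONF implementation: access is checked on every node of the `<candidate>` before any validation runs, so a user without access gets `access-denied` rather than a validation error that would reveal something about data they cannot read. The users, paths, ACL layout and function names are assumptions made for the sketch; `owner_only` models the stricter policy raised in the last reply.

```python
# The NETCONF error-tags "access-denied" and "invalid-value" are real; the users,
# paths, ACL layout and function names are constructed for illustration.
ACL = {
    "alice": {"/interfaces": {"validate", "edit"}, "/routing": {"validate"}},
    "bob": {"/interfaces": {"validate"}},
}

# Constructed <candidate> contents: the MTU is out of range on purpose.
CANDIDATE = {
    "/interfaces/eth0/mtu": 99999,
    "/routing/static/0/next-hop": "10.0.0.1",
}

def authorized(user, op, path):
    """True if some ACL prefix grants `op` on `path` to `user`."""
    for prefix, ops in ACL.get(user, {}).items():
        if op in ops and (path == prefix or path.startswith(prefix + "/")):
            return True
    return False

def semantic_ok(path, value):
    """Stand-in for real validation: only the MTU range is checked."""
    if path.endswith("/mtu"):
        return isinstance(value, int) and 68 <= value <= 9216
    return True

def rpc_error(tag, path):
    return {"error-tag": tag, "error-path": path}

def validate_candidate(user, candidate, owner=None, owner_only=False):
    """Handle <validate>: authorization first, validation second."""
    # Optional stricter policy: only the user who built the candidate may validate it.
    if owner_only and owner != user:
        return rpc_error("access-denied", "/")
    # Pass 1: every node must be accessible before anything is validated.
    for path in sorted(candidate):
        if not authorized(user, "validate", path):
            return rpc_error("access-denied", path)
    # Pass 2: reached only by users allowed to see the whole candidate.
    for path in sorted(candidate):
        if not semantic_ok(path, candidate[path]):
            return rpc_error("invalid-value", path)
    return {"ok": True}

if __name__ == "__main__":
    for who in ("alice", "bob", "mallory"):
        print(who, validate_candidate(who, CANDIDATE))
```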