Re: Proposed Update to Netconf Charter
Juergen Schoenwaelder wrote:
> On Tue, Jul 05, 2005 at 03:14:52PM -0700, Andy Bierman wrote:
>
>> 3) tier 2 is data model access, and defined by the tuple:
>>
>>      { operation-list, data-namespace, data-path, group-list }
>>
>>    where:
>>      operation-list is zero or more of the following strings:
>>          { notify, read, create, merge, replace, delete }
>>          [Shorthand: the term 'write' == create, merge, replace, delete]
>>      data-namespace is the URI identifying the data model namespace
>>      data-path is an absolute XPATH expression identifying the
>>          top-level data model node that this access applies to
>>      group-list is a list of group names granted access
>
> While all this sounds reasonable, I am really surprised that you
> propose XPATH expressions given the lengthy discussion in the past
> that XPATH expressions are too expensive for filtering. Or is it
> because you expect access control on the 2nd tier not to be
> mandatory to implement and an optional feature like XPATH
> filtering?

I am envisioning that a simple absolute path expression be the mandatory
requirement and full XPATH expressions would be optional. This restricted
XPATH is what we have within the 'rpc-error' structure, and the WG
already agreed on this simple string format which happens to be a
particular subset of XPATH.

> Sorry, I could not resist asking this question. But despite this
> somewhat polemic question, I do like the 2 tier approach that you
> have outlined.

I didn't really clarify the XPATH usage, but since you brought it up,
it would be a powerful way to specify access control filters.

I think this 2-tier approach makes sense because NETCONF is extensible,
and we can't hard-wire the tier-1 configuration. Even though the document
seems to make a special case out of NETCONF operations, all the protocol
really has are RPC methods defined within specific namespaces. We
need to deal with vendor (and maybe later standard) RPC extensions anyway.

> /js

Andy
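
The tier-2 tuple and the "simple absolute path" restriction discussed in this message can be evaluated as follows. This is an added example, not code from the thread or from any NETCONF implementation. The subtree semantics, the any-group-in-common match, the deny-on-no-match default, and the names Rule, make_rule, is_allowed and the urn:example namespace are assumptions.

```python
# Added illustration, not from the thread. Assumptions: a rule covers the
# subtree under data-path, group-list matches on any group in common, and a
# request that matches no rule is denied.
from dataclasses import dataclass

WRITE = {"create", "merge", "replace", "delete"}
OPERATIONS = WRITE | {"notify", "read"}

def expand_ops(ops):
    """Expand the 'write' shorthand and reject unknown operation strings."""
    out = set()
    for op in ops:
        out |= WRITE if op == "write" else {op}
    if out - OPERATIONS:
        raise ValueError(f"unknown operation(s): {sorted(out - OPERATIONS)}")
    return frozenset(out)

def split_path(path):
    """Accept only the simple absolute form /step/step, with no predicates."""
    if not path.startswith("/") or any(c in path for c in "[]*|@()"):
        raise ValueError(f"not a simple absolute path: {path!r}")
    steps = path.strip("/").split("/")
    if "" in steps or "." in steps or ".." in steps:
        raise ValueError(f"not a simple absolute path: {path!r}")
    return tuple(steps)

@dataclass(frozen=True)
class Rule:
    operations: frozenset
    namespace: str
    path: tuple
    groups: frozenset

def make_rule(ops, namespace, path, groups):
    return Rule(expand_ops(ops), namespace, split_path(path), frozenset(groups))

def is_allowed(rules, user_groups, op, namespace, path):
    """Compare whole path steps, so /interfaces does not cover /interfaces-state."""
    steps, groups = split_path(path), set(user_groups)
    return any(op in r.operations and namespace == r.namespace
               and steps[:len(r.path)] == r.path and r.groups & groups
               for r in rules)

NS = "urn:example:interfaces"  # constructed namespace URI
RULES = [
    make_rule(["read"], NS, "/interfaces", ["operators", "admins"]),
    make_rule(["write"], NS, "/interfaces/interface", ["admins"]),
]
```

Matching on whole path steps keeps the mandatory case to a tuple comparison per rule, which is the cost argument for the restricted path form over full XPATH evaluation.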