Balazs Lengyel wrote:
Hello,

Draft-12 writes

Tag: access-denied
Error-type: rpc, protocol, application
Severity: error
Error-info: none
Description: Access to the requested RPC, protocol operation, or data model is denied because authorization failed

This does not specify which part of an operation is denied. Now imagine that we have an edit-config operation that touches the configuration in 10 different places from which only one is denied.

How will the operator find out which part is rejected? Do we need a get-config operation? Wouldn't it be better to include in the error-info the rejected part?
This has traditionally been a no-no in the security world. You don't tell attackers anything that might help them get further. The agent doesn't know the difference between a buggy manager and an attack.
Balazs
Andy
-- to unsubscribe send a message to netconf-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/netconf/>
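The trade-off discussed in this thread, sketched as an added example (not code from the draft or from either poster): the agent answers with a bare access-denied error and keeps the denied path in its own audit log. The ACL model, the user and path names, the choice to reject the whole request, and the agent-side audit log are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"  # base namespace as published in RFC 4741
ET.register_namespace("", NS)

# Constructed ACL: path prefixes each user may edit (hypothetical model).
ACL = {"oper1": ("/interfaces", "/system/ntp")}


def is_allowed(user, path, acl=ACL):
    """True if path equals, or lies under, a prefix granted to user."""
    return any(path == p or path.startswith(p + "/") for p in acl.get(user, ()))


def access_denied_reply(message_id):
    """Build an rpc-reply with only the fields the draft lists; no error-info."""
    reply = ET.Element(f"{{{NS}}}rpc-reply", {"message-id": message_id})
    err = ET.SubElement(reply, f"{{{NS}}}rpc-error")
    for tag, text in (("error-type", "protocol"),  # one of rpc/protocol/application
                      ("error-tag", "access-denied"),
                      ("error-severity", "error")):
        ET.SubElement(err, f"{{{NS}}}{tag}").text = text
    return ET.tostring(reply, encoding="unicode")


def handle_edit_config(user, message_id, paths, audit_log):
    """Check every edit target first; reject the request if any one is denied.

    Returns (ok, reply_xml). Denied paths are appended to audit_log only,
    which stays on the agent and is never copied into the reply.
    """
    denied = [p for p in paths if not is_allowed(user, p)]
    if denied:
        for p in denied:
            audit_log.append({"user": user, "message-id": message_id, "denied": p})
        return False, access_denied_reply(message_id)
    ok = ET.Element(f"{{{NS}}}rpc-reply", {"message-id": message_id})
    ET.SubElement(ok, f"{{{NS}}}ok")
    return True, ET.tostring(ok, encoding="unicode")
```
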