
Re: max-access: access control model discussion



I agree that a detailed mapping of max-access to operations is needed. The recent discussion about the operation parameter in edit-config also shows us that much of the complexity lies in understanding different access clauses on nested elements.

I would also say that a mapping from the SMIv2 max-access clause is needed, as we will be borrowing from the modeling work of SNMP.

I see the following main points about the two versions:
Sharon's max-access:
- It is assumed that the read, write, create, delete, execute rights are orthogonal in a sense, so the netconf server needs to check only one of them for each operation, not the complete set.

Andy's max-access:
- It is assumed that the set of access possibilities is completely hierarchical, so it is easier to use a smaller list than the 25 possible permutations in Sharon's list.

I believe both solutions could do the job.

Balazs



Andy Bierman wrote:
Balazs Lengyel wrote:
Let's assume we have the following data model:

<if>
  <name>eth0</name>
  <opstate>up</opstate>
</if>

- if can be created/deleted max-access: all
- name must be created together with if max-access: all
- opstate is a read only variable that might be created automatically by the managed system max-access: read-only

If I want to create <if>, can I create the read-only <opstate> object, or do I have to rely on the managed system to automatically create it?

If I want to remove the <if>, can I remove the read-only <opstate>? (I do not want to allow removing <opstate> without removing <if>.)

What are the correct max-access settings? (The question is the same for both Andy's and Sharon's solutions.)


I will rewrite my original email to use the existing MAX-ACCESS from SMIv2
instead of my extended MAX-ACCESS (based on well-known sub-states in MIBs).
In your example, read-create covers the case where read-write and read-only
data objects are instantiated by the agent, concurrently with the
objects instantiated by the NMS.

IMO, the actual netconf operations need to be explicitly supported
(notify, read, merge, replace, create, delete) with detailed text
explaining the mapping.

Balazs

Andy

--
Balazs Lengyel                       Ericsson Hungary Ltd.
TSP System Manager
ECN: 831 7320                        Fax: +36 1 4377792
Tel: +36-1-437-7320     email: Balazs.Lengyel@ericsson.com
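The thread asks for an explicit mapping from max-access to the netconf operations and for a ruling on nested elements such as the read-only <opstate> inside a created <if>. The following Python is an added example, not code from the thread or from any netconf implementation: it takes the hierarchical SMIv2 MAX-ACCESS levels Andy proposes, encodes one assumed operation-to-access table (the REQUIRED map is an assumption, not an agreed mapping), and walks an edit-config fragment with nc:operation attributes to decide, per node, whether the effective operation is permitted. The SCHEMA map and the sample fragments are constructed from Balazs's <if>/<name>/<opstate> example.

```python
"""Added example: checking SMIv2 MAX-ACCESS against NETCONF edit-config
operations on a nested data model. Not part of the original thread."""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
OP_ATTR = "{%s}operation" % NC_NS

# SMIv2 MAX-ACCESS values, weakest to strongest (RFC 2578, section 7.3).
LEVELS = ["not-accessible", "accessible-for-notify",
          "read-only", "read-write", "read-create"]

# ASSUMED mapping: the weakest MAX-ACCESS that permits each NETCONF
# operation when the client names the node explicitly. The thread asks
# for exactly this table to be written down; this is one candidate.
REQUIRED = {
    "notify":  "accessible-for-notify",
    "read":    "read-only",
    "merge":   "read-write",
    "replace": "read-write",
    "create":  "read-create",
    "delete":  "read-create",
}

# Constructed schema for the thread's example: path -> MAX-ACCESS.
SCHEMA = {
    "if":         "read-create",   # "max-access: all"
    "if/name":    "read-create",   # must be created together with <if>
    "if/opstate": "read-only",     # instantiated by the managed system
}


def permits(max_access, op):
    """True if a node with this MAX-ACCESS allows the given operation."""
    return LEVELS.index(max_access) >= LEVELS.index(REQUIRED[op])


def _local(tag):
    """Strip any namespace prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def check_edit(config_xml, schema=SCHEMA, default_op="merge"):
    """Walk an <edit-config> config fragment and decide per node whether
    the effective operation (explicit nc:operation, else inherited from
    the nearest ancestor) is permitted.
    Returns a list of (path, operation, allowed, reason) tuples."""
    results = []

    def walk(elem, path, inherited_op):
        explicit = elem.get(OP_ATTR)
        op = explicit or inherited_op
        access = schema.get(path, "not-accessible")

        if op == "delete" and not explicit:
            # The subtree goes with its deleted ancestor: <opstate> may
            # disappear with <if>, but not on its own (see below).
            allowed, why = True, "removed together with the deleted ancestor"
        elif op == "merge" and not explicit and len(elem) > 0:
            # Interior node on a merge is only a path step; nothing is
            # written to the node itself.
            allowed, why = True, "path step only, nothing written here"
        elif permits(access, op):
            allowed, why = True, "%s permits %s" % (access, op)
        elif access == "read-only" and op == "create":
            # Read-only leaf inside a node the client is creating: under
            # the read-create reading, the agent instantiates it.
            allowed, why = False, ("read-only: instantiated by the agent, "
                                   "client must not supply it")
        else:
            allowed, why = False, "%s does not permit %s (needs %s)" % (
                access, op, REQUIRED[op])

        results.append((path, op, allowed, why))
        for child in elem:
            walk(child, path + "/" + _local(child.tag), op)

    root = ET.fromstring(config_xml)
    walk(root, _local(root.tag), default_op)
    return results


def rejected(config_xml, schema=SCHEMA):
    """Paths whose effective operation the schema does not permit."""
    return [p for p, _, ok, _ in check_edit(config_xml, schema) if not ok]


# Constructed edit-config fragments for the thread's questions.
CREATE_WITH_OPSTATE = ('<if xmlns:nc="%s" nc:operation="create">'
                       '<name>eth0</name><opstate>up</opstate></if>' % NC_NS)
CREATE_IF = ('<if xmlns:nc="%s" nc:operation="create">'
             '<name>eth0</name></if>' % NC_NS)
DELETE_IF = ('<if xmlns:nc="%s" nc:operation="delete">'
             '<name>eth0</name><opstate>up</opstate></if>' % NC_NS)
DELETE_OPSTATE_ALONE = ('<if xmlns:nc="%s"><name>eth0</name>'
                        '<opstate nc:operation="delete"/></if>' % NC_NS)

if __name__ == "__main__":
    for label, frag in [("create with opstate", CREATE_WITH_OPSTATE),
                        ("create if", CREATE_IF),
                        ("delete if", DELETE_IF),
                        ("delete opstate alone", DELETE_OPSTATE_ALONE)]:
        print(label)
        for path, op, ok, why in check_edit(frag):
            print("  %-12s %-7s %-5s %s" % (path, op, ok, why))
```

Under this assumed table, the answers to the two questions in the thread come out as: the client may not supply the read-only <opstate> when creating <if> (the agent instantiates it), and <opstate> is removed implicitly when <if> is deleted but an explicit delete of <opstate> on its own is refused. Changing the REQUIRED map, for example letting "merge" on a read-only leaf through for agent-owned state, is where the real policy decision the thread is asking for would be made.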

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>