
Re: Access control



Randy Presuhn wrote:
Hi -

From: "Balazs Lengyel" <balazs.lengyel@ericsson.com>
To: "Andy Bierman" <ietf@andybierman.com>
Cc: "Vincent Cridlig" <vincent.cridlig@loria.fr>; "'Netconf (E-mail)'" <netconf@ops.ietf.org>
Sent: Monday, September 18, 2006 8:43 AM
Subject: Re: Access control
...
Does this mean that, in your opinion, it is NOT possible to do access control without the information: what is stored already in the datastore?
...

Yes, for the example you gave.
This is a direct consequence of the way edit-config merge
is defined, and of the access control requirement to distinguish
creation of an object instance from the modification of an object's
attributes.


This depends on the "operation" and how that is represented
in the access control model.

If you wanted a model that uses the NETCONF operation set
(merge, replace, edit, delete) then you have to look at the
datastore during validation at some point anyway to process
an <edit-config> PDU already.

If your access control operation set is simply (read, write)
then you do not need to look at the datastore to enforce access
control.



Randy

Andy



--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>
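
Added example, not part of the original messages: a sketch of the point discussed in this thread, that an access control model which separates "create" from "modify" has to consult the datastore to decide on a merge, while a plain read/write model decides from the request alone. The nested-dict datastore, the permission sets and all function names are assumptions made for illustration.

```python
# Illustrative only: nested dicts stand in for the datastore and the
# <edit-config> merge payload; the permission names are hypothetical.

def walk(edit, path=()):
    """Yield (path, value) for every node in a merge payload."""
    for key, val in edit.items():
        here = path + (key,)
        yield here, val
        if isinstance(val, dict):
            yield from walk(val, here)

def lookup(datastore, path):
    """Return (exists, value) for a path in the datastore."""
    node = datastore
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node

def classify_merge(datastore, edit):
    """Map each touched path to 'create' or 'modify' (needs datastore state)."""
    actions = {}
    for path, val in walk(edit):
        exists, current = lookup(datastore, path)
        if not exists:
            actions[path] = "create"          # merge would instantiate the node
        elif not isinstance(val, dict) and current != val:
            actions[path] = "modify"          # merge would change an existing leaf
    return actions

def denied_create_modify(allowed, datastore, edit):
    """Paths the user may not touch when rights are split into create/modify."""
    acts = classify_merge(datastore, edit)
    return sorted(p for p, a in acts.items() if a not in allowed)

def denied_read_write(allowed, edit):
    """Coarse model: every edit is a 'write'; no datastore lookup is needed."""
    return [] if "write" in allowed else sorted(p for p, _ in walk(edit))

# Constructed sample data
DATASTORE = {"interfaces": {"eth0": {"mtu": 1500}}}
EDIT = {"interfaces": {"eth0": {"mtu": 9000}, "eth1": {"mtu": 1500}}}

if __name__ == "__main__":
    # Same request, same rights, different outcome depending on stored state.
    print(denied_create_modify({"modify"}, DATASTORE, EDIT))
    print(denied_create_modify({"modify"}, {}, EDIT))
    print(denied_read_write({"write"}, EDIT))
```
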



