Martin Bjorklund wrote:
Andy Bierman <ietf@andybierman.com> wrote:

IMO, a clean access control model for NETCONF needs to recognize the RPC model and the configuration datastore architecture.

First, there is the RPC method, defined by a QName. The user must have access to invoke the RPC method.

Completely independent of that is the data access control model applied to all configuration datastores. The NETCONF operations are create, delete, merge, and replace. For access control purposes, merge and replace operations are treated as a 'create' if the target data instance does not exist. The granularity could be as coarse as read/write, but that would totally defeat the purpose of create and delete operations in the edit-config method.

Why? The operation 'delete' is needed in order to be able to delete stuff. The access control can still be read/write - if you have write access you're allowed to create/delete.

delete fails if the object is not there to delete; create fails if the object is already there. The point of adding these extra enums (besides the CLI style merge and replace) was to make it a bit harder to inappropriately add or delete data to the configuration. It follows that the access control model would distinguish between changing existing data and add/delete operations as well.

NOTE: I'm not saying that it *should* be just read / write, I'm just questioning the logic in the argument.
Andy
/martin

-- to unsubscribe send a message to netconf-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/netconf/>
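
The two-step check discussed in this thread (RPC method access by QName, then per-operation data access), as an added example that is not part of the original messages and is not code from any NETCONF implementation. The function names, the right name "update", the refusal strings and the sample paths are assumptions made for illustration.

```python
# Added illustration; function names, right names and sample data are assumptions.
EDIT_CONFIG = "{urn:ietf:params:xml:ns:netconf:base:1.0}edit-config"
COARSE_WRITE = frozenset({"create", "update", "delete"})  # plain read/write model

def required_right(op, exists):
    """Right needed for an edit-config operation on one data instance."""
    if op in ("create", "delete"):
        return op
    if op in ("merge", "replace"):
        # merge/replace count as 'create' when the target instance is absent
        return "update" if exists else "create"
    raise ValueError(f"unknown operation: {op}")

def authorize(user, rpc_qname, op, path, datastore):
    """Return 'ok' or the reason the request is refused."""
    # Step 1: the RPC method itself, identified by QName.
    if rpc_qname not in user["rpcs"]:
        return "rpc-denied"
    # Step 2: data access, independent of step 1.
    exists = path in datastore
    if required_right(op, exists) not in user["data"].get(path, frozenset()):
        return "access-denied"
    # Step 3: operation preconditions, reported only to authorized callers
    # so a refusal does not reveal whether the instance exists.
    if op == "create" and exists:
        return "data-exists"
    if op == "delete" and not exists:
        return "data-missing"
    return "ok"

# Constructed sample data: one existing instance, three users.
DATASTORE = {"/interfaces/eth0/mtu"}
OPERATOR = {"rpcs": {EDIT_CONFIG},
            "data": {"/interfaces/eth0/mtu": frozenset({"update"}),
                     "/interfaces/eth1/mtu": frozenset({"update"})}}
ADMIN = {"rpcs": {EDIT_CONFIG},
         "data": {"/interfaces/eth0/mtu": COARSE_WRITE,
                  "/interfaces/eth1/mtu": COARSE_WRITE}}
MONITOR = {"rpcs": set(), "data": {"/interfaces/eth0/mtu": COARSE_WRITE}}
```

With the fine-grained rights, a user who may only change existing data cannot use merge or replace to add an instance; under the coarse read/write mapping every writer can.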