[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Access control [was: action RPC I-D]

To: Andy Bierman <ietf@andybierman.com>
Subject: Re: Access control [was: action RPC I-D]
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
Date: Thu, 2 Nov 2006 17:25:43 +0100
Cc: Balazs Lengyel <balazs.lengyel@ericsson.com>, Martin Bjorklund <mbj@tail-f.com>, netconf@ops.ietf.org
In-reply-to: <454A1199.5090008@andybierman.com>
Mail-followup-to: Andy Bierman <ietf@andybierman.com>, Balazs Lengyel <balazs.lengyel@ericsson.com>, Martin Bjorklund <mbj@tail-f.com>, netconf@ops.ietf.org
References: <C1555612.21B37%sberl@cisco.com> <45300CC0.60203@andybierman.com> <4533466E.9080103@ericsson.com> <20061016.125830.90119364.mbj@tail-f.com> <45338A0B.8020306@andybierman.com> <45421D60.2080909@ericsson.com> <454227B7.8060801@andybierman.com> <4549CF2E.6000308@ericsson.com> <454A1199.5090008@andybierman.com>
Reply-to: j.schoenwaelder@iu-bremen.de
User-agent: Mutt/1.5.10i

On Thu, Nov 02, 2006 at 07:41:13AM -0800, Andy Bierman wrote:

> There are 4 components to implementing an isAccessAllowed internal API:
> 
>   - maximum access that makes protocol sense
>     - SNMP uses read-create to identify table rows that the NMS
>       and agent can create, and read-write to identify scalars and
>       table rows that only the agent can create.
> 
>   - access requested in the PDU
> 
>   - identity or the requester (e.g., user name, group name)
> 
>   - maximum access allowed for the requester (configured on the agent)

The maximum access that makes protocol sense is IMHO not an input to
isAccessAllowed - there is no runtime decision to make. The maximum
access that makes protocol sense is input for the tools that drive
your implementation; there simply is no write method to call for
read-only objects. In the SNMP processing, you return an error before
you ever get to the isAccessAllowed() function if I remember things
well.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>

Follow-Ups:
- Re: Access control [was: action RPC I-D]
  - From: Andy Bierman <ietf@andybierman.com>

References:
- Re: action RPC I-D
  - From: "Steven Berl \(sberl\)" <sberl@cisco.com>
- Re: action RPC I-D
  - From: Andy Bierman <ietf@andybierman.com>
- Re: action RPC I-D
  - From: Balazs Lengyel <balazs.lengyel@ericsson.com>
- Re: action RPC I-D
  - From: Martin Bjorklund <mbj@tail-f.com>
- Re: action RPC I-D
  - From: Andy Bierman <ietf@andybierman.com>
- Re: action RPC I-D
  - From: Balazs Lengyel <balazs.lengyel@ericsson.com>
- Re: action RPC I-D
  - From: Andy Bierman <ietf@andybierman.com>
- Access control [was: action RPC I-D]
  - From: Balazs Lengyel <balazs.lengyel@ericsson.com>
- Re: Access control [was: action RPC I-D]
  - From: Andy Bierman <ietf@andybierman.com>

Prev by Date: Re: Access control [was: action RPC I-D]
Next by Date: Re: Access control [was: action RPC I-D]
Previous by thread: Re: Access control [was: action RPC I-D]
Next by thread: Re: Access control [was: action RPC I-D]
Index(es):
- Date
- Thread