Re: Access control [was: action RPC I-D]
On Thu, Nov 02, 2006 at 07:41:13AM -0800, Andy Bierman wrote:
> There are 4 components to implementing an isAccessAllowed internal API:
>
> - maximum access that makes protocol sense
>   - SNMP uses read-create to identify table rows that the NMS
>     and agent can create, and read-write to identify scalars and
>     table rows that only the agent can create.
>
> - access requested in the PDU
>
> - identity of the requester (e.g., user name, group name)
>
> - maximum access allowed for the requester (configured on the agent)

The maximum access that makes protocol sense is IMHO not an input to
isAccessAllowed - there is no runtime decision to make. The maximum
access that makes protocol sense is input for the tools that drive
your implementation; there simply is no write method to call for
read-only objects. In the SNMP processing, you return an error before
you ever get to the isAccessAllowed() function if I remember things
well.

/js
--
Juergen Schoenwaelder International University Bremen
<http://www.eecs.iu-bremen.de/> P.O. Box 750 561, 28725 Bremen, Germany
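
The split described in the reply above, as an added sketch that is not part of the original message or of any SNMP or NETCONF implementation: the schema's maximum access is baked into a generated dispatch table, so a set on a read-only object is rejected before the runtime access check is ever called. All function names, result strings and the configured access table are hypothetical, and the data is constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Node:
    read: Callable[[], object]
    # None means the object was defined read-only: no write method exists.
    write: Optional[Callable[[object], None]] = None

STORE = {"sysName": "router1", "sysUpTime": 4242}  # constructed sample values

def _setter(name):
    def write(value):
        STORE[name] = value
    return write

# What a schema-driven tool would emit (hypothetical output).
DISPATCH = {
    "sysName": Node(read=lambda: STORE["sysName"], write=_setter("sysName")),
    "sysUpTime": Node(read=lambda: STORE["sysUpTime"]),  # read-only
}

# Maximum access configured on the agent per requester (constructed).
CONFIGURED = {
    "admin": {"sysName": "write", "sysUpTime": "read"},
    "guest": {"sysName": "read", "sysUpTime": "read"},
}
RANK = {"none": 0, "read": 1, "write": 2}
acl_calls = []  # every runtime decision is recorded here for inspection

def is_access_allowed(requester, name, requested):
    """Runtime inputs only: identity, requested access, configured maximum."""
    acl_calls.append((requester, name, requested))
    allowed = CONFIGURED.get(requester, {}).get(name, "none")
    return RANK[requested] <= RANK[allowed]

def handle_set(requester, name, value):
    node = DISPATCH.get(name)
    if node is None:
        return "NO_SUCH_OBJECT"
    if node.write is None:
        # Static property of the schema: no access decision is made.
        return "NOT_WRITABLE"
    if not is_access_allowed(requester, name, "write"):
        return "ACCESS_DENIED"
    node.write(value)
    return "OK"
```
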