Re: Access control [was: action RPC I-D]

[Vincent Cridlig <vincent.cridlig@loria.fr>]

Andy Bierman a écrit :
> Balazs Lengyel wrote:
> > Hello,
> > I feel that we should be careful not to make access control to 
> > complicated. While technically it is possible to design a good, fine 
> > grained access control model, I fear the user (operator) will have 
> > difficulties understanding it.
> >
> > I see that read/write (and possibly disturb traffic) are three easy 
> > to understand concepts that might be executed by different people in 
> > the network operator's organization. On the other hand I don't see 
> > who would be the operator who is allowed to modify a route(or a 
> > customer), but not to create a new one.
> >
> > I agree that operationally separating delete, replace, etc. is a 
> > useful notion, but I don't see the need for the same with access 
> > control.
>
> I suggest that people implement NETCONF, and also implement
> some kind of ACM, and prove to operators and the WG that the
> design and feature set is necessary and sufficient.


We have some kind of implemented ACM which assumes an XML data model.
I don't know if it is necessary and sufficient ! Here is a quick overview:

Each permission is expressed with two things:
- an XPath expression, saying which nodes are concerned,
- an attribute which can be "r", "w", or "rw".

In our implementation, having access to one node grants the privilege to 
the whole subtree of this node. Only positive privileges can be 
specified to avoid conflicts.

Also, since we implemented an RBAC model, we define roles like 
SuperManager, RoutingManager, ExteriorRoutingManager, SecurityManager 
and so on... These roles have some permissions, and each manager may 
have some roles. (Roles can be hierarchical if you need.)

For people who think it is not necessary to have such fine-grained ACM, 
they can use the SuperManagerRole and give access to everything. For the 
others, they can specify privileges more carefully.

One of the cool thing is that the scope of operations is limited when 
you have one role active. This decreases misconfigurations risks. There 
are other advantages.

Regards,
Vincent


> > Balazs
>
> Andy
>
>
> --
> to unsubscribe send a message to netconf-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/netconf/>

begin:vcard
fn:Vincent Cridlig
n:Cridlig;Vincent
org:LORIA - INRIA Lorraine, France;Madynes
adr:;;;Nancy;;;France
email;internet:cridligv@loria.fr
title:PhD Student
tel;work:+33 (0)3 83 59 20 48
url:http://www.loria.fr/~cridligv
version:2.1
end:vcard