
Re: Access control [was: action RPC I-D]



Hello,

Andy Bierman wrote:
Vincent Cridlig wrote:

There seems to be WG consensus that actions should not
be modeled as data, but rather as RPC methods.  Therefore,
restricting access to certain RPC methods (<delete-config>,
<reset-device>, etc.) is going to be important.

Each permission is expressed with two things:
- an XPath expression, saying which nodes are concerned,
- an attribute which can be "r", "w", or "rw".

What happens if XPath expressions overlap (i.e. one or more nodes
are selected by more than one XPath expression)?  Do you just
execute the list in order, like an ACL on a router?

I am giving in on the "create/delete" feature in the ACM.
The fact is that this is more effort to implement and
takes more runtime cycles, because you have to check the
actual configuration database to know if a merge or replace
is really a create or delete.

If the ACM allows for read/write, then you only have to check
the PDU, not the configuration target as well.

[BALAZS]: Sadly, even with read/write, for a merge operation you still need the database; the PDU is not enough. Just from the PDU you do not know if an XML element is just a pointer to a lower-level element or if it is actually a create order.

Balazs
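The two points argued in this message, ordered first-match resolution of overlapping rules and the fact that a merge cannot be authorized from the PDU alone, are easy to see on a toy datastore. The following is an added example written for this archive page; it is not code from the thread, from the action RPC I-D, or from any NETCONF implementation. Rule paths are plain slash-separated element paths (a deliberate simplification of XPath), the tag names, rule paths and sample configuration are all made up, and the permission letters are the "r"/"w"/"rw" of the proposal:

```python
"""Toy NETCONF-style access control check (constructed example).

Shows that a read/write ACM still needs the target datastore: an element
in a <merge> PDU may be a path element (already present, only there to
reach a deeper node), a modified leaf, or a genuine create.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Rule:
    path: str   # element path the rule applies to, e.g. "/config/system"
    perms: str  # "r", "w" or "rw"


# Constructed <running> datastore (made-up tag names).
RUNNING = ET.fromstring(
    "<config><system>"
    "<hostname>router1</hostname>"
    "<ntp><server>10.0.0.1</server></ntp>"
    "</system></config>"
)

# Constructed rules: NTP is writable, the rest of <system> and <config> is
# read-only. Rules overlap; they are evaluated in order, first match wins.
RULES = [
    Rule("/config/system/ntp", "rw"),
    Rule("/config/system", "r"),
    Rule("/config", "r"),
]

# Constructed <merge> PDUs: one adds a new NTP peer, one changes the hostname.
ADD_PEER = ET.fromstring(
    "<config><system><ntp><peer>10.0.0.9</peer></ntp></system></config>")
SET_HOSTNAME = ET.fromstring(
    "<config><system><hostname>r2</hostname></system></config>")


def node_paths(root, prefix=""):
    """Yield (path, element) for every element of an XML tree, depth first."""
    path = f"{prefix}/{root.tag}"
    yield path, root
    for child in root:
        yield from node_paths(child, path)


def lookup(root, path):
    """Return the element at `path` in `root`, or None if it does not exist."""
    parts = path.strip("/").split("/")
    if parts[0] != root.tag:
        return None
    node = root
    for tag in parts[1:]:
        node = node.find(tag)
        if node is None:
            return None
    return node


def matching_rule(rules, path):
    """First rule (in list order) whose path equals or is an ancestor of `path`."""
    for rule in rules:
        if path == rule.path or path.startswith(rule.path + "/"):
            return rule
    return None


def classify_merge(pdu, running):
    """Map each PDU element path to 'create', 'modify' or 'path'.

    This is the step that cannot be done from the PDU alone: only the
    datastore tells whether an element is new or merely a path element.
    """
    kinds = {}
    for path, elem in node_paths(pdu):
        existing = lookup(running, path)
        if existing is None:
            kinds[path] = "create"
        elif len(elem) == 0 and (elem.text or "").strip() != (existing.text or "").strip():
            kinds[path] = "modify"  # leaf carrying a new value
        else:
            kinds[path] = "path"    # already present, nothing is written
    return kinds


def authorize_pdu_only(rules, pdu):
    """Naive read/write check on the PDU alone: every element counts as a write.

    Returns the paths that would be denied.
    """
    denied = []
    for path, _ in node_paths(pdu):
        rule = matching_rule(rules, path)
        if rule is None or "w" not in rule.perms:
            denied.append(path)
    return denied


def authorize_merge(rules, pdu, running):
    """Read/write check that consults the datastore: path elements need no 'w'."""
    denied = []
    for path, kind in classify_merge(pdu, running).items():
        if kind == "path":
            continue
        rule = matching_rule(rules, path)
        if rule is None or "w" not in rule.perms:
            denied.append(path)
    return denied


if __name__ == "__main__":
    print(classify_merge(ADD_PEER, RUNNING))
    print("PDU-only denies:", authorize_pdu_only(RULES, ADD_PEER))
    print("with datastore denies:", authorize_merge(RULES, ADD_PEER, RUNNING))
```

With the rules above, the PDU-only check rejects the harmless "add an NTP peer" merge because the enclosing <config> and <system> elements fall under read-only rules, even though nothing under them is written; the datastore-aware check classifies those elements as path elements and permits the merge, while still rejecting a hostname change. Reversing the rule list makes the broad "/config" rule shadow the NTP rule for every node, which is the overlap question raised above: with first-match semantics the order of the list is part of the policy.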

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>