
Re: Access control



Vincent Cridlig <vincent.cridlig@loria.fr> wrote:
> Andy Bierman wrote:
> > I suggest that people implement NETCONF, and also implement
> > some kind of ACM, and prove to operators and the WG that the
> > design and feature set is necessary and sufficient.
> 
> 
> We have some kind of implemented ACM which assumes an XML data model.
> I don't know if it is necessary and sufficient ! Here is a quick overview:
> 
> Each permission is expressed with two things:
> - an XPath expression, saying which nodes are concerned,
> - an attribute which can be "r", "w", or "rw".

We have a slightly different approach.  Here's a somewhat simplified
description:

Based on a number of parameters (such as user name, access method,
operation etc), a netconf session is associated with an ordered list
of rules.  Each rule has a "path" and an "action".  A "path" is a
restricted XPath; an absolute expression with instance selection
(e.g. "/interfaces", "/interfaces/interface[name='eth0']/mtu").  An
"action" is "accept" or "reject".

Logically, for each object that the user tries to
read/write/create/delete, the list of rules is searched for a match.
The "action" associated with the first match is the result of the
access control for this object.  If no match is found, the access is
rejected.

We also have read/write only (i.e. no create/delete).

This execution scheme is very similar to how iptables works for IP
packet filtering in Linux.

With this scheme it's easy to include/exclude certain subtrees for
access.

Implementation-wise, this can be done pretty efficiently.



/martin
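The first-match rule evaluation Martin sketches above, as an added example that is not code from the original post or from his implementation. It assumes a few things the post leaves open: that a rule's path covers the whole subtree below it (so "/interfaces" includes every interface and every leaf under them), that instance selection is a single [key='value'] predicate on a list element, that the list key is known from the data model (the LIST_KEYS table below), and that the per-session rule list is looked up by user name only. The XML datastore and the rule tables are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample datastore (not from the original post).
CONFIG_XML = """
<config>
  <interfaces>
    <interface><name>eth0</name><mtu>1500</mtu><enabled>true</enabled></interface>
    <interface><name>eth1</name><mtu>9000</mtu><enabled>false</enabled></interface>
  </interfaces>
  <users>
    <user><name>admin</name><password>secret</password></user>
  </users>
</config>
"""

# Assumed data-model knowledge: which child element identifies a list instance.
LIST_KEYS = {"interface": "name", "user": "name"}

# Constructed per-session rule lists, keyed by user name (a simplification of
# "user name, access method, operation etc" from the post). Order matters:
# the first matching rule wins, and no match means reject.
SESSION_RULES = {
    # may see all of /interfaces except eth1's mtu; nothing under /users
    "operator": [("/interfaces/interface[name='eth1']/mtu", "reject"),
                 ("/interfaces", "accept")],
    # same two rules in the wrong order: the broad accept shadows the reject
    "sloppy":   [("/interfaces", "accept"),
                 ("/interfaces/interface[name='eth1']/mtu", "reject")],
}

# One step of the restricted XPath: a name with an optional [key='value'] predicate.
_STEP_RE = re.compile(r"^([A-Za-z_][\w.-]*)(?:\[([A-Za-z_][\w.-]*)='([^']*)'\])?$")


def parse_path(path):
    """Parse "/a/b[name='x']/c" into a list of (name, key, value) steps."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute: %r" % path)
    steps = []
    for seg in path[1:].split("/"):
        m = _STEP_RE.match(seg)
        if not m:
            raise ValueError("unsupported step: %r" % seg)
        steps.append((m.group(1), m.group(2), m.group(3)))
    return steps


def step_matches(rule_step, obj_step):
    """A rule step without a predicate matches any instance of that element."""
    rname, rkey, rval = rule_step
    oname, okey, oval = obj_step
    if rname != oname:
        return False
    if rkey is None:
        return True
    return rkey == okey and rval == oval


def rule_matches(rule_steps, obj_steps):
    """Assumed subtree semantics: the rule path must be a prefix of the object path."""
    if len(rule_steps) > len(obj_steps):
        return False
    return all(step_matches(r, o) for r, o in zip(rule_steps, obj_steps))


def check_access(rules, obj_path):
    """Walk the ordered rule list; first match decides, default is reject."""
    obj_steps = parse_path(obj_path)
    for path, action in rules:
        if rule_matches(parse_path(path), obj_steps):
            return action
    return "reject"


def instance_paths(root):
    """Yield the instance path of every element below root, list entries keyed."""
    def walk(elem, prefix):
        for child in elem:
            key = LIST_KEYS.get(child.tag)
            if key is not None:
                step = "%s[%s='%s']" % (child.tag, key, child.findtext(key))
            else:
                step = child.tag
            path = prefix + "/" + step
            yield path
            yield from walk(child, path)
    yield from walk(root, "")


def accessible_paths(user, xml_text):
    """Every node of the datastore the session's rule list accepts."""
    rules = SESSION_RULES.get(user, [])
    root = ET.fromstring(xml_text)
    return [p for p in instance_paths(root) if check_access(rules, p) == "accept"]


if __name__ == "__main__":
    for p in accessible_paths("operator", CONFIG_XML):
        print(p)
```

Because no match means reject, an unknown user (empty rule list) sees nothing, and the "sloppy" ordering shows the iptables-like pitfall the post's scheme inherits: a broad accept placed before a narrower reject silently disables the reject.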

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>