Re: Access control
Vincent Cridlig <vincent.cridlig@loria.fr> wrote:
> Andy Bierman wrote:
> > I suggest that people implement NETCONF, and also implement
> > some kind of ACM, and prove to operators and the WG that the
> > design and feature set is necessary and sufficient.
>
>
> We have some kind of implemented ACM which assumes an XML data model.
> I don't know if it is necessary and sufficient! Here is a quick overview:
>
> Each permission is expressed with two things:
> - an XPath expression, saying which nodes are concerned,
> - an attribute which can be "r", "w", or "rw".
We have a slightly different approach. Here's a somewhat simplified
description:
Based on a number of parameters (such as user name, access method,
operation, etc.), a NETCONF session is associated with an ordered list
of rules. Each rule has a "path" and an "action". A "path" is a
restricted XPath; an absolute expression with instance selection
(e.g. "/interfaces", "/interfaces/interface[name='eth0']/mtu"). An
"action" is "accept" or "reject".
Logically, for each object that the user tries to
read/write/create/delete, the list of rules is searched for a match.
The "action" associated with the first match is the result of the
access control for this object. If no match is found, the access is
rejected.
We also have read/write only (i.e. no create/delete).
This execution scheme is very similar to how iptables works for IP
packet filtering in Linux.
With this scheme it's easy to include/exclude certain subtrees for
access.
Implementation-wise, this can be done pretty efficiently.
/martin
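A small Python model of the first-match scheme described in the reply above, added here as an illustration and not the poster's implementation. The restricted path grammar (absolute steps, at most one `[key='value']` predicate per step), prefix-style subtree matching and the sample rule list are assumptions.

```python
import re

# Constructed model of the rule scheme: each rule is (path, action), where a
# "path" is an absolute restricted XPath such as "/interfaces/interface[name='eth0']/mtu"
# and "action" is "accept" or "reject". Grammar below is an assumption.
STEP_RE = re.compile(r"([A-Za-z_][\w.-]*)(?:\[([A-Za-z_][\w.-]*)='([^']*)'\])?")


def parse_path(path):
    """Split "/a/b[k='v']/c" into [('a', None), ('b', ('k', 'v')), ('c', None)]."""
    if not path.startswith("/"):
        raise ValueError("only absolute paths are supported: %r" % path)
    if path == "/":
        return []  # the root selects the whole datastore
    steps = []
    for step in path.strip("/").split("/"):
        m = STEP_RE.fullmatch(step)
        if not m:
            raise ValueError("bad step %r in %r" % (step, path))
        name, key, value = m.groups()
        steps.append((name, (key, value) if key else None))
    return steps


def path_matches(rule_path, obj_path):
    """A rule covers an object when the rule's steps are a prefix of the object's
    steps; a rule step with no predicate matches every instance of that node."""
    rule, obj = parse_path(rule_path), parse_path(obj_path)
    if len(rule) > len(obj):
        return False
    for (rname, rpred), (oname, opred) in zip(rule, obj):
        if rname != oname:
            return False
        if rpred is not None and rpred != opred:
            return False
    return True


def check_access(rules, obj_path):
    """First matching rule decides, as in an iptables chain; no match means reject."""
    for rule_path, action in rules:
        if path_matches(rule_path, obj_path):
            return action
    return "reject"


# Constructed session rule list: exclude eth0, then allow the rest of /interfaces.
SESSION_RULES = [
    ("/interfaces/interface[name='eth0']", "reject"),
    ("/interfaces", "accept"),
]
```

Reversing the two rules makes the broad accept win first, which is the include/exclude ordering effect the reply mentions.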
archive: <http://ops.ietf.org/lists/netconf/>