IETF Logo Mail Archive

Re: [i2rs] topo model use of NACM

Andy Bierman <andy@yumaworks.com> Thu, 16 February 2017 22:36 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 184E6124281 for <i2rs@ietfa.amsl.com>; Thu, 16 Feb 2017 14:36:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ve-2wXNhJrUp for <i2rs@ietfa.amsl.com>; Thu, 16 Feb 2017 14:36:37 -0800 (PST)
Received: from mail-wr0-x22e.google.com (mail-wr0-x22e.google.com [IPv6:2a00:1450:400c:c0c::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA5CB129556 for <i2rs@ietf.org>; Thu, 16 Feb 2017 14:36:36 -0800 (PST)
Received: by mail-wr0-x22e.google.com with SMTP id z61so20735592wrc.1 for <i2rs@ietf.org>; Thu, 16 Feb 2017 14:36:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=pGJB1xHT/b5UOOdmWMHjajJSeAxBFE43V45PIQOFG1Y=; b=YOskBybUtVTYERa4/OnKCGshm0K5fXpXuynvKl5z3hHsOnxvjalc827QO85mtICHNl ycu/Q6IqWu5QcscKXVSNPd8QMLqtc35khcRWmu0E6oj+IldbNHKIwMlD5LdSvRpKStId GH2gcaHw4eesdHCIc6AmpaXSJFm4IYNGwIUMcOAyV8kl/7CURq25bLyEJ9krm99h6Xec 1/XunpP35d9VIUsFjla8svYu+D6S1Fz3oSBRChLPA9tqn4I32ohoURa78S5sAU2qzrZ2 GZIgcVmZQ24RZuORmFzZpjz2xex3d6oI+Bj8b75Fk9FHII1dHqiRjRgYPA5NWacNlMaC 1v3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=pGJB1xHT/b5UOOdmWMHjajJSeAxBFE43V45PIQOFG1Y=; b=sXfZeNWuiYCjTd/oKW1Utnw4IoXipJW6q9OzmF2K/NgFEtFdmbeMbmAqdkKMzH3DjZ NFW7TeXZqTqaDzSCIUA2yEdtr/gZfos1VRHqLek0zZQfMyXHixhAuHDmDCDW9lME/AbK VYdiI52DOKZ9l7r+HvJOi2rFNme2MnsqGD8D2nQ3jOHdpebYY5aNOWc0cz6JEYO3QL8J cJNb9MLf5iq1i+a4bxB7k4bBdPa8zLRVz4/Cc6R6Z0oSsDE+vGbz4Q+PaCBJHQEvdLLz 4gb4C+YT90sR5z++5vXLUeBG0wsm0N/MrwVXO2QMdYk1XHh3wdHX07Z8WCax5l9YxjWo cPMg==
X-Gm-Message-State: AMke39kGE4axiClZe9cW39M5AO9m7CZ6BLE/tmvfuj+AqvzSHcbBiYk9YD+LSit8c3jNinOOql62jVKmTu9ilw==
X-Received: by 10.223.165.17 with SMTP id i17mr4685962wrb.62.1487284594997; Thu, 16 Feb 2017 14:36:34 -0800 (PST)
MIME-Version: 1.0
Received: by 10.223.165.154 with HTTP; Thu, 16 Feb 2017 14:36:34 -0800 (PST)
In-Reply-To: <644DA50AFA8C314EA9BDDAC83BD38A2E0DF809F1@SJCEML703-CHM.china.huawei.com>
References: <CABCOCHT6E=_ojQvDp+iSd3roShFn3E1VhAyP0dFcP3Q7SLNWag@mail.gmail.com> <054b01d2888d$7aa8e120$6ffaa360$@ndzh.com> <CABCOCHQ9QfZY09tWWhu9RhdrgJb3nPc40gj4Atq1EewK4wPfxQ@mail.gmail.com> <644DA50AFA8C314EA9BDDAC83BD38A2E0DF809F1@SJCEML703-CHM.china.huawei.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Thu, 16 Feb 2017 14:36:34 -0800
Message-ID: <CABCOCHRB7YnZiMB1mw=MVCFm3P-PVXa62SEyJvZZ1GfmwoDx+w@mail.gmail.com>
To: Alexander Clemm <alexander.clemm@huawei.com>
Content-Type: multipart/alternative; boundary="f403045f1fb0f72e860548ad6d33"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2rs/TkJ42Vfjms0uh-gIiancTQRquNM>
Cc: "i2rs@ietf.org" <i2rs@ietf.org>, Susan Hares <shares@ndzh.com>
Subject: Re: [i2rs] topo model use of NACM
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2017 22:36:40 -0000

On Thu, Feb 16, 2017 at 2:18 PM, Alexander Clemm <alexander.clemm@huawei.com
> wrote:

> There are actually a number of interesting implications with regards to
> NACM.  NACM could indeed be a key to the solution if it provides sufficient
> flexibility with regards to articulating and enforcing authorization
> rules.  Regarding this, I have a number of questions/comments:
>
>
>
> -          If a subtree contains objects that a client does not have
> write privileges for, will the client be prevented from locking the
> subtree? How about the case when the client does not even have read
> privileges?
>

locking and NACM are 2 different things.
NETCONF has datastore (global) locks and subtree (partial) locks.
There is no mechanism in NACM or elsewhere that constrains the values
that a particular client can use. (NACM controls access to the rpc, with no
control over specific input paramters).



>
> The current NACM-bis draft states in section 3.7.2 that this is not the
> case – i.e. a client is able to lock an entire subtree, even in cases when
> there is not a single object in that subtree that the client actually has
> access privileges to.
>
>
>
> To me, this does not seem right.  It just invites abuse.
>
>
>
> Now, there is still the possibility to restrict access to the operation
> overall.  But again, this means that you have to give a users an
> all-or-nothing choice.  Too inflexible.  By the same token that partial
> locks were supported to avoid requiring anyone who needs the ability to
> conduct a transaction to lock down the entire server, there should be the
> ability to restrict access to the lock and partial-lock operation by
> targeted subtree.  However, this capability is currently missing.
>


NACM was designed to be simple to implement.
Some complex features that were in VACM were intentionally left out of NACM.
NETCONF locking is also intentionally simple.

I would rather have NETCONF 2.0 use a mandatory implicit, optimistic
concurrent
locking model, rather than more band-aids on the optional explicit,
pessimistic
serialized locking model we have now.



>
> -          Where can NACM rules originate from?   The current model seems
> to assume that rules will always be explicitly configured from an external
> client and constitute part of configuration. Now, what about the case when
> rules are to be enforced automatically by the server?   I think NACM should
> allow for that, and having a mix of both.  (The server-provided topologies
> are one potential example where this would be very useful.  In fact, if
> this capability were supported, I don’t think we would be having the
> server-provided discussion in the topology context – NACM would be all we
> need.  However, there are other use cases for this.  Think e.g. an
> intrusion protection component on the server, that you would not want to
> override by an external user administration client application that you
> would still want to allow as well.  Or cases when some authorizations get
> signaled, e.g. in the case of autonomic peer-to-peer type of applications.)
>
>
I don't think any YANG configuration module precludes server-created
entries.
The configuration is created somehow.  The YANG module discusses the data
model
instances without saying how they got there.



>
>
> --- Alex
>


Andy


>
>
> *From:* i2rs [mailto:i2rs-bounces@ietf.org] *On Behalf Of *Andy Bierman
> *Sent:* Thursday, February 16, 2017 12:49 PM
> *To:* Susan Hares <shares@ndzh.com>
> *Cc:* i2rs@ietf.org
> *Subject:* Re: [i2rs] topo model use of NACM
>
>
>
> Hi,
>
>
>
> I am most concerned about getting the architecture right.
>
> We have ignored server-created nodes until now.
>
> I am glad I2RS WG is trying to deal with the problem.
>
> Just make sure we have a reusable solution.
>
>
>
> Also concerned about tool automation.
>
> There was some discussion of a 'server-created' extension at some point I
> think.
>
> This would help, because the server-created leaf is not really
> deterministic.
>
> It is just a convention.
>
>
>
> e.g.
>
>
>
>
>
>   container networks {
>
>      list network {
>
>          i2rs:server-created;
>
>          ...
>
>          leaf server-created { ... }
>
>          ...
>
>      }
>
>   }
>
>
>
>
>
> Andy
>
>
>
>
>
> On Thu, Feb 16, 2017 at 11:47 AM, Susan Hares <shares@ndzh.com> wrote:
>
> Andy:
>
> <chair hat off, individual contributor hat on>
>
>
>
> AFAIK – I believe the revised data store model is right approach.   It is
> an important question to ask whether the ability to have a mixture of
> “server-provided” and “configured” is important for all topology models.  I
> hope Xufeng and other topology models will comment on this point.
>
>
>
>
>
> Does the NETCONF data store in the revised data-store future include the
> control plane data stores? I thought the answer was “no” it does not.
>  Here’s some text from draft-ietf-netconf-rfc6536bis that leads me to
> believe that
>
>
>
> On NACM, draft-ietf-netconf-rfc6536bis it says:
>
>
>
>    It is necessary to control access to specific nodes and subtrees
>
>    within the NETCONF datastore, regardless of which protocol operation,
>
>    standard or proprietary, was used to access the datastore.
>
>
> 3.2
> <https://tools.ietf.org/html/draft-ietf-netconf-rfc6536bis-00#section-3.2>.
> Datastore Access
>
>    The same access control rules apply to all datastores, for example,
>
>    the candidate configuration datastore or the running configuration
>
>    datastore.
>
>
>
>    Only the standard NETCONF datastores (candidate, running, and
>
>    startup) are controlled by NACM.  Local or remote files or datastores
>
>    accessed via the <url> parameter are not controlled by NACM.  A
>
>    standalone RESTCONF server (i.e., not co-located with a NETCONF
>
>    server) applies NACM rules to a conceptual datastore, since
>
>    datastores are not supported in RESTCONF.
>
>
>
>
>
> ===========
>
>
>
> The I2RS security environment actually looks at 3 policies on the server
>
>
>
> Network Access ß-à server ß-à routing-system access
>
>               (aka I2RS agent)
>
>                     |ßà System access
>
>
>
> It also looks at application access to the client
>
>
>
>   Network accessßà client ßà application-access
>
>
>
>
>
> The protocol only needs to consider the NACM Access, but the routing
> infrastructure need to consider the server to/from routing system, and
> server to/from system.  My understanding is that the Routing system access
> control module (RACM) and the system access control module (SACM) functions
> were not in NACM.
>
>
>
> Thanks again for posting,
>
>
>
> Sue
>
>
>
> *From:* i2rs [mailto:i2rs-bounces@ietf.org] *On Behalf Of *Andy Bierman
> *Sent:* Thursday, February 16, 2017 2:00 PM
> *To:* i2rs@ietf.org
> *Subject:* [i2rs] topo model use of NACM
>
>
>
> Hi,
>
>
>
> The use of NACM for server-provided data is under-specified (at best)
>
>
>
>
>
> from sec. 4.1:
>
>
>
>    Finally, there is an object "server-provided".  This object is state
>
>    that indicates how the network came into being.  Network data can
>
>    come into being in one of two ways.  In one way, network data is
>
>    configured by client applications, for example in case of overlay
>
>    networks that are configured by an SDN Controller application.  In
>
>    annother way, it is populated by the server, in case of networks that
>
>    can be discovered.
>
>
>
>    If server-provided is set to false, the network was configured by a
>
>    client application, for example in the case of an overlay network
>
>    that is configured by a controller application.  If server-provided
>
>    is set to true, the network was populated by the server itself,
>
>    respectively an application on the server that is able to discover
>
>    the network.  *Client applications SHOULD NOT modify configurations of*
>
> *   networks for which "server-provided" is true.*  When they do, they
>
>    need to be aware that any modifications they make are subject to be
>
>    reverted by the server.  For servers that support NACM (Netconf
>
>    Access Control Model), *data node rules should ideally prevent* write
>
>    access by other clients to network instances for which server-
>
>    provided is set to true.
>
>
>
> The SHOULD NOT above is really odd, considering is not supported by YANG
>
> or the NC/RC protocols.
>
>
>
> "data node rules should ideally prevent"
>
>
>
> s/should/SHOULD/
>
>
>
> Ideally prevent?
>
> Is that a new engineering term?
>
> Either this new usage of NACM works or it doesn't.
>
>
>
> Also, there is no guidance or examples of the NACM config that the
>
> server is supposed to magically create for server-provided topology data.
>
> There is nothing in NACM at all about server-created data rules.
>
> This is not supported by NACM.
>
>
>
> Does the I2RS text imply that the server-provided property extends
>
> to the NACM sub-trees? They are also subject to replacement by the server?
>
> The client SHOULD NOT change these NACM rules?
>
>
>
> IMO the way this server-provided property is being done is a short-sighted
>
> point solution, but this should be a fundamental part of the revised
> datastores work.
>
> Is there something special about network topology such that
>
> server-provided data for a different module will require a different
>
> solution? If not, is the topo module solution reusable?
>
>
>
>
>
> Andy
>
>
>
>
>
>
>
>
>
> _______________________________________________
> i2rs mailing list
> i2rs@ietf.org
> https://www.ietf.org/mailman/listinfo/i2rs
>
>

v2.23.0 | Report a Bug | By Email