IETF Logo Mail Archive

Re: [netconf] Identity of an OAM user behind ONAP or NMS

Kent Watsen <kent@watsen.net> Wed, 06 May 2020 15:38 UTC

Return-Path: <01000171eaa35a8f-47fb4c11-764e-4412-a8b3-d6d0a71a3a29-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F07043A0AD1 for <netconf@ietfa.amsl.com>; Wed, 6 May 2020 08:38:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V7wk4PPLOqZZ for <netconf@ietfa.amsl.com>; Wed, 6 May 2020 08:38:28 -0700 (PDT)
Received: from a8-33.smtp-out.amazonses.com (a8-33.smtp-out.amazonses.com [54.240.8.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B32A63A0B3B for <netconf@ietf.org>; Wed, 6 May 2020 08:38:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1588779506; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=YizOq5p44F1PYZhfNWrz8wjrzDseSxdMniqnXG29/9E=; b=ZbA0USXQSj1s3R/ek0x03hrusY/zmtIXqLgSQFjWjzasChnkLw/QVFHjhflRTPjN ABjOeZJNEX33ctYa0TgsL7GVW2b5jxscziw2Rk3uHWlcLA0PdLN+GYYFFYSdNc3anzm 177AVNW+7cNcuGYfjO8BbWHOo1GIuL8L1l+99ouY=
From: Kent Watsen <kent@watsen.net>
Message-ID: <01000171eaa35a8f-47fb4c11-764e-4412-a8b3-d6d0a71a3a29-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E3DE9EFA-7CD2-4BE5-AF30-D9DE4FEB8650"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 06 May 2020 15:38:26 +0000
In-Reply-To: <AM0PR07MB4004B4911D306097DE2426FBF0A40@AM0PR07MB4004.eurprd07.prod.outlook.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>
To: Balázs Lengyel <balazs.lengyel=40ericsson.com@dmarc.ietf.org>
References: <AM0PR07MB4004B4911D306097DE2426FBF0A40@AM0PR07MB4004.eurprd07.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2020.05.06-54.240.8.33
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/3FJ2-fKNIHJ-WjwBsHBd1QMEPOg>
Subject: Re: [netconf] Identity of an OAM user behind ONAP or NMS
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2020 15:38:30 -0000

Hi Balazs,

> We have systems where the Netconf client is actually a bigger management system like ONAP or a Network Management system (NMS). These systems have their own user management and access control with potentially many dozens of OAM users that can handle thousands of nodes. We do not want create and maintain these dozens of users in thousands of nodes. The idea is to have a single NMS user that has superuser rights and leave the access control to the NMS.

This is what I’ve seen mostly: assuming NMS is the master, all AAA happens there.


> However, this presents a problem: The Netconf server does not have the effective user identity who ordered the action in NMS.

At first I thought you were going to say this is an issue because the server can’t implement access control, but it seems it’s more to do with attributing the userid in the audit trail logs...


> Still it would be good to include this effective userId in the audit trail logs on the Netconf server.

Assuming the only goal is to correlate the server-generated audit logs, techniques I’ve seen used include:

1) temporal correlation:  i.e., assume the audit logs generated by a server in some window of time immediately after a configuration update are related to that update event, and hence attributed to the NMS user.  PROs: no device modification required.  CONs: assumes non-overlapping and somewhat infrequent updates.

2) opaque correlation: if the device supports either a) accepting an opaque value in the request or b) generating an UID that it  returns in the RPC-reply that, in other case, it outputs in downstream audit logs.  This value can be used by the NMS to correlate audit-logs to the NMS-update, from which the NMS-user can be determined.  PROs: deterministic.  CONs: requires device support.

3) use remote-auth protocols, mentioned by Jan Lindblad.   PROs: also supports out-of-band updates.  CONs: requires greater network infrastructure access from all the servers.


> IS there some standard way to send such a second effective-user-id to the Netconf server? Would there be interest for defining such a mechanism?

If solely interested in audit-logs generated when <intended> is updated, then it is effectively always a synchronous update. But from the opstate-reqs days, it would be good to know when an update is *applied* (see requirement 2B in draft-ietf-netmod-opstate-reqs-04 <https://tools.ietf.org/html/draft-ietf-netmod-opstate-reqs-04>).  Of course, this consideration is additionally complex in cases, e.g., when a line-card is plugged in.

Nonetheless, for cases where the device knows that the RPC will be processed asynchronously, it might be good to return in the RPC-reply a handle (UID) that can be used in subsequent requests and/or returned in audit-logs for offline correlation.  An I-D along these lines might be generally useful.


Kent // contributor

v2.23.0 | Report a Bug | By Email