Re: [netconf] NACM read access for actions

Kent Watsen <kent@watsen.net> Wed, 24 February 2021 23:51 UTC

From: Kent Watsen <kent@watsen.net>
Message-ID: <01000177d6745212-37524245-c74e-4de1-922e-53f80dac68e1-000000@email.amazonses.com>
Date: Wed, 24 Feb 2021 23:51:23 +0000
In-Reply-To: <BYAPR11MB3573D000CDD08B1CA22C907ED0F10@BYAPR11MB3573.namprd11.prod.outlook.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>
To: "Christofer Tornkvist (ctornkvi)" <ctornkvi=40cisco.com@dmarc.ietf.org>
References: <BYAPR11MB3573D000CDD08B1CA22C907ED0F10@BYAPR11MB3573.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/4968Q2ApAeDOxdO60nr0xQd0pTU>
Subject: Re: [netconf] NACM read access for actions

Hi Christofer,

Looking at unread email, I noticed your message didn't receive any responses.

Could someone with familiarity with this NACM question reply?

Thanks,
Kent


> On Dec 4, 2020, at 3:40 AM, Christofer Tornkvist (ctornkvi) <ctornkvi=40cisco.com@dmarc.ietf.org> wrote:
> 
> Hi,
>  
> I read in the NACM RFC 8341 that for actions not to be rejected
> they must have both execute access and also read access
> for all their parent (instance) nodes along the node hierarchy
> up to the top node, described by the path for the action node.
>  
> The read access property, is that equivalent to having NACM rules
> stating read access for all parent (instance) nodes?
>  
> If that is the case, does that not open up the node tree
> structure more than necessary?
>  
>  
> I support the idea of just having to state one NACM rule
> containing read and execute access for the action node itself for it
> to be runnable,
> and also that all the parent (instance) nodes
> would be readable only along the path up to the action node, without
> any additional NACM rules.
> And if there were a read access deny rule on any parent (instance) node,
> the action would be rejected.
>  
>  
> Would appreciate a clarification.
>  
> Below are references to RFC 8341.
>  
> Regards
> /Christofer Tornkvist
>  
>  
> References in RFC 8341 are:
> Ch. 3.1.3 s.3
>    The new "pre-read data node acc. ctl" boxes in the diagram below
>    refer to group read access as it relates to data node ancestors of an
>    action or notification.  As an example, if an action is defined as
>    /interfaces/interface/reset-interface, the group must be authorized
>    to (1) read /interfaces and /interfaces/interface and (2) execute on
>    /interfaces/interface/reset-interface.
>  
> Ch. 3.1.3 p.12 bullet 2
>    o  If the <action> operation defined in [RFC7950] is invoked, then
>       read access is required for all instances in the hierarchy of data
>       nodes that identifies the specific action in the datastore, and
>       execute access is required for the action node.  If the user is
>       not authorized to read all the specified data nodes and execute
>       the action, then the request is rejected with an "access-denied"
>       error.
>  
>  
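The check that the quoted RFC text describes (read access on every ancestor data node instance, plus execute access on the action node itself), as an added example that is not part of the thread and not code from RFC 8341 or any NACM implementation. It models a deliberately reduced NACM: a single ordered rule list, first matching rule wins, a rule's `path` applies to that schema node and its descendants, and the RFC's defaults of read-default "permit" and exec-default "deny". Module-name matching, rule-list ordering across groups and the user-to-group mapping are left out, and the rules, groups and the path /interfaces/interface[name='eth0']/reset-interface are constructed for illustration.

```python
"""Reduced NACM-style evaluator for an <action> request (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    path: str               # schema-node path; modelled as applying to the node and its descendants
    access: frozenset       # any of "read", "create", "update", "delete", "exec"
    action: str             # "permit" or "deny"


@dataclass
class Nacm:
    rules: list                   # ordered; first matching rule wins (simplification of RFC 8341 rule-lists)
    read_default: str = "permit"  # RFC 8341 default value of /nacm/read-default
    exec_default: str = "deny"    # RFC 8341 default value of /nacm/exec-default

    def decide(self, schema_path: str, op: str) -> str:
        for r in self.rules:
            in_subtree = schema_path == r.path or schema_path.startswith(r.path + "/")
            if op in r.access and in_subtree:
                return r.action
        return self.read_default if op == "read" else self.exec_default


_KEY = re.compile(r"\[[^\]]*\]")  # list-key predicates such as [name='eth0']


def schema_path(instance_path: str) -> str:
    """Strip list keys so the instance path can be matched against rule paths."""
    return _KEY.sub("", instance_path)


def ancestors(schema: str) -> list:
    """All proper ancestors of a schema path, top-level node first."""
    parts = schema.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def check_action(nacm: Nacm, instance_path: str) -> tuple:
    """Return (allowed, reason) for an <action> invoked at instance_path.

    Read access is required on every ancestor data node instance and
    execute access on the action node; otherwise "access-denied".
    """
    node = schema_path(instance_path)
    for anc in ancestors(node):
        if nacm.decide(anc, "read") != "permit":
            return False, f"access-denied: no read access on {anc}"
    if nacm.decide(node, "exec") != "permit":
        return False, f"access-denied: no execute access on {node}"
    return True, "permitted"


# Constructed scenarios (hypothetical rules, not from any device config).
ACTION = "/interfaces/interface[name='eth0']/reset-interface"
EXEC_RULE = Rule("/interfaces/interface/reset-interface", frozenset({"exec"}), "permit")

# 1: only an exec permit; with read-default=permit the ancestors are readable anyway.
S1 = Nacm([EXEC_RULE])
# 2: same rule, but read-default=deny: the ancestor read check now fails.
S2 = Nacm([EXEC_RULE], read_default="deny")
# 3: read-default=deny plus an explicit read permit on /interfaces (which also
#    opens the whole /interfaces subtree, the concern raised in the question).
S3 = Nacm([Rule("/interfaces", frozenset({"read"}), "permit"), EXEC_RULE], read_default="deny")
# 4: an explicit read deny on a parent rejects the action despite the exec permit.
S4 = Nacm([Rule("/interfaces/interface", frozenset({"read"}), "deny"), EXEC_RULE])


if __name__ == "__main__":
    for name, nacm in (("S1", S1), ("S2", S2), ("S3", S3), ("S4", S4)):
        print(name, check_action(nacm, ACTION))
```

Scenario 1 is the case where a single execute rule is enough, but only because the RFC's read-default is "permit"; scenario 2 shows that an operator who tightens read-default to "deny" must add read rules on the ancestors, and scenario 3 shows that such a rule is a subtree grant, not a grant limited to the path up to the action.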