Re: [netconf] NACM read access for actions
Kent Watsen <kent@watsen.net> Wed, 24 February 2021 23:51 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/4968Q2ApAeDOxdO60nr0xQd0pTU>
Hi Christofer,

Looking at unread email, I noticed your message didn't receive any responses. Could someone with familiarity with this NACM question reply?

Thanks,
Kent

> On Dec 4, 2020, at 3:40 AM, Christofer Tornkvist (ctornkvi) <ctornkvi=40cisco.com@dmarc.ietf.org> wrote:
>
> Hi,
>
> I read in the NACM RFC 8341 that for actions to not be rejected
> they both must have execute access and also read access
> for all its parent (instance) nodes along the node hierarchy
> up to the top node, described by the path for the action node.
>
> The read access property, is that equivalent to having NACM rules
> stating read access for all parent (instance) nodes?
>
> If that is the case, does that not open up the node tree
> structure unnecessarily much?
>
> I support the idea of just having to state one NACM rule
> containing read and execute access for the action node itself for it
> to be able to be run, and also that all the parent (instance) nodes
> will be readable only along the path up to the action node without
> any additional NACM rules.
> And if there is a read access deny rule on any parent (instance) node
> the action will be rejected.
>
> Would appreciate a clarification.
>
> Below are references to RFC 8341.
>
> Regards
> /Christofer Tornkvist
>
> References in RFC 8341 are:
>
> Ch. 3.1.3 s.3
> The new "pre-read data node acc. ctl" boxes in the diagram below
> refer to group read access as it relates to data node ancestors of an
> action or notification. As an example, if an action is defined as
> /interfaces/interface/reset-interface, the group must be authorized
> to (1) read /interfaces and /interfaces/interface and (2) execute on
> /interfaces/interface/reset-interface.
>
> Ch. 3.1.3 p.12 bullet 2
> o If the <action> operation defined in [RFC7950] is invoked, then
> read access is required for all instances in the hierarchy of data
> nodes that identifies the specific action in the datastore, and
> execute access is required for the action node. If the user is
> not authorized to read all the specified data nodes and execute
> the action, then the request is rejected with an "access-denied"
> error.
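The check the quoted RFC text describes, as an added example that is not part of the thread or of any NACM implementation: a minimal evaluator that walks the ancestors of an action path requiring read access on each and exec access on the action node, with constructed rules showing why a lone exec rule is not enough when read-default is deny, and how a read-deny rule on an ancestor rejects the action. Rule-lists, groups and module matching are omitted, and the assumption that a path rule covers the named node and its descendants is marked in the code.

```python
# Added example (not from the thread): minimal model of the RFC 8341 Section
# 3.1.3 rule for <action>: read on every ancestor data node, exec on the
# action node. Groups, rule-lists and module matching are left out; paths
# and rules below are constructed.
from dataclasses import dataclass

@dataclass
class Rule:
    path: str          # data node path the rule applies to
    access: frozenset  # e.g. {"read"}, {"exec"} or {"*"}
    action: str        # "permit" or "deny"

def ancestors(path):
    """Ancestor paths, top-down: /a/b/act -> ['/a', '/a/b']."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

def check(rules, node, op, default):
    """First matching rule wins; a path rule is assumed to cover the named
    node and its descendants (RFC 8341 data node rule matching)."""
    for r in rules:
        covers = node == r.path or node.startswith(r.path + "/")
        if covers and (op in r.access or "*" in r.access):
            return r.action
    return default

def authorize_action(rules, action_path, read_default="permit", exec_default="permit"):
    """(allowed, reason); False maps to the NETCONF 'access-denied' error."""
    for node in ancestors(action_path):
        if check(rules, node, "read", read_default) == "deny":
            return False, f"access-denied: read denied on ancestor {node}"
    if check(rules, action_path, "exec", exec_default) == "deny":
        return False, f"access-denied: exec denied on {action_path}"
    return True, "permitted"

RESET = "/interfaces/interface/reset-interface"
EXEC_RESET = Rule(RESET, frozenset({"exec"}), "permit")

def exec_rule_only(read_default):
    """Only an exec rule on the action node; outcome depends on read-default."""
    return authorize_action([EXEC_RESET], RESET, read_default=read_default)

def exec_rule_with_ancestor_read():
    """Read rule on /interfaces covers /interfaces/interface too."""
    rules = [Rule("/interfaces", frozenset({"read"}), "permit"), EXEC_RESET]
    return authorize_action(rules, RESET, read_default="deny")

def ancestor_read_denied():
    """A read-deny rule on an ancestor rejects the action even with exec permitted."""
    rules = [Rule("/interfaces/interface", frozenset({"read"}), "deny"), EXEC_RESET]
    return authorize_action(rules, RESET)
```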