Re: [netconf] Identity of an OAM user behind ONAP or NMS

Jan Lindblad <janl@tail-f.com> Wed, 06 May 2020 10:12 UTC

From: Jan Lindblad <janl@tail-f.com>
Message-Id: <D8097E94-15DA-4C23-A050-C187044E8B04@tail-f.com>
Date: Wed, 06 May 2020 12:12:15 +0200
In-Reply-To: <AM0PR07MB4004B4911D306097DE2426FBF0A40@AM0PR07MB4004.eurprd07.prod.outlook.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>
To: Balázs Lengyel <balazs.lengyel=40ericsson.com@dmarc.ietf.org>
References: <AM0PR07MB4004B4911D306097DE2426FBF0A40@AM0PR07MB4004.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/4wGKoSrVSNashOsd5TvdR1k9R70>
Subject: Re: [netconf] Identity of an OAM user behind ONAP or NMS
List-Id: NETCONF WG list <netconf.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>

Balázs,

> Hello,
> We have systems where the Netconf client is actually a bigger management system like ONAP or a Network Management System (NMS). These systems have their own user management and access control with potentially many dozens of OAM users that can handle thousands of nodes. We do not want to create and maintain these dozens of users in thousands of nodes. The idea is to have a single NMS user that has superuser rights and leave the access control to the NMS.
> However, this presents a problem: the Netconf server does not have the effective user identity of who ordered the action in the NMS. Still, it would be good to include this effective userId in the audit trail logs on the Netconf server.
>  
> Is there some standard way to send such a second effective-user-id to the Netconf server? Would there be interest in defining such a mechanism?

This is one of the areas where operators' choices vary greatly, in my experience. The most common basic approach, as far as I have seen, is to actually use the real user id towards devices, if nothing else for auditing purposes. In order not to have to store user credentials on thousands of nodes, which as you say would be a problem, remote authentication protocols like RADIUS, LDAP or TACACS+ are configured on the nodes.

Best Regards,
/jan
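
As an added illustration of the approach described in the reply above (this is editorial example material, not part of the original thread or any vendor's configuration), here is a NETCONF <edit-config> that configures a node to authenticate password logins against a RADIUS server using the standard ietf-system YANG module (RFC 7317). With this in place the NMS can open each NETCONF session as the real operator (the SSH username is the identity the server logs and the identity NACM acts on), while the per-user credentials live in the AAA backend rather than on every node. The server name "aaa-primary", the address 192.0.2.10 and the shared secret are constructed placeholders; the node must advertise the module's "radius" and "authentication" features. LDAP and TACACS+ are not modelled in ietf-system, so they need vendor-specific modules.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example edit-config, constructed for illustration (RFC 7317 ietf-system). -->
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <system xmlns="urn:ietf:params:xml:ns:yang:ietf-system">
        <radius>
          <!-- One RADIUS server; add further <server> entries for redundancy.
               Placeholder name/address/secret: replace with real values. -->
          <server>
            <name>aaa-primary</name>
            <udp>
              <address>192.0.2.10</address>
              <authentication-port>1812</authentication-port>
              <!-- nacm:default-deny-all in the model: only admins may read this back -->
              <shared-secret>replace-with-a-long-random-secret</shared-secret>
            </udp>
            <authentication-type>radius-pap</authentication-type>
          </server>
          <options>
            <timeout>5</timeout>
            <attempts>2</attempts>
          </options>
        </radius>
        <authentication>
          <!-- Try RADIUS first; fall back to local users only if no server answers,
               so a local break-glass account still works when the AAA backend is down. -->
          <user-authentication-order>radius</user-authentication-order>
          <user-authentication-order>local-users</user-authentication-order>
        </authentication>
      </system>
    </config>
  </edit-config>
</rpc>
```

Two practical caveats: the "user-authentication-order" leaf-list governs password authentication, so SSH public-key logins for local users are unaffected by it; and the local-users fallback is a deliberate trade-off, since a node that only accepts RADIUS becomes unmanageable during an AAA outage, whereas a node with a local fallback carries one more credential to rotate. Once sessions arrive under the real user's name, the NETCONF server's own audit trail and NACM (RFC 8341) see that name directly, which is the property the original question was after.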