IETF Logo Mail Archive

Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis

Andy Bierman <andy@yumaworks.com> Wed, 24 May 2017 03:25 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D00B41292C5 for <netconf@ietfa.amsl.com>; Tue, 23 May 2017 20:25:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RCP83bvEurQV for <netconf@ietfa.amsl.com>; Tue, 23 May 2017 20:25:28 -0700 (PDT)
Received: from mail-wm0-x229.google.com (mail-wm0-x229.google.com [IPv6:2a00:1450:400c:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A4F9126DED for <netconf@ietf.org>; Tue, 23 May 2017 20:25:27 -0700 (PDT)
Received: by mail-wm0-x229.google.com with SMTP id d127so50457032wmf.0 for <netconf@ietf.org>; Tue, 23 May 2017 20:25:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ASSXMANHWbET2xFwVBGoRqZ0nDoUJNn4yr6frWRTuNw=; b=oyJzNfMEdaqAPRLvfFEPhrafNe+KJXDXSnGac5Uh3Nb7OjMPUUeqMvBE23tXutP8bZ PEbwv0fu00JJCm775S8CdJj4PLgVj1x3iUoDnMKDesfoJY+rIcBMJxR/lEHwEutD8rXA 5gZ1fk73nardRv3hBsXHx2adpimojTZa9h7f5S7T1Kvu8tmBr/nvFnAunJWoEg2JDrvf a9VpeOAa+MQyngu9yhoKOkC0GCsb+T0Ss2shIJJZq9EjkC6RAGhSvkSHstsP59zNH0c5 b8gYVDG4lIj066D6VJ+7Kh12i2lNGbapnZwjZVY6Vl/mUfGrLYja3/iwVJ+YvAsaqgvh sxbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ASSXMANHWbET2xFwVBGoRqZ0nDoUJNn4yr6frWRTuNw=; b=Zu9pAIugJuDIG4vmMFqO81HEuCJhSWp3u5VVkrncZkJWCZGGjpz4lCEuvuZYvWhCDz 3Tsa1hzixtW2T37p59idhGLnyrv4oJBonTh4BdzAwJh9iJifrHm91SwdSFXx6pUMMbn0 MmupeUOwjgyn/PGlsH//jxg7lvdlbStY1/VnW0tayFm+Z3GPhBpm/W+O5JPG0EF9u5Jm N85yrapROkhF/zVfYHU/ehuBTzNIz4WXbm7o/PShyKcPw6qfGYfHaZMiXutnp5SkgI4Q Ld2YLBhSraLbUINg6jg9dslZYF0UBlxw/dtxWWNqeK+cs+pVfMHKlepygzPD2XWBQuPv 0pRg==
X-Gm-Message-State: AODbwcAYfbT14IUOzh/UFz0Ieh3+OLQXm3WnIpmRzWy3VAYFzkW6ul8X m/g3Q86t3N7beB7YZAVKRdCR+HoWkzOy
X-Received: by 10.223.162.150 with SMTP id s22mr20208501wra.88.1495596326051; Tue, 23 May 2017 20:25:26 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.155.2 with HTTP; Tue, 23 May 2017 20:25:24 -0700 (PDT)
In-Reply-To: <D13AF5F3-1AE1-4A43-866F-10984114BF2C@gmail.com>
References: <CABCOCHRBXbCfW+=-FsoHS7nUmn8qJ=Rv9vsEf89dSs3273NGbQ@mail.gmail.com> <22F66A24-12AB-4447-AC9A-9D8F9B0BB726@gmail.com> <CABCOCHSGa23SR_soKBurzPWOckf0eE_jp=jRkpoCSXczq_2xSg@mail.gmail.com> <20170523.091519.1988324449434279102.mbj@tail-f.com> <D13AF5F3-1AE1-4A43-866F-10984114BF2C@gmail.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Tue, 23 May 2017 20:25:24 -0700
Message-ID: <CABCOCHTjLL7bFCVYHwUYEx-gKG=JaiWiftx2wJSce=LjjrbyNQ@mail.gmail.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: Martin Bjorklund <mbj@tail-f.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Netconf <netconf@ietf.org>
Content-Type: multipart/alternative; boundary="f403045ec658bdf5ef05503ca7ab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/9GxF8lHqr61u8VOK1v36tFl-UF4>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2017 03:25:31 -0000

On Tue, May 23, 2017 at 12:41 PM, Mahesh Jethanandani <
mjethanandani@gmail.com> wrote:

>
> > On May 23, 2017, at 12:15 AM, Martin Bjorklund <mbj@tail-f.com> wrote:
> >
> > Andy Bierman <andy@yumaworks.com> wrote:
> >> Hi,
> >>
> >> The update is on github.
> >> http://github.com/netconf-wg/rfc6536bis
> >>
> >> I would like Martin to look it over before it is posted.
> >
> > Done, and the new text looks good.  I moved the new subsection to be
> > the first in 3.2, and I also fixed some minor terminology issues.
> >
> > But, I wonder if we shouldn't make the document even less NETCONF
> > specific, and align the terminology to revised-datastores.  For
> > example, currently the document talks about access to "NETCONF
> > datastores".   With the new less protocol-specific terminology this
> > would simply be "datastore”.
>
> I would prefer this.
>

OK, but the operations are somewhat NETCONF specific.
We will try to make sure we do not create more inconsistencies than we
remove ;-)


Andy


>
> >
> > Also, we currently have this:
> >
> >   A standalone RESTCONF server (i.e., not co-located with a NETCONF
> >   server) applies NACM rules to a conceptual datastore, since
> >   datastores are not supported in RESTCONF.
> >
> > I don't think this is quite correct.  Even in a stand-alone RESTCONF
> > server there is an underlying conceptual datastore, for which NACM can
> > be used to control access.
> >
> >
> >
> > /martin
> >
> >
> >>
> >>
> >> Andy
> >>
> >>
> >> On Sun, May 21, 2017 at 10:25 PM, Mahesh Jethanandani <
> >> mjethanandani@gmail.com> wrote:
> >>
> >>> Andy,
> >>>
> >>> On May 16, 2017, at 2:32 PM, Andy Bierman <andy@yumaworks.com> wrote:
> >>>
> >>>
> >>>
> >>> On Tue, May 16, 2017 at 2:02 PM, Mahesh Jethanandani <
> >>> mjethanandani@gmail.com> wrote:
> >>>
> >>>> Having reviewed all the e-mails, I believe that there are few issues
> that
> >>>> need to be resolved before we send the draft for publication. We need
> to
> >>>> agree on the language, even if we do have the exact text in the draft.
> >>>>
> >>>> To begin with, do the authors have a response to the suggestions from
> >>>> Juergen prompted by the question from Alex? Are we leaving the NACM
> >>>> definition of any future datastores to the datastore draft, or are we
> >>>> saying NACM applies to all datastores?
> >>>>
> >>>>
> >>> No. IMO the text should say NACM applies to NETCONF and RESTCONF
> >>> with the existing datastores.
> >>>
> >>> NACM MAY be applied to other datastores that have similar operation
> sets.
> >>> Any new datastore specification needs to define how it maps to the NACM
> >>> CRUDX
> >>> model.  The datastore does not need to use NACM (e.g., datastore
> defines
> >>> something else
> >>> or does not use access control).
> >>>
> >>>
> >>> Can you update the draft with this text.
> >>>
> >>>
> >>>
> >>> To the point that Andy raised earlier, we need to have texts around
> >>>> datastores that provide more than CRUDX capabilities, including any
> >>>> protocol operations, e.g. priority, as something that is out of scope
> of
> >>>> this document.
> >>>>
> >>>>
> >>> This would be outside the scope of NACM.
> >>> This is part of the RPC input validation.
> >>>
> >>>
> >>> And clarify that operations outside of CRUDX are outside the scope of
> >>> NACM. We can them move the document towards publication.
> >>>
> >>> Thanks.
> >>>
> >>>
> >>>
> >>>
> >>>> NETCONF WG has moved to redefine its charter beyond NETCONF and
> RESTCONF.
> >>>> Therefore there is a real possibility of another protocol being
> discussed
> >>>> in the WG. Is there something in the NACM draft that restricts it to
> >>>> NETCONF/RESTCONF that other protocols cannot adopt? If so, can they be
> >>>> called out?
> >>>>
> >>>
> >>> If NACM needs to be changed in the future because a new or existing
> >>> protocol needs new features
> >>> then the WG will have to deal with it then.
> >>>
> >>>
> >>>
> >>>>
> >>>> Thanks.
> >>>>
> >>>>
> >>> Andy
> >>>
> >>>
> >>>>> On May 9, 2017, at 11:46 PM, Juergen Schoenwaelder <
> >>>> j.schoenwaelder@jacobs-university.de> wrote:
> >>>>>
> >>>>> On Tue, May 09, 2017 at 02:50:30PM +0200, Martin Bjorklund wrote:
> >>>>>> Andy Bierman <andy@yumaworks.com> wrote:
> >>>>>>> On Thu, May 4, 2017 at 11:21 AM, Alexander Clemm <
> >>>> alexander.clemm@huawei.com
> >>>>>>>> wrote:
> >>>>>>>
> >>>>>>>> As mentioned in my message, I don’t think specific access control
> >>>> will be
> >>>>>>>> needed (I am not aware of specific use cases), but specifically
> with
> >>>> the
> >>>>>>>> revised datastore architecture about to the be introduced, its
> >>>> impact or
> >>>>>>>> nonimpact and interrelation with NACM should be discussed.  This
> can
> >>>> be as
> >>>>>>>> simple as a small paragraph or subsection “Revised Datastore
> >>>>>>>> Considerations”.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>> there is no text about candidate vs. running vs. startup.
> >>>>>>> The NACM rules apply to all of them the same.
> >>>>>>> I could add text that says there is no consideration for specific
> >>>>>>> datastores.
> >>>>>>
> >>>>>> Actually, the document already says:
> >>>>>>
> >>>>>> 3.2.  Datastore Access
> >>>>>>
> >>>>>>  The same access control rules apply to all datastores, for example,
> >>>>>>  the candidate configuration datastore or the running configuration
> >>>>>>  datastore.
> >>>>>>
> >>>>>>  Only the standard NETCONF datastores (candidate, running, and
> >>>>>>  startup) are controlled by NACM.
> >>>>>>
> >>>>>>
> >>>>>> Somehow this needs to be updated when the revised datastore work is
> >>>>>> done.  E.g., I expect read access to intended to follow the same
> NACM
> >>>>>> rules.
> >>>>>>
> >>>>>
> >>>>> Yes. NACM likely also applies to the <operational/> datastore (but
> >>>>> this follows already from the text that talks about 'state data').
> >>>>>
> >>>>> My question, however, was about other future yet to be defined
> >>>>> 'dynamic' datastores - does NACM make a statement of the form 'once
> an
> >>>>> implementation announces NACM, NACM applies to all datastores - no
> >>>>> exceptions' or do we leave it to the definition of future datastores
> >>>>> to declare whether NACM applies to it. There may be three possible
> >>>>> solutions:
> >>>>>
> >>>>> a) Once an implementation supports NACM, NACM applies to all
> >>>>>  datastores (including any datastores defined in the future).
> >>>>>
> >>>>> b) Once an implementation supports NACM, NACM applies to all
> >>>>>  conventional datastores and the operational state datastore.  Other
> >>>>>  datastores must define whether NACM applies to them.
> >>>>>
> >>>>>  (This means, whenever a new datastore is introduced, the question
> >>>>>  whether NACM applies has to answered for the new datastore.)
> >>>>>
> >>>>> c) Once an implementation supports NACM, NACM applies to all current
> >>>>>  and future datastore unless explicitely stated or signaled that
> >>>>>  NACM does not apply to a certain future datastore.
> >>>>>
> >>>>>  (This is essentially b) but with a default that NACM applies unless
> >>>>>  things are explicitly regulated to be different.)
> >>>>>
> >>>>> I just thought it is worth to take a moment to think about this
> >>>>> question.
> >>>>>
> >>>>> /js
> >>>>>
> >>>>> --
> >>>>> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> >>>>> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen |
> Germany
> >>>>> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
> >>>>>
> >>>>> _______________________________________________
> >>>>> Netconf mailing list
> >>>>> Netconf@ietf.org
> >>>>> https://www.ietf.org/mailman/listinfo/netconf
> >>>>
> >>>> Mahesh Jethanandani
> >>>> mjethanandani@gmail.com
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>> Mahesh Jethanandani
> >>> mjethanandani@gmail.com
> >>>
> >>>
>
> Mahesh Jethanandani
> mjethanandani@gmail.com
>
>
>
>

v2.23.0 | Report a Bug | By Email