Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
Martin Bjorklund <mbj@tail-f.com> Tue, 23 May 2017 19:41 UTC
Return-Path: <mbj@tail-f.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1570812EAD5 for <netconf@ietfa.amsl.com>; Tue, 23 May 2017 12:41:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pvqBAA1Y8t4G for <netconf@ietfa.amsl.com>; Tue, 23 May 2017 12:41:14 -0700 (PDT)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id 4F7EA12EAC4 for <netconf@ietf.org>; Tue, 23 May 2017 12:41:14 -0700 (PDT)
Received: from localhost (h-13-81.a165.priv.bahnhof.se [155.4.13.81]) by mail.tail-f.com (Postfix) with ESMTPSA id BBE581AE0335; Tue, 23 May 2017 21:41:12 +0200 (CEST)
Date: Tue, 23 May 2017 21:41:12 +0200
Message-Id: <20170523.214112.307680055258062474.mbj@tail-f.com>
To: andy@yumaworks.com
Cc: mjethanandani@gmail.com, j.schoenwaelder@jacobs-university.de, netconf@ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <CABCOCHTeTL5g+uv+Q1cE+-_iBJjdu9Dk460JP_-O2+W77sqQZw@mail.gmail.com>
References: <CABCOCHSGa23SR_soKBurzPWOckf0eE_jp=jRkpoCSXczq_2xSg@mail.gmail.com> <20170523.091519.1988324449434279102.mbj@tail-f.com> <CABCOCHTeTL5g+uv+Q1cE+-_iBJjdu9Dk460JP_-O2+W77sqQZw@mail.gmail.com>
X-Mailer: Mew version 6.7 on Emacs 24.5 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/9WdmbZYbwzcqQnArKYAqQKp0wjI>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 19:41:17 -0000
Andy Bierman <andy@yumaworks.com> wrote: > On Tue, May 23, 2017 at 12:15 AM, Martin Bjorklund <mbj@tail-f.com> wrote: > > > Andy Bierman <andy@yumaworks.com> wrote: > > > Hi, > > > > > > The update is on github. > > > http://github.com/netconf-wg/rfc6536bis > > > > > > I would like Martin to look it over before it is posted. > > > > Done, and the new text looks good. I moved the new subsection to be > > the first in 3.2, and I also fixed some minor terminology issues. > > > > > OK > > > > > But, I wonder if we shouldn't make the document even less NETCONF > > specific, and align the terminology to revised-datastores. For > > example, currently the document talks about access to "NETCONF > > datastores". With the new less protocol-specific terminology this > > would simply be "datastore". > > > > > > > I would prefer not to make more changes. > I think it is OK for NETCONF, RESTCONF, and any protocols based on them. > > > > > Also, we currently have this: > > > > A standalone RESTCONF server (i.e., not co-located with a NETCONF > > server) applies NACM rules to a conceptual datastore, since > > datastores are not supported in RESTCONF. > > > > I don't think this is quite correct. Even in a stand-alone RESTCONF > > server there is an underlying conceptual datastore, for which NACM can > > be used to control access. > > > > > > I do not agree there is any RESTCONF requirement to implement datastores, > just the ability to apply NACM to the conceptual configuration datastore. > > The text says there is an underlying conceptual datastore, so what is the > issue? All datastores are conceptual. The problem is that the text is contradictory - it says that RC applies NACM to a datastore, since RC doesn't support datastores. This doesn't make sense. Maybe we can simply remove this sentence. /martin > > > > > > > > > /martin > > > > > > Andy > > > > > > > > > > > > > Andy > > > > > > > > > On Sun, May 21, 2017 at 10:25 PM, Mahesh Jethanandani < > > > mjethanandani@gmail.com> wrote: > > > > > > > Andy, > > > > > > > > On May 16, 2017, at 2:32 PM, Andy Bierman <andy@yumaworks.com> wrote: > > > > > > > > > > > > > > > > On Tue, May 16, 2017 at 2:02 PM, Mahesh Jethanandani < > > > > mjethanandani@gmail.com> wrote: > > > > > > > >> Having reviewed all the e-mails, I believe that there are few issues > > that > > > >> need to be resolved before we send the draft for publication. We need > > to > > > >> agree on the language, even if we do have the exact text in the draft. > > > >> > > > >> To begin with, do the authors have a response to the suggestions from > > > >> Juergen prompted by the question from Alex? Are we leaving the NACM > > > >> definition of any future datastores to the datastore draft, or are we > > > >> saying NACM applies to all datastores? > > > >> > > > >> > > > > No. IMO the text should say NACM applies to NETCONF and RESTCONF > > > > with the existing datastores. > > > > > > > > NACM MAY be applied to other datastores that have similar operation > > sets. > > > > Any new datastore specification needs to define how it maps to the NACM > > > > CRUDX > > > > model. The datastore does not need to use NACM (e.g., datastore > > defines > > > > something else > > > > or does not use access control). > > > > > > > > > > > > Can you update the draft with this text. > > > > > > > > > > > > > > > > To the point that Andy raised earlier, we need to have texts around > > > >> datastores that provide more than CRUDX capabilities, including any > > > >> protocol operations, e.g. priority, as something that is out of scope > > of > > > >> this document. > > > >> > > > >> > > > > This would be outside the scope of NACM. > > > > This is part of the RPC input validation. > > > > > > > > > > > > And clarify that operations outside of CRUDX are outside the scope of > > > > NACM. We can them move the document towards publication. > > > > > > > > Thanks. > > > > > > > > > > > > > > > > > > > >> NETCONF WG has moved to redefine its charter beyond NETCONF and > > RESTCONF. > > > >> Therefore there is a real possibility of another protocol being > > discussed > > > >> in the WG. Is there something in the NACM draft that restricts it to > > > >> NETCONF/RESTCONF that other protocols cannot adopt? If so, can they be > > > >> called out? > > > >> > > > > > > > > If NACM needs to be changed in the future because a new or existing > > > > protocol needs new features > > > > then the WG will have to deal with it then. > > > > > > > > > > > > > > > >> > > > >> Thanks. > > > >> > > > >> > > > > Andy > > > > > > > > > > > >> > On May 9, 2017, at 11:46 PM, Juergen Schoenwaelder < > > > >> j.schoenwaelder@jacobs-university.de> wrote: > > > >> > > > > >> > On Tue, May 09, 2017 at 02:50:30PM +0200, Martin Bjorklund wrote: > > > >> >> Andy Bierman <andy@yumaworks.com> wrote: > > > >> >>> On Thu, May 4, 2017 at 11:21 AM, Alexander Clemm < > > > >> alexander.clemm@huawei.com > > > >> >>>> wrote: > > > >> >>> > > > >> >>>> As mentioned in my message, I don’t think specific access control > > > >> will be > > > >> >>>> needed (I am not aware of specific use cases), but specifically > > with > > > >> the > > > >> >>>> revised datastore architecture about to the be introduced, its > > > >> impact or > > > >> >>>> nonimpact and interrelation with NACM should be discussed. This > > can > > > >> be as > > > >> >>>> simple as a small paragraph or subsection “Revised Datastore > > > >> >>>> Considerations”. > > > >> >>>> > > > >> >>>> > > > >> >>>> > > > >> >>> > > > >> >>> there is no text about candidate vs. running vs. startup. > > > >> >>> The NACM rules apply to all of them the same. > > > >> >>> I could add text that says there is no consideration for specific > > > >> >>> datastores. > > > >> >> > > > >> >> Actually, the document already says: > > > >> >> > > > >> >> 3.2. Datastore Access > > > >> >> > > > >> >> The same access control rules apply to all datastores, for > > example, > > > >> >> the candidate configuration datastore or the running > > configuration > > > >> >> datastore. > > > >> >> > > > >> >> Only the standard NETCONF datastores (candidate, running, and > > > >> >> startup) are controlled by NACM. > > > >> >> > > > >> >> > > > >> >> Somehow this needs to be updated when the revised datastore work is > > > >> >> done. E.g., I expect read access to intended to follow the same > > NACM > > > >> >> rules. > > > >> >> > > > >> > > > > >> > Yes. NACM likely also applies to the <operational/> datastore (but > > > >> > this follows already from the text that talks about 'state data'). > > > >> > > > > >> > My question, however, was about other future yet to be defined > > > >> > 'dynamic' datastores - does NACM make a statement of the form 'once > > an > > > >> > implementation announces NACM, NACM applies to all datastores - no > > > >> > exceptions' or do we leave it to the definition of future datastores > > > >> > to declare whether NACM applies to it. There may be three possible > > > >> > solutions: > > > >> > > > > >> > a) Once an implementation supports NACM, NACM applies to all > > > >> > datastores (including any datastores defined in the future). > > > >> > > > > >> > b) Once an implementation supports NACM, NACM applies to all > > > >> > conventional datastores and the operational state datastore. > > Other > > > >> > datastores must define whether NACM applies to them. > > > >> > > > > >> > (This means, whenever a new datastore is introduced, the question > > > >> > whether NACM applies has to answered for the new datastore.) > > > >> > > > > >> > c) Once an implementation supports NACM, NACM applies to all current > > > >> > and future datastore unless explicitely stated or signaled that > > > >> > NACM does not apply to a certain future datastore. > > > >> > > > > >> > (This is essentially b) but with a default that NACM applies > > unless > > > >> > things are explicitly regulated to be different.) > > > >> > > > > >> > I just thought it is worth to take a moment to think about this > > > >> > question. > > > >> > > > > >> > /js > > > >> > > > > >> > -- > > > >> > Juergen Schoenwaelder Jacobs University Bremen gGmbH > > > >> > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | > > Germany > > > >> > Fax: +49 421 200 3103 <http://www.jacobs-university.de/> > > > >> > > > > >> > _______________________________________________ > > > >> > Netconf mailing list > > > >> > Netconf@ietf.org > > > >> > https://www.ietf.org/mailman/listinfo/netconf > > > >> > > > >> Mahesh Jethanandani > > > >> mjethanandani@gmail.com > > > >> > > > >> > > > >> > > > >> > > > > > > > > Mahesh Jethanandani > > > > mjethanandani@gmail.com > > > > > > > > > >
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- [Netconf] WG LC for draft-ietf-netconf-rfc6536bis Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Juergen Schoenwaelder
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Juergen Schoenwaelder
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Juergen Schoenwaelder
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… t.petch
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund