Re: [Netconf] FW: David Harrington's Discuss on draft-ietf-netconf-access-control-06: (with DISCUSS and COMMENT)
Martin Bjorklund <mbj@tail-f.com> Sat, 17 December 2011 11:49 UTC
Date: Sat, 17 Dec 2011 12:49:04 +0100
To: j.schoenwaelder@jacobs-university.de
From: Martin Bjorklund <mbj@tail-f.com>
Cc: netconf@ietf.org, netconf-chairs@tools.ietf.org, dbharrington@comcast.net

Hi,

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
> (a) at a coarse grained level whether dynamically learned groups are
>     used at all (global on/off switch)

This was what dbh suggested, and we believe this is a good idea. So
we propose we add this.

Furthermore, Andy suggested that the entire concept of "allow
dynamically learned groups" should be a YANG feature. I.e., optional
to implement.

> (b) at the level of a given transport whether we trust all of the
>     transport's provided dynamic group mappings (this is what DBH
>     suggested I think)

This is what I personally think makes most sense; since it depends on
the transport if you trust it to do the right thing or not. In any
case, this is outside the scope of NACM.

> (c) at the fine grained level of specific user entries whether we
>     accept dynamically learned group entries

Hmm. I was thinking it might be useful to do this on a group basis.
I.e. maybe you don't want the "superuser" group to be added
dynamically.


/martin

> It might be operationally relevant to allow a configuration that
> generally rejects dynamic group mappings (for a given transport)
> except for a white list of users where we trust the transport to do
> the right thing.
>
> /js
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
> _______________________________________________
> Netconf mailing list
> Netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf
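
The three levels discussed in this message, together with the per-group restriction, combined into one decision function that also records which transport-supplied groups were dropped and why. This is an added example, not part of the original message or of the NACM draft; every class, field and function name, and the sample transports, users and groups, are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class DynamicGroupPolicy:
    # All field names are hypothetical; they are not taken from the NACM draft.
    allow_dynamic_groups: bool = True                      # (a) global on/off switch
    trusted_transports: set = field(default_factory=set)   # (b) trust per transport
    trusted_users: dict = field(default_factory=dict)      # (c) transport -> user exceptions
    static_only_groups: set = field(default_factory=set)   # per group, e.g. "superuser"

def resolve_groups(policy, user, transport, configured, learned):
    """Return (effective, rejected): the groups used for access control and
    the transport-supplied groups that were dropped, each with a reason."""
    effective = set(configured)      # locally configured groups always apply
    rejected = {}
    if not policy.allow_dynamic_groups:
        reason = "dynamic groups disabled"
    elif (transport not in policy.trusted_transports
          and user not in policy.trusted_users.get(transport, set())):
        reason = "transport not trusted for this user"
    else:
        reason = None
    for group in learned:
        if group in effective:
            continue                 # already held through configuration
        if reason:
            rejected[group] = reason
        elif group in policy.static_only_groups:
            rejected[group] = "group must be configured locally"
        else:
            effective.add(group)
    return effective, rejected

# Constructed sample policy and sessions, for illustration only.
POLICY = DynamicGroupPolicy(
    trusted_transports={"ssh"},
    trusted_users={"tls": {"alice"}},
    static_only_groups={"superuser"},
)

if __name__ == "__main__":
    for user, transport in [("bob", "ssh"), ("bob", "tls"), ("alice", "tls")]:
        print(user, transport,
              resolve_groups(POLICY, user, transport, {"monitor"}, ["ops", "superuser"]))
```

Returning the rejected mappings alongside the effective set gives an operator something to log when a transport reports a group the policy refuses to honour.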