Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
Andy Bierman <andy@yumaworks.com> Tue, 23 May 2017 02:29 UTC
Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BDC21294A1 for <netconf@ietfa.amsl.com>; Mon, 22 May 2017 19:29:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IH4gXvCXXF_p for <netconf@ietfa.amsl.com>; Mon, 22 May 2017 19:29:35 -0700 (PDT)
Received: from mail-wr0-x22c.google.com (mail-wr0-x22c.google.com [IPv6:2a00:1450:400c:c0c::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A06821270B4 for <netconf@ietf.org>; Mon, 22 May 2017 19:29:34 -0700 (PDT)
Received: by mail-wr0-x22c.google.com with SMTP id l50so48239365wrc.3 for <netconf@ietf.org>; Mon, 22 May 2017 19:29:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=nL/AtjT499aFTBB3sPreChGHxrvexFs5FIAh62axP7A=; b=Y8Ef5UU+q1EW212pIur4F8aApnKA4Tzn0J5dQKVgL+93r8/8FUgT9sQdalx2GyNwpH J1BKA8SxZB5pVi07KFzaensKLb673p9vId9tZKdVF3SKx038UeRNs5FaPVJW6Ld59kO8 vukx6DRWgPDrg1koFadVzJ2YL9AdthDW1YBGrFOW/vcpQNVskpUR0oXNpaMmBtHjjcEf CNsuVPD0MPiyKppFDhPKIPf784j4WecjLC5UWIrB9PbzE63T7OpmBHdr0V6PQpkr52eJ RO6uw0iMmbue9xsMRDH3IcWgxO5sQI2oZKgFtRxKj9GohcnKiUGZJRL2qmtu8LIEVH0O pQMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=nL/AtjT499aFTBB3sPreChGHxrvexFs5FIAh62axP7A=; b=tVbkKSS97YGc+Ek0HFGLewGX8MGIPHoMb16H05TSrNAMN2JYPKHK1ToFH4bnjwXskf vNkJkb5NatBKI8aUrTW/l++2t+tiG7FdPdymSGbqYxNMH8fpPv0g9JDM4TogHf9rts1r Z/cpPaI9vmWq18ZQIluCGtaV29sye12mXjXcARMiehQzl3qbX22DLvQGswkEpyyHlFqH b/3zfBJG/2sxo6iAHp6jGeoFXxgL5Tj2pN/BcMy3RfExApHOwhNnwniIdyK/O5oXAuRK gw70DbyKreCpG8EvNaHci7PH394I1G+d8HeoIbupEzrPe4Dr/klSzbdwE6FEE97jQmOk cujg==
X-Gm-Message-State: AODbwcCqQ1nA0we2WH196Qt4wpDl7+h8pZzhfc8jkZU5p9WqjLQiWJ+q VnWDsEx1UKGPDcUaHW/K6sgogCSsaAN+
X-Received: by 10.223.161.70 with SMTP id r6mr12896345wrr.65.1495506573169; Mon, 22 May 2017 19:29:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.155.2 with HTTP; Mon, 22 May 2017 19:29:32 -0700 (PDT)
In-Reply-To: <22F66A24-12AB-4447-AC9A-9D8F9B0BB726@gmail.com>
References: <CABCOCHT9fNKHn=qgFsQ0mznByArCpqsAz4m4jjjPE7M243UjeA@mail.gmail.com> <644DA50AFA8C314EA9BDDAC83BD38A2E0DF9584C@SJCEML701-CHM.china.huawei.com> <CABCOCHRgaTpxXJ0nOgbHx4Hbz6FgfTahN3T2OedfC6gnbnAN0A@mail.gmail.com> <20170509.145030.58029732242199759.mbj@tail-f.com> <20170510064608.GA14838@elstar.local> <04623446-36C5-4ABE-81C3-9E6B1F0BC39A@gmail.com> <CABCOCHRBXbCfW+=-FsoHS7nUmn8qJ=Rv9vsEf89dSs3273NGbQ@mail.gmail.com> <22F66A24-12AB-4447-AC9A-9D8F9B0BB726@gmail.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Mon, 22 May 2017 19:29:32 -0700
Message-ID: <CABCOCHSGa23SR_soKBurzPWOckf0eE_jp=jRkpoCSXczq_2xSg@mail.gmail.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: Martin Bjorklund <mbj@tail-f.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Netconf <netconf@ietf.org>
Content-Type: multipart/alternative; boundary="f403045e274a0dbac9055027c225"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Cga_dpZn-7GVft8Q6DLzhjx9Z8s>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 02:29:37 -0000
Hi, The update is on github. http://github.com/netconf-wg/rfc6536bis I would like Martin to look it over before it is posted. Andy On Sun, May 21, 2017 at 10:25 PM, Mahesh Jethanandani < mjethanandani@gmail.com> wrote: > Andy, > > On May 16, 2017, at 2:32 PM, Andy Bierman <andy@yumaworks.com> wrote: > > > > On Tue, May 16, 2017 at 2:02 PM, Mahesh Jethanandani < > mjethanandani@gmail.com> wrote: > >> Having reviewed all the e-mails, I believe that there are few issues that >> need to be resolved before we send the draft for publication. We need to >> agree on the language, even if we do have the exact text in the draft. >> >> To begin with, do the authors have a response to the suggestions from >> Juergen prompted by the question from Alex? Are we leaving the NACM >> definition of any future datastores to the datastore draft, or are we >> saying NACM applies to all datastores? >> >> > No. IMO the text should say NACM applies to NETCONF and RESTCONF > with the existing datastores. > > NACM MAY be applied to other datastores that have similar operation sets. > Any new datastore specification needs to define how it maps to the NACM > CRUDX > model. The datastore does not need to use NACM (e.g., datastore defines > something else > or does not use access control). > > > Can you update the draft with this text. > > > > To the point that Andy raised earlier, we need to have texts around >> datastores that provide more than CRUDX capabilities, including any >> protocol operations, e.g. priority, as something that is out of scope of >> this document. >> >> > This would be outside the scope of NACM. > This is part of the RPC input validation. > > > And clarify that operations outside of CRUDX are outside the scope of > NACM. We can them move the document towards publication. > > Thanks. > > > > >> NETCONF WG has moved to redefine its charter beyond NETCONF and RESTCONF. >> Therefore there is a real possibility of another protocol being discussed >> in the WG. Is there something in the NACM draft that restricts it to >> NETCONF/RESTCONF that other protocols cannot adopt? If so, can they be >> called out? >> > > If NACM needs to be changed in the future because a new or existing > protocol needs new features > then the WG will have to deal with it then. > > > >> >> Thanks. >> >> > Andy > > >> > On May 9, 2017, at 11:46 PM, Juergen Schoenwaelder < >> j.schoenwaelder@jacobs-university.de> wrote: >> > >> > On Tue, May 09, 2017 at 02:50:30PM +0200, Martin Bjorklund wrote: >> >> Andy Bierman <andy@yumaworks.com> wrote: >> >>> On Thu, May 4, 2017 at 11:21 AM, Alexander Clemm < >> alexander.clemm@huawei.com >> >>>> wrote: >> >>> >> >>>> As mentioned in my message, I don’t think specific access control >> will be >> >>>> needed (I am not aware of specific use cases), but specifically with >> the >> >>>> revised datastore architecture about to the be introduced, its >> impact or >> >>>> nonimpact and interrelation with NACM should be discussed. This can >> be as >> >>>> simple as a small paragraph or subsection “Revised Datastore >> >>>> Considerations”. >> >>>> >> >>>> >> >>>> >> >>> >> >>> there is no text about candidate vs. running vs. startup. >> >>> The NACM rules apply to all of them the same. >> >>> I could add text that says there is no consideration for specific >> >>> datastores. >> >> >> >> Actually, the document already says: >> >> >> >> 3.2. Datastore Access >> >> >> >> The same access control rules apply to all datastores, for example, >> >> the candidate configuration datastore or the running configuration >> >> datastore. >> >> >> >> Only the standard NETCONF datastores (candidate, running, and >> >> startup) are controlled by NACM. >> >> >> >> >> >> Somehow this needs to be updated when the revised datastore work is >> >> done. E.g., I expect read access to intended to follow the same NACM >> >> rules. >> >> >> > >> > Yes. NACM likely also applies to the <operational/> datastore (but >> > this follows already from the text that talks about 'state data'). >> > >> > My question, however, was about other future yet to be defined >> > 'dynamic' datastores - does NACM make a statement of the form 'once an >> > implementation announces NACM, NACM applies to all datastores - no >> > exceptions' or do we leave it to the definition of future datastores >> > to declare whether NACM applies to it. There may be three possible >> > solutions: >> > >> > a) Once an implementation supports NACM, NACM applies to all >> > datastores (including any datastores defined in the future). >> > >> > b) Once an implementation supports NACM, NACM applies to all >> > conventional datastores and the operational state datastore. Other >> > datastores must define whether NACM applies to them. >> > >> > (This means, whenever a new datastore is introduced, the question >> > whether NACM applies has to answered for the new datastore.) >> > >> > c) Once an implementation supports NACM, NACM applies to all current >> > and future datastore unless explicitely stated or signaled that >> > NACM does not apply to a certain future datastore. >> > >> > (This is essentially b) but with a default that NACM applies unless >> > things are explicitly regulated to be different.) >> > >> > I just thought it is worth to take a moment to think about this >> > question. >> > >> > /js >> > >> > -- >> > Juergen Schoenwaelder Jacobs University Bremen gGmbH >> > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany >> > Fax: +49 421 200 3103 <http://www.jacobs-university.de/> >> > >> > _______________________________________________ >> > Netconf mailing list >> > Netconf@ietf.org >> > https://www.ietf.org/mailman/listinfo/netconf >> >> Mahesh Jethanandani >> mjethanandani@gmail.com >> >> >> >> > > Mahesh Jethanandani > mjethanandani@gmail.com > >
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- [Netconf] WG LC for draft-ietf-netconf-rfc6536bis Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Juergen Schoenwaelder
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Juergen Schoenwaelder
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Juergen Schoenwaelder
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… t.petch
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund