[Netconf] NACM and "when" statements
Robert Wilton <rwilton@cisco.com> Mon, 20 November 2017 10:28 UTC
Return-Path: <rwilton@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB0A6129527 for <netconf@ietfa.amsl.com>; Mon, 20 Nov 2017 02:28:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rh7QvaJKlOHK for <netconf@ietfa.amsl.com>; Mon, 20 Nov 2017 02:28:31 -0800 (PST)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32E55120046 for <netconf@ietf.org>; Mon, 20 Nov 2017 02:28:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1125; q=dns/txt; s=iport; t=1511173711; x=1512383311; h=to:from:subject:message-id:date:mime-version: content-transfer-encoding; bh=IZhogxJzFzk7u9qgMReAKRuXrmWNkcJRfr9jZv2chro=; b=jOuJkUxPo7W3lGuZirlsAKwSxWmfs5m/124LUDX0Cpxn8RdWeYyIZCZJ Yab+CsCvnX+cPYfKuwJI9zCVgv/faY+Juxo1VDXej45rbjq/nqrVBAL8k nmTVWGlSmbZR1r87EDetA8BHFDyaVfjeQCZPgrqkgWR2gRnP83TJQgcNZ o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BeAgDIrRJa/xbLJq1bGgEBAQEBAgEBAQEIAQEBAYMOggKEJosTkAqXCIIRCoptFwEBAQEBAQEBAWsohUgPAQV2AiYCXwEMCAEBiiGoUYIninQBAQEHAgElgQ+CJYNcgWkpC4sngmMFikyJGo5YlQyMBIdIjj6HdIE6IQI1gXQ0IQgdFYMuhF5BjAYBAQE
X-IronPort-AV: E=Sophos;i="5.44,426,1505779200"; d="scan'208";a="374923"
Received: from aer-iport-nat.cisco.com (HELO aer-core-2.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Nov 2017 10:28:29 +0000
Received: from [10.63.23.168] (dhcp-ensft1-uk-vla370-10-63-23-168.cisco.com [10.63.23.168]) by aer-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id vAKASSiY029839; Mon, 20 Nov 2017 10:28:28 GMT
To: Andy Bierman <andy@yumaworks.com>, Martin Bjorklund <mbj@tail-f.com>, "netconf@ietf.org" <netconf@ietf.org>
From: Robert Wilton <rwilton@cisco.com>
Message-ID: <ba8bb455-d115-7034-9563-d4791bae9ea6@cisco.com>
Date: Mon, 20 Nov 2017 10:28:28 +0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/NO7vI4gpvpJKGU5SfYiPiO8GARE>
Subject: [Netconf] NACM and "when" statements
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Nov 2017 10:28:33 -0000
Hi Andy, Martin,
I've got a question about 'when' statement handling related to NACM.
Due to when statements, it is possible that a client could implicitly
cause a change to a part of the data tree that they have no write access
to because they cause a when condition to evaluate to a different
answer. Am I correct in presuming that this implicit change is allowed?
E.g. in the following example, a user may only have write access to
"baz" but not "bar". If they create "baz" then that may implicitly cause
"bar" to be deleted. Further, even if this implicit delete to "bar" is
allowed, I presume that the equivalent explicit change or creating "baz"
and deleting "bar" would still be rejected because there is no explicit
write access to bar.
container foo {
leaf bar {
when "not(../baz)";
}
leaf baz {
}
}
Should this be mentioned in the NACM draft at all? I'm not convinced
that the draft makes the correct behaviour for handling 'when'
statements obvious.
Similar considerations could also apply when writing to choice statements.
Thanks,
Rob
- [Netconf] NACM and "when" statements Robert Wilton
- Re: [Netconf] NACM and "when" statements Andy Bierman
- Re: [Netconf] NACM and "when" statements Martin Bjorklund
- Re: [Netconf] NACM and "when" statements Robert Wilton