Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
Mahesh Jethanandani <mjethanandani@gmail.com> Tue, 23 May 2017 19:42 UTC
Return-Path: <mjethanandani@gmail.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A920212EAED for <netconf@ietfa.amsl.com>; Tue, 23 May 2017 12:42:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5t5fkDRi7R-l for <netconf@ietfa.amsl.com>; Tue, 23 May 2017 12:42:10 -0700 (PDT)
Received: from mail-oi0-x22a.google.com (mail-oi0-x22a.google.com [IPv6:2607:f8b0:4003:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFC1A12EAF2 for <netconf@ietf.org>; Tue, 23 May 2017 12:42:00 -0700 (PDT)
Received: by mail-oi0-x22a.google.com with SMTP id b204so215395611oii.1 for <netconf@ietf.org>; Tue, 23 May 2017 12:42:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FzDar1Urli+4e51jyDp4SpnJ17Oo6CSS2HEpYh3J5tI=; b=hcXfllXQUUNE6Bt9WhcQIy6z+BBtLgb8nt5ozYXM+zGg0wMYUeVD8MdBXVxBevHdBa U4P5q55Sk3d/tnaHEuI9yBKwDARdfwv2hddnq2YLJVxjvLMphszGPR3W08SG7AU9AB11 B24shkq6fyOvbZeiIbbEuXEk3oAty5hyp8cAp47qjp/UUXmQvM2pQAZSyQBU2inzOnBQ oJ6HJiOtt3MC1lgek+3/A3SVjk4VfWeJY9bksxJdOsV2HGwVftjed0w5gnkhSqKRZgrQ xEt6oq+BI6ARq1XNZDe0jM5+wrNgeK6YnoLaUap0hqkeaG9BstqQMMCgWXvtt6QR7a2J MADA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FzDar1Urli+4e51jyDp4SpnJ17Oo6CSS2HEpYh3J5tI=; b=PyId8NqRbxjOvnQkJPlj8K7pQaQMruYbM4oGur7HLeaS8zPtcWSUeXJB3ZguwIw7p3 MVwuui9FjReQA3H8PBChkLEdNb18vA5orgcyOylwibzPg5NrWC0xq5pUOAN/9AfGofnB RgFRDOkYakDQjbXXfl0iso95fcosL7kWRMZaJnqHddt5cmTAL1VswMfdTHV7UZSQ1CWl 62mF/XGLlbOKCOxSaXnmpcy1iUd7+u5e8V6g48joO0DN2Nqn7ePcKxXrziGDo3f5zYU3 4lWSm0t7yqUMYTAltzavaozvhd/3DNKi12PhT4d2aOGehROHZmz4+wuII0PmMX4ZTscj jtWg==
X-Gm-Message-State: AODbwcBiho0XwvHMVH+2Sw6Zz7OIdGf6qGVQETL5o+YAzUTeRrB01Npa 4NM/L61SDPCijw==
X-Received: by 10.157.21.39 with SMTP id u36mr2389567otf.187.1495568520088; Tue, 23 May 2017 12:42:00 -0700 (PDT)
Received: from ?IPv6:2001:420:30d:1320:4da2:f54:c85e:a54? ([2001:420:30d:1320:4da2:f54:c85e:a54]) by smtp.gmail.com with ESMTPSA id j60sm704373otc.50.2017.05.23.12.41.58 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 23 May 2017 12:41:59 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Mahesh Jethanandani <mjethanandani@gmail.com>
In-Reply-To: <20170523.091519.1988324449434279102.mbj@tail-f.com>
Date: Tue, 23 May 2017 12:41:58 -0700
Cc: Andy Bierman <andy@yumaworks.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, netconf@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <D13AF5F3-1AE1-4A43-866F-10984114BF2C@gmail.com>
References: <CABCOCHRBXbCfW+=-FsoHS7nUmn8qJ=Rv9vsEf89dSs3273NGbQ@mail.gmail.com> <22F66A24-12AB-4447-AC9A-9D8F9B0BB726@gmail.com> <CABCOCHSGa23SR_soKBurzPWOckf0eE_jp=jRkpoCSXczq_2xSg@mail.gmail.com> <20170523.091519.1988324449434279102.mbj@tail-f.com>
To: Martin Bjorklund <mbj@tail-f.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/O1Unw26BFDhJcXfH6bGdxI6YEUw>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 19:42:13 -0000
> On May 23, 2017, at 12:15 AM, Martin Bjorklund <mbj@tail-f.com> wrote: > > Andy Bierman <andy@yumaworks.com> wrote: >> Hi, >> >> The update is on github. >> http://github.com/netconf-wg/rfc6536bis >> >> I would like Martin to look it over before it is posted. > > Done, and the new text looks good. I moved the new subsection to be > the first in 3.2, and I also fixed some minor terminology issues. > > But, I wonder if we shouldn't make the document even less NETCONF > specific, and align the terminology to revised-datastores. For > example, currently the document talks about access to "NETCONF > datastores". With the new less protocol-specific terminology this > would simply be "datastore”. I would prefer this. > > Also, we currently have this: > > A standalone RESTCONF server (i.e., not co-located with a NETCONF > server) applies NACM rules to a conceptual datastore, since > datastores are not supported in RESTCONF. > > I don't think this is quite correct. Even in a stand-alone RESTCONF > server there is an underlying conceptual datastore, for which NACM can > be used to control access. > > > > /martin > > >> >> >> Andy >> >> >> On Sun, May 21, 2017 at 10:25 PM, Mahesh Jethanandani < >> mjethanandani@gmail.com> wrote: >> >>> Andy, >>> >>> On May 16, 2017, at 2:32 PM, Andy Bierman <andy@yumaworks.com> wrote: >>> >>> >>> >>> On Tue, May 16, 2017 at 2:02 PM, Mahesh Jethanandani < >>> mjethanandani@gmail.com> wrote: >>> >>>> Having reviewed all the e-mails, I believe that there are few issues that >>>> need to be resolved before we send the draft for publication. We need to >>>> agree on the language, even if we do have the exact text in the draft. >>>> >>>> To begin with, do the authors have a response to the suggestions from >>>> Juergen prompted by the question from Alex? Are we leaving the NACM >>>> definition of any future datastores to the datastore draft, or are we >>>> saying NACM applies to all datastores? >>>> >>>> >>> No. IMO the text should say NACM applies to NETCONF and RESTCONF >>> with the existing datastores. >>> >>> NACM MAY be applied to other datastores that have similar operation sets. >>> Any new datastore specification needs to define how it maps to the NACM >>> CRUDX >>> model. The datastore does not need to use NACM (e.g., datastore defines >>> something else >>> or does not use access control). >>> >>> >>> Can you update the draft with this text. >>> >>> >>> >>> To the point that Andy raised earlier, we need to have texts around >>>> datastores that provide more than CRUDX capabilities, including any >>>> protocol operations, e.g. priority, as something that is out of scope of >>>> this document. >>>> >>>> >>> This would be outside the scope of NACM. >>> This is part of the RPC input validation. >>> >>> >>> And clarify that operations outside of CRUDX are outside the scope of >>> NACM. We can them move the document towards publication. >>> >>> Thanks. >>> >>> >>> >>> >>>> NETCONF WG has moved to redefine its charter beyond NETCONF and RESTCONF. >>>> Therefore there is a real possibility of another protocol being discussed >>>> in the WG. Is there something in the NACM draft that restricts it to >>>> NETCONF/RESTCONF that other protocols cannot adopt? If so, can they be >>>> called out? >>>> >>> >>> If NACM needs to be changed in the future because a new or existing >>> protocol needs new features >>> then the WG will have to deal with it then. >>> >>> >>> >>>> >>>> Thanks. >>>> >>>> >>> Andy >>> >>> >>>>> On May 9, 2017, at 11:46 PM, Juergen Schoenwaelder < >>>> j.schoenwaelder@jacobs-university.de> wrote: >>>>> >>>>> On Tue, May 09, 2017 at 02:50:30PM +0200, Martin Bjorklund wrote: >>>>>> Andy Bierman <andy@yumaworks.com> wrote: >>>>>>> On Thu, May 4, 2017 at 11:21 AM, Alexander Clemm < >>>> alexander.clemm@huawei.com >>>>>>>> wrote: >>>>>>> >>>>>>>> As mentioned in my message, I don’t think specific access control >>>> will be >>>>>>>> needed (I am not aware of specific use cases), but specifically with >>>> the >>>>>>>> revised datastore architecture about to the be introduced, its >>>> impact or >>>>>>>> nonimpact and interrelation with NACM should be discussed. This can >>>> be as >>>>>>>> simple as a small paragraph or subsection “Revised Datastore >>>>>>>> Considerations”. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> there is no text about candidate vs. running vs. startup. >>>>>>> The NACM rules apply to all of them the same. >>>>>>> I could add text that says there is no consideration for specific >>>>>>> datastores. >>>>>> >>>>>> Actually, the document already says: >>>>>> >>>>>> 3.2. Datastore Access >>>>>> >>>>>> The same access control rules apply to all datastores, for example, >>>>>> the candidate configuration datastore or the running configuration >>>>>> datastore. >>>>>> >>>>>> Only the standard NETCONF datastores (candidate, running, and >>>>>> startup) are controlled by NACM. >>>>>> >>>>>> >>>>>> Somehow this needs to be updated when the revised datastore work is >>>>>> done. E.g., I expect read access to intended to follow the same NACM >>>>>> rules. >>>>>> >>>>> >>>>> Yes. NACM likely also applies to the <operational/> datastore (but >>>>> this follows already from the text that talks about 'state data'). >>>>> >>>>> My question, however, was about other future yet to be defined >>>>> 'dynamic' datastores - does NACM make a statement of the form 'once an >>>>> implementation announces NACM, NACM applies to all datastores - no >>>>> exceptions' or do we leave it to the definition of future datastores >>>>> to declare whether NACM applies to it. There may be three possible >>>>> solutions: >>>>> >>>>> a) Once an implementation supports NACM, NACM applies to all >>>>> datastores (including any datastores defined in the future). >>>>> >>>>> b) Once an implementation supports NACM, NACM applies to all >>>>> conventional datastores and the operational state datastore. Other >>>>> datastores must define whether NACM applies to them. >>>>> >>>>> (This means, whenever a new datastore is introduced, the question >>>>> whether NACM applies has to answered for the new datastore.) >>>>> >>>>> c) Once an implementation supports NACM, NACM applies to all current >>>>> and future datastore unless explicitely stated or signaled that >>>>> NACM does not apply to a certain future datastore. >>>>> >>>>> (This is essentially b) but with a default that NACM applies unless >>>>> things are explicitly regulated to be different.) >>>>> >>>>> I just thought it is worth to take a moment to think about this >>>>> question. >>>>> >>>>> /js >>>>> >>>>> -- >>>>> Juergen Schoenwaelder Jacobs University Bremen gGmbH >>>>> Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany >>>>> Fax: +49 421 200 3103 <http://www.jacobs-university.de/> >>>>> >>>>> _______________________________________________ >>>>> Netconf mailing list >>>>> Netconf@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/netconf >>>> >>>> Mahesh Jethanandani >>>> mjethanandani@gmail.com >>>> >>>> >>>> >>>> >>> >>> Mahesh Jethanandani >>> mjethanandani@gmail.com >>> >>> Mahesh Jethanandani mjethanandani@gmail.com
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- [Netconf] WG LC for draft-ietf-netconf-rfc6536bis Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Juergen Schoenwaelder
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Juergen Schoenwaelder
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Juergen Schoenwaelder
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… t.petch
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund