Re: [netconf] NACM read access for actions

Andy Bierman <andy@yumaworks.com> Thu, 25 February 2021 01:34 UTC

References: <BYAPR11MB3573D000CDD08B1CA22C907ED0F10@BYAPR11MB3573.namprd11.prod.outlook.com> <01000177d6745212-37524245-c74e-4de1-922e-53f80dac68e1-000000@email.amazonses.com>
In-Reply-To: <01000177d6745212-37524245-c74e-4de1-922e-53f80dac68e1-000000@email.amazonses.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Wed, 24 Feb 2021 17:34:34 -0800
Message-ID: <CABCOCHSRP=Zi3RxULPM3tFMZyeixS9aTUfYMT9MC+BpSd2gacg@mail.gmail.com>
To: Kent Watsen <kent@watsen.net>
Cc: "Christofer Tornkvist (ctornkvi)" <ctornkvi=40cisco.com@dmarc.ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/VLhLMZeHm0zj4klTpKe8-IAJXhg>
Subject: Re: [netconf] NACM read access for actions

On Wed, Feb 24, 2021 at 3:52 PM Kent Watsen <kent@watsen.net> wrote:

> Hi Christofer,
>
> Looking at unread email, I noticed your message didn't receive any
> responses.
>
> Could someone with familiarity with this NACM-question reply?
>
>
I think the question is whether the read access required for exec access
exposes too much data.

I think the original intent of the text is that read access to the
container or list element is required, not the entire subtree. It could be
argued that read access to the key leafs within a list entry is also
required.


> Thanks,
> Kent

Andy


>
> On Dec 4, 2020, at 3:40 AM, Christofer Tornkvist (ctornkvi) <
> ctornkvi=40cisco.com@dmarc.ietf.org> wrote:
>
> Hi,
>
> I read in the NACM RFC 8341 that for actions not to be rejected
> they must both have execute access and also read access
> for all their parent (instance) nodes along the node hierarchy
> up to the top node, described by the path for the action node.
>
> The read access property, is that equivalent to having NACM rules
> stating read access for all parent (instance) nodes?
>
> If that is the case, doesn't that open up the node tree
> structure unnecessarily much?
>
>
> I support the idea of just having to state one NACM rule
> containing read and execute access for the action node itself for it
> to be able to be run,
> and also that all the parent (instance) nodes
> will be readable only along the path up to the action node without
> any additional NACM rules.
> And if there is a read access deny rule on any parent (instance) node
> the action will be rejected.
>
>
> I would appreciate a clarification.
>
> Below are references to RFC 8341.
>
> Regards
> /Christofer Tornkvist
>
>
> References in RFC 8341 are:
> Ch. 3.1.3 s.3
>    The new "pre-read data node acc. ctl" boxes in the diagram below
>    refer to group read access as it relates to data node ancestors of an
>    action or notification.  As an example, if an action is defined as
>    /interfaces/interface/reset-interface, the group must be authorized
>    to (1) read /interfaces and /interfaces/interface and (2) execute on
>    /interfaces/interface/reset-interface.
>
> Ch. 3.1.3 p.12 bullet 2
>    o  If the <action> operation defined in [RFC7950] is invoked, then
>       read access is required for all instances in the hierarchy of data
>       nodes that identifies the specific action in the datastore, and
>       execute access is required for the action node.  If the user is
>       not authorized to read all the specified data nodes and execute
>       the action, then the request is rejected with an "access-denied"
>       error.
>
>
> _______________________________________________
> netconf mailing list
> netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf
>
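As an added illustration of the check being discussed (this is not code from RFC 8341, from the thread participants, or from any NACM implementation), the Python toy below evaluates the two-part authorization for the /interfaces/interface/reset-interface action used as the RFC's own example: read access on each ancestor data node, exec access on the action node. It assumes schema paths without instance keys, that a data-node rule covers the named node and all of its descendants, first-match-wins rule ordering with read-default/exec-default as fallback, and a made-up leaf named hypothetical-secret standing in for sensitive data under the interface list entry. The optional key-leaf check models the stricter reading Andy mentions.

```python
"""Toy model of the RFC 8341 (NACM) authorization check for a YANG action:
exec access on the action node plus read access on every ancestor data
node along its path.  Constructed illustration, not the RFC's code nor any
NACM implementation.  Assumptions not taken from the RFC text quoted above:
  * rule paths are schema paths without instance keys;
  * a data-node rule matches the named node and all of its descendants;
  * rules are evaluated in order, first match for the requested operation
    wins, otherwise read-default / exec-default applies;
  * the leaf 'hypothetical-secret' is made up for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple

Path = Tuple[str, ...]


def parse_path(p: str) -> Path:
    return tuple(seg for seg in p.strip("/").split("/") if seg)


@dataclass
class Rule:
    path: str            # data-node rule path, e.g. "/interfaces/interface"
    access: frozenset    # subset of {"read", "exec", "create", ...} or {"*"}
    action: str          # "permit" or "deny"


@dataclass
class Nacm:
    rules: List[Rule]
    read_default: str = "permit"   # RFC 8341 defaults for read and exec
    exec_default: str = "permit"

    def decide(self, op: str, target: Path) -> str:
        """First rule whose path covers target (node or descendant) and whose
        access-operations include op decides; else the global default."""
        for r in self.rules:
            rp = parse_path(r.path)
            if target[: len(rp)] == rp and (op in r.access or "*" in r.access):
                return r.action
        return self.read_default if op == "read" else self.exec_default


# Toy schema fragment: which list nodes have which key leafs
# ('interface' is keyed by 'name' as in ietf-interfaces).
LIST_KEYS = {("interfaces", "interface"): ["name"]}


def authorize_action(nacm: Nacm, action: str,
                     require_key_read: bool = False) -> Tuple[bool, str]:
    """Return (permitted, reason).  Read is checked on each ancestor node
    itself, not on its whole subtree.  With require_key_read the stricter
    reading (key leafs of ancestor list entries must be readable) applies."""
    path = parse_path(action)
    for depth in range(1, len(path)):
        anc = path[:depth]
        if nacm.decide("read", anc) != "permit":
            return False, f"access-denied: read /{'/'.join(anc)}"
        if require_key_read:
            for key in LIST_KEYS.get(anc, []):
                if nacm.decide("read", anc + (key,)) != "permit":
                    return False, f"access-denied: read key /{'/'.join(anc + (key,))}"
    if nacm.decide("exec", path) != "permit":
        return False, f"access-denied: exec {action}"
    return True, "permitted"


RESET = "/interfaces/interface/reset-interface"

# Minimal rule-list for the action: read on the two ancestors, exec on the
# action.  The deny on the hypothetical sensitive leaf is listed first so it
# wins for reads of that leaf; it does not affect the action check, which
# only reads the ancestor nodes themselves.
MINIMAL = Nacm(rules=[
    Rule("/interfaces/interface/hypothetical-secret", frozenset({"read"}), "deny"),
    Rule("/interfaces", frozenset({"read"}), "permit"),
    Rule("/interfaces/interface", frozenset({"read"}), "permit"),
    Rule(RESET, frozenset({"exec"}), "permit"),
], read_default="deny", exec_default="deny")

# Read on the ancestor list entry denied: the action is rejected even
# though exec on the action node is permitted.
ANCESTOR_DENIED = Nacm(rules=[
    Rule("/interfaces/interface", frozenset({"read"}), "deny"),
    Rule("/interfaces", frozenset({"read"}), "permit"),
    Rule(RESET, frozenset({"exec"}), "permit"),
], read_default="deny", exec_default="deny")

# Key leaf unreadable: passes the lenient reading, fails the strict one.
KEY_DENIED = Nacm(rules=[
    Rule("/interfaces/interface/name", frozenset({"read"}), "deny"),
    Rule("/interfaces", frozenset({"read"}), "permit"),
    Rule("/interfaces/interface", frozenset({"read"}), "permit"),
    Rule(RESET, frozenset({"exec"}), "permit"),
], read_default="deny", exec_default="deny")

if __name__ == "__main__":
    print(authorize_action(MINIMAL, RESET))
    print(MINIMAL.decide("read", parse_path("/interfaces/interface/hypothetical-secret")))
    print(authorize_action(ANCESTOR_DENIED, RESET))
    print(authorize_action(KEY_DENIED, RESET))
    print(authorize_action(KEY_DENIED, RESET, require_key_read=True))
```

Rule order matters in the first rule set: if the permit on /interfaces came first it would cover the hypothetical leaf too, and the deny would never be reached. The second set shows the rejection Christofer describes when any ancestor is unreadable, and the third shows where Andy's two readings differ (ancestor nodes only, or ancestor nodes plus the list keys).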