Re: [Netconf] Question on NACM usage

Martin Bjorklund <mbj@tail-f.com> Wed, 14 December 2016 11:22 UTC

Date: Wed, 14 Dec 2016 12:22:05 +0100
Message-Id: <20161214.122205.1943287191256158009.mbj@tail-f.com>
To: bart.bogaert@nokia.com
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <D62E05768DBAFF42A72B9F4954476D65010EB15BAB@FR712WXCHMBA09.zeu.alcatel-lucent.com>
References: <D62E05768DBAFF42A72B9F4954476D65010EB15BAB@FR712WXCHMBA09.zeu.alcatel-lucent.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Ztnjo2fei-E43UNYCJmuetpdfN4>
Cc: netconf@ietf.org
Subject: Re: [Netconf] Question on NACM usage

"Bogaert, Bart (Nokia - BE)" <bart.bogaert@nokia.com> wrote:
> Hi
>
> I would like to continue on one of the examples given in the appendix of the
> NACM RFC:
>
>        <rule>
>          <name>permit-dummy-interface</name>
>          <path xmlns:acme="http://example.com/ns/itf">
>            /acme:interfaces/acme:interface[acme:name='dummy']
>          </path>
>          <access-operations>read update</access-operations>
>          <action>permit</action>
>          <comment>
>            Allow the limited and guest groups read
>            and update access to the dummy interface.
>          </comment>
>        </rule>
>
> I am assuming that this rule allows read and update access to all leaves of
> the data node identified by the path, so it would allow updating a specific
> leaf of that data node.  Is my understanding correct?

Yes.  (not just leafs but also leaf-lists and containers and lists).

> Another question I have is related to the XPATH itself.  In the above
> example I think that the name leaf is the key of the list.  Can we use
> another leaf to identify a data node and allow specific access to that data
> node?

No.

> Assume that there would be a leaf called 'pool-id' which can take values
> from 1 to 10, could the XPATH look like below?
>
>          <path xmlns:acme="http://example.com/ns/itf">
>            /acme:interfaces/acme:interface[acme:pool-id=5]
>          </path>
>
> We would like to allow/deny access to data nodes (and the leafs of that data
> node) to groups based on the value of the pool-id.  Is the above the correct
> way to express the access control?

No, this is not possible.  The reason is that if we allow any XPath
expression here, the complexity of implementing this increases
dramatically.  Also the complexity of using this and understanding how
rules interact will increase, thus increasing the risk of
mis-configuration (which would be security impacting).


/martin
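The two answers above (a data-node rule's path covers the node and everything beneath it; the path may only carry key predicates, so `[acme:pool-id=5]` is not a legal NACM path) can be made concrete with a small Python model of how a server validates and matches rule paths. This is an added example, not code from the thread or from any NACM implementation; the toy schema (`LIST_KEYS`), the `Rule` class and the function names are assumptions made for the illustration, and the key list for `acme:interface` is constructed for it.

```python
import re
from dataclasses import dataclass, field

# Constructed toy schema: the list nodes we know about and their key leaves.
# Assumption: a real server derives this from the loaded YANG modules.
LIST_KEYS = {
    "acme:interfaces/acme:interface": ("acme:name",),
}

# One path step: "/prefix:name" followed by zero or more "[...]" predicates.
STEP_RE = re.compile(r"/([A-Za-z_][\w.-]*:[A-Za-z_][\w.-]*)((?:\[[^\]]*\])*)")
# The only predicate form NACM allows: "[prefix:key = value]" with an equality.
PRED_RE = re.compile(
    r"\[\s*([A-Za-z_][\w.-]*:[A-Za-z_][\w.-]*)\s*=\s*"
    r"(?:'([^']*)'|\"([^\"]*)\"|([^\]\s'\"]+))\s*\]"
)


class InvalidNacmPath(ValueError):
    """Raised when a path is not a valid NACM node-instance-identifier."""


def parse_path(path):
    """Parse a NACM path into [(qname, {key: value}), ...].

    Accepts absolute paths whose predicates are key-equality tests only;
    key predicates may be omitted (meaning "every instance of that list").
    Anything else, such as a predicate on a non-key leaf, is rejected."""
    path = path.strip()
    steps, schema_path, pos = [], [], 0
    while pos < len(path):
        m = STEP_RE.match(path, pos)
        if not m:
            raise InvalidNacmPath(f"unexpected text at offset {pos}: {path[pos:]!r}")
        qname, preds = m.group(1), m.group(2)
        schema_path.append(qname)
        keys, ppos = {}, 0
        while ppos < len(preds):
            pm = PRED_RE.match(preds, ppos)
            if not pm:
                raise InvalidNacmPath(f"non-equality predicate in step {qname}: {preds[ppos:]!r}")
            key = pm.group(1)
            value = next(g for g in pm.group(2, 3, 4) if g is not None)
            if key not in LIST_KEYS.get("/".join(schema_path), ()):
                raise InvalidNacmPath(f"{key} is not a key of list {qname}")
            keys[key] = value
            ppos = pm.end()
        steps.append((qname, keys))
        pos = m.end()
    if not steps:
        raise InvalidNacmPath("empty path")
    return steps


def path_matches(rule_steps, target_steps):
    """True if the rule path identifies the target node or an ancestor of it,
    i.e. the rule covers the node and all its descendant leaves, lists and
    containers. A rule step without a key predicate matches every instance."""
    if len(rule_steps) > len(target_steps):
        return False
    for (rq, rkeys), (tq, tkeys) in zip(rule_steps, target_steps):
        if rq != tq:
            return False
        if any(tkeys.get(k) != v for k, v in rkeys.items()):
            return False
    return True


@dataclass
class Rule:
    name: str
    path: str
    access_operations: frozenset   # e.g. {"read", "update"}; "*" means all
    action: str                    # "permit" or "deny"
    steps: list = field(init=False)

    def __post_init__(self):
        # Validate the path when the rule is configured, not at request time.
        self.steps = parse_path(self.path)


def check_access(rules, target_path, operation, default="deny"):
    """First matching rule wins, in configured order; otherwise the default."""
    target = parse_path(target_path)
    for r in rules:
        if "*" not in r.access_operations and operation not in r.access_operations:
            continue
        if path_matches(r.steps, target):
            return r.action
    return default


def demo():
    """Replays the two questions from the thread against the model."""
    rule = Rule("permit-dummy-interface",
                "/acme:interfaces/acme:interface[acme:name='dummy']",
                frozenset({"read", "update"}), "permit")
    dummy_mtu = "/acme:interfaces/acme:interface[acme:name='dummy']/acme:mtu"
    eth0_mtu = "/acme:interfaces/acme:interface[acme:name='eth0']/acme:mtu"
    results = {
        "dummy mtu update": check_access([rule], dummy_mtu, "update"),
        "eth0 mtu update": check_access([rule], eth0_mtu, "update"),
        "dummy delete": check_access([rule], rule.path, "delete"),
    }
    try:   # the pool-id variant is rejected when the rule is configured
        Rule("by-pool", "/acme:interfaces/acme:interface[acme:pool-id=5]",
             frozenset({"read"}), "permit")
        results["pool-id rule"] = "accepted"
    except InvalidNacmPath as exc:
        results["pool-id rule"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Rejecting the non-key predicate at configuration time is the point of the restriction Martin describes: the server never has to evaluate an arbitrary XPath expression per request, and an operator reading the rule list can tell which instances a rule covers from the key values alone.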