[netconf] NACM read access for actions

"Christofer Tornkvist (ctornkvi)" <ctornkvi@cisco.com> Fri, 04 December 2020 08:40 UTC

From: "Christofer Tornkvist (ctornkvi)" <ctornkvi@cisco.com>
To: "netconf@ietf.org" <netconf@ietf.org>
Date: Fri, 4 Dec 2020 08:40:03 +0000
Message-ID: <BYAPR11MB3573D000CDD08B1CA22C907ED0F10@BYAPR11MB3573.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/a5WcYBw1qn3ZsttQx9BZPEA9d20>
Subject: [netconf] NACM read access for actions
List-Id: NETCONF WG list <netconf.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>

Hi,

I read in the NACM RFC (RFC 8341) that, for an action not to be rejected,
it must have execute access and also read access
for all of its parent (instance) nodes along the node hierarchy
up to the top node, as described by the path of the action node.

Is the read access requirement equivalent to having NACM rules
stating read access for all parent (instance) nodes?

If that is the case, does that not open up the node tree
structure more than necessary?


I support the idea of only having to state one NACM rule,
containing read and execute access for the action node itself,
for the action to be runnable,
and also that all the parent (instance) nodes
would be readable only along the path up to the action node, without
any additional NACM rules.
And if there is a read access deny rule on any parent (instance) node,
the action will be rejected.


Would appreciate a clarification.

Below are references to RFC 8341.

Regards
/Christofer Tornkvist


References in RFC 8341 are:
Ch. 3.1.3 s.3
   The new "pre-read data node acc. ctl" boxes in the diagram below
   refer to group read access as it relates to data node ancestors of an
   action or notification.  As an example, if an action is defined as
   /interfaces/interface/reset-interface, the group must be authorized
   to (1) read /interfaces and /interfaces/interface and (2) execute on
   /interfaces/interface/reset-interface.

Ch. 3.1.3 p.12 bullet 2
   o  If the <action> operation defined in [RFC7950] is invoked, then
      read access is required for all instances in the hierarchy of data
      nodes that identifies the specific action in the datastore, and
      execute access is required for the action node.  If the user is
      not authorized to read all the specified data nodes and execute
      the action, then the request is rejected with an "access-denied"
      error.
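An added worked example, not part of the original message and not text or code from RFC 8341, that encodes the two conditions quoted above (read on every ancestor instance, exec on the action node) as a small Python rule evaluator. The ordered rule list with first-match-wins semantics and the default policies read-default = permit / exec-default = deny follow RFC 8341; the rule names, the helper names and the assumption that a rule's path also covers the descendants of the named node are this example's own. The four cases show that with the RFC defaults a single exec rule is enough because the ancestors are readable by default, that a read deny on a parent instance rejects the action even though exec is permitted, and that with read-default set to deny the ancestors need explicit read rules before the action can run.

```python
"""Simplified NACM (RFC 8341) authorization check for invoking a YANG action.

RFC 8341 requires "read" access on every ancestor data node instance on the
path to an action, plus "exec" access on the action node itself. This is
example code, not an implementation from the RFC or from any NACM product:
rules are an ordered list where the first match wins, and unmatched
operations fall back to the RFC's default policies (read-default = permit,
exec-default = deny). That a rule's path also covers descendant nodes is a
simplifying assumption made here.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    path: str               # instance path, e.g. "/interfaces/interface"
    access: frozenset       # operations the rule covers: subset of {"read", "exec"}
    action: str             # "permit" or "deny"

    def matches(self, node: str, op: str) -> bool:
        # Assumption: the rule applies to the named node and everything below it.
        in_scope = node == self.path or node.startswith(self.path + "/")
        return op in self.access and in_scope


@dataclass
class Nacm:
    read_default: str = "permit"   # default value of nacm:read-default in RFC 8341
    exec_default: str = "deny"     # default value of nacm:exec-default in RFC 8341
    rules: List[Rule] = field(default_factory=list)  # ordered; first match wins

    def allowed(self, node: str, op: str) -> bool:
        for rule in self.rules:
            if rule.matches(node, op):
                return rule.action == "permit"
        default = self.read_default if op == "read" else self.exec_default
        return default == "permit"


def ancestors(action_path: str) -> List[str]:
    """'/a/b/c' -> ['/a', '/a/b']: every data node instance above the action."""
    parts = action_path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def check_action(nacm: Nacm, action_path: str) -> Tuple[bool, Optional[str]]:
    """Return (permitted, node_that_failed).

    Read is checked on each ancestor instance first, then exec on the action
    node; any failure maps to the "access-denied" error the RFC prescribes.
    """
    for node in ancestors(action_path):
        if not nacm.allowed(node, "read"):
            return False, node
    if not nacm.allowed(action_path, "exec"):
        return False, action_path
    return True, None


# The action path used in RFC 8341's own example.
ACTION = "/interfaces/interface/reset-interface"
EXEC_RESET = Rule("allow-reset", ACTION, frozenset({"exec"}), "permit")


def single_exec_rule() -> Tuple[bool, Optional[str]]:
    # One exec rule only: ancestors are readable through read-default = permit.
    return check_action(Nacm(rules=[EXEC_RESET]), ACTION)


def parent_read_denied() -> Tuple[bool, Optional[str]]:
    # A read-deny rule on a parent instance rejects the action even though
    # exec on the action node itself is permitted.
    hide = Rule("hide-interface", "/interfaces/interface", frozenset({"read"}), "deny")
    return check_action(Nacm(rules=[hide, EXEC_RESET]), ACTION)


def read_default_deny_no_ancestor_rules() -> Tuple[bool, Optional[str]]:
    # With read-default = deny the first ancestor already fails the read check.
    return check_action(Nacm(read_default="deny", rules=[EXEC_RESET]), ACTION)


def read_default_deny_with_ancestor_rule() -> Tuple[bool, Optional[str]]:
    # An explicit read rule on /interfaces (covering /interfaces/interface under
    # the descendant assumption) makes the same action permitted again.
    read_ifs = Rule("read-interfaces", "/interfaces", frozenset({"read"}), "permit")
    return check_action(Nacm(read_default="deny", rules=[read_ifs, EXEC_RESET]), ACTION)


if __name__ == "__main__":
    for case in (single_exec_rule, parent_read_denied,
                 read_default_deny_no_ancestor_rules, read_default_deny_with_ancestor_rule):
        print(f"{case.__name__}: {case()}")
```

The last case is where the exposure raised in the question becomes visible: the read rule added on /interfaces to satisfy the ancestor check is an ordinary data node read rule, so it also lets the group retrieve that subtree with <get> and <get-config>; NACM has no "readable only for the purpose of invoking this action" permission. A real implementation additionally selects rule lists by group membership and matches module-name and rule-type, which this example leaves out.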