Re: [netconf] NACM read access for actions
"Johan Vikman Lundström (jvikman)" <jvikman@cisco.com> Fri, 26 February 2021 07:35 UTC
From: "Johan Vikman Lundström (jvikman)" <jvikman@cisco.com>
To: Andy Bierman <andy@yumaworks.com>, Kent Watsen <kent@watsen.net>
CC: "Christofer Tornkvist (ctornkvi)" <ctornkvi=40cisco.com@dmarc.ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Date: Fri, 26 Feb 2021 07:35:31 +0000
Message-ID: <SJ0PR11MB4862C7E65F306358235D869ABC9D9@SJ0PR11MB4862.namprd11.prod.outlook.com>
References: <BYAPR11MB3573D000CDD08B1CA22C907ED0F10@BYAPR11MB3573.namprd11.prod.outlook.com> <01000177d6745212-37524245-c74e-4de1-922e-53f80dac68e1-000000@email.amazonses.com>, <CABCOCHSRP=Zi3RxULPM3tFMZyeixS9aTUfYMT9MC+BpSd2gacg@mail.gmail.com>
In-Reply-To: <CABCOCHSRP=Zi3RxULPM3tFMZyeixS9aTUfYMT9MC+BpSd2gacg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/e9Av_bbGgjO_-hPoM_trDuTWqVI>
On Wed, Feb 24, 2021 at 3:52 PM Kent Watsen <kent@watsen.net> wrote:

Hi Christofer,

Looking at unread email, I noticed your message didn't receive any responses. Could someone with familiarity with this NACM-question reply?

I think the question is whether the read access required for exec access exposes too much data.

I think the original intent of the text is that read access to the container or list element is required, not the entire subtree. It could be argued that read access to the key leafs within a list entry is also required.

JV: I agree with your interpretation of the question. Looking at the RFC and the default read being "permit", I think the paragraphs make sense; reusing the /interfaces/interface/reset-interface example, an admin could for instance add a deny on /interfaces for the group and thus stop the operator from using the action.

When it gets interesting is when the default read setting is "deny": it's not unreasonable to think that the admin wants to deny everything and only open up what is needed. But then adding an explicit rule permitting read on /interfaces, /interfaces/interface would open up a lot.

Interpreting your thought on original intent, it would be enough to have read access on /interfaces/interface[name='if0'] OR /interfaces/interface, even if the default read permission was 'deny' (which would affect /interface), right?

/Johan

Thanks,
Kent

Andy

On Dec 4, 2020, at 3:40 AM, Christofer Tornkvist (ctornkvi) <ctornkvi=40cisco.com@dmarc.ietf.org> wrote:

Hi,

I read in the NACM RFC 8341 that for actions to not be rejected they both must have execute access and also read access for all its parent (instance) nodes along the node hierarchy up to the top node, described by the path for the action node. The read access property, is that equivalent to having NACM rules stating read access for all parent (instance) nodes?

If that is the case, does that not open up the node tree structure unnecessarily much? I support the idea of just having to state one NACM rule containing read and execute access for the action node itself for it to be able to be run, and also that all the parent (instance) nodes will be readable only along the path up to the action node without any additional NACM rules. And if there is a read access deny rule on any parent (instance) node the action will be rejected.

Would appreciate a clarification. Below are references to RFC 8341.

Regards
/Christofer Tornkvist

References in RFC 8341 are:

Ch. 3.1.3 s.3

The new "pre-read data node acc. ctl" boxes in the diagram below refer to group read access as it relates to data node ancestors of an action or notification. As an example, if an action is defined as /interfaces/interface/reset-interface, the group must be authorized to (1) read /interfaces and /interfaces/interface and (2) execute on /interfaces/interface/reset-interface.

Ch. 3.1.3 p.12 bullet 2

o If the <action> operation defined in [RFC7950] is invoked, then read access is required for all instances in the hierarchy of data nodes that identifies the specific action in the datastore, and execute access is required for the action node. If the user is not authorized to read all the specified data nodes and execute the action, then the request is rejected with an "access-denied" error.

_______________________________________________
netconf mailing list
netconf@ietf.org
https://www.ietf.org/mailman/listinfo/netconf
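A small evaluator of the section 3.1.3 rule discussed in this thread, added here as an example and not code from the thread, from RFC 8341 or from any NACM implementation: it follows Kent's reading (read on the ancestor container and list entry themselves, not their subtrees), treats a path rule as covering the node and its descendants with first match winning, mirrors NACM's read-default "permit" and exec-default "permit", and uses constructed rule sets and the constructed instance `if0`.

```python
import re
from dataclasses import dataclass

# Constructed example: the action path from RFC 8341's own example, with the
# instance key included so that a rule can be scoped to one interface entry.
ACTION = "/interfaces/interface[name='if0']/reset-interface"

@dataclass
class Rule:
    path: str    # NACM-style path rule: covers the node and its descendants
    access: str  # "read", "exec" or "*"
    effect: str  # "permit" or "deny"

def strip_keys(path):
    return re.sub(r"\[[^\]]*\]", "", path)

def ancestors(path):
    """Data node instances identifying the action, top node first, action node excluded."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

def matches(rule_path, node):
    # A rule path without a key predicate covers every instance of the node;
    # one with a predicate covers only that instance. Descendants match too.
    n = node if "[" in rule_path else strip_keys(node)
    return n == rule_path or n.startswith(rule_path + "/")

def decide(node, access, rules, default):
    for r in rules:  # first matching rule wins, else the global default applies
        if r.access in (access, "*") and matches(r.path, node):
            return r.effect
    return default

def action_allowed(action, rules, read_default="permit", exec_default="permit"):
    """Section 3.1.3: read on every ancestor instance, then exec on the action node."""
    for node in ancestors(action):
        if decide(node, "read", rules, read_default) == "deny":
            return False, "read denied on " + node
    if decide(action, "exec", rules, exec_default) == "deny":
        return False, "exec denied on " + action
    return True, "permitted"

# Default read permit: an admin deny on /interfaces blocks the action (Johan's first case).
DENY_TOP = [Rule("/interfaces", "read", "deny"), Rule(strip_keys(ACTION), "exec", "permit")]
# Default read deny with read opened only on the one entry: still rejected at /interfaces.
ENTRY_ONLY = [Rule("/interfaces/interface[name='if0']", "read", "permit"),
              Rule(strip_keys(ACTION), "exec", "permit")]
# Default read deny with read on both ancestors, the RFC's (1), plus exec, its (2).
ANCESTORS = [Rule("/interfaces", "read", "permit")] + ENTRY_ONLY
```

With ANCESTORS, decide() also permits reading every other instance under /interfaces, which is the over-exposure Johan describes for a locked-down read default. The descendant matching and rule ordering here are a simplification of RFC 8341's full rule-list processing.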