Re: [netconf] NACM read access for actions

"Johan Vikman Lundström (jvikman)" <jvikman@cisco.com> Fri, 26 February 2021 07:35 UTC

From: "Johan Vikman Lundström (jvikman)" <jvikman@cisco.com>
To: Andy Bierman <andy@yumaworks.com>, Kent Watsen <kent@watsen.net>
CC: "Christofer Tornkvist (ctornkvi)" <ctornkvi=40cisco.com@dmarc.ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] NACM read access for actions
Thread-Index: AQHWyhe8pG7lD1hfBEGgzpuUtjTj9Kpoe7qAgAAc1ACAAfJI8w==
Date: Fri, 26 Feb 2021 07:35:31 +0000
Message-ID: <SJ0PR11MB4862C7E65F306358235D869ABC9D9@SJ0PR11MB4862.namprd11.prod.outlook.com>
References: <BYAPR11MB3573D000CDD08B1CA22C907ED0F10@BYAPR11MB3573.namprd11.prod.outlook.com> <01000177d6745212-37524245-c74e-4de1-922e-53f80dac68e1-000000@email.amazonses.com>, <CABCOCHSRP=Zi3RxULPM3tFMZyeixS9aTUfYMT9MC+BpSd2gacg@mail.gmail.com>
In-Reply-To: <CABCOCHSRP=Zi3RxULPM3tFMZyeixS9aTUfYMT9MC+BpSd2gacg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/e9Av_bbGgjO_-hPoM_trDuTWqVI>

On Wed, Feb 24, 2021 at 3:52 PM Kent Watsen <kent@watsen.net> wrote:
Hi Christofer,

Looking at unread email, I noticed your message didn't receive any responses.

Could someone with familiarity with this NACM-question reply?


I think the question is whether the read access required for exec access exposes
too much data.

I think the original intent of the text is that read access to the container or list
element is required, not the entire subtree.  It could be argued that read access to the
key leafs within a list entry is also required.


JV: I agree with your interpretation of the question. Looking at the RFC and the default read being “permit”, I think the paragraphs make sense: reusing the /interfaces/interface/reset-interface example, an admin could for instance add a deny on /interfaces for the group and thus stop the operator from using the action.

Where it gets interesting is when the default read setting is “deny”; it’s not unreasonable to think that the admin wants to deny everything and only open up what is needed. But then adding an explicit rule to permit read on /interfaces /interfaces/interface would open up a lot.

Interpreting your thought on original intent, it would be enough to have read access on /interfaces/interface[name=’if0’] OR /interfaces/interface, even if the default read permission was ‘deny’ (which would affect /interface), right?

/Johan

Thanks,
Kent


Andy



On Dec 4, 2020, at 3:40 AM, Christofer Tornkvist (ctornkvi) <ctornkvi=40cisco.com@dmarc.ietf.org> wrote:

Hi,

I read in the NACM RFC 8341 that for actions not to be rejected
they must have both execute access and also read access
for all their parent (instance) nodes along the node hierarchy
up to the top node, described by the path for the action node.

The read access property, is that equivalent to having NACM rules
stating read access for all parent (instance) nodes?

If that is the case, does that not open up the node tree
structure unnecessarily much?


I support the idea of just having to state one NACM rule
containing read and execute access for the action node itself for it
to be able to be run,
and also that all the parent (instance) nodes
will be readable only along the path up to the action node without
any additional NACM rules.
And if there is a read access deny rule on any parent (instance) node
the action will be rejected.


Would appreciate a clarification.

Below are references to RFC 8341.

Regards
/Christofer Tornkvist


References in RFC 8341 are:
Ch. 3.1.3 s.3
   The new "pre-read data node acc. ctl" boxes in the diagram below
   refer to group read access as it relates to data node ancestors of an
   action or notification.  As an example, if an action is defined as
   /interfaces/interface/reset-interface, the group must be authorized
   to (1) read /interfaces and /interfaces/interface and (2) execute on
   /interfaces/interface/reset-interface.

Ch. 3.1.3 p.12 bullet 2
   o  If the <action> operation defined in [RFC7950] is invoked, then
      read access is required for all instances in the hierarchy of data
      nodes that identifies the specific action in the datastore, and
      execute access is required for the action node.  If the user is
      not authorized to read all the specified data nodes and execute
      the action, then the request is rejected with an "access-denied"
      error.


_______________________________________________
netconf mailing list
netconf@ietf.org
https://www.ietf.org/mailman/listinfo/netconf
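The read-on-ancestors-plus-exec rule the thread is debating, as an added example that is not code from RFC 8341, the working group, or any of the posters: a small Python model of NACM rule matching that applies the quoted Section 3.1.3 text literally (read access on every ancestor instance of the action node, then exec access on the action itself). It assumes a simplified instance-identifier syntax (only `[key='value']` predicates), that a path rule covers the named node and its descendants with the first matching rule winning as RFC 8341 specifies, and that read-default and exec-default fall back when no rule matches. The group name, rule sets and scenario functions are constructed for illustration; the last scenario goes beyond the thread to show how rule ordering can keep the literal reading from exposing sibling instances.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# One path step: node name plus its key predicates, e.g. interface[name='if0'].
Step = Tuple[str, Dict[str, str]]

_STEP_RE = re.compile(r"^([\w.:-]+)((?:\[[^\]]*\])*)$")
_PRED_RE = re.compile(r"\[([\w.:-]+)='([^']*)'\]")


def parse_path(path: str) -> List[Step]:
    """Parse a simplified instance-identifier such as
    /interfaces/interface[name='if0']/reset-interface into (name, keys) steps.
    Simplification (assumption): only [key='value'] predicates, no '/' in values."""
    steps: List[Step] = []
    for raw in filter(None, path.split("/")):
        m = _STEP_RE.match(raw)
        if not m:
            raise ValueError(f"unsupported path step: {raw!r}")
        name, preds = m.groups()
        steps.append((name, dict(_PRED_RE.findall(preds))))
    return steps


def format_path(steps: List[Step]) -> str:
    """Inverse of parse_path, used to name each ancestor instance."""
    return "/" + "/".join(
        name + "".join(f"[{k}='{v}']" for k, v in keys.items()) for name, keys in steps)


@dataclass
class Rule:
    path: str          # node the rule names; it also covers that node's descendants
    access: Set[str]   # subset of {"create", "read", "update", "delete", "exec"}, or {"*"}
    action: str        # "permit" or "deny"


@dataclass
class RuleList:
    groups: Set[str]   # NACM groups the list applies to, or {"*"}
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Nacm:
    read_default: str = "permit"   # RFC 8341 defaults: read permit, exec permit
    exec_default: str = "permit"
    rule_lists: List[RuleList] = field(default_factory=list)


def _covers(rule_steps: List[Step], node_steps: List[Step]) -> bool:
    """True when the rule path names the node or one of its ancestors and every
    key predicate in the rule path agrees with the node's keys."""
    if len(rule_steps) > len(node_steps):
        return False
    for (rname, rkeys), (nname, nkeys) in zip(rule_steps, node_steps):
        if rname != nname or any(nkeys.get(k) != v for k, v in rkeys.items()):
            return False
    return True


def decide(nacm: Nacm, user_groups: Set[str], node: str, op: str) -> str:
    """'permit' or 'deny' for one operation on one data node: the first matching
    rule (rule-list order, then rule order) wins, otherwise the default applies."""
    node_steps = parse_path(node)
    for rl in nacm.rule_lists:
        if "*" not in rl.groups and not (rl.groups & user_groups):
            continue
        for rule in rl.rules:
            if ("*" in rule.access or op in rule.access) and _covers(parse_path(rule.path), node_steps):
                return rule.action
    return nacm.read_default if op == "read" else nacm.exec_default


def check_action(nacm: Nacm, user_groups: Set[str], action_path: str) -> Tuple[bool, str]:
    """Section 3.1.3 taken literally: read on every ancestor instance of the
    action node, then exec on the action node itself."""
    steps = parse_path(action_path)
    for depth in range(1, len(steps)):
        ancestor = format_path(steps[:depth])
        if decide(nacm, user_groups, ancestor, "read") != "permit":
            return False, f"access-denied: no read access to {ancestor}"
    if decide(nacm, user_groups, action_path, "exec") != "permit":
        return False, f"access-denied: no exec access to {action_path}"
    return True, "permitted"


# Constructed scenarios mirroring the thread (group name and rules are made up).
ACTION = "/interfaces/interface[name='if0']/reset-interface"
OPERATOR = {"operator"}


def scenario_default_permit_with_deny() -> Tuple[bool, str]:
    """Defaults permit; one deny on /interfaces is enough to block the action."""
    nacm = Nacm(rule_lists=[RuleList({"operator"}, [Rule("/interfaces", {"read"}, "deny")])])
    return check_action(nacm, OPERATOR, ACTION)


def scenario_default_deny_instance_only() -> Tuple[bool, str]:
    """read-default deny; opening only the if0 instance and the action still
    fails because the top-level /interfaces container has no read rule."""
    nacm = Nacm("deny", "deny", [RuleList({"operator"}, [
        Rule("/interfaces/interface[name='if0']", {"read"}, "permit"),
        Rule(ACTION, {"exec"}, "permit")])])
    return check_action(nacm, OPERATOR, ACTION)


def scenario_default_deny_top_permit() -> Tuple[Tuple[bool, str], str]:
    """Permitting read on /interfaces satisfies the check, but the rule also
    covers descendants, so every other interface instance becomes readable."""
    nacm = Nacm("deny", "deny", [RuleList({"operator"}, [
        Rule("/interfaces", {"read"}, "permit"),
        Rule(ACTION, {"exec"}, "permit")])])
    other = decide(nacm, OPERATOR, "/interfaces/interface[name='if1']", "read")
    return check_action(nacm, OPERATOR, ACTION), other


def scenario_default_deny_scoped() -> Tuple[Tuple[bool, str], str]:
    """First-match ordering: permit the if0 instance, deny the rest of the list,
    permit the container; the action runs and if1 stays hidden."""
    nacm = Nacm("deny", "deny", [RuleList({"operator"}, [
        Rule("/interfaces/interface[name='if0']", {"read"}, "permit"),
        Rule("/interfaces/interface", {"read"}, "deny"),
        Rule("/interfaces", {"read"}, "permit"),
        Rule(ACTION, {"exec"}, "permit")])])
    other = decide(nacm, OPERATOR, "/interfaces/interface[name='if1']", "read")
    return check_action(nacm, OPERATOR, ACTION), other
```

Calling the four scenario functions reproduces the cases in the thread: with defaults of permit, a single deny on /interfaces blocks the action; with read-default deny, a permit on the if0 instance alone is not enough under the literal text because /interfaces itself is unreadable; a permit on /interfaces fixes that but exposes every interface instance; and the ordered rule set in the last scenario shows the exposure can be narrowed back to the one instance without relaxing the ancestor-read requirement.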
