IETF Logo Mail Archive

Re: [Netconf] draft-ietf-netconf-rfc6536bis: one week review of a specific change

"t.petch" <ietfc@btconnect.com> Tue, 28 November 2017 10:15 UTC

Return-Path: <ietfc@btconnect.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73A1B1277BB; Tue, 28 Nov 2017 02:15:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SLao7Vk6kwVi; Tue, 28 Nov 2017 02:15:16 -0800 (PST)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00098.outbound.protection.outlook.com [40.107.0.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB9C6124D85; Tue, 28 Nov 2017 02:15:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector1-btconnect-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ocvVc8RxbM8b0Wrnm3X7BmT2qCP3PTlY5s83WDzghy4=; b=IdE/9FbD9Dw4PYxT66YV9nyHP5oCxNJU9t4zUCzbKSyqUD5Ud2uA6qi5K4NCOIdGRUI9PfdXIVqepjA2dqRv/hLASCBxutWU5WRSPytoWf7XQulJxxLg59++4lDkVUs41pidhGDVuZYzvThVqlFdy7SMQgwFFtIxzpaOCZnJ5VM=
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=ietfc@btconnect.com;
Received: from pc6 (86.169.153.236) by HE1PR0701MB3004.eurprd07.prod.outlook.com (2603:10a6:3:4d::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.282.3; Tue, 28 Nov 2017 10:15:12 +0000
Message-ID: <013701d36831$4d4db1e0$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: Andy Bierman <andy@yumaworks.com>, NETCONF <netconf@ietf.org>, Robert Wilton <rwilton@cisco.com>
Cc: sec-ads@ietf.org
References: <987f0de3-00d3-37f0-c919-4fe4f0f16efc@cisco.com> <3138dace-d750-308f-0169-a26e8abce5d1@cisco.com> <5A05A4A4.3000304@tail-f.com> <CABCOCHT_5zHWf3mdNM+8uUd8sqZMKKiwVtr=O4C4BhNrbygNzw@mail.gmail.com> <4e2ff4c7-70bb-280d-b49d-423e70e7f42d@cisco.com> <CABCOCHSYYFrZxC11v_++adG2uCP7urxR=VOKX-+8zXA-qiBCTA@mail.gmail.com> <60763bcf-47d9-d538-f1b3-6d71e3c80d1d@cisco.com> <CABCOCHTEXwhAq6NzoAGHcC-EE19bXJ0kbqPS0hwJB5_+RtOfyg@mail.gmail.com> <e418e007-fbac-029d-9c77-ed33df3d233b@cisco.com> <c2663103-70c2-0f52-f24f-852462509e27@cisco.com> <e41c2a8f-5ed7-9f3e-6dc1-85182c66adbf@cisco.com> <CABCOCHQrSOgGEAPdz5TdGBCGBSPzgAspGRQkgQDr3=H4Xp9JSQ@mail.gmail.com> <d056fdcd-20a8-5459-24ea-81fcfe53e59b@cisco.com> <015101d36513$bba345e0$4001a8c0@gateway.2wire.net> <CABCOCHTg5x_3=u4fMVtF-Rn1T6+gH2ZLMKeo6z5iekUWNt3RXg@mail.gmail.com> <00a701d365ea$e207f000$4001a8c0@gateway.2wire.net> <CABCOCHQHDB_9vQ0W5uA+u__=sezGrVgNtvt==DQhbK1r2MsPUw@mail.gmail.com> <eef4d5a8-4185-24d7-36a7-0f5958804be2@cisco.co m>
Date: Tue, 28 Nov 2017 10:10:59 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [86.169.153.236]
X-ClientProxiedBy: CWXP265CA0050.GBRP265.PROD.OUTLOOK.COM (2603:10a6:400:2c::14) To HE1PR0701MB3004.eurprd07.prod.outlook.com (2603:10a6:3:4d::10)
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 9417fea8-9e8a-47cd-15e6-08d53648e9ab
X-Microsoft-Antispam: UriScan:(178726229863574); BCL:0; PCL:0; RULEID:(4534020)(4602075)(4627115)(8989060)(201703031133081)(201702281549075)(8990040)(5600026)(4604075)(2017052603199); SRVR:HE1PR0701MB3004;
X-Microsoft-Exchange-Diagnostics: 1; HE1PR0701MB3004; 3:NhvPpSqbThMavmJ6TF8yLgDPV1E+F1rh9e8LaADQuGbsJlE5c3N8TLH2jnZwB3jIWbfzPLm8lreUmglakYmIxBnFSORVmwtfqE/kCmvCl/ipd3aoqYl84O9Xkhbu0kuVYFwamSXvo8kouDKyuAGTfFRlRdfWLLMLDtj0S9XibaAbTXwajjmFJAGvKM1i11m6tVIHm24OA8MZyz3elk5Z5BygauxWAr82KixytKZiXKC9Sl9rEp7Lx0Cny37kocN8BYbuUjSJ1JXZ5DBr6vRUj2xvp9AWcBiovQVfH5q8z9I=; 25:mEJkcFTWpZrez/hcGPPMtC5Cp7nqKeLhqAwqJTgtQQMLG/l5G7jiig5dV1C+SZL22SZom4X7eUKZVBZGpVkCav/Q5VVblfDSsuZq2Ax8FuceR0r7llRVO/qa8jZwe4xq6C4O3oPj1opOE8o9QvpKJ6dcfYQF7WU6vXNutvJgLxuOg4GMgrJEZ0g5VqWCXl8O+fSC2Ss8ytkO2m9BAhWvjkNkk8L5XQ6OWjvGfMn8VkYw54ul2P3Egv/uyd7yeRPiks8vHwnMWmZRgu13Q+ek7MingHlFEqY2riXTgpau2j8R3hzYEp9zMlvoInpxZD8kmvtquuUQ554KdAUnOhXR1w==; 31:O5XGEJBpweAksc/0jHNOZmWS0Pv7dkFQAJrAY+IBTyi9TMl6JC14Pe1GFK4Ag19BeVame2ONWa3H21sojsYAyrZoHHjHV4AhdvEFUZlq4VWx+lvSIG14KgGLWtfEoLxMHGeijEaHa7X8oChc7jECPMEmon9VEPuxVhtcmnMAcumtF11mnu8phzx9zqATIQMdylkM3gIzeRoztMTB3GWYUZ6R6w6sGgU66Gmsw7epu9E=
X-MS-TrafficTypeDiagnostic: HE1PR0701MB3004:
X-Microsoft-Antispam-PRVS: <HE1PR0701MB3004522C2538C4A9F4350979A03A0@HE1PR0701MB3004.eurprd07.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:(178726229863574)(158342451672863)(192374486261705)(95692535739014);
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(61425038)(6040450)(2401047)(8121501046)(5005006)(3002001)(93006095)(93001095)(3231022)(10201501046)(61426038)(61427038)(6041248)(20161123562025)(20161123555025)(20161123560025)(20161123558100)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(6072148)(201708071742011); SRVR:HE1PR0701MB3004; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:HE1PR0701MB3004;
X-Microsoft-Exchange-Diagnostics: 1; HE1PR0701MB3004; 4:I4cIev/vxUKZWEq/FAgKmLmSreUKisKdE/E+rUgHatxGfqpBKitm7GUxQEHzOlvh7gvjDPqjMwGH2CrFbuAV0LxbZFf7NykBoBaeCdcK7uFKgEtr/PunlRDKB9WTEbJVA/m9PWPz5wyHr1kBiR1i68cpThKXSexK4z5yxVdq9X2bUSUhs0Z7VF0SehNDnW3tO6DaJSlA8SphSr24ojYPGVPZlmhoBulZikgF7Gr4lS9uceBZlTHVfCjlPZN5TvNV4qcKZvWFTCy8UYOed6pnqbk5OIuSi2rzg9YsgALl0XkxFhppH4xMrECNi5AJ+p6iyz/5heC+UvYRyO1GEnx8cjkGLWnc+1w3FIJ0IKatcEsS0jV8Ozrp1dED+IeZLS/LNcOlb+JkXY/U23h30aByLt+aVo6qh5UoFcMisqN72CU=
X-Forefront-PRVS: 0505147DDB
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(6009001)(366004)(346002)(39860400002)(376002)(199003)(189002)(24454002)(51444003)(13464003)(9686003)(5660300001)(50226002)(53936002)(25786009)(16526018)(229853002)(6666003)(4720700003)(53546010)(1456003)(6486002)(44736005)(81816999)(81686999)(50986999)(76176999)(23676004)(2486003)(52116002)(106356001)(97736004)(189998001)(68736007)(84392002)(5890100001)(33646002)(101416001)(305945005)(6496006)(2906002)(7736002)(61296003)(105586002)(44716002)(3846002)(6116002)(66066001)(8676002)(62236002)(47776003)(81156014)(110136005)(316002)(14496001)(93886005)(81166006)(230700001)(230783001)(116806002)(8936002)(50466002)(6246003)(4326008)(478600001)(86362001)(1556002)(74416001)(7726001); DIR:OUT; SFP:1102; SCL:1; SRVR:HE1PR0701MB3004; H:pc6; FPR:; SPF:None; PTR:InfoNoRecords; A:0; MX:1; LANG:en;
Received-SPF: None (protection.outlook.com: btconnect.com does not designate permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: 1;HE1PR0701MB3004;23:dk1IzqVbtxxg5rVPq6R9GaLR156mYmFB9jmakDmsORoc2qs8h+kqHXejgxJkwZBPecbYVXFQ/q+R4YuWCZV7ukfaS0jM8a0c9cc1b7KeUSm2Haryq0IAIhXVDHbqTlVpyMWs7L+UjYUB1aRbgObYNwZeeMPlEL8DyWt1iqmSmlyHeyofpiAsCIMM4f6H5LzpJ19C0QhOGF8CL8NruQ+IojCG0d2u76n0irgO0Xex6ZsnkC02zsP/IC9bVKniHW+nuXiEPmITuf7TlskdfjjqMCXSGn9pITs+4Xpmw8UIOdDqtQQcNORSaGrMAs4o4cRgNszood+pJy1wpgE470zIfTdl2t7yVs3K+rc+zAQgdxsktlRvdW2bblwLxU+3VrIlLMNxqLJtUz7WNo8hxRE5F98V4vvOEqErSKhJosO7N/VYE/7nv5pw1kcSYPKge0uMIqQo1Y2MBPPV79wk6UjfYNwZQDFKkfJcrfsi8NN4bskvnAVaFhjThfWhFaQnZ86zbCcqtjXlOueFXaCaRJFf4kQsUptVf5dLYAE6AbfxzgSptf1Iu0zfTh5TtjfMJpQ2qmlBO3AbKy0I28v3Fy0J3W2K70lq8fnJq2DO7dfvfpPnqK2yq0BAQ8A98/bWN5gbJv1XO1ntRJ7fwP87dquRCJH4luHlWDdHg/u7upyvaORc1XNJSwJf3GCfLijhDIPXtx6QlUrguInNR02TLAW7oeP/NA3PWbqv5MfQceX7//qZ0bV/TG/ukajTBWn4O0v+FOc+02x10HgfVtmT2ghWWvlP/yxINVFQgUy9N4NPpApw61PBpoK7jaEjP2GkAa+GvH/Ffqwg7CvwWTkd7W59FVgc6UJyZrBAH60R78ausA9xqhn00Y6LQUB7CSKQGha+B0KRupRolnLfz/rXEM+wiJFKIWCukc0gDNV7xt0/TvkoY88+wYcQy53W+FODcyl/cJngmteco1msN9qCQ2Cqdi7vR8EPlQrWUHqXxlY+V14D71Mg24cwFY0NIg4JHoV0S6c6fRH8l7aQyEBLbYbmYO7IKGqUhhjQEhMy6Ww8SxGE9NxETm2+g9HVOImylh/rKPLNBTXL6bC3d2dO/QSvVJCFWLGDyWg6vWtyWEOtUKpFQmEjKkjxrvaPtxhzTlLX+EC1rZsXZ8bqGn//zXgrWZxzV766ODCvnEnB949b9iLv3gHwys7p3odQXGvHBV7guMJTDtcEaLPBy0dFdoe7nN3f9PnrTHUR3wg+CoRnj8v6d+9rL/QQA7803kTrLEi8FGVvIKMRb75YzHRiZklCew9za/7w5M8a6P6mA+F+fBbncZhFjgb5qljTo5ZfbvDRufFGVf6JlBh9Z9vlBDn8OTZrlROZzfsFFNYjUPEK6DohqdrpeSwm3kv0rgjSrnZgkqZJPEcdVGHNCqrDdaWh90SMgBt2fvgFalUdEIjuiJafg7tFw1KGmu2fP82XXlQlyD0iGceyBRRlEycTorYGRD7jbg8xPuoTISUrQNSeDp3OZ4WatXgvsVbeswPypzWIrQc44FQvgf3ykKnvyOtCjG9/9qezqtl1netvDmX0hgI=
X-Microsoft-Exchange-Diagnostics: 1; HE1PR0701MB3004; 6:RojEtrbCPaJeuOugOnh2JxzsqpQ1L+BMExQWzpKjG166p8uNJwqNnKKJV4O05QJmfd/kzr0eMoJX8JgjL8u9WmTS9zi6vG7nOqGWf62cP1M2665LFE2rl8dqGG2mErQrDDHD+VLbJbH8NGnT/XPXdR3aXLW6ruw9q2ExREBUlD27nOIcYXZYUj6ZcWKpZYwwamWQ9vr9sEhix/0TJROhvi6lo9Up7KTzEQ/jD+Jm3mv9Jhso7Z2/+ZuQDN3b7vykwdEesbmdedJ/kKiOwkYegGWdcmMgx5v03d115PkeWj5YZ5EFJuKwihHfO7oQHzPIo+ARXcsFWREqtQKlBxMk65xaAK8/TIqLv0UM49kjppI=; 5:BhJJfdR4yMAlBHaAmFFinZQ7TpRrBiUkuYxJJKC8HJ1rmRYk9p/eZDQgYSHWKo/Obu9Vj77sqr2/+HICQgr/NeLP2h0Xn8B6aZ8C/+uyUK/PMhFxw6dOCtmX9qRCHe3sFh/QwHwfsR9uWwPbw0dgvVdZp/aTvwalmmjoleQfUzg=; 24:WttRMf7PTKp6/JCGnSJi6rTS7ATb48G4QFj+e5oOZURiDa8XOyHDsBBe2ac7bTAfct/2+QfbBgx7ozWgWg8zujbOwOqcG10MJlyPXKhBdFQ=; 7:w8Qhsu6v9OiBC/8PKlSeV3TOumZovEmQUNCw2ZmiCesy5qdscFck1iEvO0d/60tD4+ZJ1FUgMKySTLpShZEymMOYtoPK815Rq/tK3WHsZdPqU/O+Gi/hIhdwRnBTctDysqvbB8RqzBuRu/J4CqyM7Gyhq1pFvKDiNm6dO9Fx5/3p0tED8v6W9DlJ15itBsG9n///I8YikwcO+50ONiLGl6dB5aiYCXfblqkG9FBXloJbwbA/dkURHL5H9kPw5FMF
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Nov 2017 10:15:12.3016 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 9417fea8-9e8a-47cd-15e6-08d53648e9ab
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB3004
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/fNzzzMpAlBgc3-K97DbO2YbfUFg>
Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis: one week review of a specific change
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Nov 2017 10:15:19 -0000

----- Original Message -----
From: "Robert Wilton" <rwilton@cisco.com>
Sent: Monday, November 27, 2017 10:39 AM


> I do get the point that Tom is making here, and have quite a lot of
> sympathy for it. E.g. by automatically allowing the side effects of
> when/choice statements then we are introducing a potential security
hole
> here that operators may find hard to be aware of and mitigate.
>
> It also seems odd to me that a client is allowed to implicitly remove
> some configuration through the side effect of a when/choice statement
> that they are not allowed to delete explicitly.
>
> The alternative of requiring appropriate access for the side-effects,
> seems like an intuitively safer design, but I also get Andy's concern
> that security isn't useful if it become so unwieldy that nobody uses
it.
>
> So, I guess the question here is, do we have some concrete examples
> using real data models where the extra NACM delete rules would be
> required? If not then perhaps requiring the explicit access for side
> effects would be better.

Robert

This is what I was obliquely referring to when I said

" And I
don't know how much 'when' is used in that way in existing YANG
modules - uh huh, more reading required.
"

I did start looking and found that many, if not most, 'when' statements
relate to 'augment', e.g. for a specific interface type, and so are
simpler than the case postulated which can cause an implicit delete (I
have yet to see one such in an actual YANG module).

Then I started wondering what the NACM rules would be like if I wanted
to permit changes to LAN interfaces but not to WAN interfaces, both
specified by 'augment' to the base model.

Then I started wondering if a NACM rule that permitted changes to a LAN
interface would be valid on a server with no LAN interfaces specified.;
and would that change if a LAN card is hot plugged and auto-configured.

Um, more reading required.

As Andy says, NACM needs to be simple else it will not be used.  The
concept is simple - permit LAN, deny WAN - but the NACM rules I am less
clear about.

Tom Petch

>
> Thanks,
> Rob
>
>
> On 25/11/2017 15:53, Andy Bierman wrote:
> >
> >
> > On Sat, Nov 25, 2017 at 4:42 AM, t.petch <ietfc@btconnect.com
> > <mailto:ietfc@btconnect.com>> wrote:
> >
> >     ----- Original Message -----
> >     From: "Andy Bierman" <andy@yumaworks.com
<mailto:andy@yumaworks.com>>
> >     To: "t.petch" <ietfc@btconnect.com <mailto:ietfc@btconnect.com>>
> >
> >
> >     > On Fri, Nov 24, 2017 at 3:02 AM, t.petch <ietfc@btconnect.com
> >     <mailto:ietfc@btconnect.com>> wrote:
> >     >
> >     > > <inline>
> >     > >
> >     > > Tom Petch
> >     > >
> >     > > ----- Original Message -----
> >     > > From: "Robert Wilton" <rwilton@cisco.com
> >     <mailto:rwilton@cisco.com>>
> >     > > Sent: Thursday, November 23, 2017 10:44 AM
> >     > >
> >     > > > Hi Andy,
> >     > > >
> >     > > > On 22/11/2017 18:09, Andy Bierman wrote:
> >     > > > > On Wed, Nov 22, 2017 at 5:41 AM, Benoit Claise wrote:
> >     > > > >
> >     > > > > Hi Rob,
> >     > > > >
> >     > > > > At that points in time, if it clarifies the spec. and
the
> >     > > authors
> >     > > > > agree with this, let's do the right thing.
> >     > > > >
> >     > > > > I will add the new text if that is what the WG wants.
> >     > >
> >     > > > Having read this draft, I was undecided what the intended
> >     behavior
> >     > > > actually should be.
> >     > > >
> >     > > > The way that Yumapro and Tail-f have implemented this is
> >     reasonable,
> >     > > and
> >     > > > is probably also the way that I would implemented it.
> >     > > >
> >     > > > But I also think that it would be a reasonable
> >     implementation for
> >     a
> >     > > > server to calculate the full change set (taking account of
side
> >     > > effects
> >     > > > from when and choice statements) to the datastore before
> >     checking
> >     the
> >     > > > "write data node access control" against the resultant
> >     change set.
> >     > > >
> >     > > > My interpretation is that the RFC text is ambiguous on
what the
> >     > > correct
> >     > > > behavior is, and one could make a reasonable argument that
the
> >     current
> >     > > > RFC actually specifies that the alternative behavior is
correct,
> >     i.e.
> >     > > > requiring delete access even if a node is implicitly
changes
> >     as a
> >     side
> >     > > > effect. E.g. section 3.2.3 of RFC 6536 states:
> >     > > >
> >     > > > If the protocol operation would result in the deletion of
a
> >     > > datastore
> >     > > > node and the user does not have "delete" access
> >     permission for
> >     > > that
> >     > > > node, the protocol operation is rejected with an
> >     "access-denied"
> >     > > > error.
> >     > >
> >     > > Rob
> >     > >
> >     > > I have been reading that paragraph since this thread started
and
> >     > > wondering how it could be thought unclear, what am I
missing:-)
> >     > >
> >     > > To me it clearly states that the user must have the
appropriate
> >     access
> >     > > for the consequences of whatever they do, be that 'when',
'choice'
> >     or
> >     > > anything else! Indeed, I see exactly that behaviour in
operational
> >     > > (non-network) databases of which I am a user with limited
> >     privileges.
> >     > >
> >     > >
> >     >
> >     > This is not correct.
> >     > The server is the entity that is cleaning up false when-stmt
or
> >     unselected
> >     > cases
> >     > for a choice-stmt.
> >     >
> >     > NACM does not prevent the sever from making any changes to the
> >     system.
> >     > It only affects the operations requested by a client.
> >
> >     Andy
> >
> >     My model is slightly different, that the server is a black box,
> >     with an
> >     interface through which I can make authorised changes. If
something I
> >     do causes the deletion of something I am not allowed to delete,
may be
> >     not even to read, well, we part company on the acceptability of
that!
> >
> >     I do accept, as Randy points out, that the situation is
> >     complicated. I
> >     am reminded of the issues that came up relating to the 'when'
> >     statement
> >     when preparing YANG 1.1. Yes, 'when' makes things possible and
is
> >     very
> >     useful but at the same time, its side effects can be
troublesome. I
> >     would like to wrap it up in a conceptual bubble so you could not
have
> >     the sort of fine-grained access control that allows the case
that Rob
> >     postulates to occur but have no idea what that might look like.
And I
> >     don't know how much 'when' is used in that way in existing YANG
> >     modules - uh huh, more reading required.
> >
> >
> >
> > When the access control is too complicated, it does not get used.
> > Instead, the most likely access control is "everybody is the root
user".
> > The server pruning of false when/choice data nodes is considered
cleanup.
> > The pruned data is no longer relevant to the data model. This is the
> > indended
> > use, but when-stmt can easily be abused.
> >
> > The complex tangled web of dependencies is no worse
> > than it has been with CLI for 30 years, where every dependency is
ad-hoc
> > and probably undocumented. The granularity of CLI-based access
control
> > is less granular than NACM.
> >
> > It is possible that vendors and operators are willing to spend hours
> > and days
> > figuring out how to tune the NACM rules to allow a specific edit to
work.
> > Of course the operator will not even be told by the server which
nodes
> > are blocking the edit. That would be a security risk.
> >
> > IMO NACM will be completely unusable if rules are needed to allow
> > server cleanup of dead nodes. The additional NACM rules required
> > might provide more access than intended (unless lots of delete-only
> > rules are added). The huge jump in NACM rule management complexity
is
> > a new security vulnerability, which might even be worse than the
> > vulnerability it is intended to fix.
> >
> >
> >
> >     Tom Petch
> >
> >     >
> >     > Andy
> >     >
> >
> >
> >
> >
> > Andy
> >
> >
> >
> >
> >
> >
> >
> >     > > My other thought was that given all the complexities of
'when'
> >     that
> >     > > emerged during the specification of YANG 1.1, perhaps, were
I an
> >     > > implementor of this, I would take the easy option and ignore
the
> >     side
> >     > > effects of 'when'; but I might feel guilty about doing so.
> >     > >
> >     > > If the new paragraphs go in as proposed, then I think that
the two
> >     > > paragraphs you quote need changing else that section looks
to me
> >     like an
> >     > > oxymoron.
> >     > >
> >     > > Tom Petch
> >     > >
> >     > > > An <edit-data> request that causes a when constraint to
evaluate
> >     > > > differently does result in a deletion of those data nodes
> >     from the
> >     > > > datastore, and hence according to the text above, requires
> >     explicit
> >     > > > "delete" access permission to accomplish that.
> >     > > >
> >     > > > Clearly it would be an interop issue if different servers
> >     implemented
> >     > > > the NACM path based filtering differently.
> >     > > >
> >     > > > Hence why I think that it would be prudent for the draft
to be
> >     more
> >     > > > explicit on when and choice statement handling.
> >     > > >
> >     > > > Rob
> >     > > >
> >     > > > > There have not been any comments on this issue.
> >     > > > >
> >     > > > > Andy
> >     > > > >
> >     > > > > Regards, Benoit.
> >     > > > >>
> >     > > > >> Hi Benoit,
> >     > > > >>
> >     > > > >> There is also one further, unrelated change that I am
> >     proposing
> >     > > > >> is made the draft before it is published, to help
better
> >     > > clarify
> >     > > > >> the expected behavior. It isn't the end of the world if
> >     this
> >     > > > >> doesn't go in, but I think that it prevents sometime
> >     taking
> >     a
> >     > > > >> different, but IMO reasonable, interpretation of how
> >     "when"
> >     > > > >> statements are considered, and then having a future
> >     argument
> >     > > > >> about what behavior it specified in the standard.
> >     > > > >>
> >     > > > >> If we clarify it now, then it closes that door :-)
> >     > > > >>
> >     > > > >> I've proposed text to Andy and Martin on Monday, but
I've
> >     not
> >     > > > >> heard back yet.
> >     > > > >>
> >     > > > >> Netconf email with proposed text attached. The text
> >     doesn't
> >     > > > >> necessarily have to match this, but personally I
> >     think that
> >     it
> >     > > is
> >     > > > >> useful if the draft says something on this.
> >     > > > >>
> >     > > > >> Thanks,
> >     > > > >> Rob
> >     > > > >>
> >     > > > >>
> >     > > > >> On 22/11/2017 13:25, Benoit Claise wrote:
> >     > > > >>> On 11/10/2017 7:23 PM, Andy Bierman wrote:
> >     > > > >>>> Hi,
> >     > > > >>>>
> >     > > > >>>> Here are some proposed edits to make the data rule
> >     consistent
> >     > > > >>>> with the examples.
> >     > > > >>>> Note that this issue is not related to the edit in
the
> >     > > original
> >     > > > >>>> 1-week change.
> >     > > > >>> That's right, but we found a source of
misinterpretation
> >     in
> >     > > the
> >     > > > >>> draft and you have rightly corrected it in the
> >     github v9.
> >     > > > >>>
> >     > > > >>> Regards, Benoit
> >     > > > >>>>
> >     > > > >>>>
> >     > > > >>>> sec. 3.3.5:
> >     > > > >>>>
> >     > > > >>>> OLD:
> >     > > > >>>>
> >     > > > >>>>
> >     > > > >>>> data node rule: controls access for a specific data
> >     > > > >>>> node, identified
> >     > > > >>>> by its path location within the conceptual XML
document
> >     > > > >>>> for the
> >     > > > >>>> data node.
> >     > > > >>>>
> >     > > > >>>>
> >     > > > >>>> NEW:
> >     > > > >>>>
> >     > > > >>>> data node rule: controls access for a specific data
> >     node
> >     > > > >>>> and its descendants,
> >     > > > >>>> identified by its path location within the
> >     conceptual XML
> >     > > > >>>> document for the
> >     > > > >>>> data node.
> >     > > > >>>>
> >     > > > >>>>
> >     > > > >>>> sec 3.4.5, step 6, bullet 2:
> >     > > > >>>>
> >     > > > >>>>
> >     > > > >>>> OLD:
> >     > > > >>>>
> >     > > > >>>> * The rule does not have a "rule-type" defined or the
> >     > > > >>>> "rule-
> >     > > > >>>> type" is "data-node" and the "path" matches the
> >     > > > >>>> requested
> >     > > > >>>> data node, action node, or notification node.
> >     > > > >>>>
> >     > > > >>>> NEW:
> >     > > > >>>> * The rule does not have a "rule-type" defined or the
> >     > > > >>>> "rule-
> >     > > > >>>> type" is "data-node" and the "path" matches the
> >     > > > >>>> requested
> >     > > > >>>> data node, action node, or notification node. A path
is
> >     > > > >>>> considered to match if the current data node is the
> >     > > > >>>> data node
> >     > > > >>>> specified by the path, or is a descendant data node
> >     > > > >>>> of this data node.
> >     > > > >>>> appendix B.4: (2 bugs in explanation)
> >     > > > >>>> OLD:
> >     > > > >>>> deny-nacm: This rule denies the "guest" group any
> >     access
> >     to
> >     > > the
> >     > > > >>>> <nacm> subtree. Note that the default namespace is
only
> >     > > > >>>> applicable because this subtree is defined in the
same
> >     > > > >>>> namespace as the <data-rule> element.
> >     > > > >>>> NEW:
> >     > > > >>>> deny-nacm: This rule denies the "guest" group any
> >     access
> >     to
> >     > > the
> >     > > > >>>> <nacm> subtree.
> >     > > > >>>> Andy
> >     > > > >>>>
> >     > > > >>>> On Fri, Nov 10, 2017 at 9:24 AM, Robert Wilton
> >     > > > >>>> <rwilton@cisco.com <mailto:rwilton@cisco.com>
> >     <mailto:rwilton@cisco.com <mailto:rwilton@cisco.com>>> wrote:
> >     > > > >>>>
> >     > > > >>>>
> >     > > > >>>>
> >     > > > >>>> On 10/11/2017 16:33, Andy Bierman wrote:
> >     > > > >>>>>
> >     > > > >>>>>
> >     > > > >>>>> On Fri, Nov 10, 2017 at 8:16 AM, Robert Wilton
> >     > > > >>>>> <rwilton@cisco.com <mailto:rwilton@cisco.com>
> >     <mailto:rwilton@cisco.com <mailto:rwilton@cisco.com>>>
> >     wrote:
> >     > > > >>>>>
> >     > > > >>>>>
> >     > > > >>>>>
> >     > > > >>>>> On 10/11/2017 15:49, Andy Bierman wrote:
> >     > > > >>>>>>
> >     > > > >>>>>>
> >     > > <snip>
> >     > >
> >     > >
> >     >
> >
> >
>
>

v2.23.0 | Report a Bug | By Email