IETF Logo Mail Archive

Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis

Andy Bierman <andy@yumaworks.com> Tue, 23 May 2017 19:35 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53EA012EADA for <netconf@ietfa.amsl.com>; Tue, 23 May 2017 12:35:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Iwsu7eHNeirA for <netconf@ietfa.amsl.com>; Tue, 23 May 2017 12:35:39 -0700 (PDT)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9481512EAB3 for <netconf@ietf.org>; Tue, 23 May 2017 12:35:36 -0700 (PDT)
Received: by mail-wm0-x233.google.com with SMTP id e127so43867047wmg.1 for <netconf@ietf.org>; Tue, 23 May 2017 12:35:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lbq0X7esHq0ZD3Sjg+fHQeuBdWztvYfO575Iv6+0xFo=; b=dqb/mdNnUrzHKlX23qsCzg/8lIu1/BsHt5v/AghOoZYPejUsHKNC54e4Zb5DQ3rTX1 dnceKZWrT7WojODhrM98v+IzE6SDj63gkOy3WdaaUFg60H4DirtnkcyY+ruM+IlvpDwT RtlKgT5PKpz0gBw/tOv66mkpv8cpgTG9osrk4y7dJz1YW26sbn8p0vTp/MAKWyatQ2nD Xk7vL7lGObzwlHLhdQAvnuoLZh/OG/ehxI0NGmEGhJOzYLIb3QqSztFW20AeuL5GP/h1 bJGuGcWJGNLdAF6ruaAZ1qM8PgmsGLWoWLYY/Kl3fZSWbYqA0lfJb8CK4wlwx5mtQM6V e0VQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lbq0X7esHq0ZD3Sjg+fHQeuBdWztvYfO575Iv6+0xFo=; b=P0KaHZ4EUnNa5RK/vWfjCrYq8WxW7TBkby6JwXJluSih/0KH/KjipxwhhA9FgZcAN3 aRfRF1pe5M8YQyNOzK4pAaRgxzFakG9b9NlBfUHhyKmWRYUgP9xtQJ7exxhiwktpOK+6 VIP2LJB6Cf5QxV9J3Rtfai3TD/D6WIOr1MivSdf9dhF+qEfMp/0uh+7DRc9F5aGGxadh a17x5ADBz74MkyLlygVV1w5oXRdpdoInQTEuJXk97jXMzezTT6AReipkA49mUkhafCgW 16OoMhL44TuoLA9vyk5njTxrPFKRHYuF5vV8plc4c/nwd883NZe9FbLVry9XbyWJ4Qfb /CeA==
X-Gm-Message-State: AODbwcDFDo5nGR9NAe7kn7OA8oij/hSJ2+Snsr6efgTKw+MxiQoJlRqz bx7S5CRFmd6U5l+l4ixSY9ZGuGwNZtf9
X-Received: by 10.28.213.213 with SMTP id m204mr3672001wmg.48.1495568134980; Tue, 23 May 2017 12:35:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.155.2 with HTTP; Tue, 23 May 2017 12:35:33 -0700 (PDT)
In-Reply-To: <20170523.091519.1988324449434279102.mbj@tail-f.com>
References: <CABCOCHRBXbCfW+=-FsoHS7nUmn8qJ=Rv9vsEf89dSs3273NGbQ@mail.gmail.com> <22F66A24-12AB-4447-AC9A-9D8F9B0BB726@gmail.com> <CABCOCHSGa23SR_soKBurzPWOckf0eE_jp=jRkpoCSXczq_2xSg@mail.gmail.com> <20170523.091519.1988324449434279102.mbj@tail-f.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Tue, 23 May 2017 12:35:33 -0700
Message-ID: <CABCOCHTeTL5g+uv+Q1cE+-_iBJjdu9Dk460JP_-O2+W77sqQZw@mail.gmail.com>
To: Martin Bjorklund <mbj@tail-f.com>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Netconf <netconf@ietf.org>
Content-Type: multipart/alternative; boundary="001a114746266c64b20550361785"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/ihVr4p4wmrxFKfZmLwlEz7Ce8gY>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 19:35:42 -0000

On Tue, May 23, 2017 at 12:15 AM, Martin Bjorklund <mbj@tail-f.com> wrote:

> Andy Bierman <andy@yumaworks.com> wrote:
> > Hi,
> >
> > The update is on github.
> > http://github.com/netconf-wg/rfc6536bis
> >
> > I would like Martin to look it over before it is posted.
>
> Done, and the new text looks good.  I moved the new subsection to be
> the first in 3.2, and I also fixed some minor terminology issues.
>
>
OK



> But, I wonder if we shouldn't make the document even less NETCONF
> specific, and align the terminology to revised-datastores.  For
> example, currently the document talks about access to "NETCONF
> datastores".   With the new less protocol-specific terminology this
> would simply be "datastore".
>
>


I would prefer not to make more changes.
I think it is OK for NETCONF, RESTCONF, and any protocols based on them.



> Also, we currently have this:
>
>    A standalone RESTCONF server (i.e., not co-located with a NETCONF
>    server) applies NACM rules to a conceptual datastore, since
>    datastores are not supported in RESTCONF.
>
> I don't think this is quite correct.  Even in a stand-alone RESTCONF
> server there is an underlying conceptual datastore, for which NACM can
> be used to control access.
>
>

I do not agree there is any RESTCONF requirement to implement datastores,
just the ability to apply NACM to the conceptual configuration datastore.

The text says there is an underlying conceptual datastore, so what is the
issue?



>
>
> /martin
>
>

Andy


>
> >
> >
> > Andy
> >
> >
> > On Sun, May 21, 2017 at 10:25 PM, Mahesh Jethanandani <
> > mjethanandani@gmail.com> wrote:
> >
> > > Andy,
> > >
> > > On May 16, 2017, at 2:32 PM, Andy Bierman <andy@yumaworks.com> wrote:
> > >
> > >
> > >
> > > On Tue, May 16, 2017 at 2:02 PM, Mahesh Jethanandani <
> > > mjethanandani@gmail.com> wrote:
> > >
> > >> Having reviewed all the e-mails, I believe that there are few issues
> that
> > >> need to be resolved before we send the draft for publication. We need
> to
> > >> agree on the language, even if we do have the exact text in the draft.
> > >>
> > >> To begin with, do the authors have a response to the suggestions from
> > >> Juergen prompted by the question from Alex? Are we leaving the NACM
> > >> definition of any future datastores to the datastore draft, or are we
> > >> saying NACM applies to all datastores?
> > >>
> > >>
> > > No. IMO the text should say NACM applies to NETCONF and RESTCONF
> > > with the existing datastores.
> > >
> > > NACM MAY be applied to other datastores that have similar operation
> sets.
> > > Any new datastore specification needs to define how it maps to the NACM
> > > CRUDX
> > > model.  The datastore does not need to use NACM (e.g., datastore
> defines
> > > something else
> > > or does not use access control).
> > >
> > >
> > > Can you update the draft with this text.
> > >
> > >
> > >
> > > To the point that Andy raised earlier, we need to have texts around
> > >> datastores that provide more than CRUDX capabilities, including any
> > >> protocol operations, e.g. priority, as something that is out of scope
> of
> > >> this document.
> > >>
> > >>
> > > This would be outside the scope of NACM.
> > > This is part of the RPC input validation.
> > >
> > >
> > > And clarify that operations outside of CRUDX are outside the scope of
> > > NACM. We can them move the document towards publication.
> > >
> > > Thanks.
> > >
> > >
> > >
> > >
> > >> NETCONF WG has moved to redefine its charter beyond NETCONF and
> RESTCONF.
> > >> Therefore there is a real possibility of another protocol being
> discussed
> > >> in the WG. Is there something in the NACM draft that restricts it to
> > >> NETCONF/RESTCONF that other protocols cannot adopt? If so, can they be
> > >> called out?
> > >>
> > >
> > > If NACM needs to be changed in the future because a new or existing
> > > protocol needs new features
> > > then the WG will have to deal with it then.
> > >
> > >
> > >
> > >>
> > >> Thanks.
> > >>
> > >>
> > > Andy
> > >
> > >
> > >> > On May 9, 2017, at 11:46 PM, Juergen Schoenwaelder <
> > >> j.schoenwaelder@jacobs-university.de> wrote:
> > >> >
> > >> > On Tue, May 09, 2017 at 02:50:30PM +0200, Martin Bjorklund wrote:
> > >> >> Andy Bierman <andy@yumaworks.com> wrote:
> > >> >>> On Thu, May 4, 2017 at 11:21 AM, Alexander Clemm <
> > >> alexander.clemm@huawei.com
> > >> >>>> wrote:
> > >> >>>
> > >> >>>> As mentioned in my message, I don’t think specific access control
> > >> will be
> > >> >>>> needed (I am not aware of specific use cases), but specifically
> with
> > >> the
> > >> >>>> revised datastore architecture about to the be introduced, its
> > >> impact or
> > >> >>>> nonimpact and interrelation with NACM should be discussed.  This
> can
> > >> be as
> > >> >>>> simple as a small paragraph or subsection “Revised Datastore
> > >> >>>> Considerations”.
> > >> >>>>
> > >> >>>>
> > >> >>>>
> > >> >>>
> > >> >>> there is no text about candidate vs. running vs. startup.
> > >> >>> The NACM rules apply to all of them the same.
> > >> >>> I could add text that says there is no consideration for specific
> > >> >>> datastores.
> > >> >>
> > >> >> Actually, the document already says:
> > >> >>
> > >> >> 3.2.  Datastore Access
> > >> >>
> > >> >>   The same access control rules apply to all datastores, for
> example,
> > >> >>   the candidate configuration datastore or the running
> configuration
> > >> >>   datastore.
> > >> >>
> > >> >>   Only the standard NETCONF datastores (candidate, running, and
> > >> >>   startup) are controlled by NACM.
> > >> >>
> > >> >>
> > >> >> Somehow this needs to be updated when the revised datastore work is
> > >> >> done.  E.g., I expect read access to intended to follow the same
> NACM
> > >> >> rules.
> > >> >>
> > >> >
> > >> > Yes. NACM likely also applies to the <operational/> datastore (but
> > >> > this follows already from the text that talks about 'state data').
> > >> >
> > >> > My question, however, was about other future yet to be defined
> > >> > 'dynamic' datastores - does NACM make a statement of the form 'once
> an
> > >> > implementation announces NACM, NACM applies to all datastores - no
> > >> > exceptions' or do we leave it to the definition of future datastores
> > >> > to declare whether NACM applies to it. There may be three possible
> > >> > solutions:
> > >> >
> > >> > a) Once an implementation supports NACM, NACM applies to all
> > >> >   datastores (including any datastores defined in the future).
> > >> >
> > >> > b) Once an implementation supports NACM, NACM applies to all
> > >> >   conventional datastores and the operational state datastore.
> Other
> > >> >   datastores must define whether NACM applies to them.
> > >> >
> > >> >   (This means, whenever a new datastore is introduced, the question
> > >> >   whether NACM applies has to answered for the new datastore.)
> > >> >
> > >> > c) Once an implementation supports NACM, NACM applies to all current
> > >> >   and future datastore unless explicitely stated or signaled that
> > >> >   NACM does not apply to a certain future datastore.
> > >> >
> > >> >   (This is essentially b) but with a default that NACM applies
> unless
> > >> >   things are explicitly regulated to be different.)
> > >> >
> > >> > I just thought it is worth to take a moment to think about this
> > >> > question.
> > >> >
> > >> > /js
> > >> >
> > >> > --
> > >> > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > >> > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen |
> Germany
> > >> > Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
> > >> >
> > >> > _______________________________________________
> > >> > Netconf mailing list
> > >> > Netconf@ietf.org
> > >> > https://www.ietf.org/mailman/listinfo/netconf
> > >>
> > >> Mahesh Jethanandani
> > >> mjethanandani@gmail.com
> > >>
> > >>
> > >>
> > >>
> > >
> > > Mahesh Jethanandani
> > > mjethanandani@gmail.com
> > >
> > >
>

v2.23.0 | Report a Bug | By Email