Re: [Netconf] FW: David Harrington's Discuss on draft-ietf-netconf-access-control-06: (with DISCUSS and COMMENT)

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Sat, 17 December 2011 10:31 UTC

Date: Sat, 17 Dec 2011 11:31:01 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Andy Bierman <andy@netconfcentral.org>
Message-ID: <20111217103101.GA49087@elstar.local>
Mail-Followup-To: Andy Bierman <andy@netconfcentral.org>, David B Harrington <dbharrington@comcast.net>, netconf@ietf.org, netconf-chairs@tools.ietf.org
References: <417E7DB0279844BFA56B8BD3DC0853D3@davidPC> <4EEBDF8B.8020300@netconfcentral.org>
In-Reply-To: <4EEBDF8B.8020300@netconfcentral.org>
Cc: David B Harrington <dbharrington@comcast.net>, netconf@ietf.org, netconf-chairs@tools.ietf.org
Subject: Re: [Netconf] FW: David Harrington's Discuss on draft-ietf-netconf-access-control-06: (with DISCUSS and COMMENT)

On Fri, Dec 16, 2011 at 04:17:15PM -0800, Andy Bierman wrote:

> >I suggest you add text that says "Since an administrator may define
> >the user-to-group mappings to constrain a user's rights, an
> >administrator MUST be able to configure NACM to not consider
> >the dynamically-reported extra user-to-group mappings reported by the
> >underlying NETCONF transport in the determination of user permissions."
> >(i.e., a switch that says NACM can consider the INTERSECTION of the
> >pre-configured and dynamic mappings, but not the UNION of the two. The
> >default is to consider the union.)
> >
> >Remember COPS-PR, and its global lock that prevented an admin from
> >overriding the policy server, including with other NM protocols?
> 
> Yes I remember it well.
> Neither NETCONF nor NACM is anything like the all-or-nothing limitations of COPS-PR.
> An admin could hard-wire the user to group mappings in the local tables
> and set the global switch to off.
> 
> But I agree your individual switches are better, so I'm OK with that.

My understanding is that with ISMS, locally configured mappings
overwrite mappings obtained from other sources. If that is the
behaviour we want, we should make it so. Switches that turn on/off
_all_ dynamic mappings associated with a given transport are rather
coarse grained and operationally likely not very helpful to resolve
conflicts.

In VACM, a (security name, security model) pair maps to exactly one
group. This is rather different in NACM where a user name can be in
multiple groups and dynamic group mappings provided by the transport
are currently simply added to the set of groups a user belongs to. As
a consequence, the solution likely needs to be different in that we
might need to be able to configure in NACM

(a) at a coarse grained level whether dynamically learned groups are
    used at all (global on/off switch)

(b) at the level of a given transport whether we trust all of the
    transport's provided dynamic group mappings (this is what DBH
    suggested I think)

(c) at the fine grained level of specific user entries whether we
    accept dynamically learned group entries

It might be operationally relevant to allow a configuration that
generally rejects dynamic group mappings (for a given transport)
except for a white list of users where we trust the transport to do
the right thing.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
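The group-resolution logic the thread is arguing about, as an added example that is not part of the original message or of the NACM draft. It models the three control levels (a) global switch, (b) per-transport trust and (c) per-user allow list from the message above, plus the three ways of combining local and transport-reported groups that the thread mentions: the draft's current union, DBH's intersection, and the ISMS-style "local configuration overrides" behaviour. All names (GroupPolicy, enable_external_groups, distrusted_transports, allowlisted_users, merge, the sample users, groups and rules) are hypothetical and chosen for this example; the published NACM (RFC 6536) kept only the global switch, as the leaf enable-external-groups. The point the code makes concrete is the one DBH raises: under union semantics, a transport that reports an extra group can grant a user rights the administrator never configured locally.

```python
"""Model of NACM-style group resolution with local and transport-reported groups.

Hypothetical example; the switch names below are not the NACM YANG module's.
"""
from dataclasses import dataclass, field

# Constructed sample data: administrator-configured user-to-group mappings
# and a minimal rule table (group -> permitted NETCONF operations).
LOCAL_GROUPS = {
    "alice": {"operators"},
    "bob": {"admin"},
}
RULES = {
    "admin": {"get-config", "edit-config"},
    "operators": {"get-config"},
}


@dataclass
class GroupPolicy:
    # (a) global switch: use transport-reported ("external") groups at all
    enable_external_groups: bool = True
    # (b) per-transport trust: transports whose reported groups are rejected
    distrusted_transports: set = field(default_factory=set)
    # (c) per-user allow list: users whose external groups are accepted even
    #     over a distrusted transport
    allowlisted_users: set = field(default_factory=set)
    # how local and external groups are combined once both are admitted:
    # "union" (the draft's behaviour), "intersection" (DBH's suggestion),
    # "local-overrides" (local entry wins when present, ISMS-style)
    merge: str = "union"


def effective_groups(user, external_groups, transport, policy,
                     local_groups=LOCAL_GROUPS):
    """Return the set of groups NACM would use to evaluate rules for `user`.

    external_groups are the groups the transport (SSH, TLS, ...) reported
    for this session; transport names the transport that reported them.
    """
    local = set(local_groups.get(user, ()))
    external = set(external_groups)

    # (a) external groups disabled globally: only local configuration counts
    if not policy.enable_external_groups:
        return local

    # (b)/(c) distrusted transport: reject its groups unless the user is
    # explicitly allow-listed for dynamic mappings
    if transport in policy.distrusted_transports \
            and user not in policy.allowlisted_users:
        return local

    if policy.merge == "union":
        # any group from either side counts: an external "admin" elevates
        return local | external
    if policy.merge == "intersection":
        # only groups both sides agree on; a user with no local entry gets none
        return local & external
    if policy.merge == "local-overrides":
        # locally configured mapping wins; external groups fill the gap only
        # for users the administrator has not mapped at all
        return local if local else external
    raise ValueError(f"unknown merge mode {policy.merge!r}")


def permitted(groups, operation, rules=RULES):
    """True if any of `groups` is granted `operation` by the rule table."""
    return any(operation in rules.get(g, ()) for g in groups)


def demo():
    # The transport reports "admin" for alice, whom the administrator only
    # placed in "operators". Compare what each policy lets her do.
    reported = ["admin", "operators"]
    cases = {
        "draft default (union)": GroupPolicy(),
        "global switch off": GroupPolicy(enable_external_groups=False),
        "ssh distrusted": GroupPolicy(distrusted_transports={"ssh"}),
        "ssh distrusted, alice allow-listed":
            GroupPolicy(distrusted_transports={"ssh"},
                        allowlisted_users={"alice"}),
        "intersection": GroupPolicy(merge="intersection"),
        "local overrides": GroupPolicy(merge="local-overrides"),
    }
    results = {}
    for name, policy in cases.items():
        groups = effective_groups("alice", reported, "ssh", policy)
        results[name] = (sorted(groups), permitted(groups, "edit-config"))
    return results


if __name__ == "__main__":
    for name, (groups, can_edit) in demo().items():
        print(f"{name:40s} groups={groups} edit-config={can_edit}")
```

Only the union row lets alice run edit-config; every other control either drops the transport-reported "admin" group or, under intersection, keeps only the groups the administrator also configured. Note that intersection is harsh on users with no local entry at all: they end up with no groups, which is the opposite of what union gives them.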