Re: [Netconf] LC on subscribed-notifications-10

["Eric Voit (evoit)" <evoit@cisco.com>]

Per below, updated text now at:
https://github.com/netconf-wg/rfc5277bis/blob/master/draft-ietf-netconf-subscribed-notifications-11.txt

Specifically:

Section 2.1.

   Access control permissions may be used to silently exclude event
   records from within a stream for which the subscriber has no read
   access.  As an example of how this might be accomplished, see
   [RFC6536bis] section 3.4.6.  Note that per Section 2.7 of this 
   document, subscription state change notifications are never 
   filtered out.

   If no access control permissions are in place for stream content,
   then a receiver MUST be allowed access to all the event records on
   the stream.


Also I modified the definition of:

          leaf excluded-notifications {
            type yang:counter64;
            config false;
            description
              "Operational data which provides the number of event
               records from a stream explicitly removed either via a 
               stream filter or an access control filter so that they 
               are not passed to a receiver.";
            }

It is likely sufficient to have a single counter here.  But if people would prefer independent counters for stream filter exclusions and access control exclusions, that can easily be included.

Eric


> -----Original Message-----
> From: Eric Voit (evoit)
> Sent: Wednesday, March 14, 2018 1:14 PM
> To: 'Andy Bierman' <andy@yumaworks.com>
> Cc: Martin Bjorklund <mbj@tail-f.com>; alex@clemm.org; Robert Wilton -X
> (rwilton - ENSOFT LIMITED at Cisco) <rwilton@cisco.com>;
> kwatsen@juniper.net; netconf@ietf.org; draft-ietf-netconf-subscribed-
> notifications@ietf.org
> Subject: RE: [Netconf] LC on subscribed-notifications-10
> 
> (Look for <Eric2>  trying to keep things legible for those using text only email
> clients)
> 
> From: Andy Bierman, March 14, 2018 12:53 PM
> 
> On Wed, Mar 14, 2018 at 8:35 AM, Eric Voit (evoit) <mailto:evoit@cisco.com>
> wrote:
> (reducing to the single open item, and adding Andy + Alex to the "to")
> 
> > From: Martin Bjorklund, March 14, 2018 9:59 AM
> >
> > Hi,
> >
> > "Eric Voit (evoit)" <mailto:evoit@cisco.com> wrote:
> > > Hi Martin,
> > >
> > > But for
> > > subscription to event streams, it is assumed that any event records
> > > placed on a stream permitted for that receiver is authorized content
> > > (just like RFC-5277).
> >
> > Hmm.  This is not how it is defined in RFC 5277:
> 
> Agree.   I should not have said "just like 5277".   More below.
> 
> >    After generation of the <notification> element, access control is
> >    applied by the server.  If a session does not have permission to
> >    receive the <notification>, then it is discarded for that session,
> >    and processing of the internal event is completed for that session.
> >
> > Also, NACM is designed to drop notifications that the client doesn't
> > have access to.
> 
> A few years ago during early discussions, Alex and I remember Andy asking that
> per receiver access control not be applied to traffic coming out of a
> stream.    We took that to mean that a receiver should get all the event records
> on a stream, without any per-notification filtering.  This is what drove the
> current text.
> 
> Per RFC-6536, section 3.4.6., the outgoing <notification> authorization is able
> to look at the notification event type, and if a receiver is authorized to receive
> the notification event type, then it is also authorized to receive any data it
> contains.
> 
> Reconsidering this, perhaps Alex and I interpreted Andy's intent wrong.  And
> Andy actually requested the current event type behavior which NACM can
> currently perform on the RFC-5277 NETCONF event stream, but no other
> filtering of event records beyond that.
> 
> I think the notification event type filtering is still applicable.
> 
> <Eric2>  Based on this, I will add the relevant RFC-5277 text into subscribed
> notifications.  Look for a link to a draft version on github shortly.  Will send link
> to this thread.
> </Eric2>
> 
> I remember some discussions about applying NACM to YANG Push
> subscriptions.
> Of course the client needs permission to receive <push-update> events.
> The issue for YP is that this is the only access control provided.
> 
> In order to support NACM for the contents of <push-update> events, the client
> MUST have permission to read every data node specified in the filters for a
> subscription. This is checked when the subscription is configured or activated.
> If a filter-ref filter is changed so this is no longer true, then the server MUST
> suspend or terminate the subscription.
> 
> IMO even this is quite an implementation burden, but less than having the
> server check NACM rules for every descendant node of every edited node for
> every <push-update>.
> 
> <Eric2> Agree that either is a valid method of achieving the requirements of
> yang-push.
> </Eric2>
> 
> Eric2
> 
> If that is the case, and this capability is desired by the WG, Alex and I would be
> happy to replicate the relevant text from RFC-5277 section 3.2 to draft-ietf-
> netconf-subscribed-notifications to cover this.
> 
> Thanks,
> Eric
> 
> Andy
> 
> 
> > > Effects like this are why the two drafts, as well as the YANG model
> > > targets and filters for datastores and to streams have been separated.
> > >
> > > > Your statement:
> > > >
> > > >   Access control is to the stream rather than the content.
> > > >
> > > > seems to imply that in order to subscribe to changes to the
> > > > datastore, you need full access to all nodes covered by the filter.
> > >
> > > As a stream and a datastore are different, hopefully my comment
> > > above clears this up.
> > >
> > > Eric
> > > > /martin
> >
> >
> > /martin