IETF Logo Mail Archive

Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis

Andy Bierman <andy@yumaworks.com> Sat, 27 May 2017 02:20 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D683124E15 for <netconf@ietfa.amsl.com>; Fri, 26 May 2017 19:20:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3gDDCtnn8n2d for <netconf@ietfa.amsl.com>; Fri, 26 May 2017 19:20:53 -0700 (PDT)
Received: from mail-wr0-x230.google.com (mail-wr0-x230.google.com [IPv6:2a00:1450:400c:c0c::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99363129BF5 for <netconf@ietf.org>; Fri, 26 May 2017 19:20:52 -0700 (PDT)
Received: by mail-wr0-x230.google.com with SMTP id w50so9953868wrc.0 for <netconf@ietf.org>; Fri, 26 May 2017 19:20:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=0JiPQSeJ7Y2gG9YYLallbxI/2WWuDiVKvoMX1lDxPgM=; b=lx6j5qsVm2UOmThRW8IvOT0uwojrCF0s/7CrsHEdY/vmxz7wpS6itkx+h2YF+rZMhE 4kF19+pifbqdNAeA4dZ/hnLPZSOrgF+kKisGbjQUlNZ2YhkqemzG9m/XR18DzuDI5Ntp BhgCsPAC+Rk4FrI7K1cuPDeiDyROT6fc24CwNVjCz6Ko2FTc3eokKTeyIuSVQJ6ZVT/T iJCDLhAgPVVWTil26oLXtAy4jEEO3tmxWznxlwCE+aDhlHnZpmT8ee8p1EQlgSFjH3ze R4WcbJgB0R3wcqzgX9fgxltaF8KJN7dXuvuIRTcvo7KtifbGeq6w8l5g/bjzJKYCisjs Guiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=0JiPQSeJ7Y2gG9YYLallbxI/2WWuDiVKvoMX1lDxPgM=; b=RMf0luMS3Wjx+4Sxd/LZtPxjSy6MWlgVOOyOzCIIjdgv3Ze9MBbQfAMkjWfJlwdnjl AJMyhvGk759QTuF7UWvUP9p+ilXkHKMBoYkqfL3yNau30LnmHauUpcsK7Bj6tpH/Hzns wZ3lt1ud/Kw+0RPtx3kxrydITwVEWWmxp+UhAcpcWe12HitiBZn5b2sfL5IiKNv58uff atP1xe3yAWW/fbRibdKq/Vkiurfyh6xJK/W+1lbFvhf2BBN0U/c6GIsSMwhqDR+2QaQR xPh4mHpPUY5m1NPu+3qxteb1z13qsA1vya3BoDYhZodn1zBb6EHYeXuPb1MMyWzKhCLQ HZZw==
X-Gm-Message-State: AODbwcBEJ8YbxP0OxIVIJSIIfh5fuzuoXu+w6RhKtNLGbIfk/wz7n+lD uEi/GENP+GX2QRSzeO3NlKn5AZHJpX4y
X-Received: by 10.223.162.150 with SMTP id s22mr3837732wra.88.1495851651074; Fri, 26 May 2017 19:20:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.155.2 with HTTP; Fri, 26 May 2017 19:20:50 -0700 (PDT)
In-Reply-To: <20170524.091650.1982503698804665659.mbj@tail-f.com>
References: <20170523.091519.1988324449434279102.mbj@tail-f.com> <D13AF5F3-1AE1-4A43-866F-10984114BF2C@gmail.com> <CABCOCHTjLL7bFCVYHwUYEx-gKG=JaiWiftx2wJSce=LjjrbyNQ@mail.gmail.com> <20170524.091650.1982503698804665659.mbj@tail-f.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Fri, 26 May 2017 19:20:50 -0700
Message-ID: <CABCOCHRk05FYXnLDw1eZyXxx=smGoLSPG83vGtUXGWojetugqg@mail.gmail.com>
To: Martin Bjorklund <mbj@tail-f.com>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Netconf <netconf@ietf.org>
Content-Type: multipart/alternative; boundary="f403045ec6584c9ec00550781a80"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/xrTQg1pTIsWv20ZQqvz4AjDGNZs>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 May 2017 02:20:56 -0000

On Wed, May 24, 2017 at 12:16 AM, Martin Bjorklund <mbj@tail-f.com> wrote:

> Andy Bierman <andy@yumaworks.com> wrote:
> > On Tue, May 23, 2017 at 12:41 PM, Mahesh Jethanandani <
> > mjethanandani@gmail.com> wrote:
> >
> > >
> > > > On May 23, 2017, at 12:15 AM, Martin Bjorklund <mbj@tail-f.com>
> wrote:
> > > >
> > > > Andy Bierman <andy@yumaworks.com> wrote:
> > > >> Hi,
> > > >>
> > > >> The update is on github.
> > > >> http://github.com/netconf-wg/rfc6536bis
> > > >>
> > > >> I would like Martin to look it over before it is posted.
> > > >
> > > > Done, and the new text looks good.  I moved the new subsection to be
> > > > the first in 3.2, and I also fixed some minor terminology issues.
> > > >
> > > > But, I wonder if we shouldn't make the document even less NETCONF
> > > > specific, and align the terminology to revised-datastores.  For
> > > > example, currently the document talks about access to "NETCONF
> > > > datastores".   With the new less protocol-specific terminology this
> > > > would simply be "datastore”.
> > >
> > > I would prefer this.
> > >
> >
> > OK, but the operations are somewhat NETCONF specific.
> > We will try to make sure we do not create more inconsistencies than we
> > remove ;-)
>
> Yes.  But I think what we should do is not any technical changes, just
> align terminology.
>
>

OK -- the term NETCONF datastore was used twice, now just datastore.
(pushed to github)

The term datastore appears a lot.  There are 3 variants:

    - datastore
    - configuration datastore
    - target datastore

With revised datastores these are not all the same anymore.
We probably need to go through the entire document and check if the
correct variant is used in each instance.

Are there other terms that are needed for alignment?

Does NACM need to reference the revised-datastores draft to import
terminology?




>
> /martin
>
>

Andy


>
>
> >
> >
> > Andy
> >
> >
> > >
> > > >
> > > > Also, we currently have this:
> > > >
> > > >   A standalone RESTCONF server (i.e., not co-located with a NETCONF
> > > >   server) applies NACM rules to a conceptual datastore, since
> > > >   datastores are not supported in RESTCONF.
> > > >
> > > > I don't think this is quite correct.  Even in a stand-alone RESTCONF
> > > > server there is an underlying conceptual datastore, for which NACM
> can
> > > > be used to control access.
> > > >
> > > >
> > > >
> > > > /martin
> > > >
> > > >
> > > >>
> > > >>
> > > >> Andy
> > > >>
> > > >>
> > > >> On Sun, May 21, 2017 at 10:25 PM, Mahesh Jethanandani <
> > > >> mjethanandani@gmail.com> wrote:
> > > >>
> > > >>> Andy,
> > > >>>
> > > >>> On May 16, 2017, at 2:32 PM, Andy Bierman <andy@yumaworks.com>
> wrote:
> > > >>>
> > > >>>
> > > >>>
> > > >>> On Tue, May 16, 2017 at 2:02 PM, Mahesh Jethanandani <
> > > >>> mjethanandani@gmail.com> wrote:
> > > >>>
> > > >>>> Having reviewed all the e-mails, I believe that there are few
> issues
> > > that
> > > >>>> need to be resolved before we send the draft for publication. We
> need
> > > to
> > > >>>> agree on the language, even if we do have the exact text in the
> draft.
> > > >>>>
> > > >>>> To begin with, do the authors have a response to the suggestions
> from
> > > >>>> Juergen prompted by the question from Alex? Are we leaving the
> NACM
> > > >>>> definition of any future datastores to the datastore draft, or
> are we
> > > >>>> saying NACM applies to all datastores?
> > > >>>>
> > > >>>>
> > > >>> No. IMO the text should say NACM applies to NETCONF and RESTCONF
> > > >>> with the existing datastores.
> > > >>>
> > > >>> NACM MAY be applied to other datastores that have similar operation
> > > sets.
> > > >>> Any new datastore specification needs to define how it maps to the
> NACM
> > > >>> CRUDX
> > > >>> model.  The datastore does not need to use NACM (e.g., datastore
> > > defines
> > > >>> something else
> > > >>> or does not use access control).
> > > >>>
> > > >>>
> > > >>> Can you update the draft with this text.
> > > >>>
> > > >>>
> > > >>>
> > > >>> To the point that Andy raised earlier, we need to have texts around
> > > >>>> datastores that provide more than CRUDX capabilities, including
> any
> > > >>>> protocol operations, e.g. priority, as something that is out of
> scope
> > > of
> > > >>>> this document.
> > > >>>>
> > > >>>>
> > > >>> This would be outside the scope of NACM.
> > > >>> This is part of the RPC input validation.
> > > >>>
> > > >>>
> > > >>> And clarify that operations outside of CRUDX are outside the scope
> of
> > > >>> NACM. We can them move the document towards publication.
> > > >>>
> > > >>> Thanks.
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >>>> NETCONF WG has moved to redefine its charter beyond NETCONF and
> > > RESTCONF.
> > > >>>> Therefore there is a real possibility of another protocol being
> > > discussed
> > > >>>> in the WG. Is there something in the NACM draft that restricts it
> to
> > > >>>> NETCONF/RESTCONF that other protocols cannot adopt? If so, can
> they be
> > > >>>> called out?
> > > >>>>
> > > >>>
> > > >>> If NACM needs to be changed in the future because a new or existing
> > > >>> protocol needs new features
> > > >>> then the WG will have to deal with it then.
> > > >>>
> > > >>>
> > > >>>
> > > >>>>
> > > >>>> Thanks.
> > > >>>>
> > > >>>>
> > > >>> Andy
> > > >>>
> > > >>>
> > > >>>>> On May 9, 2017, at 11:46 PM, Juergen Schoenwaelder <
> > > >>>> j.schoenwaelder@jacobs-university.de> wrote:
> > > >>>>>
> > > >>>>> On Tue, May 09, 2017 at 02:50:30PM +0200, Martin Bjorklund wrote:
> > > >>>>>> Andy Bierman <andy@yumaworks.com> wrote:
> > > >>>>>>> On Thu, May 4, 2017 at 11:21 AM, Alexander Clemm <
> > > >>>> alexander.clemm@huawei.com
> > > >>>>>>>> wrote:
> > > >>>>>>>
> > > >>>>>>>> As mentioned in my message, I don’t think specific access
> control
> > > >>>> will be
> > > >>>>>>>> needed (I am not aware of specific use cases), but
> specifically
> > > with
> > > >>>> the
> > > >>>>>>>> revised datastore architecture about to the be introduced, its
> > > >>>> impact or
> > > >>>>>>>> nonimpact and interrelation with NACM should be discussed.
> This
> > > can
> > > >>>> be as
> > > >>>>>>>> simple as a small paragraph or subsection “Revised Datastore
> > > >>>>>>>> Considerations”.
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>
> > > >>>>>>> there is no text about candidate vs. running vs. startup.
> > > >>>>>>> The NACM rules apply to all of them the same.
> > > >>>>>>> I could add text that says there is no consideration for
> specific
> > > >>>>>>> datastores.
> > > >>>>>>
> > > >>>>>> Actually, the document already says:
> > > >>>>>>
> > > >>>>>> 3.2.  Datastore Access
> > > >>>>>>
> > > >>>>>>  The same access control rules apply to all datastores, for
> example,
> > > >>>>>>  the candidate configuration datastore or the running
> configuration
> > > >>>>>>  datastore.
> > > >>>>>>
> > > >>>>>>  Only the standard NETCONF datastores (candidate, running, and
> > > >>>>>>  startup) are controlled by NACM.
> > > >>>>>>
> > > >>>>>>
> > > >>>>>> Somehow this needs to be updated when the revised datastore
> work is
> > > >>>>>> done.  E.g., I expect read access to intended to follow the same
> > > NACM
> > > >>>>>> rules.
> > > >>>>>>
> > > >>>>>
> > > >>>>> Yes. NACM likely also applies to the <operational/> datastore
> (but
> > > >>>>> this follows already from the text that talks about 'state
> data').
> > > >>>>>
> > > >>>>> My question, however, was about other future yet to be defined
> > > >>>>> 'dynamic' datastores - does NACM make a statement of the form
> 'once
> > > an
> > > >>>>> implementation announces NACM, NACM applies to all datastores -
> no
> > > >>>>> exceptions' or do we leave it to the definition of future
> datastores
> > > >>>>> to declare whether NACM applies to it. There may be three
> possible
> > > >>>>> solutions:
> > > >>>>>
> > > >>>>> a) Once an implementation supports NACM, NACM applies to all
> > > >>>>>  datastores (including any datastores defined in the future).
> > > >>>>>
> > > >>>>> b) Once an implementation supports NACM, NACM applies to all
> > > >>>>>  conventional datastores and the operational state datastore.
> Other
> > > >>>>>  datastores must define whether NACM applies to them.
> > > >>>>>
> > > >>>>>  (This means, whenever a new datastore is introduced, the
> question
> > > >>>>>  whether NACM applies has to answered for the new datastore.)
> > > >>>>>
> > > >>>>> c) Once an implementation supports NACM, NACM applies to all
> current
> > > >>>>>  and future datastore unless explicitely stated or signaled that
> > > >>>>>  NACM does not apply to a certain future datastore.
> > > >>>>>
> > > >>>>>  (This is essentially b) but with a default that NACM applies
> unless
> > > >>>>>  things are explicitly regulated to be different.)
> > > >>>>>
> > > >>>>> I just thought it is worth to take a moment to think about this
> > > >>>>> question.
> > > >>>>>
> > > >>>>> /js
> > > >>>>>
> > > >>>>> --
> > > >>>>> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > > >>>>> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen |
> > > Germany
> > > >>>>> Fax:   +49 421 200 3103         <http://www.jacobs-university.
> de/>
> > > >>>>>
> > > >>>>> _______________________________________________
> > > >>>>> Netconf mailing list
> > > >>>>> Netconf@ietf.org
> > > >>>>> https://www.ietf.org/mailman/listinfo/netconf
> > > >>>>
> > > >>>> Mahesh Jethanandani
> > > >>>> mjethanandani@gmail.com
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>
> > > >>> Mahesh Jethanandani
> > > >>> mjethanandani@gmail.com
> > > >>>
> > > >>>
> > >
> > > Mahesh Jethanandani
> > > mjethanandani@gmail.com
> > >
> > >
> > >
> > >
>

v2.23.0 | Report a Bug | By Email