Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"

["Jon Shallow" <supjps-ietf@jpshallow.com>]

Hi Robert,

 

A good set of points.

 

My particular use case (hence raising the question) is defining a YANG model where there are multiple appliances and where ACLs are defined for each appliance, but there is the likelihood of the different appliances using the same “acl-name”, but the contents of “acl-name” are different.  Having a grouping (using import-by-revision) would help me considerably here.

 

Regards

 

Jon

 

From: Robert Wilton [mailto: rwilton@cisco.com] 
Sent: 08 January 2018 15:31
To: Einar Nilsen-Nygaard (einarnn); Jon Shallow; Mahesh Jethanandani
Cc: netmod@ietf.org
Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"

 

Hi Einar, Jon, Mahesh,

My gut instinct is that making this a grouping might not be a good idea:

1) If somebody updates the core ACL model, will then need to check that anyone using it should be similarly updated (unless they use import-by-revision).

2) Does it make sense to define ACLs in separate places.  Would like be more simple if ACLs were defined in a central place and then just referenced by other protocols as required.

3) I think that groupings are probably overused and I think that they can detract from the readability of the model.  (I regard the OpenConfig YANG models as an extreme example of this, where it is necessary to compile the modules together to figure out where everything fits together).

Having said that, I don't think that this issue is important enough to have a long discussion about ...

Thanks,
Rob



On 08/01/2018 15:02, Einar Nilsen-Nygaard (einarnn) wrote:

Since this is a 7-line change, I see no harm in it if no-one objects? Mahesh has the token for rolling in updates discussed just prior to the end of 2017. 

 

Here’s a possible diff: 

 

$ git diff -b

diff --git a/src/yang/ietf-access-control-list.yang b/src/yang/ietf-access-control-list.yang

index 4d698c9..b1a173f 100644

--- a/src/yang/ietf-access-control-list.yang

+++ b/src/yang/ietf-access-control-list.yang

@@ -402,6 +402,10 @@ module ietf-access-control-list {

   /*

    * Configuration data nodes

    */

+  grouping access-lists-top {

+    description

+      "Grouping to allow reuse of access lists container elsewhere.";

+

     container access-lists {

       description

         "This is a top level container for Access Control Lists.

@@ -576,6 +580,9 @@ module ietf-access-control-list {

         }

       }

     }

+  }

+  uses access-lists-top;

+

   augment "/if:interfaces/if:interface" {

     description

       "Augment interfaces to allow ACLs to be associated in either the

 

Cheers,

 

Einar

 





On 8 Jan 2018, at 10:53, Jon Shallow <supjps-ietf@jpshallow.com> wrote:

 

Hi There,

 

I appreciate that this is late to the table, but is it possible to set up “access-lists” as a “grouping” in the YANG data model so that “access-lists” can be included by “uses” in a higher level YANG data model?

 

I have raised this as issue #22 at  <https://github.com/netmod-wg/acl-model/issues> https://github.com/netmod-wg/acl-model/issues

 

Regards

 

Jon

_______________________________________________
netmod mailing list
 <mailto:netmod@ietf.org> netmod@ietf.org
 <https://www.ietf.org/mailman/listinfo/netmod> https://www.ietf.org/mailman/listinfo/netmod

 






_______________________________________________
netmod mailing list
netmod@ietf.org
https://www.ietf.org/mailman/listinfo/netmod