Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"

Martin Bjorklund <mbj@tail-f.com> Mon, 08 January 2018 15:46 UTC

Date: Mon, 08 Jan 2018 16:45:09 +0100
Message-Id: <20180108.164509.2179320293753239869.mbj@tail-f.com>
To: rwilton@cisco.com
Cc: einarnn@cisco.com, supjps-ietf@jpshallow.com, mjethanandani@gmail.com, netmod@ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <041cd24f-858c-5e94-6bea-6d25f62b4acc@cisco.com>
References: <012301d3886e$f96f08e0$ec4d1aa0$@jpshallow.com> <B0576B62-CB61-45EA-99EF-E5B67545B85C@cisco.com> <041cd24f-858c-5e94-6bea-6d25f62b4acc@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/lWjeqea75tnEMQlVxKHbXTUtAwg>
Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"

Hi,

Robert Wilton <rwilton@cisco.com> wrote:
> Hi Einar, Jon, Mahesh,
> 
> My gut instinct is that making this a grouping might not be a good
> idea:
> 
> 1) If somebody updates the core ACL model, they will then need to check
> whether anyone using it should be similarly updated (unless they use
> import-by-revision).
> 
> 2) Does it make sense to define ACLs in separate places?  It would
> likely be simpler if ACLs were defined in a central place and then just
> referenced by other protocols as required.
> 
> 3) I think that groupings are probably overused and I think that they
> can detract from the readability of the model.  (I regard the
> OpenConfig YANG models as an extreme example of this, where it is
> necessary to compile the modules together to figure out where
> everything fits together).

I agree with all three statements.  The current acl data model has a
top-level grouping "interface-acl" which probably is not intended to
be "exported".  I think it should be moved into the
"attachment-points" container, in order to make it local.

If the entire access-list container is defined as a grouping, and is
used in multiple places, how are the multiple interface
attachment-points handled?


/martin



> 
> Having said that, I don't think that this issue is important enough to
> have a long discussion about ...
> 
> Thanks,
> Rob
> 
> 
> On 08/01/2018 15:02, Einar Nilsen-Nygaard (einarnn) wrote:
> > Since this is a 7-line change, I see no harm in it if no-one objects?
> > Mahesh has the token for rolling in updates discussed just prior to
> > the end of 2017.
> >
> > Here’s a possible diff:
> >
> > $ git diff -b
> > diff --git a/src/yang/ietf-access-control-list.yang
> > b/src/yang/ietf-access-control-list.yang
> > index 4d698c9..b1a173f 100644
> > --- a/src/yang/ietf-access-control-list.yang
> > +++ b/src/yang/ietf-access-control-list.yang
> > @@ -402,6 +402,10 @@ module ietf-access-control-list {
> >    /*
> >     * Configuration data nodes
> >     */
> > +  grouping access-lists-top {
> > +    description
> > +      "Grouping to allow reuse of access lists container elsewhere.";
> > +
> >      container access-lists {
> >        description
> >          "This is a top level container for Access Control Lists.
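Review bot: the description on `grouping access-lists-top` should say what a consumer actually gets. Per RFC 7950 section 7.12 the nodes of a grouping are not bound to a namespace until a `uses` adds them, so a second `uses acl:access-lists-top` in another module creates an independent `access-lists` subtree in that module's namespace, not another view of `/acl:access-lists`. Suggest something like: "Grouping that instantiates an independent copy of the access-lists container in the using module." Also, because this was produced with `git diff -b`, the wrapped container keeps its old indentation inside the new grouping; re-indent the body before committing so the nesting is visible to readers of the module.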
> > @@ -576,6 +580,9 @@ module ietf-access-control-list {
> >          }
> >        }
> >      }
> > +  }
> > +  uses access-lists-top;
> > +
> >    augment "/if:interfaces/if:interface" {
> >      description
> >        "Augment interfaces to allow ACLs to be associated in either
> > the
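Review bot: the top-level `uses access-lists-top;` reproduces `/acl:access-lists` exactly as before, but the `augment "/if:interfaces/if:interface"` that follows it still binds ACL attachment only to that instance. Any other module that also does `uses acl:access-lists-top` will hold ACLs that nothing in this module's schema (the interface augment, or any absolute-path leafref into `/acl:access-lists`) can refer to, which is the attachment-point question raised in the reply above. Either document that limitation in the grouping description or reconsider whether consumers need a copy of the container at all rather than a leafref into the central list.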
> >
> > Cheers,
> >
> > Einar
> >
> >
> >> On 8 Jan 2018, at 10:53, Jon Shallow <supjps-ietf@jpshallow.com> wrote:
> >>
> >> Hi There,
> >> I appreciate that this is late to the table, but is it possible to set
> >> up “access-lists” as a “grouping” in the YANG data model so that
> >> “access-lists” can be included by “uses” in a higher level YANG data
> >> model?
> >> I have raised this as issue #22
> >> at https://github.com/netmod-wg/acl-model/issues
> >> Regards
> >> Jon
> >> _______________________________________________
> >> netmod mailing list
> >> netmod@ietf.org
> >> https://www.ietf.org/mailman/listinfo/netmod
> >
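The namespace consequence behind Martin's attachment-point question, shown as an added YANG example that is not part of this thread or of the acl-model repository. It assumes the proposed `access-lists-top` grouping has been adopted in ietf-access-control-list; the module name `example-acl-user`, its namespace and prefix, the `vpn` container and the `applied-acl` leaf-list are hypothetical, and the leafref path assumes the list and key names `acl` and `acl-name`, which must be checked against the draft revision actually imported.

```yang
module example-acl-user {
  yang-version 1.1;
  namespace "urn:example:acl-user";  // hypothetical namespace
  prefix exu;

  import ietf-access-control-list {
    prefix acl;
  }

  description
    "Hypothetical consumer of the grouping proposed in the patch.
     Not part of the acl-model repository.";

  // Option A: copy the container via the proposed grouping.
  // RFC 7950 section 7.12: nodes of a grouping take the namespace of the
  // module that does 'uses', so this instantiates /exu:vpn/exu:access-lists.
  // The augment of /if:interfaces/if:interface in ietf-access-control-list
  // still targets /acl:access-lists only, so ACLs defined under /exu:vpn
  // cannot be attached to an interface through it.
  container vpn {
    description
      "A second, independent set of ACLs, invisible to the interface
       attachment points defined in ietf-access-control-list.";
    uses acl:access-lists-top;
  }

  // Option B: reference the central container instead of copying it
  // (Rob's point 2).  A single list of ACLs lives at /acl:access-lists and
  // consumers point at entries in it.
  // ASSUMPTION: 'acl' is the list name and 'acl-name' its key leaf in the
  // imported revision; adjust the path if the revision differs.
  leaf-list applied-acl {
    type leafref {
      path "/acl:access-lists/acl:acl/acl:acl-name";
    }
    description
      "ACLs from the central list applied by this hypothetical consumer.
       Validation rejects a name that does not exist in /acl:access-lists.";
  }
}
```

With option A, a device would end up with two ACL tables whose entries share a name only by coincidence; with option B every name used by a consumer is constrained by the leafref to exist in the one central list, which is what makes the interface attachment points in ietf-access-control-list and the consumer agree on the same object.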