Re: [netmod] ietf-access-control-list@2017-10-03.yang : Can access-lists use a grouping?
Andy Bierman <andy@yumaworks.com> Thu, 02 November 2017 16:37 UTC
From: Andy Bierman <andy@yumaworks.com>
Date: Thu, 02 Nov 2017 09:37:28 -0700
To: "M. Ranganathan" <mranga@gmail.com>
Cc: Robert Wilton <rwilton@cisco.com>, "netmod@ietf.org" <netmod@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/ufsJzgRwraBkZOyGs8kmHRv22-s>

On Thu, Nov 2, 2017 at 9:26 AM, M. Ranganathan <mranga@gmail.com> wrote:

> Hi Andy
>
> On Thu, Nov 2, 2017 at 11:55 AM, Andy Bierman <andy@yumaworks.com> wrote:
>
>> On Thu, Nov 2, 2017 at 8:34 AM, M. Ranganathan <mranga@gmail.com> wrote:
>>
>>> Hi Rob, Mahesh,
>>>
>>> Thanks for reading.
>>>
>>> On Thu, Nov 2, 2017 at 11:00 AM, Robert Wilton <rwilton@cisco.com>
>>> wrote:
>>>
>>>> Hi Ranga,
>>>>
>>>> Presumably another choice would be to keep ACLs defined in one place (i.e.
>>>> no grouping required), augment with ACL model with your extra MUD + other
>>>> mgmt data, and then have a reference to that ACL from your model.
>>>>
>>>> Thanks,
>>>> Rob
>>>
>>> In the case of MUD (which is just a use case driving this need),
>>> there are local references from MUD to the ACL. MUD itself augments the ACL
>>> model.
>>>
>>> Augmentation would make (logical and design) sense if you were adding
>>> nodes that are in some way related to the ACL itself.
>>>
>>> If I wanted to Augment ACL with something that is not directly ACL
>>> relevant then Augmentation makes less sense to me from a design perspective
>>> (let's say I wanted to define a new YANG model that includes the ACL with
>>> some other system-relevant meta-data that has nothing to do with ACLs but
>>> is needed by the system in order to install an ACL).
>>>
>>> Making access-lists into a grouping and then using it in a container
>>> does not alter the ACL model as it currently stands but allows designers to
>>> use the ACL model with either augmentation or inclusion in other YANG
>>> models. Hence it improves the usability of the ACL model without altering
>>> the semantics of the current model. It is just a re-structuring but it
>>> helps the implementer.
>>
>> Loosely coupled tables should use leafref.
>> The main concern of the NETMOD WG should be the usability of the primary
>> solution.
>
> Not sure I understand the suggestion of using a leafref (please excuse my
> ignorance -- I am not a YANG expert by any stretch). If I used leafref,
> what leaf would I be referring to if I wanted to point to the access
> control list from another YANG model?

Augment is not the only way to couple data models.
You can have another list just define a foreign key
(called a leafref in YANG since it does not have to reference a key).

> Also I note from the description of Access Control Lists the following
> that would indicate that it is a primary solution that one may like to
> re-use in another model.
>
>     description
>       "This is a top level container for Access Control Lists.
>        It can have one or more Access Control Lists.";
>
> If the requested change were made, would it result in excessive churn?

I never understood why the WG wanted to change the ACL model to its
current form with containers. Seems complicated to me.

> Thanks
>
> Regards,
>
> Ranga.

Andy

> --
> M. Ranganathan
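
The loose coupling suggested in the reply above, as an added example that is not part of the original message or of any IETF module: a separate list carries the non-ACL metadata and points at an ACL through a leafref. The module name, namespace and the leaves name, acl and install-target are hypothetical, and the leafref path assumes the 2017-10-03 revision has a list "acl" with a leaf "acl-name" under the top-level "access-lists" container.

```yang
module example-acl-install {
  yang-version 1.1;
  namespace "urn:example:acl-install";   // hypothetical namespace
  prefix exi;

  import ietf-access-control-list {
    prefix acl;
  }

  description
    "Hypothetical module: holds system metadata needed to install
     an ACL and refers to the ACL by leafref, so the ACL model is
     neither augmented nor restructured into a grouping.";

  revision 2017-11-02 {
    description "Constructed example.";
  }

  container acl-installs {
    list acl-install {
      key "name";

      leaf name {
        type string;
        description "Local name of this install record.";
      }

      leaf acl {
        // Foreign key into the ACL model. The path is an assumption
        // about the 2017-10-03 revision (see the lead-in).
        type leafref {
          path "/acl:access-lists/acl:acl/acl:acl-name";
        }
        mandatory true;
        description "The ACL this record applies to.";
      }

      leaf install-target {
        type string;
        description
          "Metadata unrelated to ACL matching, for example where
           the system should install the referenced ACL.";
      }
    }
  }
}
```

Because a leafref requires the referenced instance to exist by default, a server validating this configuration rejects an install record that names an ACL that is not configured. If the ACL list is keyed by more than the name, a second leaf plus a path predicate is needed to single out one entry.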