Re: [netmod] js review of draft-ietf-netmod-schema-mount-09

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Tue, 10 April 2018 12:46 UTC

Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CB6F1241F5 for <netmod@ietfa.amsl.com>; Tue, 10 Apr 2018 05:46:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hDJNAgdv66CZ for <netmod@ietfa.amsl.com>; Tue, 10 Apr 2018 05:46:46 -0700 (PDT)
Received: from atlas5.jacobs-university.de (atlas5.jacobs-university.de [212.201.44.20]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 463B81270A7 for <netmod@ietf.org>; Tue, 10 Apr 2018 05:46:46 -0700 (PDT)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas5.jacobs-university.de (Postfix) with ESMTP id 17DADDCF; Tue, 10 Apr 2018 14:46:45 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas5.jacobs-university.de ([10.70.0.217]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10032) with ESMTP id ewRo9vaVKWoL; Tue, 10 Apr 2018 14:46:43 +0200 (CEST)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas5.jacobs-university.de (Postfix) with ESMTPS; Tue, 10 Apr 2018 14:46:44 +0200 (CEST)
Received: from localhost (demetrius1.jacobs-university.de [212.201.44.46]) by hermes.jacobs-university.de (Postfix) with ESMTP id E62F220035; Tue, 10 Apr 2018 14:46:44 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius1.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id hDIPGMjcpIsT; Tue, 10 Apr 2018 14:46:44 +0200 (CEST)
Received: from elstar.local (unknown [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 38AE220031; Tue, 10 Apr 2018 14:46:44 +0200 (CEST)
Received: by elstar.local (Postfix, from userid 501) id 19D8842AE702; Tue, 10 Apr 2018 14:46:44 +0200 (CEST)
Date: Tue, 10 Apr 2018 14:46:43 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Martin Bjorklund <mbj@tail-f.com>
Cc: netmod@ietf.org
Message-ID: <20180410124643.mnywxuxrnyaahttv@elstar.local>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Martin Bjorklund <mbj@tail-f.com>, netmod@ietf.org
References: <20180329090305.eqshcqvqo33r5bsf@elstar.local> <20180405.143340.1930670144610383537.mbj@tail-f.com> <20180406122406.wdba43mr3bxsnyce@elstar.local> <20180406.152710.818971844955208858.mbj@tail-f.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180406.152710.818971844955208858.mbj@tail-f.com>
User-Agent: NeoMutt/20171215
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/xfPRzeTiScvQIw7aCTR15V-0nKI>
Subject: Re: [netmod] js review of draft-ietf-netmod-schema-mount-09
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Apr 2018 12:46:48 -0000

On Fri, Apr 06, 2018 at 03:27:10PM +0200, Martin Bjorklund wrote:
> 
> Ok.  I tweaked it to:
> 
>   This document defines a mechanism to add the schema trees defined
>   by a set of YANG modules onto a mount point defined in the schema
>   tree in some YANG module.
>

Works for me.

> > OK. It seems that for a client capable to support a 'shared schema',
> > the 'inline' schema really is just a special case without parent
> > references. (I wonder whether anything should be said to YANG library
> > version numbers, whether they are always scoped by the mount point
> > or have meaning across mount points; if two YANG library instances
> > in mounted schemas have the same version number, does this imply
> > that these YANG library instances are identical or is this just a
> > version number clash? But then this probably goes across the spirit
> > of not talking about YANG library too much.)
> 
> When you say "version number" do you mean the YANG library checksum?
> I don't think the YL document guarantees that there can never be
> clashes.

Yes, the checksum (which I think is actually a version identifier).
Anyway, the question is whether a client can draw any conclusions from
seeing YANG library instances with the same checksum and whether a
client must simpy treat this as a clash. If multiple mounted schemas
have the same YANG library, then reading one of them would be
sufficient. The question is whether the checksum is a tool for
deciding whether a YANG library is similar to an already known one or
whether a client must not make this assumption, i.e., a checksum is
always scoped to the YANG library instance and you have to read them
all.

> > This helps. Can I also mount NACM into a mount point? If yes, what if
> > both are present?
> 
> Yes you can mount NACM.  To keep things simple, I think the inner NACM
> should not affect the access control done in the parent.  Consider the
> use cases for this.  In a NI situation, it doesn't make much sense to
> mount NACM.  In an LNE (or in a "peer mount") situation, it may make
> sense to mount NACM if the LNE (or device) supports it.  In this case,
> if I try to access any mounted data in the parent, access is
> controlled by the parent.  If I have access, the parent may send a
> request over to the mounted device to read/write the data.  That
> device will use its local copy of NACM to control access, or some
> other mechanism.

In this scenarios, if the parent NACM grants access but the inner NACM
does not grant access, I assume I will not have access, right? So how
does this line up with "the inner NACM should not affect the access
control done in the parent"? Frankly, this is all a bit hypothetical
since we have no standards for doing peer mounts - and clearly not for
writable peer mounts. So probably the truth is that it is undefined
whether the inner NACM applies or not. Hm.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>