Re: [netmod] js review of draft-ietf-netmod-schema-mount-09

[Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>]

On Tue, Apr 10, 2018 at 04:15:46PM +0200, Martin Bjorklund wrote:
> > 
> > Yes, the checksum (which I think is actually a version identifier).
> > Anyway, the question is whether a client can draw any conclusions from
> > seeing YANG library instances with the same checksum and whether a
> > client must simpy treat this as a clash. If multiple mounted schemas
> > have the same YANG library, then reading one of them would be
> > sufficient. The question is whether the checksum is a tool for
> > deciding whether a YANG library is similar to an already known one or
> > whether a client must not make this assumption, i.e., a checksum is
> > always scoped to the YANG library instance and you have to read them
> > all.
> 
> Options:
> 
> 1.  Be silent about the YL checksum in this document.
> 
> 2.  State that the server MUST ensure that if two mounted YL
>     instances have the same checksum, then the YL contents MUST be
>     the same.
> 
> 3.  State that just b/c the YL checksum is the same in two mounted
>     instances, it does not mean that the YL contents is the same.
> 
> 4.  State that for use-schema, the YL contents and YL checksum MUST be
>     the samem but for inline, equal YL checksum is no guarantee for
>     equal YL contents.
> 
> From a client perspective, 2 is preferrable.  It is probably not
> difficult to implement on a server either; except in the peer mount
> case where the data is just read from some device.

The more I think about it, it seems option 4. is the right thing to
do.
 
> > > Yes you can mount NACM.  To keep things simple, I think the inner NACM
> > > should not affect the access control done in the parent.  Consider the
> > > use cases for this.  In a NI situation, it doesn't make much sense to
> > > mount NACM.  In an LNE (or in a "peer mount") situation, it may make
> > > sense to mount NACM if the LNE (or device) supports it.  In this case,
> > > if I try to access any mounted data in the parent, access is
> > > controlled by the parent.  If I have access, the parent may send a
> > > request over to the mounted device to read/write the data.  That
> > > device will use its local copy of NACM to control access, or some
> > > other mechanism.
> > 
> > In this scenarios, if the parent NACM grants access but the inner NACM
> > does not grant access, I assume I will not have access, right? So how
> > does this line up with "the inner NACM should not affect the access
> > control done in the parent"? Frankly, this is all a bit hypothetical
> > since we have no standards for doing peer mounts - and clearly not for
> > writable peer mounts. So probably the truth is that it is undefined
> > whether the inner NACM applies or not. Hm.
> 
> But maybe this is something that needs to be handled when we define
> peer mount?  The question is if we need to add any text to this
> document?
>

I think it is sufficient to say that the server's NACM rules apply to
mounted data. (In the peer mount case, it should not matter whether
the peer's NACM is mounted or not, the peer's NACM applies anyway when
the peer is accessed - but it may be accessed a username identity that
is different from the username identity used to access the mounted
data.)

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>