IETF Logo Mail Archive

Re: [OPSAWG] re opsawg-tacacs-yang & ietf-system user-authen-order

john heasley <heas@shrubbery.net> Wed, 20 November 2019 08:54 UTC

Return-Path: <heas@shrubbery.net>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23DE71208B9 for <opsawg@ietfa.amsl.com>; Wed, 20 Nov 2019 00:54:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hO3U-m6MDzUz for <opsawg@ietfa.amsl.com>; Wed, 20 Nov 2019 00:54:41 -0800 (PST)
Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AFE012086B for <opsawg@ietf.org>; Wed, 20 Nov 2019 00:54:41 -0800 (PST)
Received: by guelah.shrubbery.net (Postfix, from userid 7053) id EF0472447CB; Wed, 20 Nov 2019 08:54:40 +0000 (UTC)
Date: Wed, 20 Nov 2019 08:54:40 +0000
From: john heasley <heas@shrubbery.net>
To: "Joe Clarke (jclarke)" <jclarke@cisco.com>
Cc: john heasley <heas@shrubbery.net>, "Wubo (lana)" <lana.wubo@huawei.com>, opsawg <opsawg@ietf.org>
Message-ID: <20191120085440.GD38915@shrubbery.net>
References: <20191120031745.GC49549@shrubbery.net> <96C3F282-036F-4F04-BB1A-B18407AEE502@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <96C3F282-036F-4F04-BB1A-B18407AEE502@cisco.com>
X-PGPkey: http://www.shrubbery.net/~heas/public-key.asc
X-note: live free, or die!
X-homer: i just want to have a beer while i am caring.
X-Claimation: an engineer needs a manager like a fish needs a bicycle
X-reality: only YOU can put an end to the embarrassment that is Tom Cruise
User-Agent: Mutt/1.12.2 (2019-09-21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/3k1Y9pyA9cz1Kbt0XBNt8kJ9c9g>
Subject: Re: [OPSAWG] re opsawg-tacacs-yang & ietf-system user-authen-order
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2019 08:54:42 -0000

Wed, Nov 20, 2019 at 05:30:29AM +0000, Joe Clarke (jclarke):
> Lada replied on YANG docs with a suggestion for the T+ module authors.  While we can’t affect the authentication-order node, the tacacsplus container could be defined like:
> 
> augment "/sys:system" {
>  container tacacs {
>    must "not(derived-from-or-self("
>       + "../sys:authentication/sys:user-authentication-order, 'tacacs')"
>       + "or server";
>    list server {
>       ...
>    }
>  }
> }
> 
> In this manner, T+ can provide enforcement.  Lada also mentioned that this would have been a better way of handling RADIUS in ietf-system.  Certainly this could be an item for a .bis, but not sure if this alone is worth taking on that work.

That would be an improvement, but I still assert that this constraint is
not necessary nor desired - tacacs nor radius - if I'm reading that
correctly (XPATH often confuses me).

ps. parens imbalanced?

v2.23.0 | Report a Bug | By Email