Re: [yang-doctors] [I2nsf] Yangdoctors last call review of draft-ietf-i2nsf-consumer-facing-interface-dm-05
"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Wed, 06 November 2019 02:05 UTC
To: Jan Lindblad <janl@tail-f.com>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>, YANG Doctors <yang-doctors@ietf.org>, draft-ietf-i2nsf-consumer-facing-interface-dm.all@ietf.org, skku-iotlab-members@googlegroups.com, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Hi Jan,

I believe that I have addressed your comments on I2NSF Consumer-Facing Interface Data Model:
https://tools.ietf.org/html/draft-ietf-i2nsf-consumer-facing-interface-dm-07

If you are satisfied with the revision, could you update the Review result in the following page?
https://datatracker.ietf.org/doc/review-ietf-i2nsf-consumer-facing-interface-dm-05-yangdoctors-lc-lindblad-2019-06-26/

Thanks.

Best Regards,
Paul

On Tue, Nov 5, 2019 at 6:03 PM Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com> wrote:
> Hi Jan,
> I have revised the Consumer-Facing Interface Data Model draft according to
> your guideline as follows:
>
> https://tools.ietf.org/html/draft-ietf-i2nsf-consumer-facing-interface-dm-07
>
> I attach a revision letter to explain how I revised this draft according
> to your comments.
>
> If you have further comments, please let me know.
>
> Thanks.
>
> Best Regards,
> Paul
>
> On Wed, Jul 31, 2019 at 5:21 PM Jan Lindblad <janl@tail-f.com> wrote:
>
>> Paul, I2NSF team,
>>
>> Thanks for your volunteering to improve our Consumer-Facing Interface
>> YANG Module.
>> Could you propose a way to redesign ietf-i2nsf-cfi-policy.yang to befit
>> NACM?
>>
>> Certainly. Find my proposed sketch for the module structure attached.
>>
>> I think it is important for the adoption of this module that it is
>> reasonably easy to implement it on top of existing NETCONF/RESTCONF/YANG
>> servers. They all implement the NACM management access control mechanism
>> today, so the ietf-i2nsf-cfi-policy module should build on that. It's
>> therefore important to leverage the existing NACM mechanisms and concepts
>> for groups, users, permissions.
>>
>> It would be technically possible to set up all the management access
>> control rules needed to implement the I2NSF ideas by only creating rules in
>> NACM. The NACM rules are massively more complex than the simple owner leaf
>> proposed in your YANG module, however. From a usability perspective I think
>> it makes good sense to keep the abstraction in ietf-i2nsf-cfi-policy and
>> let the module implementor make sure this high level authorization view is
>> translated into NACM specifics.
>>
>> In order to make this feasible, I changed the owner string leaf into a
>> leafref pointer to NACM groups, and removed the module's separate
>> identities for permissions. Let's adopt the NACM counterparts instead. The
>> structure of the rules was very flat, i.e. the domains, tenants, policies
>> and rules were mostly side by side, not reflecting their logical hierarchy
>> in the YANG. This would make the number of NACM rules to control access to
>> each individual item very high. By arranging them in a tree structure, I
>> believe the number of NACM rules can be kept to a minimum. NACM rules may
>> have a high impact on server performance, so it's important to not have
>> excessive amounts of them.
>>
>> I created a hierarchy with domains on top, each domain containing zero or
>> more tenants, each with zero or more policies that in turn consist of zero
>> or more rules. At each level it is possible to list owners in the form of
>> NACM groups. The module implementor would then have to translate these
>> owner references to actual NACM rules.
>>
>> Here is an example sketch configuration and the resulting NACM rules (in
>> CLI style syntax for readability):
>>
>> i2nsf-cfi domains domain example.com
>>   owners [ example.com--eng-it ]
>>   tenants tenant dev
>>     policies policy team-black
>>       owners [ example.com--dev ]
>>       rules rule 2
>>       !
>>       rules rule allow-malware-sites
>>         owners [ example.com--dev ]
>>
>> This is supposed to mean that members of the example.com--eng-it group
>> have full ownership of everything in the example.com domain. Within this
>> domain, there is a tenant called dev, with a policy called team-black. That
>> policy is owned by example.com--dev. This means this policy may be
>> updated by members in example.com--dev and example.com--eng-it. Within
>> the policy there are two rules ("2" and "allow-malware-sites"). The
>> "allow-malware-sites" rule has the example.com--dev group listed as
>> owner; this is superfluous. In this example, the rules are otherwise empty.
>>
>> In order for existing NC/RC/YANG servers to enforce the above, the
>> ietf-i2nsf-cfi-policy module implementation would need to translate the
>> intent above to NACM rules like the ones below. In this example, the
>> implementation created a rule to allow members of the dev and eng-it groups
>> within the example.com org to see the example.com domain and everything
>> within it. Next there is a rule to allow members of the example.com dev
>> group to update the policy named team-black within the dev tenant. Finally,
>> there is a rule to allow the eng-it group members to update anything within
>> the example.com domain. The default nacm policy per statement in the
>> YANG is to deny anyone else to see anything within the i2nsf domain.
>>
>> nacm rule-list example.com
>>   group [ example.com--dev example.com--eng-it ]
>>   rule read-all
>>     path /i2nsf-cfi/domains/domain[name='example.com']
>>     access-operations read
>>     action permit
>>   !
>> !
>> nacm rule-list example.com--dev
>>   group [ example.com--dev ]
>>   rule 1
>>     path /i2nsf-cfi/domains/domain[name='example.com']/tenants/tenant[name='dev']/policies/policy[name='team-black']
>>     action permit
>>   !
>> !
>> nacm rule-list example.com--eng-it
>>   group [ example.com--eng-it ]
>>   rule 1
>>     path /i2nsf-cfi/domains/domain[name='example.com']
>>     action permit
>>   !
>> !
>>
>> NACM also contains a mapping from user names to groups. Is this in line
>> with your expectations? Do we need additional infrastructure to control
>> this mapping?
>>
>> nacm groups group example.com--dev
>>   user-name [ jan vasilij ]
>> !
>> nacm groups group example.com--eng-it
>>   user-name [ chris victor ]
>> !
>> nacm groups group example.com--finance
>>   user-name [ clara sakura ]
>> !
>>
>> What do you think about this approach to the management access control?
>> I'm not sure I got the relations between domains, tenants, policies and
>> rules as you want them. Are all these levels needed? Do you believe this is
>> a workable approach to your vision?
>>
>> Please let me know if you would like me to take any further steps with
>> this sketch. I should mention that I also have plenty of other comments on
>> your updated module, but I want to get the access control approach resolved
>> before looking at anything else.
>>
>> I am not aware of any particular party interested to implement our data
>> model.
>>
>> Then it is all the more important that the solution can be implemented on
>> top of the existing servers out there without modifying them.
>>
>> Best Regards,
>> /jan
>>

--
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Associate Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php <http://cpslab.skku.edu/people-jaehoon-jeong.php>
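Jan's sketch above has the module implementor walk the domain/tenant/policy/rule tree and emit one read-only NACM rule-list per domain plus one rule-list per owning group, dropping the superfluous owner on allow-malware-sites because the enclosing policy already grants that group. The Python below is an added illustration of that translation and is not code from the I2NSF draft or from Jan's attachment; the CFI_CONFIG dict, the XPath layout and the function names are assumptions built from the CLI sketch in the thread.

```python
"""Translate i2nsf-cfi owner references into NACM rule-lists (illustration only)."""
from typing import Dict, List

# Constructed config mirroring the CLI sketch in the thread (not from the draft).
CFI_CONFIG = {"domains": [{
    "name": "example.com", "owners": ["example.com--eng-it"],
    "tenants": [{"name": "dev", "owners": [], "policies": [{
        "name": "team-black", "owners": ["example.com--dev"],
        "rules": [{"name": "2", "owners": []},
                  {"name": "allow-malware-sites", "owners": ["example.com--dev"]}]}]}]}]}

# Child list name and its YANG list entry name, one pair per level below domain.
LEVELS = (("tenants", "tenant"), ("policies", "policy"), ("rules", "rule"))


def _grants(node: Dict, path: str, inherited: frozenset, level: int, out: List) -> None:
    """Record (group, path) for each owner that does not already own an ancestor."""
    own = set()
    for group in node.get("owners", []):
        if group in inherited:
            continue  # superfluous owner: an enclosing node already grants this group
        out.append((group, path))
        own.add(group)
    if level < len(LEVELS):
        plural, singular = LEVELS[level]
        for child in node.get(plural, []):
            child_path = f"{path}/{plural}/{singular}[name='{child['name']}']"
            _grants(child, child_path, inherited | own, level + 1, out)


def nacm_rule_lists(config: Dict) -> List[Dict]:
    """Per domain: a read-only rule-list for every owning group, then one rule-list
    per group permitting all operations ("*", the NACM default) on what it owns.
    Everything else falls through to NACM's default deny for the i2nsf subtree."""
    result: List[Dict] = []
    for domain in config["domains"]:
        dpath = f"/i2nsf-cfi/domains/domain[name='{domain['name']}']"
        grants: List = []
        _grants(domain, dpath, frozenset(), 0, grants)
        groups = sorted({g for g, _ in grants})
        result.append({"name": domain["name"], "groups": groups, "rules": [
            {"name": "read-all", "path": dpath, "access-operations": "read", "action": "permit"}]})
        for group in groups:
            paths = [p for g, p in grants if g == group]
            result.append({"name": group, "groups": [group], "rules": [
                {"name": str(i), "path": p, "access-operations": "*", "action": "permit"}
                for i, p in enumerate(paths, 1)]})
    return result
```

Running it on CFI_CONFIG yields exactly the three rule-lists in Jan's sketch, with no extra rule for the redundant owner on allow-malware-sites.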