Re: [yang-doctors] [I2nsf] Yangdoctors last call review of draft-ietf-i2nsf-consumer-facing-interface-dm-05

Jan Lindblad <janl@tail-f.com> Wed, 31 July 2019 08:22 UTC

From: Jan Lindblad <janl@tail-f.com>
Date: Wed, 31 Jul 2019 10:21:52 +0200
In-Reply-To: <CAPK2DexOx=s2HL3EAYsLvzw2ak0Rg1cW0WkUZNi3GWA1sont=g@mail.gmail.com>
Cc: YANG Doctors <yang-doctors@ietf.org>, draft-ietf-i2nsf-consumer-facing-interface-dm.all@ietf.org, IETF Discussion <ietf@ietf.org>, skku_secu-brain_all@googlegroups.com, Brian Kim <kimshallom12@gmail.com>
To: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>
References: <156156480691.19914.1926691912558233407@ietfa.amsl.com> <CAPK2DexupkRCkxETaqJOECL6wrtW19s239qQFo4fzkbJFWWT-Q@mail.gmail.com> <EEBF46C1-D425-4ABA-A0DB-7392799D0A05@tail-f.com> <CAPK2DexOx=s2HL3EAYsLvzw2ak0Rg1cW0WkUZNi3GWA1sont=g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/7wAg_HgQmL2rB1GZ5UuU4KkaolI>

Paul, I2NSF team,

> Thanks for your volunteering to improve our Consumer-Facing Interface YANG Module.
> Could you propose a way to redesign ietf-i2nsf-cfi-policy.yang to befit NACM?

Certainly. Find my proposed sketch for the module structure attached.

I think it is important for the adoption of this module that it is reasonably easy to implement it on top of existing NETCONF/RESTCONF/YANG servers. They all implement the NACM management access control mechanism today, so the ietf-i2nsf-cfi-policy module should build on that. It's therefore important to leverage the existing NACM mechanisms and concepts for groups, users, permissions. 

It would be technically possible to set up all the management access control rules needed to implement the I2NSF ideas by only creating rules in NACM. The NACM rules are massively more complex than the simple owner leaf proposed in your YANG module, however. From a usability perspective I think it makes good sense to keep the abstraction in ietf-i2nsf-cfi-policy and let the module implementor make sure this high level authorization view is translated into NACM specifics.

In order to make this feasible, I changed the owner string leaf into a leafref pointer to NACM groups, and removed the module's separate identities for permissions. Let's adopt the NACM counterparts instead. The structure of the rules was very flat, i.e. the domains, tenants, policies and rules were mostly side by side, not reflecting their logical hierarchy in the YANG. This would make the number of NACM rules to control access to each individual item very high. By arranging them in a tree structure, I believe the number of NACM rules can be kept to a minimum. NACM rules may have a high impact on server performance, so it's important to not have excessive amounts of them.

I created a hierarchy with domains on top, each domain containing zero or more tenants, each with zero or more policies that in turn consist of zero or more rules. At each level it is possible to list owners in the form of NACM groups. The module implementor would then have to translate these owner references to actual NACM rules.

Here is an example sketch configuration and the resulting NACM rules (in CLI style syntax for readability):

i2nsf-cfi domains domain example.com
 owners [ example.com--eng-it ]
 tenants tenant dev
  policies policy team-black
   owners [ example.com--dev ]
   rules rule 2
   !
   rules rule allow-malware-sites
    owners [ example.com--dev ]

This is supposed to mean that members of the example.com--eng-it group have full ownership of everything in the example.com domain. Within this domain, there is a tenant called dev, with a policy called team-black. That policy is owned by example.com--dev. This means this policy may be updated by members in example.com--dev and example.com--eng-it. Within the policy there are two rules ("2" and "allow-malware-sites"). The "allow-malware-sites" rule has the example.com--dev group listed as owner; this is superfluous. In this example, the rules are otherwise empty.

In order for existing NC/RC/YANG servers to enforce the above, the ietf-i2nsf-cfi-policy module implementation would need to translate the intent above to NACM rules like the ones below. In this example, the implementation created a rule to allow members of the dev and eng-it groups within the example.com org to see the example.com domain and everything within it. Next there is a rule to allow members of the example.com dev group to update the policy named team-black within the dev tenant. Finally, there is a rule to allow the eng-it group members to update anything within the example.com domain. The default nacm policy per statement in the YANG is to deny anyone else to see anything within the i2nsf domain.

nacm rule-list example.com
 group [ example.com--dev example.com--eng-it ]
 rule read-all
  path              /i2nsf-cfi/domains/domain[name='example.com']
  access-operations read
  action            permit
 !
!
nacm rule-list example.com--dev
 group [ example.com--dev ]
 rule 1
  path   /i2nsf-cfi/domains/domain[name='example.com']/tenants/tenant[name='dev']/policies/policy[name='team-black']
  action permit
 !
!
nacm rule-list example.com--eng-it
 group [ example.com--eng-it ]
 rule 1
  path   /i2nsf-cfi/domains/domain[name='example.com']
  action permit
 !
!

NACM also contains a mapping from user names to groups. Is this in line with your expectations? Do we need additional infrastructure to control this mapping?

nacm groups group example.com--dev
 user-name [ jan vasilij ]
!
nacm groups group example.com--eng-it
 user-name [ chris victor ]
!
nacm groups group example.com--finance
 user-name [ clara sakura ]
!

What do you think about this approach to the management access control? I'm not sure I got the relations between domains, tenants, policies and rules as you want them. Are all these levels needed? Do you believe this is a workable approach to your vision?

Please let me know if you would like me to take any further steps with this sketch. I should mention that I also have plenty of other comments on your updated module, but I want to get the access control approach resolved before looking at anything else.

> I am not aware of any particular party interested to implement our data model.

Then it is all the more important that the solution can be implemented on top of the existing servers out there without modifying them.

Best Regards,
/jan
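The owner-to-NACM translation sketched in the mail above, as an added example (not Jan's code, not part of the I2NSF draft): it walks a domain/tenant/policy/rule tree whose owners are NACM group names and emits the rule-lists the mail shows, dropping an owner statement that sits below a node the same group already owns (the "superfluous" allow-malware-sites case). The node layout (`name`, `owners`, `children` dicts) and the fixed list names per depth are assumptions of this example.

```python
"""Added example: derive NACM rule-lists from the owner-per-level tree in the mail.
Assumes nodes are dicts with 'name', optional 'owners' (NACM groups) and 'children',
and that depth fixes the list names domains/tenants/policies/rules."""

SEGMENTS = ("domains/domain", "tenants/tenant", "policies/policy", "rules/rule")


def owner_entries(node, depth=0, prefix="/i2nsf-cfi"):
    """Yield (group, path) for each owner statement in the subtree, parents first."""
    path = f"{prefix}/{SEGMENTS[depth]}[name='{node['name']}']"
    for group in node.get("owners", []):
        yield group, path
    for child in node.get("children", []):
        yield from owner_entries(child, depth + 1, path)


def nacm_rule_lists(domain):
    """One read-only rule-list on the domain path for every group owning anything
    in the domain, plus one full-permit rule-list per group at the nodes it owns.
    An owner statement below a node the same group already owns is dropped as
    superfluous (the 'allow-malware-sites' case in the mail)."""
    domain_path = f"/i2nsf-cfi/domains/domain[name='{domain['name']}']"
    groups, permits = [], {}          # first-seen order; group -> owned paths
    for group, path in owner_entries(domain):
        if group not in groups:
            groups.append(group)
        if not any(path == p or path.startswith(p + "/") for p in permits.get(group, [])):
            permits.setdefault(group, []).append(path)
    rule_lists = [{"name": domain["name"], "group": sorted(groups),
                   "rule": [{"name": "read-all", "path": domain_path,
                             "access-operations": "read", "action": "permit"}]}]
    for group in groups:
        rule_lists.append({"name": group, "group": [group],
                           "rule": [{"name": str(i + 1), "path": p, "action": "permit"}
                                    for i, p in enumerate(permits[group])]})
    return rule_lists


EXAMPLE_COM = {  # the sketch from the mail, re-typed as constructed input data
    "name": "example.com", "owners": ["example.com--eng-it"],
    "children": [{"name": "dev", "children": [
        {"name": "team-black", "owners": ["example.com--dev"], "children": [
            {"name": "2"},
            {"name": "allow-malware-sites", "owners": ["example.com--dev"]}]}]}]}

if __name__ == "__main__":
    for rule_list in nacm_rule_lists(EXAMPLE_COM):
        print(rule_list)
```

Everyone not listed in a rule-list still falls under the module's default deny, so the output only ever widens access for the groups the tree names.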