Re: [yang-doctors] Ensuring top/base models are designed as augmentable
"Joe Clarke (jclarke)" <jclarke@cisco.com> Wed, 20 November 2019 05:28 UTC
Return-Path: <jclarke@cisco.com>
X-Original-To: yang-doctors@ietfa.amsl.com
Delivered-To: yang-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4607C120110 for <yang-doctors@ietfa.amsl.com>; Tue, 19 Nov 2019 21:28:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Level:
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=WB6aZ0Kv; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=o//qw6m3
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Voi2D05Cwspl for <yang-doctors@ietfa.amsl.com>; Tue, 19 Nov 2019 21:28:10 -0800 (PST)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C274120033 for <yang-doctors@ietf.org>; Tue, 19 Nov 2019 21:28:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=39207; q=dns/txt; s=iport; t=1574227690; x=1575437290; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=vtmF9D6P+d9dT44KYYghNkaXzox41WEVnA4Q1SKgDhw=; b=WB6aZ0KvqoXYj8SRn8gLBlzCfObABxqiYMYmRoiNRU0WZFkOVsp3GDq/ Aku03K3lLlzCIY7qv9DXvZqfkRf72jfehVXAFtt3DtpOz7uwKx4IvpJa4 Ion32e3SJrFaEcIfFe1IgsgXorZpKe1yLzi2wYsYxu/3MsVCHSvlyXT1J o=;
IronPort-PHdr: 9a23:XRVKFRab9TSqgx8qYW+4IO//LSx94ef9IxIV55w7irlHbqWk+dH4MVfC4el20gebRp3VvvRDjeee87vtX2AN+96giDgDa9QNMn1NksAKh0olCc+BB1f8KavoZCgzBsdPfFRk5Hq8d0NSHZW2ag==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AUAAAHztRd/4kNJK1cCRoBAQEBAQEBAQEDAQEBAREBAQECAgEBAQGBbAMBAQEBCwGBGy8kLAVsWCAECyqEKoNGA4pzgl6YAIEuFIEQA1AECQEBAQwBARgBCgoCAQGEQAIXgg4kNgcOAgMNAQEEAQEBAgEFBG2FNwyFUgIBAwEBEBEdAQElBwsBDwIBCC0LAQYDAgICJQsUEQIEDgUbB4MAAYF5TQMuAQ6lJgKBOIhgdYEygn4BAQWBOAMLQ0CCQRiCFwMGgTYBjBQYgUA/gTgfgU5JNT6CYgEBgRwbFEMSglEyggoikBOFR5hTCoIrjAs1iQ8bgj6XU5AJmEcCBAIEBQIOAQEFgVkOJIFYcBU7KgGCQVARFJEag3OFFIU/dIEojhEBAQ
X-IronPort-AV: E=Sophos;i="5.69,220,1571702400"; d="scan'208,217";a="376656959"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 20 Nov 2019 05:28:08 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id xAK5S62N002058 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 20 Nov 2019 05:28:07 GMT
Received: from xhs-aln-003.cisco.com (173.37.135.120) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 19 Nov 2019 23:28:05 -0600
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 19 Nov 2019 23:28:03 -0600
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Wed, 20 Nov 2019 00:28:03 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mBxv3itF5T48slpGM2t2RXvWAS+kPTIp6vgHHG0fJvnU4c9mSg/747ulbDoVEtB8zYj20/pEs49XqrjypU2db2zZ5GwHiRb1TpIsr2xzHkv5yt1bNav3BKBb15iAZWGp104kQfG+taG67ZBSbmVaiIym4D5lfpCO8s9XJ+0N6h1QtVH+zqc5/IbL7kpOFTns9vR7PNedP1XjqjSvELkIbwxaKAmSBXm+1Kx3Sxsbf8811Upi7EpRh9Dql6aQ1D08NoRnqu55w2/CVhnRU4EX7RKg9llksVcJ0lLsz7gDnw2jNlwokOV/ownvF4XNiOvReuZe9oQsBfjXfFAG/qSPPg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vtmF9D6P+d9dT44KYYghNkaXzox41WEVnA4Q1SKgDhw=; b=eoeX6qiM9JL7ODQsVDmhEdCVaoYMPh3djBBmevJ1xglS1rU5AhE0N9gzXmi1jXCYVQnWcvFiY6eY+lQc3g/oRbyAlA77FZJf40KDSEGiFbdkNpLGJ7ctS0k7KmCio4ydKUYopUjNXIxro4TPARDcK+4QfrCBc1+nHUYuNik+l2OTEuVOB0nLw6zVTBl0ncLkR9cVLpXiVf3k+vtiJAg6pZqwNJx8NlZlTGMviQWjyVExcq3h3OgknSoLDsQtsi1WG5IFjbmXe6PmBu+pKXEBgz35AUg1mvlK/yPjyJOT1kbPc/D8916krWIxNEJZLxCf8of1Vk7y0CEEEGCAKMuAmg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vtmF9D6P+d9dT44KYYghNkaXzox41WEVnA4Q1SKgDhw=; b=o//qw6m3afaBckxqdgP1qGWsQdOAXmqvKbSf48tJAfXlez/i8ZFgWN9LnZJeynqgxfBNF0fuUNSYxtPdETGC1ksJ96co2kPoFIDc0pkKmkfe6Sg73aOGHfWtoDzpuY00mzLUGgK4JJk3EuKleE5z/8dUyQVMqjZWFZn6h2+0sZA=
Received: from BN6PR11MB1667.namprd11.prod.outlook.com (10.172.23.12) by BN6PR11MB0002.namprd11.prod.outlook.com (10.161.152.24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2451.30; Wed, 20 Nov 2019 05:28:02 +0000
Received: from BN6PR11MB1667.namprd11.prod.outlook.com ([fe80::499:8548:e967:458e]) by BN6PR11MB1667.namprd11.prod.outlook.com ([fe80::499:8548:e967:458e%12]) with mapi id 15.20.2474.015; Wed, 20 Nov 2019 05:28:02 +0000
From: "Joe Clarke (jclarke)" <jclarke@cisco.com>
To: Ladislav Lhotka <lhotka@nic.cz>
CC: "Benoit Claise (bclaise)" <bclaise@cisco.com>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>
Thread-Topic: [yang-doctors] Ensuring top/base models are designed as augmentable
Thread-Index: AQHVn095OwqHThHLuEiLDgPZ2zC4pKeTa/aAgAAHxQCAABQxAA==
Date: Wed, 20 Nov 2019 05:28:02 +0000
Message-ID: <B6927709-464F-4E8E-8EED-FB668FA240A5@cisco.com>
References: <20191118000150.amlnwhgagufkft5t@localhost> <20191118.085212.404540088270846510.mbj@tail-f.com> <20191118081238.wckqp7tczhmfmb45@localhost> <0515f51c-77bc-a1ff-6645-da5eb91c670b@cisco.com> <A453A1DE-08E7-4101-9858-39B7CC6F2528@cisco.com> <9e7583d6316468cc1eec5d11a66273d81f2185ed.camel@nic.cz>
In-Reply-To: <9e7583d6316468cc1eec5d11a66273d81f2185ed.camel@nic.cz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=jclarke@cisco.com;
x-originating-ip: [2001:420:c0c4:1002::b]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 59eed1c4-8bfc-45a4-a3f3-08d76d7a69ef
x-ms-traffictypediagnostic: BN6PR11MB0002:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <BN6PR11MB00022FBCC0B02D96EB684AEAB84F0@BN6PR11MB0002.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02272225C5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(376002)(39860400002)(346002)(366004)(136003)(189003)(199004)(66446008)(186003)(66476007)(316002)(81166006)(66556008)(11346002)(486006)(25786009)(606006)(446003)(478600001)(476003)(6506007)(102836004)(76116006)(76176011)(966005)(14454004)(91956017)(7736002)(46003)(6916009)(6246003)(14444005)(256004)(5660300002)(36756003)(4001150100001)(86362001)(71190400001)(71200400001)(81156014)(64756008)(66946007)(8936002)(4326008)(99286004)(2616005)(53546011)(8676002)(6116002)(6486002)(2906002)(236005)(54906003)(6512007)(6306002)(54896002)(229853002)(33656002)(6436002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR11MB0002; H:BN6PR11MB1667.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: UCDijLTf2X1gStxROteUCwhRY17d9r0KAly106ok5lSnp9w7w5EG3AACP71B8muBZrVZTR4bXGG2GL8r3EgyzK8a3ziWAoR7Lnr6iEbrSS87G5rmi5aDY7P46SGP2g839glfLF7XeeFEJyc/tP3nMMZutKKrmSkLZnlYQ+BSQB9iL1RBkGCcNFb5Crls6brMs7QLeWhcTBsbZ9N3SMzdVigd+YpaQgthiv40esxKPZ+ngA0A28W6jvwmMPZWLeG5EK1WcIkXcD+CrawjiwN00SjKWXWPwdg+SjsySI9vh4PN8f+eYfUFI5iuVksBi8WC1x9aLC0eeZ6m3jDUexkERgfbnPBZV5Y/qCzv3WdhBRED6z3EA9pnsD57+3PIo4aF6JxvgGGkcC7T+Z6b/zMs+dRHwanDJCNTM2S8KsLT9LD0lsGY6odJr8aiVEk9Kgoj
Content-Type: multipart/alternative; boundary="_000_B6927709464F4E8E8EEDFB668FA240A5ciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 59eed1c4-8bfc-45a4-a3f3-08d76d7a69ef
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Nov 2019 05:28:02.4666 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: h4fjizaadSyxkzEWbLseUCg5pvGVOpf8QP05Hs2kOjlWYdF70yBuz61K9ppCyQMibsy1qn7+EGwVCEISFhPMag==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR11MB0002
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.11, xch-aln-001.cisco.com
X-Outbound-Node: alln-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/Nn1pMe9DBWr2x1bEG-PP_Y3Uibo>
Subject: Re: [yang-doctors] Ensuring top/base models are designed as augmentable
X-BeenThere: yang-doctors@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Email list of the yang-doctors directorate <yang-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/yang-doctors/>
List-Post: <mailto:yang-doctors@ietf.org>
List-Help: <mailto:yang-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2019 05:28:12 -0000
On Nov 19, 2019, at 23:15, Ladislav Lhotka <lhotka@nic.cz<mailto:lhotka@nic.cz>> wrote: On Wed, 2019-11-20 at 03:47 +0000, Joe Clarke (jclarke) wrote: On Nov 19, 2019, at 22:06, Benoit Claise <bclaise@cisco.com<mailto:bclaise@cisco.com>> wrote: Including Joe Clarke in the loop. As OPSAWG chair, Joe took the AI to follow up with the YANG doctors in order to find the best solution for the TACACS+ YANG model. Thanks, Benoit. YANG docs, specifically for the YANG TACACS+ module and its interaction with ietf-system, we can certainly push for a new rev of ietf- system, but what would be the recommendation to move this forward in lieu of this strict enforcement? My suggestion would be to do this in the tacacs module: augment "/sys:system" { container tacacs { must "not(derived-from-or-self(" + "../sys:authentication/sys:user-authentication-order, 'tacacs')" + "or server"; list server { ... } } } Thanks, Lada. This makes sense within tacacs (or tacacsplus) itself. I agree it would have been good if this had been done for RADIUS previously as it would have been easier to extend with new authn types. I’ll update the authors on this. I suppose this could be an item for ietf-system.bis should it happen. Joe It would be better and more instructive to have it done in the same way for radius in the ietf-system module. Lada Joe Regards, Benoit On Nov 18 08:52 AM, Martin Bjorklund wrote: Ebben Aries <exa@arrcus.com<mailto:exa@arrcus.com>> wrote: I was looking for any such possible wording in 8407 but could not find anything around this design consideration. Case in point, there are many modules that may be defined with top- level nodes where the intention is that other domains add/augment in either at a later date or at a bare minimum via another set of definitions/modules in related domains. When this occurs, it seems important that the top level modules are designed in such a way to account for such augmentation and to pick on one case, is the use of 'must' statements in top-level modules. If we look at ietf-system below, for authentication, there are 2 definitions carried in the top-level module (local-users/radius) with a must restriction being placed at a node which is a target candidate for augmentation. # ietf-system@2014-08-06.yang<mailto:ietf-system@2014-08-06.yang> container authentication { nacm:default-deny-write; if-feature authentication; description "The authentication configuration subtree."; leaf-list user-authentication-order { type identityref { base authentication-method; } must '(. != "sys:radius" or ../../radius/server)' { error-message "When 'radius' is used, a RADIUS server" + " must be configured."; description "When 'radius' is used as an authentication method, a RADIUS server must be configured."; } ordered-by user; Now if one were to augment in with say 'tacacs' which would define an identity that would base off sys:authentication-method, this would either mean - Any augmented identities cannot follow the same design pattern as those in the base module Can you provide an example of what you want to do and show what doesn't work? From what I understand, it seems you can add the nodes you want, but you can't just augment a must expression: must '(. != "x:tacacs" or ../../x:tacacs/server)' The question is more generic wrt. ensuring nodes are augmentable or some verbiage around such otherwise there could very well be cases that a base restriction prevents and/or makes this difficult either for other future SDO modules or other implementation augments. For this specific case - that is precisely it as you have above. The augmented module cannot enforce similar restrictions for design consistency sake _______________________________________________ yang-doctors mailing list yang-doctors@ietf.org<mailto:yang-doctors@ietf.org> https://www.ietf.org/mailman/listinfo/yang-doctors . _______________________________________________ yang-doctors mailing list yang-doctors@ietf.org<mailto:yang-doctors@ietf.org> https://www.ietf.org/mailman/listinfo/yang-doctors -- Ladislav Lhotka Head, CZ.NIC Labs PGP Key ID: 0xB8F92B08A9F76C67
- [yang-doctors] Ensuring top/base models are desig… Ebben Aries
- Re: [yang-doctors] Ensuring top/base models are d… Martin Bjorklund
- Re: [yang-doctors] Ensuring top/base models are d… Ebben Aries
- Re: [yang-doctors] Ensuring top/base models are d… Benoit Claise
- Re: [yang-doctors] Ensuring top/base models are d… Joe Clarke (jclarke)
- Re: [yang-doctors] Ensuring top/base models are d… Ladislav Lhotka
- Re: [yang-doctors] Ensuring top/base models are d… Joe Clarke (jclarke)
- Re: [yang-doctors] Ensuring top/base models are d… Ladislav Lhotka
- Re: [yang-doctors] Ensuring top/base models are d… Rob Wilton (rwilton)