IETF Logo Mail Archive

Re: [yang-doctors] Ensuring top/base models are designed as augmentable

"Joe Clarke (jclarke)" <jclarke@cisco.com> Wed, 20 November 2019 05:28 UTC

Return-Path: <jclarke@cisco.com>
X-Original-To: yang-doctors@ietfa.amsl.com
Delivered-To: yang-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4607C120110 for <yang-doctors@ietfa.amsl.com>; Tue, 19 Nov 2019 21:28:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Level:
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=WB6aZ0Kv; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=o//qw6m3
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Voi2D05Cwspl for <yang-doctors@ietfa.amsl.com>; Tue, 19 Nov 2019 21:28:10 -0800 (PST)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C274120033 for <yang-doctors@ietf.org>; Tue, 19 Nov 2019 21:28:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=39207; q=dns/txt; s=iport; t=1574227690; x=1575437290; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=vtmF9D6P+d9dT44KYYghNkaXzox41WEVnA4Q1SKgDhw=; b=WB6aZ0KvqoXYj8SRn8gLBlzCfObABxqiYMYmRoiNRU0WZFkOVsp3GDq/ Aku03K3lLlzCIY7qv9DXvZqfkRf72jfehVXAFtt3DtpOz7uwKx4IvpJa4 Ion32e3SJrFaEcIfFe1IgsgXorZpKe1yLzi2wYsYxu/3MsVCHSvlyXT1J o=;
IronPort-PHdr: 9a23:XRVKFRab9TSqgx8qYW+4IO//LSx94ef9IxIV55w7irlHbqWk+dH4MVfC4el20gebRp3VvvRDjeee87vtX2AN+96giDgDa9QNMn1NksAKh0olCc+BB1f8KavoZCgzBsdPfFRk5Hq8d0NSHZW2ag==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AUAAAHztRd/4kNJK1cCRoBAQEBAQEBAQEDAQEBAREBAQECAgEBAQGBbAMBAQEBCwGBGy8kLAVsWCAECyqEKoNGA4pzgl6YAIEuFIEQA1AECQEBAQwBARgBCgoCAQGEQAIXgg4kNgcOAgMNAQEEAQEBAgEFBG2FNwyFUgIBAwEBEBEdAQElBwsBDwIBCC0LAQYDAgICJQsUEQIEDgUbB4MAAYF5TQMuAQ6lJgKBOIhgdYEygn4BAQWBOAMLQ0CCQRiCFwMGgTYBjBQYgUA/gTgfgU5JNT6CYgEBgRwbFEMSglEyggoikBOFR5hTCoIrjAs1iQ8bgj6XU5AJmEcCBAIEBQIOAQEFgVkOJIFYcBU7KgGCQVARFJEag3OFFIU/dIEojhEBAQ
X-IronPort-AV: E=Sophos;i="5.69,220,1571702400"; d="scan'208,217";a="376656959"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 20 Nov 2019 05:28:08 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id xAK5S62N002058 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 20 Nov 2019 05:28:07 GMT
Received: from xhs-aln-003.cisco.com (173.37.135.120) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 19 Nov 2019 23:28:05 -0600
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 19 Nov 2019 23:28:03 -0600
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Wed, 20 Nov 2019 00:28:03 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mBxv3itF5T48slpGM2t2RXvWAS+kPTIp6vgHHG0fJvnU4c9mSg/747ulbDoVEtB8zYj20/pEs49XqrjypU2db2zZ5GwHiRb1TpIsr2xzHkv5yt1bNav3BKBb15iAZWGp104kQfG+taG67ZBSbmVaiIym4D5lfpCO8s9XJ+0N6h1QtVH+zqc5/IbL7kpOFTns9vR7PNedP1XjqjSvELkIbwxaKAmSBXm+1Kx3Sxsbf8811Upi7EpRh9Dql6aQ1D08NoRnqu55w2/CVhnRU4EX7RKg9llksVcJ0lLsz7gDnw2jNlwokOV/ownvF4XNiOvReuZe9oQsBfjXfFAG/qSPPg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vtmF9D6P+d9dT44KYYghNkaXzox41WEVnA4Q1SKgDhw=; b=eoeX6qiM9JL7ODQsVDmhEdCVaoYMPh3djBBmevJ1xglS1rU5AhE0N9gzXmi1jXCYVQnWcvFiY6eY+lQc3g/oRbyAlA77FZJf40KDSEGiFbdkNpLGJ7ctS0k7KmCio4ydKUYopUjNXIxro4TPARDcK+4QfrCBc1+nHUYuNik+l2OTEuVOB0nLw6zVTBl0ncLkR9cVLpXiVf3k+vtiJAg6pZqwNJx8NlZlTGMviQWjyVExcq3h3OgknSoLDsQtsi1WG5IFjbmXe6PmBu+pKXEBgz35AUg1mvlK/yPjyJOT1kbPc/D8916krWIxNEJZLxCf8of1Vk7y0CEEEGCAKMuAmg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vtmF9D6P+d9dT44KYYghNkaXzox41WEVnA4Q1SKgDhw=; b=o//qw6m3afaBckxqdgP1qGWsQdOAXmqvKbSf48tJAfXlez/i8ZFgWN9LnZJeynqgxfBNF0fuUNSYxtPdETGC1ksJ96co2kPoFIDc0pkKmkfe6Sg73aOGHfWtoDzpuY00mzLUGgK4JJk3EuKleE5z/8dUyQVMqjZWFZn6h2+0sZA=
Received: from BN6PR11MB1667.namprd11.prod.outlook.com (10.172.23.12) by BN6PR11MB0002.namprd11.prod.outlook.com (10.161.152.24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2451.30; Wed, 20 Nov 2019 05:28:02 +0000
Received: from BN6PR11MB1667.namprd11.prod.outlook.com ([fe80::499:8548:e967:458e]) by BN6PR11MB1667.namprd11.prod.outlook.com ([fe80::499:8548:e967:458e%12]) with mapi id 15.20.2474.015; Wed, 20 Nov 2019 05:28:02 +0000
From: "Joe Clarke (jclarke)" <jclarke@cisco.com>
To: Ladislav Lhotka <lhotka@nic.cz>
CC: "Benoit Claise (bclaise)" <bclaise@cisco.com>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>
Thread-Topic: [yang-doctors] Ensuring top/base models are designed as augmentable
Thread-Index: AQHVn095OwqHThHLuEiLDgPZ2zC4pKeTa/aAgAAHxQCAABQxAA==
Date: Wed, 20 Nov 2019 05:28:02 +0000
Message-ID: <B6927709-464F-4E8E-8EED-FB668FA240A5@cisco.com>
References: <20191118000150.amlnwhgagufkft5t@localhost> <20191118.085212.404540088270846510.mbj@tail-f.com> <20191118081238.wckqp7tczhmfmb45@localhost> <0515f51c-77bc-a1ff-6645-da5eb91c670b@cisco.com> <A453A1DE-08E7-4101-9858-39B7CC6F2528@cisco.com> <9e7583d6316468cc1eec5d11a66273d81f2185ed.camel@nic.cz>
In-Reply-To: <9e7583d6316468cc1eec5d11a66273d81f2185ed.camel@nic.cz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=jclarke@cisco.com;
x-originating-ip: [2001:420:c0c4:1002::b]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 59eed1c4-8bfc-45a4-a3f3-08d76d7a69ef
x-ms-traffictypediagnostic: BN6PR11MB0002:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <BN6PR11MB00022FBCC0B02D96EB684AEAB84F0@BN6PR11MB0002.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02272225C5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(376002)(39860400002)(346002)(366004)(136003)(189003)(199004)(66446008)(186003)(66476007)(316002)(81166006)(66556008)(11346002)(486006)(25786009)(606006)(446003)(478600001)(476003)(6506007)(102836004)(76116006)(76176011)(966005)(14454004)(91956017)(7736002)(46003)(6916009)(6246003)(14444005)(256004)(5660300002)(36756003)(4001150100001)(86362001)(71190400001)(71200400001)(81156014)(64756008)(66946007)(8936002)(4326008)(99286004)(2616005)(53546011)(8676002)(6116002)(6486002)(2906002)(236005)(54906003)(6512007)(6306002)(54896002)(229853002)(33656002)(6436002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR11MB0002; H:BN6PR11MB1667.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: UCDijLTf2X1gStxROteUCwhRY17d9r0KAly106ok5lSnp9w7w5EG3AACP71B8muBZrVZTR4bXGG2GL8r3EgyzK8a3ziWAoR7Lnr6iEbrSS87G5rmi5aDY7P46SGP2g839glfLF7XeeFEJyc/tP3nMMZutKKrmSkLZnlYQ+BSQB9iL1RBkGCcNFb5Crls6brMs7QLeWhcTBsbZ9N3SMzdVigd+YpaQgthiv40esxKPZ+ngA0A28W6jvwmMPZWLeG5EK1WcIkXcD+CrawjiwN00SjKWXWPwdg+SjsySI9vh4PN8f+eYfUFI5iuVksBi8WC1x9aLC0eeZ6m3jDUexkERgfbnPBZV5Y/qCzv3WdhBRED6z3EA9pnsD57+3PIo4aF6JxvgGGkcC7T+Z6b/zMs+dRHwanDJCNTM2S8KsLT9LD0lsGY6odJr8aiVEk9Kgoj
Content-Type: multipart/alternative; boundary="_000_B6927709464F4E8E8EEDFB668FA240A5ciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 59eed1c4-8bfc-45a4-a3f3-08d76d7a69ef
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Nov 2019 05:28:02.4666 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: h4fjizaadSyxkzEWbLseUCg5pvGVOpf8QP05Hs2kOjlWYdF70yBuz61K9ppCyQMibsy1qn7+EGwVCEISFhPMag==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR11MB0002
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.11, xch-aln-001.cisco.com
X-Outbound-Node: alln-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/Nn1pMe9DBWr2x1bEG-PP_Y3Uibo>
Subject: Re: [yang-doctors] Ensuring top/base models are designed as augmentable
X-BeenThere: yang-doctors@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Email list of the yang-doctors directorate <yang-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/yang-doctors/>
List-Post: <mailto:yang-doctors@ietf.org>
List-Help: <mailto:yang-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2019 05:28:12 -0000


On Nov 19, 2019, at 23:15, Ladislav Lhotka <lhotka@nic.cz<mailto:lhotka@nic.cz>> wrote:

On Wed, 2019-11-20 at 03:47 +0000, Joe Clarke (jclarke) wrote:
On Nov 19, 2019, at 22:06, Benoit Claise <bclaise@cisco.com<mailto:bclaise@cisco.com>> wrote:

Including Joe Clarke in the loop.
As OPSAWG chair, Joe took the AI to follow up with the YANG doctors in order
to find the best solution for the TACACS+ YANG model.

Thanks, Benoit.  YANG docs, specifically for the YANG TACACS+ module and its
interaction with ietf-system, we can certainly push for a new rev of ietf-
system, but what would be the recommendation to move this forward in lieu of
this strict enforcement?

My suggestion would be to do this in the tacacs module:

augment "/sys:system" {
 container tacacs {
   must "not(derived-from-or-self("
      + "../sys:authentication/sys:user-authentication-order, 'tacacs')"
      + "or server";
   list server {
      ...
   }
 }
}

Thanks, Lada.  This makes sense within tacacs (or tacacsplus) itself.  I agree it would have been good if this had been done for RADIUS previously as it would have been easier to extend with new authn types.

I’ll update the authors on this.  I suppose this could be an item for ietf-system.bis should it happen.

Joe


It would be better and more instructive to have it done in the same way for
radius in the ietf-system module.

Lada


Joe

Regards, Benoit
On Nov 18 08:52 AM, Martin Bjorklund wrote:
Ebben Aries <exa@arrcus.com<mailto:exa@arrcus.com>> wrote:
I was looking for any such possible wording in 8407 but could not find
anything around this design consideration.

Case in point, there are many modules that may be defined with top-
level
nodes where the intention is that other domains add/augment in either
at
a later date or at a bare minimum via another set of
definitions/modules in related domains.  When this occurs, it seems
important that the top level modules are designed in such a way to
account for such augmentation and to pick on one case, is the use of
'must' statements in top-level modules.

If we look at ietf-system below, for authentication, there are 2
definitions carried in the top-level module (local-users/radius) with
a
must restriction being placed at a node which is a target candidate
for
augmentation.

# ietf-system@2014-08-06.yang<mailto:ietf-system@2014-08-06.yang>

   container authentication {
     nacm:default-deny-write;
     if-feature authentication;

      description
        "The authentication configuration subtree.";

      leaf-list user-authentication-order {
        type identityref {
          base authentication-method;
        }
        must '(. != "sys:radius" or ../../radius/server)' {
          error-message
            "When 'radius' is used, a RADIUS server"
          + " must be configured.";
          description
            "When 'radius' is used as an authentication method,
             a RADIUS server must be configured.";
        }
        ordered-by user;

Now if one were to augment in with say 'tacacs' which would define an
identity that would base off sys:authentication-method, this would
either mean

- Any augmented identities cannot follow the same design pattern as
 those in the base module
Can you provide an example of what you want to do and show what
doesn't work?  From what I understand, it seems you can add the nodes
you want, but you can't just augment a must expression:

         must '(. != "x:tacacs" or ../../x:tacacs/server)'
The question is more generic wrt. ensuring nodes are augmentable or some
verbiage around such otherwise there could very well be cases that a
base restriction prevents and/or makes this difficult either for other
future SDO modules or other implementation augments.

For this specific case - that is precisely it as you have above.  The
augmented module cannot enforce similar restrictions for design
consistency sake

_______________________________________________
yang-doctors mailing list
yang-doctors@ietf.org<mailto:yang-doctors@ietf.org>
https://www.ietf.org/mailman/listinfo/yang-doctors
.


_______________________________________________
yang-doctors mailing list
yang-doctors@ietf.org<mailto:yang-doctors@ietf.org>
https://www.ietf.org/mailman/listinfo/yang-doctors
--
Ladislav Lhotka
Head, CZ.NIC Labs
PGP Key ID: 0xB8F92B08A9F76C67

v2.23.0 | Report a Bug | By Email