Re: [yang-doctors] Ensuring top/base models are designed as augmentable
Ladislav Lhotka <lhotka@nic.cz> Wed, 20 November 2019 05:59 UTC
Return-Path: <lhotka@nic.cz>
X-Original-To: yang-doctors@ietfa.amsl.com
Delivered-To: yang-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5C1A120802 for <yang-doctors@ietfa.amsl.com>; Tue, 19 Nov 2019 21:59:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.997
X-Spam-Level:
X-Spam-Status: No, score=-6.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k14J4JtCv7f9 for <yang-doctors@ietfa.amsl.com>; Tue, 19 Nov 2019 21:59:42 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86B9812000F for <yang-doctors@ietf.org>; Tue, 19 Nov 2019 21:59:42 -0800 (PST)
Received: from birdie (dhcp-9c3a.meeting.ietf.org [31.133.156.58]) by mail.nic.cz (Postfix) with ESMTPSA id A287F140E93; Wed, 20 Nov 2019 06:59:38 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1574229580; bh=QOFRX/qzd0R3xkqfRRKrLNqlXIBPeOgKN8noKbmEfIM=; h=From:To:Date; b=WuLrnG+ZXFEnGuRtqsw5hXaNqRATVN6Per+DhXZF98vhh+lURSvn0IvJ3VRdFH6xS r3NfcL7bbvMrzfkR9xBbhbEayfFxEHZUTrU0HVqAWM0iew0Pd7ylrKYTNdiVrnkiBo DatTSjLl02FHBy1WXja4vTXAqqUg9CmgRVmjWuwc=
Message-ID: <de7dab5bd009acd4a55e6e0d948c8981f850f8a1.camel@nic.cz>
From: Ladislav Lhotka <lhotka@nic.cz>
To: "Joe Clarke (jclarke)" <jclarke@cisco.com>
Cc: "Benoit Claise (bclaise)" <bclaise@cisco.com>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>
Date: Wed, 20 Nov 2019 13:59:33 +0800
In-Reply-To: <B6927709-464F-4E8E-8EED-FB668FA240A5@cisco.com>
References: <20191118000150.amlnwhgagufkft5t@localhost> <20191118.085212.404540088270846510.mbj@tail-f.com> <20191118081238.wckqp7tczhmfmb45@localhost> <0515f51c-77bc-a1ff-6645-da5eb91c670b@cisco.com> <A453A1DE-08E7-4101-9858-39B7CC6F2528@cisco.com> <9e7583d6316468cc1eec5d11a66273d81f2185ed.camel@nic.cz> <B6927709-464F-4E8E-8EED-FB668FA240A5@cisco.com>
Organization: CZ.NIC
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.34.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.100.3 at mail.nic.cz
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/ZsNB3pDtvRG95FtWfC88n5nboHI>
Subject: Re: [yang-doctors] Ensuring top/base models are designed as augmentable
X-BeenThere: yang-doctors@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Email list of the yang-doctors directorate <yang-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/yang-doctors/>
List-Post: <mailto:yang-doctors@ietf.org>
List-Help: <mailto:yang-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2019 05:59:47 -0000
On Wed, 2019-11-20 at 05:28 +0000, Joe Clarke (jclarke) wrote: > > > > On Nov 19, 2019, at 23:15, Ladislav Lhotka <lhotka@nic.cz> wrote: > > > > On Wed, 2019-11-20 at 03:47 +0000, Joe Clarke (jclarke) wrote: > > > > On Nov 19, 2019, at 22:06, Benoit Claise <bclaise@cisco.com> wrote: > > > > > > > > Including Joe Clarke in the loop. > > > > As OPSAWG chair, Joe took the AI to follow up with the YANG doctors in > > > > order > > > > to find the best solution for the TACACS+ YANG model. > > > > > > Thanks, Benoit. YANG docs, specifically for the YANG TACACS+ module and > > > its > > > interaction with ietf-system, we can certainly push for a new rev of ietf- > > > system, but what would be the recommendation to move this forward in lieu > > > of > > > this strict enforcement? > > > > My suggestion would be to do this in the tacacs module: > > > > augment "/sys:system" { > > container tacacs { > > must "not(derived-from-or-self(" > > + "../sys:authentication/sys:user-authentication-order, 'tacacs')" > > + "or server"; > > list server { > > ... > > } > > } > > } > > Thanks, Lada. This makes sense within tacacs (or tacacsplus) itself. I agree > it would have been good if this had been done for RADIUS previously as it > would have been easier to extend with new authn types. > > I’ll update the authors on this. I suppose this could be an item for ietf- > system.bis should it happen. It should, because the identityref value is tested using plain string comparison and, moreover, the module isn't NMDA compatible. Lada > > Joe > > > It would be better and more instructive to have it done in the same way for > > radius in the ietf-system module. > > > > Lada > > > > > Joe > > > > > > > Regards, Benoit > > > > > On Nov 18 08:52 AM, Martin Bjorklund wrote: > > > > > > Ebben Aries <exa@arrcus.com> wrote: > > > > > > > I was looking for any such possible wording in 8407 but could not > > > > > > > find > > > > > > > anything around this design consideration. > > > > > > > > > > > > > > Case in point, there are many modules that may be defined with > > > > > > > top- > > > > > > > level > > > > > > > nodes where the intention is that other domains add/augment in > > > > > > > either > > > > > > > at > > > > > > > a later date or at a bare minimum via another set of > > > > > > > definitions/modules in related domains. When this occurs, it > > > > > > > seems > > > > > > > important that the top level modules are designed in such a way to > > > > > > > account for such augmentation and to pick on one case, is the use > > > > > > > of > > > > > > > 'must' statements in top-level modules. > > > > > > > > > > > > > > If we look at ietf-system below, for authentication, there are 2 > > > > > > > definitions carried in the top-level module (local-users/radius) > > > > > > > with > > > > > > > a > > > > > > > must restriction being placed at a node which is a target > > > > > > > candidate > > > > > > > for > > > > > > > augmentation. > > > > > > > > > > > > > > # ietf-system@2014-08-06.yang > > > > > > > > > > > > > > container authentication { > > > > > > > nacm:default-deny-write; > > > > > > > if-feature authentication; > > > > > > > > > > > > > > description > > > > > > > "The authentication configuration subtree."; > > > > > > > > > > > > > > leaf-list user-authentication-order { > > > > > > > type identityref { > > > > > > > base authentication-method; > > > > > > > } > > > > > > > must '(. != "sys:radius" or ../../radius/server)' { > > > > > > > error-message > > > > > > > "When 'radius' is used, a RADIUS server" > > > > > > > + " must be configured."; > > > > > > > description > > > > > > > "When 'radius' is used as an authentication method, > > > > > > > a RADIUS server must be configured."; > > > > > > > } > > > > > > > ordered-by user; > > > > > > > > > > > > > > Now if one were to augment in with say 'tacacs' which would define > > > > > > > an > > > > > > > identity that would base off sys:authentication-method, this would > > > > > > > either mean > > > > > > > > > > > > > > - Any augmented identities cannot follow the same design pattern > > > > > > > as > > > > > > > those in the base module > > > > > > Can you provide an example of what you want to do and show what > > > > > > doesn't work? From what I understand, it seems you can add the > > > > > > nodes > > > > > > you want, but you can't just augment a must expression: > > > > > > > > > > > > must '(. != "x:tacacs" or ../../x:tacacs/server)' > > > > > The question is more generic wrt. ensuring nodes are augmentable or > > > > > some > > > > > verbiage around such otherwise there could very well be cases that a > > > > > base restriction prevents and/or makes this difficult either for other > > > > > future SDO modules or other implementation augments. > > > > > > > > > > For this specific case - that is precisely it as you have above. The > > > > > augmented module cannot enforce similar restrictions for design > > > > > consistency sake > > > > > > > > > > _______________________________________________ > > > > > yang-doctors mailing list > > > > > yang-doctors@ietf.org > > > > > https://www.ietf.org/mailman/listinfo/yang-doctors > > > > > . > > > > > > > > > > > _______________________________________________ > > > yang-doctors mailing list > > > yang-doctors@ietf.org > > > https://www.ietf.org/mailman/listinfo/yang-doctors > > -- > > Ladislav Lhotka > > Head, CZ.NIC Labs > > PGP Key ID: 0xB8F92B08A9F76C67 > > -- Ladislav Lhotka Head, CZ.NIC Labs PGP Key ID: 0xB8F92B08A9F76C67
- [yang-doctors] Ensuring top/base models are desig… Ebben Aries
- Re: [yang-doctors] Ensuring top/base models are d… Martin Bjorklund
- Re: [yang-doctors] Ensuring top/base models are d… Ebben Aries
- Re: [yang-doctors] Ensuring top/base models are d… Benoit Claise
- Re: [yang-doctors] Ensuring top/base models are d… Joe Clarke (jclarke)
- Re: [yang-doctors] Ensuring top/base models are d… Ladislav Lhotka
- Re: [yang-doctors] Ensuring top/base models are d… Joe Clarke (jclarke)
- Re: [yang-doctors] Ensuring top/base models are d… Ladislav Lhotka
- Re: [yang-doctors] Ensuring top/base models are d… Rob Wilton (rwilton)