
access control on the <eventStreams> data model



Hi,

Sec. 3.2.5.1 says

  The returned list must only include the names of
  those event streams for which the NETCONF session has sufficient
  privileges.

Yet, sec. 2.1 (on create-subscription) does not mention access
control at all. It does not even mention that the RPC can fail
due to access control.

This requirement for <eventStreams> puts an unreasonable burden
on agent implementations to maintain special access control
mechanisms for this data model.  Normally, the agent only
has to check if the manager has read access to the requested
nodes.  This text would require special code to hook into
the notification subscription code to enforce this rule.

It is not even clear that access control "by stream"
makes any sense.  Access control by namespace and element name
within the data stream makes sense.  What if the same data
can appear in multiple streams?  It is also more robust
to simply exclude restricted data from the particular subscription,
rather than reject the entire subscription, because the manager
has access to most (but not all) of the possible data that
could be generated in a stream.  This is how access control
works in SNMP.  If you do a getnext or getbulk, it skips restricted data,
rather than rejecting the PDU with an error.

IMO, the restriction in 3.2.5.1 should be removed.
The only real requirement is that a session must have sufficient
access rights to receive the <notification> data, or it is not delivered.

Andy




--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>
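The following is an added illustration of the two access-control models the message above contrasts; it is not code from the message, the draft, or any NETCONF implementation. It models read permission per (namespace, element name), as the message proposes, and shows (a) the per-stream check the message objects to, under which a session that may read most but not all of a stream's content receives nothing, and (b) pruning, in the SNMP getnext/getbulk style, where restricted subtrees are stripped from each <notification> and the notification is withheld only when no event content is left. The namespace urn:example:events, the linkUp/ifName/adminSecret payload, the set of elements the stream carries and the deny rules are all constructed for the example.

```python
import copy
import xml.etree.ElementTree as ET

NOTIF_NS = "urn:ietf:params:xml:ns:netconf:notification:1.0"
EX_NS = "urn:example:events"   # constructed namespace for the sample payload

# Constructed sample <notification>; the payload elements are invented.
SAMPLE_NOTIFICATION = """\
<notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
  <eventTime>2007-01-01T00:00:00Z</eventTime>
  <linkUp xmlns="urn:example:events">
    <ifName>eth0</ifName>
    <adminSecret>not-for-operators</adminSecret>
  </linkUp>
</notification>
"""

# Constructed: every (namespace, element) the hypothetical stream may carry.
STREAM_CONTENT = {(EX_NS, "linkUp"), (EX_NS, "ifName"), (EX_NS, "adminSecret")}

# Constructed policy: an operator session may read link events but not the secret.
OPERATOR_DENIED = {(EX_NS, "adminSecret")}


def split_tag(tag):
    """Split an ElementTree '{ns}local' tag into (namespace, local name)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def may_read(elem, denied):
    """Read permission is decided per (namespace, element name), never per stream."""
    return split_tag(elem.tag) not in denied


def prune_restricted(elem, denied):
    """Remove every subtree rooted at an element the session may not read.

    This is the getnext/getbulk behaviour: restricted data is skipped, the
    rest of the message is still delivered, and no error is raised.
    """
    for child in list(elem):
        if may_read(child, denied):
            prune_restricted(child, denied)
        else:
            elem.remove(child)


def deliver_pruned(notification_xml, denied):
    """Return the <notification> the session is entitled to see, as XML text.

    Returns None when nothing but <eventTime> survives pruning, i.e. the
    session has no right to any of the event content, so the notification
    is simply not delivered to it.
    """
    root = ET.fromstring(notification_xml)
    prune_restricted(root, denied)
    content = [c for c in root if split_tag(c.tag) != (NOTIF_NS, "eventTime")]
    if not content:
        return None
    return ET.tostring(root, encoding="unicode")


def stream_permitted(stream_elements, denied):
    """The per-stream rule the message argues against.

    The session must be able to read everything the stream can carry;
    otherwise the stream is withheld (or the subscription rejected) even
    though the session could legitimately see most of the data.
    """
    return all((ns, local) not in denied for ns, local in stream_elements)


if __name__ == "__main__":
    print("per-stream check, operator session:",
          "permitted" if stream_permitted(STREAM_CONTENT, OPERATOR_DENIED) else "stream withheld")
    print("pruned delivery, operator session:")
    print(deliver_pruned(SAMPLE_NOTIFICATION, OPERATOR_DENIED))
    print("pruned delivery, session denied all of linkUp:",
          deliver_pruned(SAMPLE_NOTIFICATION, {(EX_NS, "linkUp")}))
```

With the constructed operator policy the per-stream check withholds the whole stream because one element is restricted, while pruning delivers the linkUp event with ifName intact and adminSecret removed; a policy that denies linkUp itself yields no deliverable content and the notification is dropped for that session only.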