Re: proto-04 concerns

[Eliot Lear <lear@cisco.com>]

Wes,

> 9: Implementators SHOULD also provide a well thought out authorization
>    scheme with NETCONF.  => MUST

As we discussed, a MUST would go against RFC 2119 Section 6.  Unless you 
can explain how it impacts interoperability, even a SHOULD here in caps 
is iffy at best, and may not get through the IESG.

> 9: you need to discuss that global operations MUST disallow the
> changing of information that an individual does not have authorization
> to perform.  EG, if a user U is not allowed to configure an IP address
> on an interface but someone else has configured an IP address for an
> interface within the <candidate>, then the user U must not be allowed
> to perform a copy-config or commit from <candidate> to <running>.

That would be part and parcel of an authorization model?

> 9: Similarly, you need to discuss what happens if you don't use a
> lock.  Specifically, if user U1 modifies the candidate config in a way
> that user U2 is not allowed to, and since U1 MUST NOT be able to
> commit those changes then not using a lock could leave a system in a
> state where neither U1 nor U2 can commit their changes to running.

We say:

   In addition, operations on configurations may have unintended
   consequences if those operations are also not guarded by the global
   lock on the files or objects being operated upon.

That should cover it.

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>