Re: access control on the <eventStreams> data model
Andy Bierman <ietf@andybierman.com> wrote:
> Hi,
>
> Sec. 3.2.5.1 says
>
> The returned list must only include the names of
> those event streams for which the NETCONF session has sufficient
> privileges.
>
> Yet, sec. 2.1 (on create-subscription) does not mention access
> control at all. It does not even mention that the RPC can fail
> due to access control.
>
> This requirement for <eventStreams> puts an unreasonable burden
> on agent implementations to maintain special access control
> mechanisms for this data model. Normally, the agent only
> has to check if the manager has read access to the requested
> nodes. This text would require special code to hook into
> the notification subscription code to enforce this rule.
>
> It is not even clear that access control "by stream" even
> makes any sense. Access control by namespace and element name
> within the data stream makes sense. What if the same data
> can appear in multiple streams? It is also more robust
> to simply exclude restricted data from the particular subscription,
> rather than reject the entire subscription, because the manager
> has access to most (but not all) of the possible data that
> could be generated in a stream. This is how access control
> works in SNMP. If you do a getnext or getbulk, it skips restricted data,
> rather than rejecting the PDU with an error.
>
> IMO, the restriction in 3.2.5.1 should be removed.
> The only real requirement is that a session must have sufficient
> access rights to receive the <notification> data, or it is not delivered.
I fully agree with Andy. (Incidentally, this is how I have currently
implemented the eventStreams data model...)
/martin
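The alternative Andy describes, checking read access per namespace and element name on the notification content and silently dropping what the session may not see instead of rejecting the subscription, as an added illustration that is not code from either poster or from any NETCONF implementation. The `urn:example:*` namespaces, the access-rule set and the sample notifications are all constructed for this example.

```python
import xml.etree.ElementTree as ET

NOTIF_NS = "urn:ietf:params:xml:ns:netconf:notification:1.0"
IF_NS = "urn:example:interfaces"      # constructed namespace for interface events
SEC_NS = "urn:example:security"       # constructed namespace for security events

# Constructed rule set: (namespace, local name) pairs this session may read.
# Anything not listed is restricted (default deny), as with data-model read access.
SESSION_READ_ACCESS = {(IF_NS, "link-up"), (IF_NS, "name"), (IF_NS, "admin-status")}

def split_tag(tag):
    """ElementTree tags look like '{namespace}local'; return (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def prune(elem, allowed):
    """Remove every child subtree the session may not read; return how many were cut."""
    removed = 0
    for child in list(elem):
        if split_tag(child.tag) in allowed:
            removed += prune(child, allowed)
        else:
            elem.remove(child)
            removed += 1
    return removed

def filter_notification(xml_text, allowed):
    """Apply per-element read access to one <notification>.

    Restricted subtrees are dropped rather than the whole subscription failing.
    Returns the filtered XML, or None if no readable event content remains
    (the notification is then simply not delivered, with no error to the session)."""
    root = ET.fromstring(xml_text)
    event_time = root.find("{%s}eventTime" % NOTIF_NS)   # header, always delivered
    kept = 0
    for event in [c for c in root if c is not event_time]:
        if split_tag(event.tag) in allowed:
            prune(event, allowed)
            kept += 1
        else:
            root.remove(event)
    return ET.tostring(root, encoding="unicode") if kept else None

def local_names(xml_text):
    """Sorted local names of all elements, handy for checking what survived filtering."""
    return sorted(split_tag(e.tag)[1] for e in ET.fromstring(xml_text).iter())

# Constructed sample notifications: one partly readable, one entirely restricted.
LINK_UP_EVENT = """<notification xmlns="%s"><eventTime>2024-01-01T00:00:00Z</eventTime>
<link-up xmlns="%s"><name>eth0</name><admin-status>up</admin-status>
<audit-detail xmlns="%s">restricted</audit-detail></link-up></notification>""" % (NOTIF_NS, IF_NS, SEC_NS)
KEY_ROTATED_EVENT = """<notification xmlns="%s"><eventTime>2024-01-01T00:00:01Z</eventTime>
<key-rotated xmlns="%s"><key-id>7</key-id></key-rotated></notification>""" % (NOTIF_NS, SEC_NS)
```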
--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>