[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

partial locking and access control

To: "Netconf (E-mail)" <netconf@ops.ietf.org>
Subject: partial locking and access control
From: Andy Bierman <ietf@andybierman.com>
Date: Fri, 07 Dec 2007 09:10:52 -0800
User-agent: Thunderbird 2.0.0.9 (Windows/20071031)

Hi,

The requirement about 'must have enough access rights'
to get a partial lock is problematic.

In order to accept this requirement, I have to accept the fact
that NETCONF has a proprietary access control model, instead
of no access control model at all, and I don't.

The standard access control model in NETCONF is that every user has
access to every part of every configuration database.  That means
that any user can partial-lock anything, unless it is already locked.


(BTW, checking partial locks at configure time doesn't work
for nodes that match the Xpath expression at access time,
but did not exist at partial-lock config-time.  The config-time-only
for arbitrary Xpath approach is completely broken for this reason.)


Andy



--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>

Follow-Ups:
- Re: partial locking and access control
  - From: Balazs Lengyel <balazs.lengyel@ericsson.com>
- Re: partial locking and access control
  - From: Phil Shafer <phil@juniper.net>
- Re: partial locking and access control
  - From: Martin Bjorklund <mbj@tail-f.com>

Prev by Date: partial lock security concerns
Next by Date: Re: partial lock security concerns
Previous by thread: partial lock security concerns
Next by thread: Re: partial locking and access control
Index(es):
- Date
- Thread