Re: partial locking and access control
Andy Bierman <ietf@andybierman.com> wrote:
> Hi,
>
> The requirement about 'must have enough access rights'
> to get a partial lock is problematic.
>
> In order to accept this requirement, I have to accept the fact
> that NETCONF has a proprietary access control model, instead
> of no access control model at all, and I don't.
>
> The standard access control model in NETCONF is that every user has
> access to every part of every configuration database.
Are you saying that in order to be RFC 4741 compliant, an
implementation MUST NOT have a (proprietary) per-user access control
model? That is definitely not my understanding, and I'd be very
surprised if any netconf implementation works that way.
> (BTW, checking partial locks at configure time doesn't work
> for nodes that match the Xpath expression at access time,
> but did not exist at partial-lock config-time.
What do you mean "doesn't work"? When the XPath is evaluated, a node
set is returned. Those nodes are locked. This is the design. What
exactly "doesn't work"??
> The config-time-only
> for arbitrary Xpath approach is completely broken for this reason.)
Please clarify "completely broken".
/martin
--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>