Re: partial locking and access control

[Martin Bjorklund <mbj@tail-f.com>]

Andy Bierman <ietf@andybierman.com> wrote:
> I want the partial lock to only be a super-simple Xpath
> expression that only includes the QNames and [index1='foo'][index2='bar']
> type of expressions.  It would be good if access-control works the
> same way, if there ever is a standard for NETCONF access control.

Agreed.

> Fancy stuff like "lock all the interfaces to Chicago that
> have the 'gold-service' feature enabled" can wait
> for Version 2 of the standard.  Start simple and prove
> that this approach is secure and interoperable.

Ok.

> I don't mind defining a safe subset of Xpath that MUST be supported
> by every agent, just like <lock>.  I have an objection making
> full Xpath mandatory for RFC 4741 compliant agents.

That was never the intent of course.  partial-locking is an optional
capability.  And the intention was also to support the general xpath
part only if your implementation also supported the :xpath
capability. 


/martin

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>