Re: partial locking and access control

[Andy Bierman <ietf@andybierman.com>]

Martin Bjorklund wrote:
> Andy Bierman <ietf@andybierman.com> wrote:
> > I want the partial lock to only be a super-simple Xpath
> > expression that only includes the QNames and [index1='foo'][index2='bar']
> > type of expressions.  It would be good if access-control works the
> > same way, if there ever is a standard for NETCONF access control.
>
> Agreed.
>
> > Fancy stuff like "lock all the interfaces to Chicago that
> > have the 'gold-service' feature enabled" can wait
> > for Version 2 of the standard.  Start simple and prove
> > that this approach is secure and interoperable.
>
> Ok.
>
> > I don't mind defining a safe subset of Xpath that MUST be supported
> > by every agent, just like <lock>.  I have an objection making
> > full Xpath mandatory for RFC 4741 compliant agents.
>
> That was never the intent of course.  partial-locking is an optional
> capability.  And the intention was also to support the general xpath
> part only if your implementation also supported the :xpath
> capability. 

To be clear.
I think it is a great draft and I hope it approved quickly.
Starting simple will make that much easier.

> /martin

Andy

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>