Re: partial locking and access control
Hello Andy,
From RFC4741 security considerations:
"Implementors SHOULD provide a comprehensive authorization scheme with NETCONF."
It is true that here we have a SHOULD and not a MUST. So I propose to change the requirement to:
A partial lock MUST fail if:
- The NETCONF server implements access control and the locking user does not have at least some
basic access rights, e.g., read rights, to all of the datastore section to be locked
As far as I know, our previous security adviser had serious problems with the missing link between
locking and access control.
Balazs
Andy Bierman wrote:
Hi,
The requirement about 'must have enough access rights'
to get a partial lock is problematic.
In order to accept this requirement, I have to accept the fact
that NETCONF has a proprietary access control model, instead
of no access control model at all, and I don't.
The standard access control model in NETCONF is that every user has
access to every part of every configuration database. That means
that any user can partial-lock anything, unless it is already locked.
[BALAZS]: I think there is no standard access control model in NETCONF, but according to the
standard there SHOULD be some kind of access control in the device.
Andy
--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>
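Added example, not part of the original messages and not taken from any NETCONF implementation: a sketch of the proposed rule next to the "every user has access to everything" model from the quoted reply. The `Server` class, the prefix-based read rules, the sample paths and the mapping of each failure to the `access-denied` and `lock-denied` error tags are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

def covers(a, b):
    """True if path a is b or an ancestor of b (paths are tuples of node names)."""
    return b[:len(a)] == a

@dataclass
class Server:
    # user -> [(path, allow_read)]; None means the server implements no access control
    acl: Optional[dict] = None
    locks: dict = field(default_factory=dict)   # locked path -> owning user

    def can_read_all(self, user, scope):
        if self.acl is None:
            return True                         # every user may read everything
        rules = self.acl.get(user, [])
        covering = [r for r in rules if covers(r[0], scope)]
        # The most specific rule at or above the scope root decides the root itself.
        if not covering or not max(covering, key=lambda r: len(r[0]))[1]:
            return False
        # A deny rule inside the scope leaves part of the section unreadable.
        return not any(covers(scope, p) and not allow for p, allow in rules)

    def partial_lock(self, user, scope):
        # Proposed rule: fail unless the user can read ALL of the section to be locked.
        if not self.can_read_all(user, scope):
            return "access-denied"
        # Existing rule: fail if another session holds an overlapping lock.
        for path, owner in self.locks.items():
            if owner != user and (covers(path, scope) or covers(scope, path)):
                return "lock-denied"
        self.locks[scope] = user
        return "ok"

if __name__ == "__main__":
    # Constructed sample data: alice may read /interfaces except eth0's keys.
    srv = Server(acl={"alice": [(("interfaces",), True),
                                (("interfaces", "eth0", "keys"), False)]})
    for scope in [("interfaces", "eth1"), ("interfaces", "eth0"), ("system",)]:
        print("/" + "/".join(scope), "->", srv.partial_lock("alice", scope))
```

With `acl=None` the only way a partial lock can fail is an overlapping lock held by another user, which is the behaviour described in the quoted reply.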