Re: partial locking and access control
Hello,
I would also like to simplify locking. Also see below.
Balazs
Andy Bierman wrote:
I want the partial lock to only be a super-simple Xpath
expression that only includes the QNames and [index1='foo'][index2='bar']
type of expressions. It would be good if access-control works the
same way, if there ever is a standard for NETCONF access control.
[BALAZS]: This means you would not allow something like lock all interfaces, or all users?
(Naturally if there is a container above the individual users this could be still done.)
If I understand you correctly you would only allow the locking of specific individual nodes
(possibly multiple items). The user would have to specify the nodes each individually and
no "groups of nodes" like all interfaces should be allowed.
Once you allow locking "groups" you immediately have a lot of complications.
Fancy stuff like "lock all the interfaces to Chicago that
have the 'gold-service' feature enabled" can wait
for Version 2 of the standard. Start simple and prove
that this approach is secure and interoperable.
I don't mind defining a safe subset of Xpath that MUST be supported
by every agent, just like <lock>. I have an objection to making
full Xpath mandatory for RFC 4741 compliant agents.
Unless the WG re-releases NETCONF-1 as a new version of the protocol,
requiring full Xpath, and then obsoletes RFC 4741.
[BALAZS]: Full XPATH will not be mandatory even if you support the partial-lock capability. It
is still a separate decision if you want to (or not) support the XPATH capability.
Andy
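The "super-simple" selector Andy describes above, as an added example that is not from this thread or from any NETCONF implementation: a Python validator for a restricted subset (assumed grammar: an absolute path of QName steps, each with zero or more [key='value'] predicates) that rejects full-XPath constructs such as `//`, wildcards, functions and `or` instead of trying to evaluate them.

```python
import re

# Restricted lock-selector grammar (an assumption for this example, not the
# thread's text): an absolute path of QName steps, each step carrying zero or
# more [key='value'] predicates. Everything else full XPath offers (wildcards,
# '//', functions, boolean operators) is rejected rather than interpreted.
# NCNAME is a simplified NCName: letters, digits, '_', '.', '-'.
NCNAME = r"[A-Za-z_][A-Za-z0-9_.-]*"
QNAME = rf"(?:{NCNAME}:)?{NCNAME}"
LITERAL = r"'[^']*'|\"[^\"]*\""
PREDICATE = rf"\[{QNAME}=(?:{LITERAL})\]"
SELECTOR_RE = re.compile(rf"^(?:/{QNAME}(?:{PREDICATE})*)+$")
STEP_RE = re.compile(rf"/({QNAME})((?:{PREDICATE})*)")
PRED_RE = re.compile(rf"\[({QNAME})=({LITERAL})\]")


def parse_lock_selector(expr):
    """Parse a selector into [(qname, {key: value}), ...] steps.

    Raises ValueError when the expression is outside the safe subset, so an
    agent can refuse the <partial-lock> request instead of guessing.
    """
    if not SELECTOR_RE.match(expr):
        raise ValueError(f"selector not in safe subset: {expr!r}")
    steps = []
    for m in STEP_RE.finditer(expr):
        # Strip the surrounding quotes from each predicate literal.
        keys = {k: v[1:-1] for k, v in PRED_RE.findall(m.group(2))}
        steps.append((m.group(1), keys))
    return steps


def is_safe_lock_selector(expr):
    """True if the selector would be accepted by parse_lock_selector."""
    try:
        parse_lock_selector(expr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample selectors: the first two are within the subset,
    # the rest lean on XPath features the subset deliberately leaves out.
    samples = [
        "/if:interfaces/if:interface[if:name='eth0']",
        "/users/user[index1='foo'][index2='bar']",
        "//interface",
        "/interfaces/*",
        "/interfaces/interface[starts-with(name,'eth')]",
        "/interfaces/interface[name='eth0' or name='eth1']",
    ]
    for s in samples:
        print(f"{'accept' if is_safe_lock_selector(s) else 'reject':6} {s}")
```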
--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>