
draft-cridlig-netconf-rbac-00.txt



[subject] states that for <get/> and <get-config/> all subtrees
without read access should be filtered out of the result.

In other words, the data is in the configuration but the user can
never read it out.  This applies to any configuration, not just
''running''.

In respect to <edit-config/> [subject] specifies:

   [...] On receipt of an edit-config request, the agent applies
   the XPath expressions of the write "w" permissions set on the
   request.  All children and parents of the selected nodes are
   marked as authorized nodes.  If a "replace", "create", "delete",
   or "merge" operation is set in one of the parents of the
   selected nodes, access is denied.

My understanding is that this renders the 'replace' value for
the default-operation parameter useless, since the user will try
to delete all config data for parts of the data model that he or
she doesn't have access to.

I can imagine that the normal workflow for an operator using a simple
netconf tool is that he first fetches the whole configuration using
<get/>, edits the result, and then updates the candidate with either
<edit-config(default-operation=replace) /> or <copy-config/> and
finally commits it using <commit/>.  The problem is that he will not
be able to do that if he doesn't have access to the whole data model.
He would have to set an xc:operation='replace' on all top elements
and then merge the changes into ''candidate'' with <edit-config/>.
Far from user friendly.

How would you implement partial access to the data model?  Especially
where you can control if a user can read data or not.

best regards,
Johan

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>
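
The round trip described in the message above, as an added example that is not part of the original post or of draft-cridlig-netconf-rbac-00. It assumes a simplified model in which permissions are sets of top-level element names rather than XPath expressions; the datastore contents and all function names are constructed for illustration.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample datastore; element names are illustrative only.
RUNNING = ET.fromstring(
    "<config>"
    "<interfaces><interface><name>eth0</name><mtu>1500</mtu></interface></interfaces>"
    "<routing><static><prefix>10.0.0.0/8</prefix></static></routing>"
    "<aaa><user><name>admin</name><secret>hidden</secret></user></aaa>"
    "</config>"
)

def filtered_get(datastore, readable):
    """Model of <get-config/>: subtrees without read access are left out of the reply."""
    view = ET.Element(datastore.tag)
    for child in datastore:
        if child.tag in readable:
            view.append(copy.deepcopy(child))
    return view

def replace_effects(datastore, submitted):
    """Top-level subtrees that default-operation=replace would delete or overwrite."""
    sent = {child.tag for child in submitted}
    deleted = sorted(c.tag for c in datastore if c.tag not in sent)
    overwritten = sorted(c.tag for c in datastore if c.tag in sent)
    return deleted, overwritten

def authorize_replace(datastore, submitted, writable):
    """Deny the request if it touches any subtree outside the write permissions."""
    deleted, overwritten = replace_effects(datastore, submitted)
    denied = sorted(t for t in deleted + overwritten if t not in writable)
    return (not denied), denied

def operator_round_trip(readable, writable):
    """Fetch the filtered view, edit one leaf, send it back with replace.

    Assumes "interfaces" is in the readable set so the edited leaf exists.
    """
    view = filtered_get(RUNNING, readable)
    view.find("interfaces/interface/mtu").text = "9000"
    return authorize_replace(RUNNING, view, writable)

if __name__ == "__main__":
    # Partial access: <aaa> was never returned, so replace implies deleting it.
    print(operator_round_trip({"interfaces", "routing"}, {"interfaces", "routing"}))
    # Full access: the same round trip is allowed.
    print(operator_round_trip({"interfaces", "routing", "aaa"},
                              {"interfaces", "routing", "aaa"}))
```

The partial-access operator is refused even though the only edit is to a subtree they may write, because the subtree filtered out of the read is absent from the submitted document and replace treats absence as deletion.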