On Wed, Apr 30, 2014 at 7:56 AM, Susan Hares <[email protected]> wrote:
> Andy:
>
> My goal is not to invent something new, so as an expert in the
> netconf/restconf role-based access control model could you:
>
> 1 - comment if this can be handled by netconf/restconf
>
> Identity + role <im-tree-portion, access permission> pairs
>

yes.
NACM assigns users to admin-configured groups. Groups are used to represent roles.
Rule-lists are used to specify policy for various groups. There are several wildcards
and defaults to make rule specification simple. Rules are processed in order
(first match == process and exit)

http://www.netconfcentral.org/modules/ietf-netconf-acm/2012-02-22#rule-list.310

> 2 - provide me with references to these RFCs that I should pull out to
> reference to identify how this could be expressed?
>

The access control model is in RFC 6536.
A 'data rule' would be configured to achieve the policy above:

  - 'admin' group has full access to the /foo/rib-data subtree
  - 'monitor' group has read access to the /foo/rib-data subtree
  - all others have no access

    <rule-list>
      <name>admin-can-write-rib-data</name>
      <group>admin</group>
      <rule>
        <name>foo-rib-data</name>
        <path>/acme:foo/acme:rib-data</path>
        <access-operations>create read update delete</access-operations>
        <action>permit</action>
      </rule>
    </rule-list>

    <rule-list>
      <name>monitor-can-read-rib-data</name>
      <group>monitor</group>
      <rule>
        <name>foo-rib-data</name>
        <path>/acme:foo/acme:rib-data</path>
        <access-operations>read</access-operations>
        <action>permit</action>
      </rule>
    </rule-list>

    <rule-list>
      <name>no-access-to-rib-data</name>
      <rule>
        <name>foo-rib-data</name>
        <path>/acme:foo/acme:rib-data</path>
        <action>deny</action>
      </rule>
    </rule-list>

> <snip>
>
> > NETCONF and RESTCONF already have a standard Role-Based Access Control Model,
> > called NACM (RFC 6536). Does the I2RS WG plan to create its own ACM, leave it
> > to vendors, or something else?
>
> <snip>
>
> Sue

Andy
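The ordered, first-match evaluation of NACM rule-lists that Andy describes, as an added example (not code from the thread or from any NACM implementation): a small evaluator that encodes the three rule-lists above and applies the RFC 6536 global defaults (read permitted, write denied, exec permitted) when no rule matches. Assumption: the third rule-list, which carries no <group> in the mail, is given group "*" here so that it applies to everyone.

```python
from dataclasses import dataclass, field
from typing import Optional

ALL_OPS = {"create", "read", "update", "delete", "exec"}

@dataclass
class Rule:
    name: str
    path: Optional[str] = None        # data-node path; None = any node
    access_operations: set = field(default_factory=lambda: {"*"})  # "*" = every op
    action: str = "deny"              # "permit" or "deny"

@dataclass
class RuleList:
    name: str
    groups: set                       # group names; "*" matches every group
    rules: list

def path_matches(rule_path, node_path):
    """A data-node rule covers the node itself and all of its descendants."""
    return rule_path is None or node_path == rule_path or node_path.startswith(rule_path + "/")

def check_access(user_groups, rule_lists, node_path, op,
                 read_default="permit", write_default="deny", exec_default="permit"):
    """Walk rule-lists in order; the first rule that matches decides.
    If nothing matches, fall back to the NACM global defaults."""
    for rl in rule_lists:
        if "*" not in rl.groups and not (rl.groups & set(user_groups)):
            continue                  # rule-list does not apply to this user's groups
        for rule in rl.rules:
            ops = ALL_OPS if "*" in rule.access_operations else rule.access_operations
            if op in ops and path_matches(rule.path, node_path):
                return rule.action    # first match == process and exit
    if op == "read":
        return read_default
    return exec_default if op == "exec" else write_default

RIB = "/acme:foo/acme:rib-data"
# Constructed policy mirroring the three rule-lists in the mail above
# (assumption: the last rule-list uses group "*" so it applies to everyone).
POLICY = [
    RuleList("admin-can-write-rib-data", {"admin"},
             [Rule("foo-rib-data", RIB, {"create", "read", "update", "delete"}, "permit")]),
    RuleList("monitor-can-read-rib-data", {"monitor"},
             [Rule("foo-rib-data", RIB, {"read"}, "permit")]),
    RuleList("no-access-to-rib-data", {"*"},
             [Rule("foo-rib-data", RIB, {"*"}, "deny")]),
]

def decide(groups, node_path, op):
    return check_access(groups, POLICY, node_path, op)
```

Note that a monitor user asking to update the subtree falls through both permit rule-lists and is denied by the catch-all list, while a read of a node outside the subtree falls through everything and is permitted only by the global read-default.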
_______________________________________________
i2rs mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2rs
