Andy:

 

Thanks. The pointers are helpful!

 

Sue 

 

From: Andy Bierman [mailto:[email protected]] 
Sent: Wednesday, April 30, 2014 11:37 AM
To: Susan Hares
Cc: Joel M. Halpern; Nitin Bahadur; [email protected]; Mach Chen;
[email protected]
Subject: Re: [i2rs] Some comments on draft-ietf-i2rs-rib-info-model-01

 

 

 

On Wed, Apr 30, 2014 at 7:56 AM, Susan Hares <[email protected]> wrote:

Andy:

 

My goal is not to invent something new, so, as an expert in the netconf/restconf
role-based access control model, could you:

 

1 - comment if this can be handled by netconf/restconf

 

Identity + role <im-tree-portion, access permission> pairs

 

 

yes.

NACM assigns users to admin-configured groups.

Groups are used to represent roles. Rule-lists are

used to specify policy for various groups. There are several

wildcards and defaults to make rule specification simple.

Rules are processed in order (first match == process and exit)

 

http://www.netconfcentral.org/modules/ietf-netconf-acm/2012-02-22#rule-list.310

 

 

 

2 - provide me with references to these RFCs that I should pull out to
reference to identify how this could be expressed? 

 

 

The access control model is in RFC 6536.

 

A 'data rule' would be configured to achieve the policy above:

 

 -  'admin' group has full access to the /foo/rib-data subtree

 -  'monitor' group has read access to the /foo/rib-data subtree

 -  all others have no access

 

 

  <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
    <rule-list>
      <name>admin-can-write-rib-data</name>
      <group>admin</group>
      <rule>
        <name>foo-rib-data</name>
        <path>/acme:foo/acme:rib-data</path>
        <access-operations>create read update delete</access-operations>
        <action>permit</action>
      </rule>
    </rule-list>
    <rule-list>
      <name>monitor-can-read-rib-data</name>
      <group>monitor</group>
      <rule>
        <name>foo-rib-data</name>
        <path>/acme:foo/acme:rib-data</path>
        <access-operations>read</access-operations>
        <action>permit</action>
      </rule>
    </rule-list>
    <rule-list>
      <name>no-access-to-rib-data</name>
      <!-- "*" matches every group; a rule-list with no group entry applies
           to nobody, so without it this catch-all deny would never fire -->
      <group>*</group>
      <rule>
        <name>foo-rib-data</name>
        <path>/acme:foo/acme:rib-data</path>
        <action>deny</action>
      </rule>
    </rule-list>
  </nacm>

 

 

 

<snip> 

 

NETCONF and RESTCONF already have a standard Role-Based Access Control Model,
called NACM (RFC 6536).  Does the I2RS WG plan to create its own ACM, leave it
to vendors, or something else?

 

<snip> 

Sue 

 

 

Andy

 

_______________________________________________
i2rs mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2rs
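Andy's three rule-lists above, run through a small evaluator. This is an added example, not code from the thread or from any NETCONF server: it parses the rule-lists (wrapped in the <nacm> container, with the catch-all list given the group wildcard "*") and applies the RFC 6536 data-node decision in simplified form. Rule-lists are considered in order, only those whose group list names one of the session user's groups (or "*") apply, the first matching rule's action wins, and anything unmatched falls through to read-default/write-default, whose RFC 6536 defaults are permit and deny. The group names and the /acme:foo/acme:rib-data path come from the thread; the acme:route child node is constructed for the example, and rule-type, module-name, exec and notification rules are left out.

```python
"""Toy evaluator for NACM (RFC 6536) data-node rules.  Added example, not
code from the thread or from any NETCONF server: it models group matching,
the "*" group wildcard, first-match rule processing and the read-default/
write-default fallback; rule-type, module-name and exec rules are ignored."""
import xml.etree.ElementTree as ET

NS = {"nacm": "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"}

# Constructed config: the thread's three rule-lists inside the <nacm> container,
# the catch-all list given group "*", and the RFC 6536 defaults written out.
NACM_CONFIG = """\
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <rule-list>
    <name>admin-can-write-rib-data</name>
    <group>admin</group>
    <rule>
      <name>foo-rib-data</name>
      <path>/acme:foo/acme:rib-data</path>
      <access-operations>create read update delete</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
  <rule-list>
    <name>monitor-can-read-rib-data</name>
    <group>monitor</group>
    <rule>
      <name>foo-rib-data</name>
      <path>/acme:foo/acme:rib-data</path>
      <access-operations>read</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
  <rule-list>
    <name>no-access-to-rib-data</name>
    <group>*</group>
    <rule>
      <name>foo-rib-data</name>
      <path>/acme:foo/acme:rib-data</path>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>
"""
# Same rule-lists, but reads are denied by default as well (see check_access).
NACM_CONFIG_STRICT = NACM_CONFIG.replace(
    "<read-default>permit</read-default>", "<read-default>deny</read-default>")


def load_nacm(xml_text):
    """Parse the <nacm> container into (defaults, rule_lists)."""
    root = ET.fromstring(xml_text)
    defaults = {"read": root.findtext("nacm:read-default", "permit", NS),
                "write": root.findtext("nacm:write-default", "deny", NS)}
    rule_lists = []
    for rl in root.findall("nacm:rule-list", NS):
        rules = []
        for r in rl.findall("nacm:rule", NS):
            rules.append({"name": r.findtext("nacm:name", None, NS),
                          "path": r.findtext("nacm:path", None, NS),
                          # the YANG default for access-operations is "*"
                          "ops": r.findtext("nacm:access-operations", "*", NS).split(),
                          "action": r.findtext("nacm:action", None, NS)})
        rule_lists.append({"name": rl.findtext("nacm:name", None, NS),
                           "groups": [g.text for g in rl.findall("nacm:group", NS)],
                           "rules": rules})
    return defaults, rule_lists


def path_covers(rule_path, node_path):
    """A path rule applies to the node it names and everything beneath it."""
    return node_path == rule_path or node_path.startswith(rule_path + "/")


def check_access(nacm, user_groups, operation, node_path):
    """Return (action, matched_rule) for create/read/update/delete on node_path."""
    defaults, rule_lists = nacm
    # A user in no group is judged by the global defaults alone (RFC 6536
    # 3.4.5), so not even a "*" rule-list reaches them.
    if user_groups:
        for rl in rule_lists:
            if "*" not in rl["groups"] and not set(rl["groups"]) & set(user_groups):
                continue
            for rule in rl["rules"]:
                if rule["path"] and not path_covers(rule["path"], node_path):
                    continue
                if "*" not in rule["ops"] and operation not in rule["ops"]:
                    continue
                return rule["action"], f'{rl["name"]}/{rule["name"]}'  # first match wins
    fallback = defaults["read"] if operation == "read" else defaults["write"]
    return fallback, "default"


if __name__ == "__main__":
    nacm = load_nacm(NACM_CONFIG)
    for groups, op in [({"admin"}, "delete"), ({"monitor"}, "update"), (set(), "read")]:
        print(groups, op, check_access(nacm, groups, op, "/acme:foo/acme:rib-data/acme:route"))
```

The point worth keeping in mind when turning "all others have no access" into NACM is the groupless session: a user who is in no group never reaches the "*" rule-list, so with the RFC 6536 default read-default of permit that user can still read rib-data. NACM_CONFIG_STRICT sets read-default to deny to close that; write-default already defaults to deny.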
