On Mon, Aug 22, 2016 at 9:15 AM, Vladimir Vassilev <[email protected]> wrote:
> On 08/22/2016 06:10 PM, Juergen Schoenwaelder wrote:
>
>> On Mon, Aug 22, 2016 at 05:59:37PM +0200, Vladimir Vassilev wrote:
>>
>>> Which of the 3 issues pointed in the conclusion you don't agree with and
>>> why
>>> {1. limited validation expression flexibility, 2. higher validation
>>> workload, 3. broken NACM}? Difficult to not agree with 2. And 1 is
>>> predetermined from the fact of the reduced entropy attributed to a
>>> non-presence container - namely its existence now is determined by the
>>> existence of its parent (which reduces flexibility in a very certain
>>> way).
>>>
>> Can someone explain to me what exactly breaks NACM? An example would
>> help me.
>>
>> /js (as contributor)
>>
> "It is absolutely legal to configure "update" rights to /interfaces to a
> group of users reserving the "create" right to the superuser. How is this
> scenario handled by servers ignoring empty non-presence containers?" (this
> is excerpt from an earlier post on that thread)
>
> If a non-presence container always exists in YANG 1.1 this usage example is
> not possible.
>
>
I have to agree that NACM does not have any special rules for NP containers.
I also find the concept of "has no semantics except to hold child nodes"
to be especially confusing. The parent of all foo-things is in itself
semantic content, especially when considering the NP-container used as the
target of augments or the target of a NACM rule.

IMO the only use-case for must-stmt in the container is to validate child
nodes, so it is non-intuitive that must-stmt is always tested on
NP-containers without any child nodes. I think it can be made to work in
the code, but it will cause customer astonishment.

Andy
_______________________________________________
> netmod mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/netmod
>