That seems like it's going to have some pretty surprising consequences and at minimum needs more information in the Security Considerations.
On Thu, Oct 11, 2018 at 12:18 AM Martin Bjorklund <[email protected]> wrote: > Eric Rescorla <[email protected]> wrote: > > I'm sorry but I don't understand this. > > > > Does the externally visible behavior of any mounted module depend in any > > way on these XPATH references > > Yes, but note that these XPath expressions ("parent-reference") are > read-only (config false in the YANG model). Thus they are set by the > implementation, and used to inform the operator about the environment > in which other XPath expressions are evaluated. > > > /martin > > > > > > -Ekr > > > > > > > > > > On Wed, Oct 10, 2018 at 6:38 AM Martin Bjorklund <[email protected]> wrote: > > > > > Eric Rescorla <[email protected]> wrote: > > > > On Wed, Oct 10, 2018 at 5:32 AM Martin Bjorklund <[email protected]> > wrote: > > > > > > > > > Hi, > > > > > > > > > > Eric Rescorla <[email protected]> wrote: > > > > > > Eric Rescorla has entered the following ballot position for > > > > > > draft-ietf-netmod-schema-mount-11: Discuss > > > > > > > > > > > > When responding, please keep the subject line intact and reply > to all > > > > > > email addresses included in the To and CC lines. (Feel free to > cut > > > this > > > > > > introductory paragraph, however.) > > > > > > > > > > > > > > > > > > Please refer to > > > > > https://www.ietf.org/iesg/statement/discuss-criteria.html > > > > > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > > > > > > > > > > > > > The document, along with other ballot positions, can be found > here: > > > > > > https://datatracker.ietf.org/doc/draft-ietf-netmod-schema-mount/ > > > > > > > > > > > > > > > > > > > > > > > > > > > ---------------------------------------------------------------------- > > > > > > DISCUSS: > > > > > > > > > ---------------------------------------------------------------------- > > > > > > > > > > > > Rich version of this review at: > > > > > > https://mozphab-ietf.devsvcdev.mozaws.net/D3506 > > > > > > > > > > > > > > > > > > > > > > > > DETAIL > > > > > > S 4. > > > > > > > > > > > > > > It is worth emphasizing that the nodes specified in > > > > > > > "parent-reference" leaf-list are available in the mounted > > > schema > > > > > only > > > > > > > for XPath evaluations. In particular, they cannot be > accessed > > > > > there > > > > > > > via network management protocols such as NETCONF > [RFC6241] or > > > > > > > RESTCONF [RFC8040]. > > > > > > > > > > > > What are the security implications of this XPath reference > outside > > > the > > > > > > mount jail? Specifically, how does it interact with the access > > > control > > > > > > for the enclosing module. > > > > > > > > > > There is no such interaction, since access control comes into play > > > > > when some external entity accesses the data through some management > > > > > protocol, and the nodes from the "parent-reference" expressions > cannot > > > > > be accessed via management protocols. > > > > > > > > > > The last sentence of the quoted paragraph was supposed to make this > > > > > clear, but it seems we might need some additional explanation? > > > > > > > > > > > > > Yes, I think so. I guess I'm not clear on what the XPath expressions > are > > > > for if they > > > > can't be accessed via the management protocols. How can they be used? > > > > > > These are XPath expressions defined in the YANG models themselves, > > > such as "must" expressions or "leafrefs". The description of > > > "parent-reference" refer to them as: > > > > > > [...] XPath > > > expressions whose context nodes are defined in the > > > mounted schema > > > > > > > > > > > > /martin > > > >
_______________________________________________ netmod mailing list [email protected] https://www.ietf.org/mailman/listinfo/netmod
