Hi Tore
It is not quite true to say the MNTNER objects serve no useful purpose. You are 
overlooking the mandatory "upd-to:" and optional "mnt-nfy:" attributes.
The "upd-to:" notifies the maintainer of any unsuccessful attempts to modify an 
object maintained by that MNTNER. This could be an indication of attempts to 
hack your data.
The "mnt-nfy:" notifies the maintainer of successful updates. Many people don't 
realise how this attribute can be used. If you set up the same email address in 
the "mnt-nfy:" of all an organisation's MNTNER objects you can have a 
centralised audit trail of all your data updates across the organisation.
So bypassing the MNTNER object is quite a significant change to the security 
model of the RIPE Database. If, at some later stage, we were to add this type 
of notification setup into the SSO groups, managed through the portal UI, and 
with other options besides emails, then maybe we are starting to get a more 
modern interface to managing the RIPE Database...but it is a significant change, 
so I suggest we start with the SSO groups and new auth method.
cheers
denis
co-chair DB-WG
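The centralised audit-trail idea above (the same "mnt-nfy:" and "upd-to:" address on every MNTNER an organisation owns) is easy to state but easy to let drift as maintainers get created over the years. The script below is an added example, written for this page and not code from the RIPE Database or from anyone in this thread: it parses a whois-style text dump of MNTNER objects and reports every maintainer whose "upd-to:" or "mnt-nfy:" does not route through the organisation's central address. The dump, the maintainer names and the e-mail addresses are constructed for illustration.

```python
"""Audit MNTNER objects for centralised upd-to / mnt-nfy notification.

Added example, not part of the RIPE Database software or of this thread.
The object text, maintainer names and addresses below are constructed.
"""
from collections import defaultdict

# Constructed sample: a whois-style dump of three hypothetical maintainers.
# MNT-EXAMPLE-A is set up as Denis describes; -B only notifies a person and
# has no mnt-nfy at all; -C notifies both the central address and a person.
SAMPLE_DUMP = """\
mntner:         MNT-EXAMPLE-A
descr:          Example maintainer A
admin-c:        EX1-RIPE
upd-to:         audit@example.net
mnt-nfy:        audit@example.net
auth:           SSO alice@example.net
mnt-by:         MNT-EXAMPLE-A
source:         RIPE

mntner:         MNT-EXAMPLE-B
descr:          Example maintainer B
admin-c:        EX1-RIPE
upd-to:         bob@example.net
auth:           SSO bob@example.net
mnt-by:         MNT-EXAMPLE-B
source:         RIPE

mntner:         MNT-EXAMPLE-C
descr:          Example maintainer C
                with a continuation line
admin-c:        EX1-RIPE
upd-to:         audit@example.net
mnt-nfy:        audit@example.net
mnt-nfy:        carol@example.net
auth:           SSO carol@example.net
mnt-by:         MNT-EXAMPLE-C
source:         RIPE
"""


def parse_rpsl(text):
    """Split RPSL text into objects, each a dict of attribute -> list of values.

    Objects are separated by blank lines. Continuation lines begin with
    whitespace or '+'. Attributes such as mnt-nfy may repeat, so every
    attribute maps to a list of values.
    """
    objects = []
    current = None
    last_key = None
    for line in text.splitlines():
        if not line.strip():           # blank line closes the current object
            if current:
                objects.append(current)
            current, last_key = None, None
            continue
        if line[0] in " \t+" and current is not None and last_key:
            # continuation of the previous attribute's value
            current[last_key][-1] += " " + line.lstrip(" \t+").strip()
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if current is None:
            current = defaultdict(list)
        current[key].append(value)
        last_key = key
    if current:
        objects.append(current)
    return objects


def audit_mntners(text, central_address):
    """Return {mntner name: [problems]} for maintainers whose notification
    attributes do not include the organisation's central audit address."""
    central = central_address.lower()
    findings = {}
    for obj in parse_rpsl(text):
        if "mntner" not in obj:
            continue
        name = obj["mntner"][0]
        upd_to = [v.lower() for v in obj.get("upd-to", [])]
        mnt_nfy = [v.lower() for v in obj.get("mnt-nfy", [])]
        problems = []
        if central not in upd_to:
            problems.append("upd-to does not include the central address")
        if not mnt_nfy:
            problems.append("mnt-nfy missing: successful updates are not logged")
        elif central not in mnt_nfy:
            problems.append("mnt-nfy does not include the central address")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_mntners(SAMPLE_DUMP, "audit@example.net").items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

Run against a real dump, the same check can be fed from the output of a whois query for the organisation's maintainers; the point is that a missing or divergent "mnt-nfy:" is exactly the gap through which an update would go unrecorded in the central trail.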
On Tuesday, 9 April 2019, 16:26:35 CEST, Tore Anderson via db-wg <db-wg@ripe.net> wrote:

 * Cynthia Revström via db-wg
> Hello,
> 
> On 2019-04-09 12:58, Tore Anderson via db-wg wrote:
>> «This authentication group can be referenced directly in mnt-*:
>> attributes in database objects, or if that is not feasible, as a
>> new authentication method in MNTNER objects.»
> 
> AFAIK, mnt-* (mnt-by, lower, etc) defines what you are authorized to do, not 
> how you are authorized. Authentication mechanisms define how you are 
> authorized. So to me a new auth method would make more sense.

Hi Cynthia,

The point here is simply to get rid of the need to always create
«proxy» MNTNER objects.

That is, instead of needing this:

######
inet6num:      2001:db8::/32
mnt-lower:      MNT-MYLIR
mnt-routes:    MNT-MYLIR-ROUTES

-->

mntner:        MNT-MYLIR
auth:          LIRPORTAL eu.mylir

+

mntner:        MNT-MYLIR-ROUTES
auth:          LIRPORTAL eu.mylir/routes

-->

http://lirportal.ripe.net
user: al...@mylir.eu
user: b...@mylir.eu (member of group «routes»)
######

The LIR could make do with something like this:

######
inet6num:      2001:db8::/32
mnt-lower:      LIRPORTAL-eu.mylir
mnt-routes:    LIRPORTAL-eu.mylir/routes

-->

http://lirportal.ripe.net
user: al...@mylir.eu
user: b...@mylir.eu (member of group «routes»)
######

The two mntner objects in the first example serve no real purpose, except
to cause extra work and require LIR hostmasters to learn a concept they
have no need for.

Tore
