On Mon, Aug 22, 2016 at 9:37 AM, Juergen Schoenwaelder <
j.schoenwael...@jacobs-university.de> wrote:

> On Mon, Aug 22, 2016 at 06:15:50PM +0200, Vladimir Vassilev wrote:
> > On 08/22/2016 06:10 PM, Juergen Schoenwaelder wrote:
> > > On Mon, Aug 22, 2016 at 05:59:37PM +0200, Vladimir Vassilev wrote:
> > >
> > > > Which of the 3 issues pointed in the conclusion you don't agree with
> > > > and why {1. limited validation expression flexibility, 2. higher
> > > > validation workload, 3. broken NACM}? Difficult to not agree with 2.
> > > > And 1 is predetermined from the fact of the reduced entropy attributed
> > > > to a non-presence container - namely its existence now is determined by
> > > > the existence of its parent (which reduces flexibility in a very certain
> > > > way).
> > > Can someone explain to me what exactly breaks NACM? An example would
> > > help me.
> > >
> > > /js (as contributor)
> > >
> > "It is absolutely legal to configure "update" rights to /interfaces to a
> > group of users reserving the "create" right to the superuser. How is this
> > scenario handled by servers ignoring empty non-presence containers?"
> > (this is an excerpt from an earlier post on that thread)
> >
> > If a non-presence container always exists in YANG 1.1 this usage example
> > is not possible.
>
> Should I read 'ignoring empty non-presence containers' as 'removing empty
> non-presence containers (from the XML encoding)'?
>
> Isn't the idea that non-presence container always exists in YANG 1.1
> for the purpose of validation, that is in the XPATH context?
>
>

This is an important point.
YANG 1.1 treats default nodes as if they always exist,
but this is for conceptual XPath evaluation only.
The create and delete operations still fail on a node with a YANG default,
based on whether it actually exists in the implementation.
NP containers are no different than default nodes in this respect.


> Back to your example, what is the client going to update in
> /interfaces if /interfaces is empty? Or is the scenario that the group
> of users have create and update rights within /interfaces but no
> create right on /interfaces?  I am trying to understand what exactly
> the situation is that you think causes problems.
>


In our NACM implementation there will be a check on node /interfaces.
The operation better be "none" if the user is not allowed to write to
that node.

Consider a file system where /home is an NP-container.
You don't give user 'foo' access to write to /home, just /home/foo.



> /js
>
>

Andy


> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
>
> _______________________________________________
> netmod mailing list
> netmod@ietf.org
> https://www.ietf.org/mailman/listinfo/netmod
>
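
Added example (not part of the original message, and not code from any NACM implementation): a simplified Python model of the check discussed above, where the operation applied to each node along the target path depends on whether that node actually exists. The group names, paths, and the most-specific-rule lookup are assumptions made for illustration.

```python
# Simplified model of an NACM-style write check; not a real NACM implementation.
# Group names, paths and the rule layout are constructed for illustration.
WRITE_OPS = {"create", "update", "delete"}

RULES = {
    "operators": {
        "/interfaces": {"update"},  # "create" on the container is withheld
        "/interfaces/interface": {"create", "update", "delete"},
    },
    "superuser": {"/": WRITE_OPS},
}

def allowed(group, path, op):
    """The most specific rule covering `path` decides; no rule means deny."""
    covering = [r for r in RULES.get(group, {})
                if path == r or path.startswith(r.rstrip("/") + "/")]
    if not covering:
        return False
    return op in RULES[group][max(covering, key=len)]

def effective_ops(existing, target):
    """Operation on each node along `target`, based on what actually exists."""
    parts = target.strip("/").split("/")
    ops = []
    for i in range(1, len(parts) + 1):
        path = "/" + "/".join(parts[:i])
        if path not in existing:
            ops.append((path, "create"))   # node must be instantiated
        elif path == target:
            ops.append((path, "update"))   # existing target is modified
        else:
            ops.append((path, "none"))     # existing ancestor: nothing written
    return ops

def authorize(group, existing, target):
    """Return (True, None), or (False, first node whose operation is denied)."""
    for path, op in effective_ops(existing, target):
        if op != "none" and not allowed(group, path, op):
            return False, path
    return True, None

if __name__ == "__main__":
    # /interfaces absent: the edit implies "create" on /interfaces, which is denied.
    print(authorize("operators", set(), "/interfaces/interface"))
    # /interfaces present: operation on it is "none", so only the child is checked.
    print(authorize("operators", {"/interfaces"}, "/interfaces/interface"))
    print(authorize("superuser", set(), "/interfaces/interface"))
```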