On Wed, Oct 10, 2018 at 5:32 AM Martin Bjorklund <m...@tail-f.com> wrote:
> Hi,
>
> Eric Rescorla <e...@rtfm.com> wrote:
> > Eric Rescorla has entered the following ballot position for
> > draft-ietf-netmod-schema-mount-11: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-netmod-schema-mount/
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > Rich version of this review at:
> > https://mozphab-ietf.devsvcdev.mozaws.net/D3506
> >
> > DETAIL
> > S 4.
> > >
> > > It is worth emphasizing that the nodes specified in
> > > "parent-reference" leaf-list are available in the mounted schema only
> > > for XPath evaluations. In particular, they cannot be accessed there
> > > via network management protocols such as NETCONF [RFC6241] or
> > > RESTCONF [RFC8040].
> >
> > What are the security implications of this XPath reference outside the
> > mount jail? Specifically, how does it interact with the access control
> > for the enclosing module.
>
> There is no such interaction, since access control comes into play
> when some external entity accesses the data through some management
> protocol, and the nodes from the "parent-reference" expressions cannot
> be accessed via management protocols.
>
> The last sentence of the quoted paragraph was supposed to make this
> clear, but it seems we might need some additional explanation?
>

Yes, I think so. I guess I'm not clear on what the XPath expressions are
for if they can't be accessed via the management protocols. How can they be
used?

-Ekr

>
> /martin
>