AuthZ service - REST(Conf) accessible or not?


Wojciech Dec
 

Hi Folks,

While working through the config sub-system wiring, I came to a question that calls for some wider input. As far as I understand, there are two types of wiring API ends that can be used: a) Yang RPC derived, b) manually defined. (The Toaster model exemplifies only the former.)
Now, the advantage of the former is that the wiring automatically gets made with other services, e.g. RestConf. But it occurred to me, is this necessary for the AuthZ service, i.e. would we want to expose the AuthZ service to external queries arriving over REST of the type: Can user X perform Y on Z?

Thoughts?

Cheers,
Wojciech.


Nguyen, Liem Manh <liem_m_nguyen@...>
 

Hi Wojciech,

 

I don’t really see a use-case for exposing AuthZ via REST…  In fact, I think it might be a security issue, since it exposes too much of the inner workings of the AAA system for a potential hacker if they get a hold of this information.  From the resource owner’s perspective, they should already know what kind of accesses they should get with the given role(s).

 

From the AAA admin’s perspective, however, I think CRUD APIs over the access policies would be beneficial.

 

Thoughts?

 

Regards,

Liem

 

From: aaa-dev-bounces@... [mailto:aaa-dev-bounces@...] On Behalf Of Wojciech Dec
Sent: Friday, July 04, 2014 9:22 AM
To: aaa-dev@...
Subject: [Aaa-dev] AuthZ service - REST(Conf) accessible or not?

 

Hi Folks,

While working through the config sub-system wiring, I came to a question that calls for some wider input. As far as I understand, there are two types of wiring API ends that can be used: a) Yang RPC derived, b) manually defined. (The Toaster model exemplifies only the former.)
Now, the advantage of the former is that the wiring automatically gets made with other services, e.g. RestConf. But it occurred to me, is this necessary for the AuthZ service, i.e. would we want to expose the AuthZ service to external queries arriving over REST of the type: Can user X perform Y on Z?

Thoughts?

Cheers,

Wojciech.