Hi Tore

It is not quite true to say the MNTNER objects serve no useful purpose. You are overlooking the mandatory "upd-to:" and optional "mnt-nfy:" attributes.

The "upd-to:" notifies the maintainer of any unsuccessful attempts to modify an object maintained by that MNTNER. This could be an indication of attempts to hack your data.

The "mnt-nfy:" notifies the maintainer of successful updates. Many people don't realise how this attribute can be used. If you set up the same email address in the "mnt-nfy:" of all an organisation's MNTNER objects you can have a centralised audit trail of all your data updates across the organisation.

So bypassing the MNTNER object is quite a significant change to the security model of the RIPE Database. If, at some later stage, we were to add this type of notification setup into the SSO groups, managed through the portal UI, and with other options besides emails, then maybe we are starting to get a more modern interface to managing the RIPE Database...but it is a significant change, so I suggest we start with the SSO groups and new auth method.

cheers
denis
co-chair DB-WG
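The "upd-to:" / "mnt-nfy:" audit-trail idea above lends itself to a simple consistency check. The following script is an added example, not code from the db-wg thread or from the RIPE NCC: it parses a handful of constructed MNTNER objects in RPSL text form and reports any maintainer that lacks the mandatory "upd-to:" or whose "mnt-nfy:" does not point at the organisation's shared audit mailbox. The maintainer names, addresses and the mailbox `db-audit@example.net` are placeholders.

```python
"""Check a set of RPSL MNTNER objects for a consistent notification setup.

Added example, not part of the original mailing-list post.  It assumes the
objects are available as plain RPSL text (e.g. saved from a whois query) and
that the organisation wants every MNTNER's "mnt-nfy:" to include one
centralised audit mailbox.  All names and addresses below are constructed.
"""
from typing import Dict, List

# Constructed sample input: three MNTNER objects in RPSL form.
SAMPLE_RPSL = """\
mntner:         EXAMPLE-MNT
descr:          Example LIR main maintainer
upd-to:         hostmaster@example.net
mnt-nfy:        db-audit@example.net
auth:           SSO alice@example.net
mnt-by:         EXAMPLE-MNT
source:         RIPE

mntner:         EXAMPLE-ROUTES-MNT
descr:          Example LIR route maintainer
upd-to:         hostmaster@example.net
auth:           SSO bob@example.net
mnt-by:         EXAMPLE-MNT
source:         RIPE

mntner:         EXAMPLE-LEGACY-MNT
descr:          Old maintainer whose notifications
+               still go to a personal mailbox
upd-to:         old-admin@example.net
mnt-nfy:        old-admin@example.net
auth:           SSO carol@example.net
mnt-by:         EXAMPLE-MNT
source:         RIPE
"""


def parse_rpsl(text: str) -> List[Dict[str, List[str]]]:
    """Split RPSL text into objects (separated by blank lines) and collect
    attributes as lists, since RPSL attributes may repeat.  Lines starting
    with whitespace or '+' continue the previous attribute's value."""
    objects: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
                current, last_key = {}, None
            continue
        if line[0] in " \t+" and last_key is not None:
            current[last_key][-1] += " " + line.lstrip(" \t+")
            continue
        key, _, value = line.partition(":")
        last_key = key.strip().lower()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def audit_mntners(text: str, audit_mailbox: str) -> Dict[str, List[str]]:
    """Return {mntner name: [findings]} for every MNTNER object in text.
    An empty findings list means the object follows the centralised
    notification policy (upd-to present, mnt-nfy includes audit_mailbox)."""
    findings: Dict[str, List[str]] = {}
    for obj in parse_rpsl(text):
        if "mntner" not in obj:
            continue  # only MNTNER objects carry upd-to / mnt-nfy
        name = obj["mntner"][0]
        problems: List[str] = []
        if "upd-to" not in obj:
            problems.append("missing mandatory upd-to")
        nfy = [v.lower() for v in obj.get("mnt-nfy", [])]
        if not nfy:
            problems.append("no mnt-nfy: successful updates are not notified")
        elif audit_mailbox.lower() not in nfy:
            problems.append(f"mnt-nfy does not include audit mailbox {audit_mailbox}")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for mnt, problems in audit_mntners(SAMPLE_RPSL, "db-audit@example.net").items():
        print(f"{mnt}: {'OK' if not problems else '; '.join(problems)}")
```

Run against a real export, the same check would flag exactly the gaps denis describes: a maintainer where failed update attempts go nowhere useful, or one whose successful updates never reach the shared audit trail.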

On Tuesday, 9 April 2019, 16:26:35 CEST, Tore Anderson via db-wg <db-wg@ripe.net> wrote:


* Cynthia Revström via db-wg
> Hello,
>
> On 2019-04-09 12:58, Tore Anderson via db-wg wrote:
>> «This authentication group can be referenced directly in mnt-*:
>> attributes in database objects, or if that is not feasible, as a
>> new authentication method in MNTNER objects.»
>
> AFAIK, mnt-* (mnt-by, lower, etc) defines what you are authorized to do, not how you are authorized. Authentication mechanisms define how you are authorized. So to me a new auth method would make more sense.

Hi Cynthia,

The point here is simply to get rid of the need to always create
«proxy» MNTNER objects.

That is, instead of needing this:

######
inet6num:      2001:db8::/32
mnt-lower:     MNT-MYLIR
mnt-routes:    MNT-MYLIR-ROUTES

-->

mntner:        MNT-MYLIR
auth:          LIRPORTAL eu.mylir

+

mntner:        MNT-MYLIR-ROUTES
auth:          LIRPORTAL eu.mylir/routes

-->

http://lirportal.ripe.net
user: alice@mylir.eu
user: bob@mylir.eu (member of group «routes»)
######

The LIR could make do with something like this:

######
inet6num:      2001:db8::/32
mnt-lower:     LIRPORTAL-eu.mylir
mnt-routes:    LIRPORTAL-eu.mylir/routes

-->

http://lirportal.ripe.net
user: alice@mylir.eu
user: bob@mylir.eu (member of group «routes»)
######

The two mntner objects in the first example serve no real purpose, except
to cause extra work and require LIR hostmasters to learn a concept they
have no need for.


Tore