* Cynthia Revström via db-wg
> Hello,
>
> On 2019-04-09 12:58, Tore Anderson via db-wg wrote:
>> «This authentication group can be referenced directly in mnt-*:
>> attributes in database objects, or if that is not feasible, as a
>> new authentication method in MNTNER objects.»
>
> AFAIK, mnt-* (mnt-by, lower, etc) defines what you are authorized to do, not how you are authorized. Authentication mechanisms define how you are authorized. So to me a new auth method would make more sense.
Hi Cynthia,
The point here is simply to get rid of the need to always create
«proxy» MNTNER objects.
That is, instead of needing this:
######
inet6num: 2001:db8::/32
mnt-lower: MNT-MYLIR
mnt-routes: MNT-MYLIR-ROUTES
-->
mntner: MNT-MYLIR
auth: LIRPORTAL eu.mylir
+
mntner: MNT-MYLIR-ROUTES
auth: LIRPORTAL eu.mylir/routes
-->
http://lirportal.ripe.net
user: alice@mylir.eu
user: bob@mylir.eu (member of group «routes»)
######
The LIR could make do with something like this:
######
inet6num: 2001:db8::/32
mnt-lower: LIRPORTAL-eu.mylir
mnt-routes: LIRPORTAL-eu.mylir/routes
-->
http://lirportal.ripe.net
user: alice@mylir.eu
user: bob@mylir.eu (member of group «routes»)
######
The two mntner objects in the first example serve no real purpose, except
to cause extra work and require LIR hostmasters to learn a concept they
have no need for.
Tore
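
The two configurations from the message, resolved to the portal users each mnt-* attribute would admit. This is an added example, not part of the original message or any RIPE Database code. The portal state, the function names and the rule that a bare LIR id matches every portal user of that LIR are assumptions.

```python
# Added illustration. LIRPORTAL syntax is from the proposal; resolution rules are assumed.
PORTAL = {  # constructed portal state: LIR -> user -> groups
    "eu.mylir": {"alice@mylir.eu": set(), "bob@mylir.eu": {"routes"}},
}

WITH_PROXY = """\
inet6num: 2001:db8::/32
mnt-lower: MNT-MYLIR
mnt-routes: MNT-MYLIR-ROUTES

mntner: MNT-MYLIR
auth: LIRPORTAL eu.mylir

mntner: MNT-MYLIR-ROUTES
auth: LIRPORTAL eu.mylir/routes
"""

DIRECT = """\
inet6num: 2001:db8::/32
mnt-lower: LIRPORTAL-eu.mylir
mnt-routes: LIRPORTAL-eu.mylir/routes
"""

def parse(text):
    """Split blank-line separated objects into lists of (attribute, value)."""
    return [[tuple(p.strip() for p in line.split(":", 1)) for line in obj.splitlines()]
            for obj in text.strip().split("\n\n")]

def portal_members(ref):
    """'lir' = every portal user of that LIR (assumed); 'lir/group' = group members."""
    lir, _, group = ref.partition("/")
    return {u for u, gs in PORTAL.get(lir, {}).items() if not group or group in gs}

def authorised(text, attr):
    """Portal users allowed through one mnt-* attribute of the first object."""
    objs = parse(text)
    mntners = {o[0][1]: o for o in objs if o[0][0] == "mntner"}
    users = set()
    for val in (v for k, v in objs[0] if k == attr):
        if val.startswith("LIRPORTAL-"):      # proposed form: direct group reference
            users |= portal_members(val[len("LIRPORTAL-"):])
        for k, v in mntners.get(val, []):     # proxy form; unknown mntner resolves to nobody
            if k == "auth" and v.startswith("LIRPORTAL "):
                users |= portal_members(v.split(None, 1)[1])
    return users

if __name__ == "__main__":
    for attr in ("mnt-lower", "mnt-routes"):
        print(attr, sorted(authorised(WITH_PROXY, attr)), sorted(authorised(DIRECT, attr)))
```

Both forms resolve to the same users for each attribute, and a reference to a maintainer or group that does not exist resolves to an empty set rather than to everyone.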