openconfig / public

Repository for publishing OpenConfig models, documentation, and other material for the community.
Apache License 2.0

transport-security in openconfig-system-management.yang #241

Closed Reshad-Rahman closed 2 months ago

Reshad-Rahman commented 5 years ago

https://github.com/openconfig/public/blob/master/release/models/system/openconfig-system-management.yang#L74 has leaf-node transport-security. Disabling transport security should not be allowed according to https://github.com/openconfig/reference/blob/master/rpc/gnmi/gnmi-specification.md#31-session-security-authentication-and-rpc-authorization?

aashaikh commented 5 years ago

You're right that the leaf was introduced for gRPC services like gNMI (though OpenConfig models are intended to be used with other protocols), so it does seem inconsistent. We can look at adding a default false statement to make the intent clear. I think there are lab / testing and other use cases where one may want to disable TLS -- certainly not recommended for any production environment.

samribeiro commented 4 years ago

I have sent a PR to the private repo setting this to default:true, enforcing transport security by default and clarifying that a use case for disabling it would be lab testing. As mentioned by Anees, this is a generic gRPC configuration interface and does not apply only to gNMI (which always encrypts and authenticates), so it makes sense to leave this leaf in place.

samribeiro commented 4 years ago

This has been merged in the private repository which will be synched to the public one. Closing for now. Please reopen if anything is amiss.

github-actions[bot] commented 3 months ago

This issue is stale because it has been open 180 days with no activity. If you wish to keep this issue active, please remove the stale label or add a comment; otherwise it will be closed in 14 days.
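
An added example, not part of the issue thread or the OpenConfig project's code: a Python audit that flags device configs where the gRPC server runs with `transport-security` explicitly false, and that treats an absent leaf according to whether the device implements a model revision carrying the default discussed above. The JSON layout (`system/grpc-server/config` with an `enable` leaf), the device names and the `model_has_default_true` parameter are assumptions; the sample configs are constructed.

```python
import json

# Constructed sample configs (RFC 7951-style JSON), not taken from real devices.
# Assumed layout: system/grpc-server/config holding "enable" and
# "transport-security" leaves; device names are hypothetical.
SAMPLES = {
    "lab-sw1": '{"openconfig-system:system": {"grpc-server": {"config": '
               '{"enable": true, "port": 9339, "transport-security": false}}}}',
    "edge-r1": '{"openconfig-system:system": {"grpc-server": {"config": '
               '{"enable": true, "transport-security": true}}}}',
    "core-r2": '{"openconfig-system:system": {"grpc-server": {"config": '
               '{"enable": true}}}}',
    "agg-r3": '{"system": {"grpc-server": {"config": '
              '{"enable": false, "transport-security": false}}}}',
}


def _child(node, name):
    """Return child `name` of a JSON object, ignoring any 'module:' prefix."""
    if not isinstance(node, dict):
        return None
    for key, value in node.items():
        if key.split(":", 1)[-1] == name:
            return value
    return None


def audit_grpc_transport(config_text, model_has_default_true=True):
    """Classify one config: absent, disabled, insecure, unknown or ok."""
    node = json.loads(config_text)
    for name in ("system", "grpc-server", "config"):
        node = _child(node, name)
    if node is None:
        return "absent"            # no gRPC server config present at all
    if _child(node, "enable") is False:
        return "disabled"          # server explicitly off, nothing exposed
    tls = _child(node, "transport-security")
    if tls is None:
        # Leaf not set: TLS can only be assumed when the device implements
        # a model revision that carries the default (assumption: caller knows).
        return "ok" if model_has_default_true else "unknown"
    return "ok" if tls is True else "insecure"


if __name__ == "__main__":
    for device, text in SAMPLES.items():
        print(f"{device}: {audit_grpc_transport(text)}")
```

Run it against production inventory with `model_has_default_true=False` for any device whose model revision is not known, so that an unset leaf is reported for follow-up rather than assumed secure.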