Re: [i2rs] WG LC for Topology (10/1 to 10/14)

[Alexander Clemm (alex)]

Hi Juergen,
Understood, but this doesn't really address our problem here.  We want to see 
how we can apply YANG to meet our needs, not the other way round.  Hence the 
suggestion to explore the use of metadata here.
--- Alex

-----Original Message-----
From: Juergen Schoenwaelder [mailto:j.schoenwael...@jacobs-university.de] 
Sent: Monday, October 26, 2015 11:19 AM
To: Alexander Clemm (alex) <a...@cisco.com>
Cc: Martin Bjorklund <m...@tail-f.com>; lho...@nic.cz; i2rs@ietf.org; 
a...@yumaworks.com; akat...@gmail.com; jh...@pfrc.org; sha...@ndzh.com; Kent 
Watsen <kwat...@juniper.net>
Subject: Re: [i2rs] WG LC for Topology (10/1 to 10/14)

In YANG, it is assumed that config true nodes exist in a datastore where all 
config true nodes are treated the same. A datastore is the unit of validation 
and we don't want to have a valid configuration datatore become invalid 
arbitrarily. This is why config true nodes are not allowed to depend on config 
false nodes (state data that can change arbitrarily).

/js

On Sat, Oct 24, 2015 at 01:15:55AM +0000, Alexander Clemm (alex) wrote:
> Hi Martin,
> 
> maybe option 1 provides a way out here.  This also has the least impact on 
> the existing design and implementation, hence preferable.  
> 
> However, I still feel that we are dealing with a limitation of the YANG 
> framework here.  I think we are dealing with a use case that was not really 
> foreseen in the YANG design, i.e. that we might run into data that has 
> instances that can indeed be authoritatively owned by a server versus others 
> representing more traditional configuration.  The one aspect that not really 
> address by making it regular config concerns your assertion that "any other 
> client can modify what this client wrote".  Access rights could provide a 
> solution, but not in the way as currently defined via NACM, since we would 
> need to differentiate access rights at the instance level, not at the module 
> definition level.  Rather than seeing how we can make our requirements 
> somehow fit a rigid interpretation of the YANG framework (that does not allow 
> for special treatment / behavior of special cases), I would like to see 
> whether the YANG framework can be flexible enough to still support what we 
> are trying to do.  
> 
> Kent made what I thought was a very interesting suggestion at the interim, 
> asking whether this would be an application for metadata.  I think this is 
> something that we might leverage here.  We could introduce a metadata item 
> that indicates for configuration information whether that was populated by a 
> server, so really should not be modified by other clients (or, when modified, 
> will presumably be "changed back" by the server).  Or, that might simply be 
> locked by the server.  
> 
> Thoughts regarding that suggestion?
> 
> --- Alex
> 
> -----Original Message-----
> From: Martin Bjorklund [mailto:m...@tail-f.com]
> Sent: Friday, October 23, 2015 12:17 AM
> To: Alexander Clemm (alex) <a...@cisco.com>
> Cc: lho...@nic.cz; i2rs@ietf.org; 
> j.schoenwael...@jacobs-university.de; a...@yumaworks.com; 
> akat...@gmail.com; jh...@pfrc.org; sha...@ndzh.com
> Subject: Re: [i2rs] WG LC for Topology (10/1 to 10/14)
> 
> "Alexander Clemm (alex)" <a...@cisco.com> wrote:
> > Hi Martin,
> > 
> > We can nitpick over how to best express this
> 
> This isn't nitpicking; I am trying to understand what you had in mind.
> 
> And it seems Juergen is correct.  You essentially want to mix config and 
> operational state in a single list.  This is not possible to express in YANG, 
> so you change the semantics of the formal statements with descriptions.  I 
> don't think this a good idea.
> 
> I can think of two alternatives to the current design that don't violate YANG:
> 
> 1)  Keep the single config true list, w/o the server-provided leaf,
>     and explain in text that there might be a client
>     "internal-to-the-server" that behaves just like any other client
>     (specifically respects locks, makes sure the end result is
>     valid, and any other client can modify what this client wrote
>     (module access rights)).
> 
> 2)  Split the model into two, one config list and one oper list.
>     References in the config list can either be by name (implicit) or
>     use the new YANG 1.1 syntax "require-instance false";
> 
> 
> /martin
> 
> > , but hopefully the
> > general sense of what the requirement is and what I was trying to 
> > express is clear.  You can have an outside client application 
> > maintain some topologies / list elements, and have others maintained 
> > an populated by the server - or arguably an app embedded in the server.
> > The difference from the "normal" client is that really it is that we 
> > want the server / embedded app that is the authoritative owner of 
> > the information.
> > 
> > Cheers
> > --- Alex
> > 
> > -----Original Message-----
> > From: Martin Bjorklund [mailto:m...@tail-f.com]
> > Sent: Monday, October 19, 2015 11:07 PM
> > To: Alexander Clemm (alex) <a...@cisco.com>
> > Cc: lho...@nic.cz; i2rs@ietf.org;
> > j.schoenwael...@jacobs-university.de; a...@yumaworks.com; 
> > akat...@gmail.com; jh...@pfrc.org; sha...@ndzh.com
> > Subject: Re: [i2rs] WG LC for Topology (10/1 to 10/14)
> > 
> > "Alexander Clemm (alex)" <a...@cisco.com> wrote:
> > > Hi Martin,
> > > 
> > > "So how is the server-provided leaf supposed to be implemented, 
> > > and how is it supposed to be used?"
> > > 
> > > When a network topology is populated by the server, the 
> > > server-provided leaf is supposed to be set to true.
> > 
> > But you earlier wrote that when the server wants to change something 
> > it would behave as a normal client.
> > 
> > > When a network topology is populated by a client app (through 
> > > "regular" configuration), the server provided leaf is supposed to 
> > > be set to false.
> > > 
> > > For any given network topology, when the corresponding 
> > > "server-provided" leaf is set to "true", attempts to edit the 
> > > configuration of that topology are to be rejected.
> > 
> > This also goes against what you acknowledged previously - "the 
> > server-provided data can be modified by anyone with proper access 
> > rights"
> > 
> > 
> > /martin
> > 
> > 
> > > 
> > > Alternatives to the current design include making the leaf "config 
> > > true", or moving it outside (just this leaf) for a list that 
> > > indicates for each topology whether it is server-provided or not 
> > > (in a separate "state" branch).
> > > --- Alex
> > > 
> > > -----Original Message-----
> > > From: Martin Bjorklund [mailto:m...@tail-f.com]
> > > Sent: Monday, October 19, 2015 1:27 PM
> > > To: Alexander Clemm (alex) <a...@cisco.com>
> > > Cc: lho...@nic.cz; i2rs@ietf.org;
> > > j.schoenwael...@jacobs-university.de; a...@yumaworks.com; 
> > > akat...@gmail.com; jh...@pfrc.org; sha...@ndzh.com
> > > Subject: Re: [i2rs] WG LC for Topology (10/1 to 10/14)
> > > 
> > > "Alexander Clemm (alex)" <a...@cisco.com> wrote:
> > > > Hi Martin,
> > > > 
> > > > One model for the data that is server-provided is to assume an 
> > > > app (which could be embedded on the same server) that knows how 
> > > > to discover the network, then populates the data accordingly.
> > > > 
> > > > [Of course, we would not want any random client app just being 
> > > > able to "mess" with that data.  The expectation is generally 
> > > > clearly access to this will be restricted / controlled.  The 
> > > > topology instances that were populated by the "server-provided 
> > > > app" should not be "touched" by other apps - it is the 
> > > > "server-provided" app that is responsible for maintaining them.]
> > > > 
> > > > So I assume the answer to your question is "yes", but with a 
> > > > bunch of caveats.
> > > 
> > > So how is the server-provided leaf supposed to be implemented, and 
> > > how is it supposed to be used?
> > > 
> > > 
> > > /martin
> > > 
> > > 
> > > 
> > > > --- Alex
> > > > 
> > > > 
> > > > -----Original Message-----
> > > > From: i2rs [mailto:i2rs-boun...@ietf.org] On Behalf Of Martin 
> > > > Bjorklund
> > > > Sent: Monday, October 19, 2015 11:32 AM
> > > > To: Alexander Clemm (alex) <a...@cisco.com>
> > > > Cc: a...@yumaworks.com; i2rs@ietf.org; 
> > > > j.schoenwael...@jacobs-university.de; lho...@nic.cz; 
> > > > akat...@gmail.com; jh...@pfrc.org; sha...@ndzh.com
> > > > Subject: Re: [i2rs] WG LC for Topology (10/1 to 10/14)
> > > > 
> > > > Alex,
> > > > 
> > > > Is the idea that the server-provided data is normal config?  
> > > > I.e., if the server wants to modify this data it behaves like a 
> > > > normal client?
> > > > (conceptually...)  And the server-provided data can be modified 
> > > > by anyone with proper access rights?
> > > > 
> > > > 
> > > > /martin
> > > > 
> > > > 
> > > > 
> > > > "Alexander Clemm (alex)" <a...@cisco.com> wrote:
> > > > > Hi Juergen,
> > > > > 
> > > > > I think one of the key statements you make below is this:
> > > > > " Recall also that YANG does not allow configuration data to 
> > > > > depend on state data."
> > > > > 
> > > > > Note that this is not the case in the current model.  The 
> > > > > current model is essentially all configuration data.  Of 
> > > > > course, we have this flag to indicate who supplied that data 
> > > > > (and is hence maintaining it).
> > > > > 
> > > > > You argue that we should instead "split" the model and 
> > > > > introduce operational data to reflect what is populated by the server.
> > > > > However, doing that introduces precisely new issues - and you 
> > > > > have just brought another argument why this may be a bad idea 
> > > > > and may not even work.
> > > > > Topologies _are_ layered, and we need to be able to express 
> > > > > that in the model.  Now, if we have a topology that is 
> > > > > server-provided, hence (per your statement) to be represented 
> > > > > by operational data only, how do we build an overlay topology 
> > > > > that is "configured" on top of it?  If the answer is "we 
> > > > > can't, unless we replicate the server-provided topology into 
> > > > > the network configuration (which makes no sense)", we are screwed.
> > > > > Now, we might build it on top if we remove all references / 
> > > > > dependencies on the underlay from the model and punt the 
> > > > > problem to the user.  Basically, no longer have the model 
> > > > > express vertical relationships.  Not a good solution, IMHO.
> > > > > 
> > > > > How do you suggest we address this?  The ability to express 
> > > > > layering relationships between topologies, including cases 
> > > > > where topologies originate from different sources 
> > > > > (discovered/server-provided vs configured), is a requirement.
> > > > > It is not an artefact of our model, it is something that we 
> > > > > need to capture as part of the model.  There may not be a 
> > > > > "nice" way of doing this within the YANG framework, yet it is 
> > > > > important that we find a way to do this.  The current solution 
> > > > > to this
> > > > > - having the model as configuration data, and including a 
> > > > > parameter to indicate who supplies the data and is maintaining 
> > > > > it
> > > > > - appears to be cleanest and clearest solution (or perhaps the 
> > > > > "least bad") that results in the model of least complexity.
> > > > > 
> > > > > Perhaps there is something we can simply change about the 
> > > > > "server-provided" object to address your concerns?  We can 
> > > > > make it config (to address your issue that triggered this, the 
> > > > > presence of a r/o object in a tree that is otherwise r/w).
> > > > > 
> > > > > Thoughts?
> > > > > --- Alex
> > > > > 
> > > > > 
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Juergen Schoenwaelder
> > > > > [mailto:j.schoenwael...@jacobs-university.de]
> > > > > Sent: Sunday, October 18, 2015 3:13 AM
> > > > > To: Alexander Clemm (alex) <a...@cisco.com>
> > > > > Cc: Ladislav Lhotka <lho...@nic.cz>; i2rs@ietf.org; Martin 
> > > > > Bjorklund <m...@tail-f.com>; Andy Bierman <a...@yumaworks.com>; 
> > > > > 'Alia Atlas'
> > > > > <akat...@gmail.com>; 'Jeffrey Haas' <jh...@pfrc.org>; Susan 
> > > > > Hares <sha...@ndzh.com>
> > > > > Subject: Re: [i2rs] WG LC for Topology (10/1 to 10/14)
> > > > > 
> > > > > On Thu, Oct 15, 2015 at 10:59:31PM +0000, Alexander Clemm 
> > > > > (alex)
> > > > > wrote:
> > > > > > Hello Juergen,
> > > > > > 
> > > > > > responses inline, delimited with <ALEX>
> > > > > > 
> > > > > > --- Alex
> > > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Juergen Schoenwaelder
> > > > > > [mailto:j.schoenwael...@jacobs-university.de]
> > > > > > Sent: Wednesday, October 14, 2015 11:35 PM
> > > > > > To: Alexander Clemm (alex) <a...@cisco.com>
> > > > > > Cc: Susan Hares <sha...@ndzh.com>; Andy Bierman 
> > > > > > <a...@yumaworks.com>; i2rs@ietf.org; Martin Bjorklund 
> > > > > > <m...@tail-f.com>; Ladislav Lhotka <lho...@nic.cz>; 'Alia Atlas'
> > > > > > <akat...@gmail.com>; 'Jeffrey Haas'
> > > > > > <jh...@pfrc.org>
> > > > > > Subject: Re: [i2rs] WG LC for Topology (10/1 to 10/14)
> > > > > > 
> > > > > > On Fri, Oct 09, 2015 at 09:55:19PM +0000, Alexander Clemm
> > > > > > (alex)
> > > > > > wrote:
> > > > > > > 
> > > > > > > The only item in the topology that is read-only concerns 
> > > > > > > the "server-provided" flag, but this concerns a separate 
> > > > > > > issue that was also discussed (I am not sure if this is 
> > > > > > > what you are referring to).
> > > > > > > It is analogous to the other discussion concerning 
> > > > > > > distinguishing configuration that has been intended, 
> > > > > > > versus one that is in effect etc .  This concerns the 
> > > > > > > issue that some topologies are populated by the server 
> > > > > > > whereas some topologies can be populated by client applications.
> > > > > > 
> > > > > > Yes, this is what the concern is about.
> > > > > > 
> > > > > > > We have had discussions in the past whether to "split this 
> > > > > > > up", having a (rw) branch to populate "intended" 
> > > > > > > topologies and a
> > > > > > > (ro) branch for topologies "in effect".
> > > > > > 
> > > > > > This is the normal way to do this in YANG. And this goes 
> > > > > > back to what was driving us for years, namely to clearly 
> > > > > > separate config from state. This module makes this 
> > > > > > distinction a runtime property controlled by a data model 
> > > > > > specific mechanism. None of the generic tools out there will be 
> > > > > > able to understand this.
> > > > > > 
> > > > > > <ALEX>
> > > > > > I think the issue is more related to the current discussion 
> > > > > > with regards to openconfig and "intended configuration" and 
> > > > > > "applied configuration".  If YANG had an existing solution 
> > > > > > for this, we would not have this discussion.  The reason I 
> > > > > > believe this is similar is that you can view the "applied 
> > > > > > configuration" as the "server-provided configuration" 
> > > > > > (network topology, in our case), and the "intended 
> > > > > > configuration" as the, well, configured or intended network 
> > > > > > topology in our case.  That said, the issue is not identical
> > > > > > - whereas in the openconfig case every "applied configuration" 
> > > > > > has an accompanying "intended configuration", in our case 
> > > > > > this is not necessarily the case
> > > > > > - you can have "applied" [network topologies] that were 
> > > > > > provided by the server / the network itself, not configured by 
> > > > > > anybody.
> > > > > > </ALEX>
> > > > > 
> > > > > I think this has nothing to do with intended or applied config. 
> > > > > Your 'server supplied topology' appears to me to be 
> > > > > operational state and not configuration data.
> > > > >  
> > > > > > > We decided against it for various reasons - every piece of 
> > > > > > > information would essentially be duplicated inside the 
> > > > > > > model (this is not your normal config vs oper data 
> > > > > > > distinction, but would essentially reflect a limitation of 
> > > > > > > the framework), leading to unnecessary additional 
> > > > > > > complexity in the model (every augmentation has to be 
> > > > > > > conducted in two places), more complex validation rules, etc.
> > > > > > 
> > > > > > I do not understand why this is not a normal config vs oper 
> > > > > > data distinction. Please explain.
> > > > > > 
> > > > > > <ALEX>
> > > > > > A normal distinction would be e.g. the type of model we have 
> > > > > > in RFC
> > > > > > 7233 - separate trees with distinct data, some clearly part 
> > > > > > of configuration, other clearly operational data.
> > > > > > In this case, this is different.  You have the same data.  
> > > > > > However, in some cases it is populated by a client, in other 
> > > > > > cases by the server.
> > > > > > YANG requires the categorization of data as config false or true.  
> > > > > > In this case, this categorization does not always apply - 
> > > > > > or, the categorization depends on the particular instance.
> > > > > > </ALEX>
> > > > > 
> > > > > So you have operational state which is partially populated by 
> > > > > the server and partially populated from config. I fail to see 
> > > > > how this is any different from other cases, including network 
> > > > > interfaces as defined in RFC 7233. Recall also that YANG does 
> > > > > not allow configuration data to depend on state data.
> > > > > 
> > > > > > I do not understand how this leads to more complex validation rules.
> > > > > > Please explain.
> > > > > > 
> > > > > > <ALEX>
> > > > > > 
> > > > > > One example concerns the supporting nodes/links/TPs.  
> > > > > > 
> > > > > > We want to be able to express that, for example, a node in 
> > > > > > one network is supported by a node in an underlay network.  
> > > > > > For this purpose, we are referencing a node in another (underlay) 
> > > > > > network.
> > > > > > So that we cannot reference an arbitrary node in an 
> > > > > > arbitrary network, we want to make sure that the supporting 
> > > > > > node is part of a "supporting-network"
> > > > > > of the same network.
> > > > > > 
> > > > > > Currently, we have the following definition:
> > > > > > 
> > > > > >    list supporting-node {
> > > > > >         key "network-ref node-ref";
> > > > > >         description
> > > > > >           "Represents another node, in an underlay network, that 
> > > > > >            this node is supported by.  Used to represent layering 
> > > > > >            structure.";
> > > > > >         leaf network-ref {
> > > > > >           type leafref {
> > > > > >             path "../../../supporting-network/network-ref";
> > > > > >           }
> > > > > >           description
> > > > > >             "References the underlay network that the 
> > > > > >              underlay node is part of.";
> > > > > >         }
> > > > > >         leaf node-ref {
> > > > > >           type leafref {
> > > > > >             path "/network/node/node-id";
> > > > > >           }
> > > > > >           description
> > > > > >             "References the underlay node itself.";
> > > > > >         }
> > > > > /
> > > > > >       }
> > > > > > 
> > > > > > 
> > > > > > If we were to split the model, when we configure a node, we 
> > > > > > will have to account for the fact that the supporting node 
> > > > > > could be either part of a "configured" network itself, or of 
> > > > > > a network that has been "server-provided".  That is, we need 
> > > > > > to be able to allow for both possibilities.
> > > > > 
> > > > > Again note that YANG requires that configuration data does not 
> > > > > depend on state data. You seem to be breaking this rule, no?
> > > > > 
> > > > > > To do this, we would no longer be able to have the 
> > > > > > network-ref to be part of the key for supporting-node - we 
> > > > > > would have to replace network-ref with a choice of two nodes 
> > > > > > that reference either a server-provided network ("branch 
> > > > > > 1"), or a configured network ("branch 2").  As a result, we 
> > > > > > will have to introduce a separate way to reference elements in list 
> > > > > > supporting-node.
> > > > > > All of this results in considerable additional complexity.  
> > > > > > Or do you see an easier way?
> > > > > > 
> > > > > > </ALEX>
> > > > > 
> > > > > I do not think this is the solution. YANG requires that 
> > > > > constraints on config true nodes can only refer to other 
> > > > > config true nodes in the datastore where the node with the 
> > > > > constraint exists. See section
> > > > > 7.5.3 and section 7.19.5. And concerning leafref, section 9.9 
> > > > > says that a leafref may only point to configuration. I believe 
> > > > > this I-D is violating the distinction between configuration and state 
> > > > > data.
> > > > > 
> > > > > /js
> > > > > 
> > > > > -- 
> > > > > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > > > > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > > > > Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
> > > > > 
> > > > 
> > > > _______________________________________________
> > > > i2rs mailing list
> > > > i2rs@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/i2rs
> > > > 
> > > > _______________________________________________
> > > > i2rs mailing list
> > > > i2rs@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/i2rs
> > > > 
> > > 
> > 

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

_______________________________________________
i2rs mailing list
i2rs@ietf.org
https://www.ietf.org/mailman/listinfo/i2rs