--- 1/draft-ietf-supa-generic-policy-data-model-02.txt 2017-04-15 23:13:11.031243742 -0700 +++ 2/draft-ietf-supa-generic-policy-data-model-03.txt 2017-04-15 23:13:11.171247018 -0700 @@ -1,21 +1,21 @@ Network Working Group J. Halpern Internet-Draft Ericsson Intended status: Informational J. Strassner -Expires: April 16, 2017 Huawei Technologies +Expires: October 15, 2017 Huawei Technologies S. Van der Meer Ericsson - October 13, 2016 + April 15, 2017 Generic Policy Data Model for Simplified Use of Policy Abstractions (SUPA) - draft-ietf-supa-generic-policy-data-model-02 + draft-ietf-supa-generic-policy-data-model-03 Abstract This document defines two YANG policy data modules. The first is a generic policy model that is meant to be extended on an application- specific basis. The second is an exemplary extension of the first generic policy model, and defines rules as event-condition-action policies. Both models are independent of the level of abstraction of the content and meaning of a policy. @@ -32,21 +32,21 @@ Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 15, 2017. Copyright Notice - Copyright (c) 2016 IETF Trust and the persons identified as the + Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided 
@@ -59,27 +59,27 @@ 3. Terminology .................................................... 3 3.1. Acronyms ................................................. 3 3.2. Definitions .............................................. 3 3.3. Symbology ................................................ 5 4. Design of the SUPA Policy Data Models ......................... 5 4.1. Objectives ............................................... 5 4.2 Yang Data Model Maintenance ................................ 5 4.3 YANG Data Model Overview ................................... 6 4.4. YANG Tree Diagram ........................................ 7 5. SUPA Policy Data Model YANG Module ............................ 11 -6. IANA Considerations ........................................... 62 -7. Security Considerations ....................................... 62 -8. Acknowledgments ............................................... 62 -9. References .................................................... 62 - 9.1. Normative References ..................................... 62 +6. IANA Considerations ........................................... 63 +7. Security Considerations ....................................... 63 +8. Acknowledgments ............................................... 63 +9. References .................................................... 63 + 9.1. Normative References ..................................... 63 9.2. Informative References ................................... 63 -Authors' Addresses ................................................ 63 +Authors' Addresses ................................................ 64 1. Overview This document defines two YANG [RFC6020] [RFC6991] policy data models. The first is a generic policy model that is meant to be extended on an application-specific basis. It is derived from the Generic Policy Information Model (GPIM) defined in [1]. 
The second is an exemplary extension of the first (generic policy) model, and defines policy rules as event-condition-action tuples. Both models are independent of the level of abstraction of the content and 
@@ -571,38 +571,47 @@ can be found there. Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info)."; - revision "2016-10-10" { + revision "2017-04-15" { description - "20161010: Changed back to transitive identities (to + "20170415: Updated SUPABooleanClause based on + implementation experience from SNMPO example; + reworded definitions of supaPolMetadataID and + supaEncodedClauseEncoding attribute. + 20170117: updated class and attribute names in the YANG + to match those in the IM, except where noted. + 20161210: Incorporated input from IISOMI + 20161010: Changed back to transitive identities (to enforce inheritance) after determining that errors were from a confdc bug. 20161008: Fixed errors found in latest pyang compiler and from YANG Doctors. 20161001: Minor edits in association definitions. 20160928: Generated yang tree. + 20160924: Rewrote association documentation; rebuilt how all classes are named for consistency. 20160904: Optimization of module by eliminating leaves that are not needed; rewrote section 4. 20160824: Edits to sync data model to info model. 20160720: Conversion to WG draft. Fixed pyang 1.1 - compilation errors. Fixed must clause derefencing - used in grouping statements. Reformatted and expanded - descriptions. Fixed various typos. + compilation errors. Fixed must clause + derefencing used in grouping statements. + Reformatted and expanded descriptions. + Fixed various typos. 20160321: Initial version."; reference "draft-ietf-supa-policy-data-model-02"; } typedef policy-constraint-language-list { type enumeration { enum "error" { description "This signifies an error state."; 
@@ -620,39 +629,44 @@ enum "OCL2.x" { description "Object Constraint Language, v2.0 through 2.3.1 [2]."; } enum "OCL1.x" { description "Object Constraint Language, any version prior to v2.0 [3]."; } - enum "QVT1.2R" { + enum "QVT1.2 Relational Language" { description "QVT Relational Language [5]."; } - enum "QVT1.2O" { + enum "QVT1.2 Operational Language" { description - "QVT Operational language [5]."; + "QVT Operational Language [5]."; } enum "Alloy" { description "A language for defining structures and and relations using constraints [4]."; } + enum "Text" { + description + "The constraints are written in plain text."; + } } description - "The language used to encode the constraints + "The language used to encode the constraints that relevant to the relationship between the metadata and the underlying policy object."; } + typedef policy-data-type-id-encoding-list { type enumeration { enum "error" { description "This signifies an error state."; } enum "init" { description "This signifies a generic initialization state."; } @@ -791,21 +805,21 @@ // it appears that we cannot put a MUST condition on its definition, // as the default (actual) value changes for each inherited object. // Finally, note that since identities are irreflexive, we define a // parent identitym called SUPA-ROOT-TYPE, to serve as the single root // from which all identity statements are derived. identity SUPA-ROOT-TYPE { description "The identity corresponding to a single root for all identities in the SUPA Data Model. Note that section - 7.18.2 in RFC7950 says that identity derivation is + 7.18.2 in [RFC7950] says that identity derivation is irreflexive (i.e., an identity cannot be derived from itself."; } identity POLICY-OBJECT-TYPE { base SUPA-ROOT-TYPE; description "The identity corresponding to a SUPAPolicyObject object instance."; } 
@@ -820,25 +834,25 @@ "The identifier of the class of this grouping."; } leaf supa-policy-ID { type string; mandatory true; description "The string identifier of this policy object, which functions as the unique object identifier of this object instance. This attribute MUST be unique within the policy system. This attribute is named - supaObjectIDContent in [1], and is used with another - attribute (supaObjectIDEncoding); since the YANG data + supaPolObjIDContent in [1], and is used with another + attribute (supaPolObIDEncoding); since the YANG data model does not need this genericity, the - supaObjectIDContent attribute was renamed, and the - supaObjectIDEncoding attribute was not mapped."; + supaPolObjIDContent attribute was renamed, and the + supaObjectIDEncoding attribute was removed."; } leaf supa-policy-name { type string; description "A human-readable name for this policy object. Note that this is NOT the object ID."; } leaf supa-policy-object-description { type string; description @@ -1082,23 +1094,23 @@ grouping supa-encoded-clause-type { uses supa-policy-clause-type { refine entity-class { default POLICY-ENCODED-CLAUSE-TYPE; } } leaf supa-encoded-clause-content { type string; mandatory true; description - "This defines the content of this SUPAEncodedClause; the - language used to express this content is defined by the - supa-encoded-clause-language attribute."; + "This defines the content of this SUPAEncodedClause. + Since the target is YANG, the supaEncodedClauseEncoding + attribute is NOT required, and therefore, not mapped."; } leaf supa-encoded-clause-language { type enumeration { enum "error" { description "This signifies an error state. OAM&P Policies SHOULD NOT use this SUPAEncodedClause if the value of this attribute is error."; } enum "init" { 
@@ -1646,22 +1660,23 @@ leaf-list supa-has-policy-target-agg-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, 'SUPA-HAS-POLICY-TARGET-ASSOC')"; description "This leaf-list holds instance-identifiers that reference SUPAHasPolicyTarget associations [1]. This association is represented by the grouping supa-has-policy-target-detail, and describes how this SUPAPolicyStructure instance is related to a - set of SUPAPolicyTarget instances. Each - SUPAPolicyTarget instance defines a set of + set of SUPAPolicyTarget instances. + + Each SUPAPolicyTarget instance defines a set of unambiguous managed entities to which this SUPAPolicy will be applied to. Since this association class contains attributes, the instance-identifier MUST point to an instance using the grouping supa-has-policy-target-detail (which includes subclasses of this association class)."; } leaf-list supa-has-policy-clause-agg-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, 
@@ -1749,22 +1764,23 @@ leaf-list supa-has-policy-source-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, 'SUPA-HAS-POLICY-SOURCE-ASSOC')"; description "This leaf-list holds the instance-identifiers that reference a SUPAHasPolicySource association [1], which is represented by the supa-has-policy-source-detail grouping. This association describes how each SUPAPolicySource instance is related to this - particular SUPAPolicyStructure instance. Since - this association class contains attributes, the + particular SUPAPolicyStructure instance. + + Since this association class contains attributes, the instance-identifier MUST point to an instance using the grouping supa-has-policy-source-detail (which includes subclasses of this association class)."; } description "This object defines a set of managed entities that authored, or are otherwise responsible for, this SUPAPolicy. Note that a SUPAPolicySource does NOT evaluate or execute SUPAPolicies. Its primary use is for auditability and the implementation of deontic logic (i.e., @@ -1861,23 +1877,23 @@ } leaf supa-policy-metadata-id { type string; mandatory true; description "This represents the object identifier of an instance of this class. This attribute is named supaPolMetadataIDContent in [1], and is used with another attribute (supaPolMetadataIDEncoding); since the YANG data model does not need this genericity, the - supaPolMetadataIDContent attribute was renamed, and - the supaPolMetadataIDEncoding attribute was - not mapped."; + supaPolMetadataIDContent attribute was renamed to + supa-policy-metadata-id, and the + supaPolMetadataIDEncoding attribute was not mapped."; } leaf supa-policy-metadata-description { type string; description "This contains a free-form textual description of this metadata object (e.g., what it may be used for)."; } leaf supa-policy-metadata-name { type string; description 
@@ -2144,23 +2162,24 @@ supa-policy-metadata-access-priv-model-ref is error, then this SUPAPolicyAccessMetadataDef object MUST NOT be used. If the value of the supa-policy-metadata-access-priv-model-ref is init, then this SUPAPolicyAccessMetadataDef object has been properly initialized, and is ready to be used. If the value of the supa-policy-metadata-access-priv-model-ref is read only or read write, then the value of this attribute is not applicable (because a type of model is NOT being defined; instead, the access control for - all SUPAPolicyObjects is being defined). Otherwise, - the text in this class attribute SHOULD be interpreted - according to the value of the + all SUPAPolicyObjects is being defined). + + Otherwise, the text in this class attribute SHOULD be + interpreted according to the value of the supa-policy-metadata-access-priv-model-ref class attribute."; } leaf supa-policy-metadata-access-priv-model-ref { type enumeration { enum "error" { description "This signifies an error state. OAM&P Policies SHOULD NOT use this SUPAPolicyAccessMetadataDef object if the value of this attribute is 
@@ -2499,22 +2518,23 @@ of this grouping."; } leaf supa-has-policy-component-decorator-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, 'POLICY-COMPONENT-TYPE')"; description "This leaf is an instance-identifier that references the SUPAPolicyComponentStructure instance end point of the association represented by this instance of the - SUPAHasDecoratedPolicyComponent association [1]. The - groupings supa-policy-component-decorator-type and + SUPAHasDecoratedPolicyComponent association [1]. + + The groupings supa-policy-component-decorator-type and supa-policy-component-structure-type represent the SUPAPolicyComponentDecorator and SUPAPolicyComponentStructure classes, respectively. Thus, the instance identified by this leaf is the SUPAPolicyComponentStructure instance that is associated by this association to the set of SUPAPolicyComponentStructure instances referenced by the supa-has-policy-component-decorator-agg-ptr leaf of this grouping."; } @@ -3003,20 +3022,21 @@ TBD 8. Acknowledgments This document has benefited from reviews, suggestions, comments and proposed text provided by the following members, listed in alphabetical order: Andy Bierman Benoit Claise + Berndt Zeuner Martin Bjorklund Qin Wu 9. References This section defines normative and informative references for this document. 9.1. Normative References 
@@ -3018,36 +3038,36 @@ This section defines normative and informative references for this document. 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010. - [RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991, July 2013. [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", August 2016. 9.2. Informative References [1] Strassner, J., Halpern, J., Coleman, J., "Generic Policy Information Model for Simplified Use of Policy - Abstractions (SUPA)", March 21, 2016, - draft-ietf-supa-generic-policy-info-model-01 + Abstractions (SUPA)", Jan 18, 2017, + draft-ietf-supa-generic-policy-info-model-02 [2] http://www.omg.org/spec/OCL/ [3] http://doc.omg.org/formal/2002-04-03.pdf [4] http://alloy.mit.edu/alloy/ [5] http://www.omg.org/spec/QVT/ + [6] http://semver.org/ [7] Definitions of DAC, MAC, and RBAC may be found here: http://csrc.nist.gov/groups/SNS/rbac/faq.html#03 [8] ABAC is described here: http://csrc.nist.gov/groups/SNS/rbac/index.html Authors' Addresses Joel Halpern Ericsson
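Review bot: In hunk @@ -32,21 +32,21 @@ the expiry sentence is now stale: "This Internet-Draft will expire on April 15, 2017." is left unchanged while the header in the first hunk was updated to "Expires: October 15, 2017". Update the sentence to October 15, 2017 so the two statements agree.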
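Review bot: In hunk @@ -59,27 +59,27 @@ the page-number updates look right, but the unchanged TOC context around them is inconsistent: "4.2 Yang Data Model Maintenance" and "4.3 YANG Data Model Overview" lack the trailing period after the section number that "4.1." and "4.4." use, and "Yang" should be "YANG". Worth fixing while this block is being touched.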
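Review bot: In hunk @@ -571,38 +571,47 @@ the revision statement's reference line, `reference "draft-ietf-supa-policy-data-model-02";`, is not bumped for this revision and does not match the draft name used in the header (draft-ietf-supa-generic-policy-data-model-03); it should name the -03 generic draft. Two further points on this hunk: the new changelog entry "20170415: Updated SUPABooleanClause based on implementation experience from SNMPO example" describes a change that no hunk in this diff touches, so either the diff is incomplete or the entry is premature; and the rewrapped lines keep the typo "derefencing" (dereferencing). Note also that a growing changelog inside one revision's description is unusual in YANG, where each published revision normally gets its own revision statement.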
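Review bot: In hunk @@ -620,39 +629,44 @@ the rewrapped typedef description still has the grammar error "the constraints that relevant to the relationship" (should be "that are relevant"); only trailing whitespace changed on that line. On the renamed enums "QVT1.2 Relational Language" and "QVT1.2 Operational Language": embedded spaces are legal in YANG 1.1 (RFC 7950 forbids only leading or trailing whitespace), but every XPath, CLI and configuration use of the value will need quoting, so a hyphenated form such as the old short names with a clearer suffix would be easier to consume. For the new "Text" enum, the description should state whether an implementation is expected to evaluate such a constraint or treat it as opaque, since plain text cannot be machine-checked; as written, a constraint in this language may silently go unenforced. The Alloy context line "structures and and relations" also has a doubled word.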
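Review bot: In hunk @@ -791,21 +805,21 @@ the sentence containing the changed citation is missing its closing parenthesis: "(i.e., an identity cannot be derived from itself." should end with ")". The comment two lines above, "parent identitym called SUPA-ROOT-TYPE", has a typo (identity). Both are worth fixing while this text is touched.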
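Review bot: In hunk @@ -820,25 +834,25 @@ the renamed attribute names are inconsistent within the one description: "supaPolObjIDContent" on the first changed line versus "attribute (supaPolObIDEncoding)" on the second (missing the "j"), and the final changed line, "the supaObjectIDEncoding attribute was removed", still uses the old name. The wording "was removed" also differs from "was not mapped" used for the equivalent metadata attribute in hunk @@ -1861,23; the two descriptions should use the same name form and the same phrasing.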
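Review bot: In hunk @@ -1082,23 +1094,23 @@ the rewritten description of supa-encoded-clause-content drops the statement that the language of the content is given by the supa-encoded-clause-language attribute, even though that leaf immediately follows and is the only way a consumer can know how to interpret the content. Keep the pointer, and move the remark "Since the target is YANG, the supaEncodedClauseEncoding attribute is NOT required, and therefore, not mapped" to the description of the supa-encoded-clause-type grouping, where it applies to the grouping as a whole rather than to this one leaf.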
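Review bot: In hunk @@ -1646,22 +1660,23 @@ the reflowed sentence keeps a doubled preposition, "unambiguous managed entities to which this SUPAPolicy will be applied to"; drop the trailing "to". Style only.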
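Review bot: Hunks @@ -3003,20 +3022,21 @@ and @@ -3018,36 +3038,36 @@ overlap: old lines 3018 to 3022 ("This section defines normative and informative references ... 9.1. Normative References") appear in both, which a single diff run would have merged into one hunk. This suggests two diffs were concatenated; regenerate the patch from the two files so the hunks apply cleanly.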
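Review bot: In hunk @@ -3018,36 +3038,36 @@ the deleted blank line between the [RFC6020] and [RFC6991] entries leaves those two run together while every other reference is separated by a blank line; restore it. In the same block, the [RFC7950] entry lacks its RFC number after the title, unlike the other normative entries; the updated [1] uses "Jan 18, 2017" where the other references spell the month out; and the newly added "[6] http://semver.org/" should be checked for an actual citation in the body, since an uncited entry should be dropped.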