--- 1/draft-ietf-supa-generic-policy-info-model-01.txt 2017-01-18 11:13:29.403519895 -0800 +++ 2/draft-ietf-supa-generic-policy-info-model-02.txt 2017-01-18 11:13:29.655525887 -0800 @@ -1,20 +1,20 @@ Network Working Group J. Strassner Internet Draft Huawei Technologies Intended status: Standard Track J. Halpern -Expires: January 19, 2017 S. van der Meer +Expires: July 20, 2017 S. van der Meer Ericsson - July 19, 2016 + January 18, 2017 Generic Policy Information Model for Simplified Use of Policy Abstractions (SUPA) - draft-ietf-supa-generic-policy-info-model-01 + draft-ietf-supa-generic-policy-info-model-02 Abstract This document defines an information model for representing policies using a common extensible framework that is independent of language, protocol, repository. It is also independent of the level of abstraction of the content and meaning of a policy. Status of this Memo @@ -25,38 +25,39 @@ Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on January 19, 2017. + This Internet-Draft will expire on July 20, 2017. Copyright Notice - Copyright (c) 2016 IETF Trust and the persons identified as the + Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents +*** Note: this is out of date, will be fixed in next version *** 1. Overview ....................................................... 9 1.1. Introduction .............................................. 9 1.2. Changes Since Version -03 ................................ 11 2. Conventions Used in This Document ............................. 11 3. Terminology ................................................... 12 3.1. Acronyms ................................................. 12 3.2. Definitions .............................................. 12 3.2.1. Core Terminology .................................... 12 3.2.1.1. Information Model .............................. 12 @@ -133,60 +134,58 @@ 5.2.1.5. The Attribute "supaPolicyName" ................. 51 5.2.2. SUPAPolicy Relationships ............................ 52 5.2.2.1. The Relationship "SUPAHasPolicyMetadata" ....... 52 5.2.2.2. The Association Class "SUPAHasPolicyMetadataDetail" .................. 52 5.3. The Abstract Class "SUPAPolicyStructure" ................. 52 5.3.1. SUPAPolicyStructure Attributes ...................... 53 5.3.1.1. The Attribute "supaPolAdminStatus" ............. 53 5.3.1.2. The Attribute "supaPolContinuumLevel" .......... 53 5.3.1.3. The Attribute "supaPolDeployStatus" ............ 54 - 5.3.1.4. The Attribute "supaPolExecStatus" .............. 54 - 5.3.1.5. The Attribute "supaPolExecFailStrategy" ........ 54 + 5.3.1.4. The Attribute "supaPolExecFailStrategy" ........ 54 Table of Contents (continued) 5.3.2. SUPAPolicyStructure Relationships ................... 55 5.3.2.1. The Aggregation "SUPAHasPolicySource" .......... 55 5.3.2.2. The Association Class "SUPAHasPolicySourceDetail" .................... 55 5.3.2.2.1. The Attribute "supaPolSrcIsAuthenticated" . 55 5.3.2.2.2. The Attribute "supaPolSrcIsTrusted" ....... 56 5.3.2.3. The Aggregation "SUPAHasPolicyTarget" .......... 56 5.3.2.4. The Association Class "SUPAHasPolicyTargetDetail" ................... 56 5.3.2.4.1. The Attribute "supaPolTgtIsAuthenticated" . 56 5.3.2.4.2. The Attribute "supaPolTgtIsEnabled" ....... 56 5.3.2.5. The Association "SUPAHasPolExecFailTakeAction" . 57 5.3.2.6. The Association Class "SUPAHasPolExecFailTakeActionDetail" ........... 57 5.3.2.6.1. The Attribute - "supaPolExecFailTakeActionEncoding" ....... 57 + "supaPolExecFailActionEncoding" ........... 57 5.3.2.6.2. The Attribute - "supaPolExecFailTakeActionName[1..n]" ..... 58 + "supaPolExecFailActionName[1..n]" ......... 58 5.3.2.7. The Aggregation "SUPAHasPolicyClause" .......... 58 5.3.2.8. The Association Class "SUPAHasPolicyClauseDetail" .................... 58 5.4. The Abstract Class "SUPAPolicyComponentStructure" ........ 59 5.4.1. SUPAPolicyComponentStructure Attributes ............. 59 5.4.2. SUPAPolicyComponentStructure Relationships .......... 59 5.5. The Abstract Class "SUPAPolicyClause" .................... 59 5.5.1. SUPAPolicyClause Attributes ......................... 60 - 5.5.1.1. The Attribute "supaPolClauseExecStatus" ........ 60 + 5.5.1.1. The Attribute "supaPolClauseDeployStatus" ...... 60 5.5.2. SUPAPolicyClause Relationships ...................... 61 5.6. The Concrete Class "SUPAEncodedClause" ................... 61 5.6.1. SUPAEncodedClause Attributes ........................ 61 5.6.1.1. The Attribute "supaEncodedClauseContent" ....... 61 5.6.1.2. The Attribute "supaEncodedClauseEncoding" ...... 61 - 5.6.1.3. The Attribute "supaEncodedClauseResponse" ...... 62 - 5.6.1.4. The Attribute "supaEncodedClauseLang[0..n]" .... 62 - 5.6.1.5. The Attribute "supaEncodedClauseResponse" ...... 62 + 5.6.1.3. The Attribute "supaEncodedClauseLanguage" ...... 62 + 5.6.1.4. The Attribute "supaEncodedClauseResponse" ...... 62 5.6.2. SUPAEncodedClause Relationships ..................... 62 5.7. The Abstract Class "SUPAPolicyComponentDecorator" ........ 62 5.7.1. The Decorator Pattern ............................... 63 5.7.2. SUPAPolicyComponentDecorator Attributes ............. 64 5.7.2.1. The Attribute "supaPolCompConstraintEncoding" .. 65 5.7.2.2. The Attribute "supaAPolCompConstraint[0..n]" ... 65 5.7.3. SUPAPolicyComponentDecorator Relationships .......... 65 5.7.3.1. The Aggregation "SUPAHasDecoratedPolicyComponent" .............. 66 5.7.3.2. The Association Class @@ -473,31 +472,35 @@ module MUST extend the GPIM to define a new type of policy rule by adding to the GPIM. Each additoinal module MUST NOT alter any of the model elements of the GPIM. The use of extensions preserves the interoperability of this approach; if the base GPIM was modified, then this would adversely compromise interoperability. The SUPA ECA Policy Rule Information Model (EPRIM) extends the GPIM to represent policy rules that use the Event-Condition-Action (ECA) paradigm. -1.2. Changes Since Version -00 +1.2. Changes Since Version -01 There are several changes in this version of this document compared to the previous versions of this document. They are: - 1) Rewrote parts of the Introduction. - 2) Clarified how to extend the GPIM and EPRIM - 3) Redesigned the SUPAPolicyVersionMetadataDef class - 4) Added Fully Qualified Path Names where applicable - 5) Removed Appendices B and C (declarative policies) - 6) Fixed typos + 1) Clarified figure 7 and figure 17 + 2) Aligned enumerations in IM with those in DM and standardized + values in the IM version and their explanations + 3) Removed supaPolExecStatus and supaPolClauseExecStatus + 4) Added supaPolClauseDeployStatus attribute + 5) Rewrote SUPAPolicyComponentStructure definition + 6) Rewrote SUPAPolicyClause definition + 7) Synchronized information and data models. + 8) Deleted the attribute "supaEncodedClauseLang[0..n]" + 9) Fixed typos 2. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. In this document, these words will appear with that interpretation only when in ALL CAPS. Lower case uses of these words are not to be interpreted as carrying [RFC2119] significance. @@ -1462,20 +1465,22 @@ | | | | | | | | | SUPAHasPolicyClause #1 | | | | | +------------------------------+ | | | | | | | | SUPAHasPolicyClause #2 | | | +----------------------------------------+ | | | | SUPAHasPolicyClause #3 | +--------------------------------------------------+ + note: all 3 aggregations have a multiplicity of 1..n - 0..n + Figure 7. Instantiating a SUPAECAPolicyRule, part 1 In figure 7, SUPAECAPolicyRule is shown as "owning" these three aggregations, since it inherits them from its superclass (SUPAPolicyStructure). The three aggregations represent the event, condition, and action clauses of a SUPAECAPolicyRule. Note that each of these clauses MAY consist of one or more SUPAPolicyClauses. Similarly, each SUPAPolicyClause MAY consist of one or more predicates. In this way, complex event, condition, and action clauses, which are combinations of Boolean expressions @@ -1653,21 +1658,21 @@ I I I +------------+-------------+----------------+ I I I I A I I C I I +--------+-------+ I +---------+------------+ I | SUPAPolicyTerm | I | SUPAPolicyCollection | I +----------------+ I +----------------------+ I (for defining I (for defining sets and/or I - clauses in I groups of objects) I + clauses in a I groups of objects) I canonical form) I I I I C I A I +----------------+--------------+ +---------+--------+ | SUPAGenericDecoratedComponent | | SUPAECAComponent | +-------------------------------+ +------------------+ (for decorating concrete (for defining reusable subclasses of SUPAPolicyClause) event, condition, and action objects) @@ -2060,23 +2065,22 @@ to a given object. SUPAPolicyMetadata objects (see sections 5.16 - 5.20) may be attached to the SUPAECAPolicyRule and/or any of its components to define additional semantics of the SUPAECAPolicyRule. For example, SUPAAccessMetadataDef (see section 5.19) and/or SUPAVersionMetadataDef (see section 5.20) may be attached to define the access privileges and version information, respectively, of a policy rule and/or its components. - The SUPAPolicyStructure contains two attributes, - supaPolDeployStatus and supaPolExecStatus (see sections 5.3.1.3. - and 5.3.1.4., respectively) that SUPAPolicyMetadata objects can + The SUPAPolicyStructure defines an attribute, supaPolDeployStatus, + (see section 5.3.1.3.) that SUPAPolicyMetadata objects can use to get and set the deployment and execution status of a SUPAPolicy. This allows metadata to be used to alter the deployment and/or execution state of a policy (or a set of policy components) without having to affect other parts of the policy-based management system. The supaPolDeployStatus attribute indicates that this SUPAPolicy can or cannot be deployed. If it cannot be deployed. Similarly, the supaPolExecStatus attribute is used to indicate if a particular SUPAPolicy has executed, is currently executing, or is ready to execute, and whether or not the execution of that SUPAPolicy had any failures. @@ -2275,36 +2279,40 @@ | | | | | | | +---SUPAPolicyValue (5.11) | | | | | +---SUPAGenericDecoratedComponent (5.12) | | | | | +---SUPAPolicyCollection (5.13) | | | +---SUPAPolicySource (5.14) | | | +---SUPAPolicyTarget (5.15) + + (Class of another model that SUPAPolicyMetadata is integrating into) | +---SUPAPolicyMetadata (5.16) | +---SUPAPolicyConcreteMetadata (5.17) | +---SUPAPolicyMetadataDecorator (5.18) | +---SUPAPolicyAccessMetadataDef (5.19) | +---SUPAPolicyVersionMetadataDef (5.20) Figure 16: Main Classes of the GPIM SUPAPolicy is the root of the SUPA class hierarchy. For implementations, it is assumed that SUPAPolicy is subclassed from - a class from another model. + a class from another model. Note that SUPAPolicyMetadata MAY be + subclassed from the same or (preferably) a different class in the + external model. Classes, attributes, and relationships that are marked as "mandatory" MUST be part of a conformant implementation (i.e., a schema MUST contain these entities). This does not mean that these entities must be instantiated; rather it means that they must be able to be instantiated. Classes, attributes, and relationships that are marked as "optional" MAY be part of a conformant implementation. Unless otherwise stated, all classes (and attributes) defined in @@ -2313,21 +2321,21 @@ in [5] has been put on hold, and the names of many of the classes, attributes, and relationships are slightly different. 5.2. The Abstract Class "SUPAPolicyObject" This is a mandatory abstract class. Figure 17 shows the SUPAPolicyObject class, and its four subclasses. A 0..n 0..n A +----------------+/ \ \+------------------+ - |SUPAPolicyObject+ A ------------------------+SUPAPolicyMetadata| + |SUPAPolicyObject+ A --------------------------+SUPAPolicyMetadata| +--------+-------+\ / SUPAHasPolicyMetadata /+------------------+ / \ I I +-----------------+----------------+-----------+ I I I I A I I I I +--------+------------+ I I I | SUPAPolicyStructure | I I I +---------------------+ I I I @@ -2408,51 +2416,54 @@ This is a mandatory non-zero enumerated integer attribute that represents part of the object identifier of an instance of this class. It defines the format of the object identifier. It works with another class attribute, called supaPolObjIDContent, which defines the content of the object ID. These two attributes form a tuple, and together enable a machine to understand the syntax and value of an object identifier for the object instance of this class. The supaPolObjIDEncoding attribute is mapped to the following values: - 0: undefined - 1: GUID - 2: UUID - 3: primary key - 4: foreign key - 5: URI - 6: FQDN - 7: FQPN + 0: error + 1: init + 2: primary_key + 3: foreign_key + 4: GUID + 5: UUID + 6: URI + 7: FQDN + 8: FQPN + 9: string_instance_id - The value 0 may be used to initialize the system, or to signal - that there is a problem with this particular SUPAPolicyObject. + The values 0 and 1 represent an error state and an initialization + state, respectively. The value 9 defines the canonical + representation, in ASCII, of an instance ID of this object. 5.2.1.4. The Attribute "supaPolicyDescription" This is an optional string attribute that defines a free-form textual description of this object. 5.2.1.5. The Attribute "supaPolicyName" This is an optional string attribute that defines the name of this Policy. This enables any existing generic naming attribute to be used for generic naming, while allowing this attribute to be used to name Policy entities in a common manner. Note that this is NOT the same as the commonName attribute of the Policy class defined in [RFC3060], as that attribute is intended to be used with just X.500 cn attributes. 5.2.2. SUPAPolicyObject Relationships The SUPAPolicyObject class currently defines a single relationship, - as defined in the subsections below. + as defined in the subsection below. 5.2.2.1. The Aggregation "SUPAHasPolicyMetadata" This is a mandatory aggregation that defines the set of SUPAPolicyMetadata that are aggregated by this particular SUPAPolicyObject. This aggregation is defined in section 5.16.2. 5.2.2.2. The Association Class "SUPAHasPolicyMetadataDetail" @@ -2506,112 +2517,101 @@ Care must be taken in adding attributes to this class, because the behavior of future subclasses of this class (e.g., declarative and functional policies) is very different than the behavior of SUPAECAPolicyRules. 5.3.1.1. The Attribute "supaPolAdminStatus" This is an optional attribute, which is an enumerated non-negative integer. It defines the current administrative status of this - SUPAPolicyClause. - - This attribute can be used to place this particular - SUPAPolicyStructure object instance into a specific administrative - state, such as enabled, disabled, or in test. Values include: + SUPAPolicyClause. Values include: - 0: Unknown (an error state) - 1: Enabled - 2: Disabled - 3: In Test (i.e., no operational traffic can be passed) + 0: error + 1: init + 2: enabled + 3: disabled + 4: in test (i.e., no operational traffic can be passed) - Value 0 denotes an error that prevents this SUPAPolicyStructure - from being used. Values 1 and 2 mean that this SUPAPolicyStructure - is administratively enabled or disabled, respectively. A value of - 3 means that this SUPAPolicyStructure is in a special test mode - and SHOULD NOT be used as part of an OAM&P policy. + The values 0 and 1 represent an error state and an initialization + state, respectively. Values 2 and 3 mean that this + SUPAPolicyStructure is administratively enabled or disabled, + respectively. A value of 4 means that this SUPAPolicyStructure is + currently in a special test mode and SHOULD NOT be used as part of + an OAM&P policy. 5.3.1.2. The Attribute "supaPolContinuumLevel" This is an optional non-negative integer attribute. It defines the level of abstraction, or policy continuum level [10], of this particular SUPAPolicy. The value assignment of this class is dependent on the application; however, it is recommended that - for consistency with other SUPA attributes, the value of 0 is - reserved for initialization and/or error conditions. + for consistency with other SUPA attributes, the values of 0 and 1 + are reserved for error and initialization states. By convention, lower values represent more abstract levels of the policy continuum. For example, a value of 1 could represent business policy, a value of 2 could represent application-specific policies, and a value of 3 could represent low=level policies for network administrators. 5.3.1.3. The Attribute "supaPolDeployStatus" This is an optional enumerated, non-negative integer attribute. The purpose of this attribute is to indicate that this SUPAPolicy can or cannot be deployed by the policy management system. This attribute enables the policy manager to know which SUPAPolicies to retrieve, and may be useful for the policy execution system for planning the staging of SUPAPolicies. Values include: - 0: undefined - 1: deployed and enabled - 2: deployed and in test - 3: deployed but not enabled - 4: ready to be deployed - 5: cannot be deployed - - If the value of this attribute is 0 or 5, then the policy - management system SHOULD ignore this SUPAPolicy. Otherwise, the - policy management MAY use this SUPAPolicy. - -5.3.1.4. The Attribute "supaPolExecStatus" - - This is an optional attribute, which is an enumerated, - non-negative integer. It defines the current execution status - of this SUPAPolicy. Values include: + 0: error + 1: init + 2: deployed and enabled + 3: deployed and in test + 4: deployed but not enabled + 5: ready to be deployed + 6: cannot be deployed - 0: undefined - 1: executed and SUCCEEDED (operational mode) - 2: executed and FAILED (operational mode) - 3: currently executing (operational mode) - 4: ready to execute (operational mode) - 5: executed and SUCCEEDED (test mode) - 6: executed and FAILED (test mode) - 7: currently executing (test mode) - 8: ready to execute (test mode) + The values 0 and 1 represent an error state and an initialization + state, respectively. A value of 2 means that the policy management + system MAY use this SUPAPolicy. A value of 3-5 means that the + policy management system SHOULD NOT use this SUPAPolicy until it is + put into an enabled state. -5.3.1.5. The Attribute "supaPolExecFailStrategy" +5.3.1.4. The Attribute "supaPolExecFailStrategy" This is an optional non-negative, enumerated integer that defines what actions, if any, should be taken by this SUPAPolicyStructure object if it fails to execute correctly. Note that some systems may not be able to support all options specified in this enumeration. If rollback is supported by the system, then option 2 may be skipped. Options 3 and 4 can be used by systems that do and do not support rollback. Values include: - 0: undefined - 1: attempt rollback of all actions taken and stop execution - 2: attempt rollback of only the action that failed and stop + 0: error + 1: init + 2: attempt rollback of all actions taken and stop execution + 3: attempt rollback of only the action that failed and stop execution - 3: stop execution but do not rollback any actions - 4: ignore failure and continue execution + 4: stop execution but do not rollback any actions + 5: ignore failure and continue execution - A value of 0 can be used as an error condition. A value of 1 means - that ALL execution is stopped, rollback of all actions (whether - successful or not) is attempted, and that SUPAPolicies that - otherwise would have been executed are ignored. A value of 2 means - that execution is stopped, and rollback is attempted for ONLY the - SUPAPolicy that failed to execute correctly. + The values 0 and 1 represent an error state and an initialization + state, respectively. A value of 2 means that ALL execution is + stopped, rollback of all actions (whether successful or not) is + attempted, and that SUPAPolicies that otherwise would have been + executed are ignored. A value of 3 means that execution is stopped, + and rollback is attempted for ONLY the SUPAPolicy that failed to + execute correctly. A value of 4 means that execution is stopped, but + no actions are rolled back. A value of 5 means that the failure is + ignored, and execution continues. 5.3.2. SUPAPolicyStructure Relationships The SUPAPolicyStructure class owns four relationships, which are defined in the following subsections. 5.3.2.1. The Aggregation "SUPAHasPolicySource" This is an optional aggregation, and defines the set of SUPAPolicySource objects that are attached to this particular @@ -2726,46 +2726,55 @@ | |\ ^ +---------------------------+ 1..n | | C | +------------------+-----------------+ | SUPAHasPolExecFailTakeActionDetail | +------------------------------------+ Figure 18. SUPAHasPolExecFailTakeAction Association -5.3.2.6.1. The Attribute "supaPolExecFailTakeActionEncoding" +5.3.2.6.1. The Attribute "supaPolExecFailActionEncoding" This is an optional enumerated, non-negative integer attribute that defines how to find the set of SUPAPolicyActions contained in each element of the supaPolExecFailTakeActionName class attribute. Values include: - 0: undefined - 1: String - 2: GUID - 3: UUID - 4: URI + 0: error + 1: init + 2: URI + 3: GUID + 4: UUID 5: FQDN 6: FQPN + 7: string + 8: string_instance_id -5.3.2.6.2. The Attribute "supaPolExecFailTakeActionName[1..n]" + The values 0 and 1 represent an error state and an initialization + state, respectively. Values 2-6 define a representation for the + SUPAPolicyAction. A value of 7 defines an ASCII string that + contains the name of the SUPAPolicyAction to be executed (e.g., to + be used in a regex search). A value of 8 defines the canonical + representation, in ASCII, of an instance ID of this object. + +5.3.2.6.2. The Attribute "supaPolExecFailActionName[1..n]" This is an optional array of string attributes that identifies the - set of policy actions to take if the SUPAPolicyStructure object + set of SUPAPolicyActions to take if the SUPAPolicyStructure object that owns this association failed to execute properly. The interpretation of this string attribute is defined by the supaPolExecFailTakeActionEncoding class attribute. The association defines the SUPAPolicyStructure that contains the set of policy actions to execute, and this attribute defines which of these - actions are to be executed. Note that there is no need to execute - a SUPAPolicy, since the event and failure have already occurred. + actions are to be executed. That there is no need to execute a + SUPAPolicy, since the event and failure have already occurred. Note: [1..n] means that this is a multi-valued property that has at least one (and possibly more) attributes. 5.3.2.7. The Aggregation "SUPAHasPolicyClause" This is an optional aggregation that defines the set of SUPAPolicyClauses that are aggregated by this particular SUPAPolicyStructure instance. The semantics of this aggregation are defined by the SUPAHasPolicyClauseDetail association class. @@ -2791,28 +2800,46 @@ determine which SUPAPolicyClauses are aggregated by which SUPAPolicyStructure objects. Attributes will be added to this class at a later time. 5.4. The Abstract Class "SUPAPolicyComponentStructure" This is a mandatory abstract class that is the superclass of all objects that represent different types of components of a SUPAPolicy. Different types of policies have different types of - structural components. However, all of these are used in at least - one type of policy. This class represents a convenient control - point for defining characteristics and behavior that are common - to objects that serve as components of a policy. + structural components. This is accommodated by defining two generic + subclasses, called SUPAPolicyClause and SUPAPolicyComponentDecorator, + which are common to different policy types. These two classes + represent convenient control points for defining characteristics + and behavior that are common to objects that serve as components of + a SUPAPolicy. + + SUPAPolicyClause defines a basic building block for writing + parts of a SUPAPolicy. It is analogous to a clause in a sentence. + For example, in an ECA Policy Rule, the Event, Condition, and Action + clauses are each made up of at least one (subclass of a) + SUPAPolicyClause. Similalry, declarative Policy Rules can also be + defined using (its own subclasses of) SUPAPolicyClauses. This class + is defined in section 5.5. + + SUPAPolicyComponentDecorator is used to implement the decorator + pattern [11]. The decorator pattern enables all or part of one or + more objects to "wrap" another concrete object. This enables the + definition of an extensible set of subclasses that can augment the + definition of a SUPAPolicyClause. This class is defined in + section 5.7. Note that there are significant differences between the definition - of this class, and its attributes, and the definition of the - corresponding class (and its attributes) in [5]. + of the SUPAPolicyComponentStructure class, and its attributes and + relationships, and the definition of the corresponding class (and + its attributes and relationships) in [5]. 5.4.1. SUPAPolicyComponentStructure Attributes No attributes are currently defined for the SUPAPolicyComponentStructure class. 5.4.2. SUPAPolicyComponentStructure Relationships SUPAPolicyComponentStructure participates in a single relationship, SUPAHasDecoratedPolicyComponent, as defined in section 5.7.3. @@ -2820,85 +2847,89 @@ 5.5. The Abstract Class "SUPAPolicyClause" This is a mandatory abstract class that separates the representation of a SUPAPolicy from its implementation. SUPAPolicyClause was abstracted from DEN-ng [2]. This abstraction is missing in [RFC3060], [RFC3460], [4], and [6]. This class is called PolicyStatement in [5], but the class and relationship definitions differ significantly from the corresponding designs in this document. - A SUPAPolicyClause contains an individual or group of related - functions that are used to define the content of a policy. More - specifically, since the number and type of functions that make up - a SUPAPolicyClause can vary, the decorator pattern is used, so - that the contents of a SUPAPolicyClause can be adjusted + A SUPAPolicy, regardless of its structure and semantics, can be + abstracted into a set of sentences. Each sentence can in turn be + abstracted into a set of clauses. A SUPAPolicyClause is, as its + name implies, a clause (i.e., a part of a statement), and defines + the content of a SUPAPolicy. The decorator pattern is used to + enable an extensible set of objects to "wrap" the SUPAPolicyClause; + this enables the contents of a SUPAPolicyClause to be adjusted dynamically at runtime without affecting other objects. This document defines two different types of policy clauses: SUPAEncodedClause (which is generic, and can be used by any type of policy), and SUPABooleanClause (which is also generic, - but is typically used by SUPAECAPolicyRule objects). + but is typically used by SUPAECAPolicyRule objects, since it is + used specifically to represent Boolean clauses). SUPAPolicyClauses are objects in their own right, which facilitates their reuse. SUPAPolicyClauses can aggregate a set of any of the subclasses of SUPAPolicyComponentDecorator, which - was shown in Figure 10. These four subclasses provide four - different ways to construct a SUPAPolicyClause: + was shown in Figure 10. These four subclasses (i.e., SUPAPolicyTerm, + SUPAGenericDecoratedComponent, SUPAECAComponent, and SUPACollection) + provide four different ways to construct a SUPAPolicyClause: - 1) SUPAPolicyTerm, which enables constructing a {variable, + 1) a SUPAPolicyClause can be made up of a set of three + SUPAPolicyTerms, which enables constructing a {variable, operator, value} expression for building SUPAPolicyClauses - 2) SUPAEncodedClause, which enables policy clauses to be + 2) a SUPAPolicyClause can be made up of one or more + SUPAEncodedClauses, which enables a SUPAPolicyClause to be formed as an encoded object (e.g., to pass YANG or CLI code) - 3) SUPAPolicyCollection, which defines a collection of objects - that requires further processing by the policy management - system in order to be made into a SUPAPolicyClause - 4) SUPAECAComponent, which enables policy clauses to be formed - using (reusable) Event, Condition, and/or Action objects + 3) a SUPAPolicyClause can be made up of a set of SUPACollections, + which define a Collection (e.g., set, bad, associative arrays) + of objects that can be assembled into SUPAPolicyClauses + 4) a SUPAPolicyClause can be made up of one or more + SUPAECAComponents, which enables a SUPAPolicyClause to be + formed using (reusable) Event, Condition, and/or Action + objects SUPAPolicyClauses are aggregated by a SUPAPolicyStructure object, which enables all types of SUPAPolicies to uniformly be made up of one or more SUPAPolicyClauses. 5.5.1. SUPAPolicyClause Attributes This section defines the attributes of the SUPAPolicyClause class, which are inherited by all SUPAPolicyClause subclasses. -5.5.1.1. The Attribute "supaPolClauseExecStatus" +5.5.1.1. The Attribute "supaPolClauseDeployStatus" - This is an optional enumerated non-negative integer attribute. It - defines whether this SUPAPolicyClause is currently in use and, if - so, what its execution status is. This attribute can also be used - to place this particular SUPAPolicyClause into a specific execution - state, such as enabled (values 1-4), in test (value 5) or disabled - (value 6). Values include: + This is an optional enumerated, non-negative integer attribute. The + purpose of this attribute is to indicate that this SUPAPolicyClause + can or cannot be deployed by the policy management system. This + attribute enables the policy manager to know which SUPAPolicyClauses + to retrieve, and may be useful for the policy execution system for + planning the staging of SUPAPolicies. Values include: - 0: Unknown (an error state) - 1: Completed (i.e., successfully executed, but now idle) - 2: Working (i.e., in use and no errors reported) - 3: Not Working (i.e., in use, but errors have been reported) - 4: Available (i.e., could be used, but currently isn't) - 5: In Test (i.e., cannot be used as part of an OAM&P policy) - 6: Disabled (i.e., not available for use) + 0: error + 1: init + 2: deployed and enabled + 3: deployed and in test + 4: deployed but not enabled + 5: ready to be deployed + 6: cannot be deployed - Value 0 denotes an error that prevents this SUPAPolicyClause - from being used. Value 1 means that this SUPAPolicyClause has - successfully finished execution, and is now idle and available. - Value 2 means that this SUPAPolicyClause is in use; in addition, - this SUPAPolicyClause is working correctly. Value 3 is the same as - value 2, except that this SUPAPolicyClause is not working - correctly. Value 4 means that this SUPAPolicyClause is available, - but not currently in use. Value 5 means that this SUPAPolicyClause - is in a special test state. A test state signifies that it SHOULD - NOT be used to evaluate OAM&P policies. A value of 6 means that - this SUPAPolicyClause is unavailable for use. + The values 0 and 1 represent an error state and an initialization + state, respectively. If the value of this attribute is 0 or 6, then + the policy management system SHOULD ignore this SUPAPolicy. + Otherwise, the policy management system MAY use this SUPAPolicyClause + (once this SUPAPolicyClause is deployed and enabled). However, a + value of 4 means that this policy is not admininstratively enabled + for use and SHOULD NOT be used in OAM&P policies. 5.5.2. SUPAPolicyClause Relationships SUPAPolicyClause participates in a single relationship, SUPAHasPolicyClause, as defined in section 5.3.2.7. Note that SUPAPolicyClause uses the decorator pattern to "wrap" this object with instances of the (concrete) subclasses of the SUPAPolicyComponentDecorator object. 5.6. The Concrete Class "SUPAEncodedClause" @@ -2913,79 +2944,91 @@ SUPAEncodedClause. Hence, SUPAEncodedClause objects are reusable at the object level, whereas SUPABooleanClause clauses are reusable at the individual Boolean expression level. This class uses two of its attributes (supaEncodedClauseContent and supaEncodedClauseEncoding) for defining the content and type of encoding used in a given SUPAPolicyClause. The benefit of a SUPAEncodedClause is that it enables direct encoding of the text of the SUPAPolicyClause, without having the "overhead" of using other objects. However, note that while this method is efficient, it - does not reuse other SUPAPolicy objects. + does not reuse other SUPAPolicy objects. Furthermore, its potentially + for reuse is reduced, as only SUPAPolicies that can use the exact + encoding of this clause can reuse this object. 5.6.1. SUPAEncodedClause Attributes This section defines the attributes of the SUPAEncodedClause class. + Prescriptive and/or descriptive information about the usage of this + SUPAEncodedClause may be provided by one or more SUPAPolicyMetadata + objects, which are each attached to the object instance of this + SUPAEncodedClause. 5.6.1.1. The Attribute "supaEncodedClauseContent" This is a mandatory string attribute, and defines the content of this clause. It works with another class attribute, called supaEncodedClauseEncoding, which defines how to interpret the value of this attribute (e.g., as a string or reference). These two attributes form a tuple, and together enable a machine to understand the syntax and value of this object instance. 5.6.1.2. The Attribute "supaEncodedClauseEncoding" This is a mandatory non-negative integer attribute, and defines - how to interpret the value of this encoded clause. It works with - another class attribute (supaEncodedClauseContent), which defines - the content of the encoded clause. These two attributes form a - tuple, and together enable a machine to understand the syntax and - value of the encoded clause for the object instance of this class. - Values include: + how to interpret the value of the supaEncodedClauseContent. It + works with another class attribute (supaEncodedClauseContent), + which defines the content of the encoded clause. These two + attributes form a tuple, and together enable a machine to + understand the syntax and value of the encoded clause for the + object instance of this class. This attribute is NOT required in + all data model implementations. Values include: - 0: undefined - 1: String - 2: GUID - 3: UUID - 4: URI - 5: FQDN - 6: FQPN + 0: error (i.e., an error state) + 1: init (i.e., an initialization state) + 2: primary_key + 3: foreign_key + 4: GUID + 5: UUID + 6: URI + 7: FQDN + 8: FQPN + 9: string_instance_id + + The values 0 and 1 represent an error state and an initialization + state, respectively. The value 9 defines the canonical + representation, in ASCII, of an instance ID of this object. 5.6.1.3. The Attribute "supaEncodedClauseLanguage" This is mandatory non-negative integer attribute, and defines the type of language used in this encoded clause. Values include: - 0: undefined - 1: Text - 2: YANG - 3: XML - 4: CLI + 0: error + 1: init + 2: Text + 3: YANG + 4: XML 5: TL1 -5.6.1.4. The Attribute "supaEncodedClauseLang[0..n]" - - This is an optional array of string attribute that contains - descriptive information about the type of language used in the - supaEncodedClauseLanguage class attribute. Text is in comma - separated value (i.e., vendorName, vendorVersion) format. + The values 0 and 1 represent an error state and an initialization + state, respectively. -5.6.1.5. The Attribute "supaEncodedClauseResponse" +5.6.1.4. The Attribute "supaEncodedClauseResponse" This is an optional Boolean attribute that emulates a Boolean response of this clause, so that it may be combined with other subclasses of the SUPAPolicyClause that provide a status as to their correctness and/or evaluation state. This enables this object to be used to construct more complex Boolean clauses. + Note that this attribute does NOT have to be implemented by all + data model implementations (e.g., [15]). 5.6.2. SUPAEncodedClause Relationships SUPAPolicyClause participates in a single inherited relationship, SUPAHasPolicyClause, as defined in section 5.3.2.7. 5.7. The Abstract Class "SUPAPolicyComponentDecorator" This is a mandatory class, and is used to implement the decorator pattern. The decorator pattern enables all or part of one or more @@ -3006,85 +3049,87 @@ +---------------+--------------+ / \ I I A A I A I \ / 0..1 +----------+---------+ +--------------+-----+---------+ | SUPAPolicyClause | | SUPAPolicyComponentDecorator | +----------+---------+ +--------------+---------------+ I I I I / \ / \ Concrete Subclasses, Concrete Subclasses - (e.g., SUPAEncodedClause) (e.g., SUPAPolicyCollection) + (e.g., SUPAEncodedClause) (e.g., SUPAPolicyEvent) (object being wrapped) (wrapping object(s)) Figure 19. The PolicyComponent Decorator Pattern 5.7.1. The Decorator Pattern Each SUPAPolicyComponentDecorator object HAS_A (i.e., wraps) a concrete instance of the SUPAPolicyClause object. This means that the SUPAPolicyComponentDecorator object has an instance variable that holds a reference to a SUPAPolicyClause object. Since the SUPAPolicyComponentDecorator object has the same interface as the SUPAPolicyClause object, the SUPAPolicyComponentDecorator object (and all of its subclasses) are transparent to clients of the SUPAPolicyClause object (and its subclasses). This means that SUPAPolicyComponentDecorator object instances can add attributes and/or methods to those of the concrete instance of the chosen subclass of SUPAPolicyClause. - Figure 20 shows how this is done for methods. 20a shows the - initial object to be wrapped; 20b shows SUPAPolicyCollection - wrapping SUPAEncodedClause; 20c shows SUPAGenericDecoratedComponent - wrapping SUPAPolicyCollection. + Figure 20 shows how this is done for methods. + - Figure 20a shows the initial object to be wrapped + - Figure 20b shows the SUPAPolicyEvent object wrapping the + SUPAEncodedClause object + - Figure 20c shows SUPAGenericDecoratedComponent object + wrapping the SUPAPolicyEvent object. +-------------------+ | SUPAEncodedClause | | eval() | +-------------------+ (a) Initial Object ===> +------------------------+ - | SUPAPolicyCollection | + | SUPAPolicyEvent | | eval() | | +-------------------+ | | | SUPAEncodedClause | | | | eval() | | | +-------------------+ | +------------------------+ - (b) SUPAPolicyCollection "wraps" SUPAEncodedClause + (b) SUPAPolicyEvent "wraps" SUPAEncodedClause ===> +--------------------------------+ | SUPAGenericDecoratedComponent | | eval() | | +-----------------------+ | - | | SUPAPolicyCollection | | + | | SUPAPolicyEvent | | | | eval() | | | | +-------------------+ | | | | | SUPAEncodedClause | | | | | | eval() | | | | | +-------------------+ | | | +-----------------------+ | +--------------------------------+ - (c) SUPAGenericDecoratedComponent "wraps" SUPAPolicyCollection + (c) SUPAGenericDecoratedComponent "wraps" SUPAPolicyEvent Figure 20. Conceptual Depiction of eval() Decorated Method - When eval() is called in the outermost object + When the eval() method is called in the outermost object (SUPAGenericDecoratedComponent), it delegates to the eval() method - of SUPAPolicyCollection, which in turn delegates to the eval() - method of SUPAEncodedClause. This method executes and returns the - results to SUPAPolicyCollection, which executes and returns the - results to SUPAGenericDecoratedComponent, which executes and returns - the final result. + of SUPAPolicyEvent, which in turn delegates to the eval() method + of SUPAEncodedClause. This method executes and returns the + results to SUPAPolicyEvent, which executes and returns the results + to SUPAGenericDecoratedComponent, which executes and returns the + final result. 5.7.2. SUPAPolicyComponentDecorator Attributes Currently, there are two attributes defined for this class, which are described in the following subsections. Both attributes are used by subclasses to constrain the behavior of that subclass; they do **not** affect the relationship between the concrete subclass of SUPAPolicyComponentDecorator that is wrapping the concrete subclass of SUPAPolicyClause. @@ -3094,44 +3139,49 @@ subclass of SUPAPolicyClause and the concrete subclass of the SUPAPolicyComponentDecorator object that is wrapping it). Note that [2] does not define any attributes for this class. 5.7.2.1. The Attribute "supaPolCompConstraintEncoding" This is a mandatory non-negative enumerated integer that defines how to interpret each string in the supaPolCompConstraint class attribute. Values include: - 0: undefined - 1: OCL 2.4 - 2: OCL 2.x - 3: OCL 1.x - 4: QVT 1.2 - Relations Language - 5: QVT 1.2 - Operational language - 6: Alloy - 7: English text + 0: error + 1: init + 2: OCL 2.4 + 3: OCL 2.x + 4: OCL 1.x + 5: QVT 1.2 - Relations Language + 6: QVT 1.2 - Operational language + 7: Alloy + 8: ASCII Text - Enumerations 1-3 are dedicated to OCL (with OCL 2.4 being the - latest version as of this writing). QVT defines a set of languages - (the two most powerful and useful are defined by enumerations 4 - and 5). Alloy is a language for describing constraints, and uses a - SAT solver to guarantee correctness. Note that enumeration 7 - (English text) is not recommended (since it is informal, and hence, - not verifiable), but included for completeness. + Enumerations 1 and 2 signify an error state and an initialization + state, respectively. Enumeraitons 3-5 are dedicated to OCL (with + OCL 2.4 being the latest version as of this writing). QVT defines a + set of languages [20] (the two most powerful and useful are defined + by enumerations 5 and 6). Alloy is a language for describing + constraints, and uses a SAT solver to guarantee correctness [21]. + Enumeration 8 (ASCII Text) is not recommended (since it is informal, + and hence, not verifiable), but is included for completeness. -5.7.2.2. The Attribute "supaAPolCompConstraint[0..n]" + If this class is instantiated, then this attribute SHOULD also be + instantiated, and SHOULD be part of a conformant implementation. + +5.7.2.2. The Attribute "supaPolCompConstraint[0..n]" This is a mandatory array of string attributes. Each attribute specifies a constraint to be applied using the encoding defined in the supaPolCompConstraintEncoding class attribute. This provides a more rigorous and flexible treatment of constraints than is - possible in [RFC3460]. + possible in [RFC3460], [4], [5], and [6]. Note: [0..n] means that this is a multi-valued property that may have zero or more attributes. 5.7.3. SUPAPolicyComponentDecorator Relationships One relationship is currently defined for this class, which is described in the following subsection. 5.7.3.1. The Aggregation "SUPAHasDecoratedPolicyComponent" @@ -3160,86 +3210,89 @@ is wrapping the concrete subclass of SUPAPolicyClause. Note that class attributes of SUPAPolicyComponentDecorator (see section 5.9.2) only affect that specific subclass. 5.7.3.2.1. The Attribute "supaDecoratedConstraintEncoding" This is a mandatory non-negative enumerated integer that defines how to interpret each string in the supaDecoratedConstraint class attribute. Values include: - 0: undefined - 1: OCL 2.4 - 2: OCL 2.x - 3: OCL 1.x - 4: QVT 1.2 - Relations Language - 5: QVT 1.2 - Operational language - 6: Alloy - 7: English text + 0: error + 1: init + 2: OCL 2.4 + 3: OCL 2.x + 4: OCL 1.x + 5: QVT 1.2 - Relations Language + 6: QVT 1.2 - Operational language + 7: Alloy + 8: ASCII Text - Enumerations 1-3 are dedicated to OCL (with OCL 2.4 being the - latest version as of this writing). QVT defines a set of languages - (the two most powerful and useful are defined by enumerations 4 - and 5). Alloy is a language for describing constraints, and uses a - SAT solver to guarantee correctness. Note that enumeration 7 - (English text) is not recommended (since it is informal, and hence, - not verifiable), but included for completeness. + Enumerations 1 and 2 signify an error state and an initialization + state, respectively. Enumeraitons 3-5 are dedicated to OCL (with + OCL 2.4 being the latest version as of this writing). QVT defines a + set of languages [20] (the two most powerful and useful are defined + by enumerations 5 and 6). Alloy is a language for describing + constraints, and uses a SAT solver to guarantee correctness [21]. + Enumeration 8 (ASCII Text) is not recommended (since it is informal, + and hence, not verifiable), but is included for completeness. + + If this class is instantiated, then this attribute SHOULD also be + instantiated, and SHOULD be part of a conformant implementation. 5.7.3.2.2. The Attribute "supaDecoratedConstraint[0..n]" This is a mandatory array of string attributes. Its purpose is to collect a set of constraints to be applied to a decorated object. The interpretation of each constraint in the array is defined in the supaDecoratedConstraintsEncoding class attribute. Note: [0..n] means that this is a multi-valued property that may have zero or more attributes. 5.7.4. Illustration of Constraints in the Decorator Pattern - The following example will illustrate how the different constraints + Figure 21 builds a simple SUPAPolicyClause that has both types + of relationships, and illustrates how the different constraints defined in sections 5.7.2 (class attribute constraints) and section 5.7.3 (relationship constraints) can be used. - Figure 21 builds a simple SUPAPolicyClause that has both types - of relationships. - A A +------------------+ 0..1 +----------------------------+ | | 1..n / \| | | SUPAPolicyClause +------+----- A +SUPAPolicyComponentDecorator| | | ^ \ /| | +---------+--------+ | +-----------+----------------+ I | I I | I C I | C I - +--------+--------+ | +---------+----------+ - |SUPAEncodedClause| | |SUPAPolicyCollection| - +-----------------+ | +--------------------+ + +--------+--------+ | +---------+---------+ + |SUPAEncodedClause| | | SUPAPolicyEvent | + +-----------------+ | +-------------------+ | C | +-----------------+-------------------+ |SUPAHasDecoratedPolicyComponentDetail| +-------------------------------------+ Figure 21. Constraints in the Decorator Pattern Figure 21 says that a SUPAPolicyClause, realized as a - SUPAEncodedClause, is wrapped by a SUPAPolicyCollection object. - The attributes in the SUPAPolicyComponentDecorator object are used - to constrain the attributes in the SUPAPolicyCollection object, - while the attributes in the SUPAHasDecoratedPolicyComponentDetail + SUPAEncodedClause, is wrapped by a SUPAPolicyEvent object. The + attributes in the SUPAPolicyComponentDecorator object are used + to constrain the attributes in the SUPAPolicyEvent object, while + the attributes in the SUPAHasDecoratedPolicyComponentDetail object are used to contrain the behavior of the aggregation (SUPAHasDecoratedPolicyComponent). For example, the attributes in the SUPAPolicyComponentDecorator object could restrict the data - type and range of the components in the SUPAPolicyCollection, while + type and range of the components in the SUPAPolicyEvent, while the attributes in the SUPAHasDecoratedPolicyComponentDetail object - could restrict which SUPAPolicyCollection objects are allowed to be + could restrict which SUPAPolicyEvent objects are allowed to be used with which SUPAEncodedClauses. 5.8. The Abstract Class "SUPAPolicyTerm" This is a mandatory abstract class that is the parent of SUPAPolicy objects that can be used to define a standard way to test or set the value of a variable. It does this by defining a 3-tuple, in the form {variable, operator, value}, where each element of the 3-tuple is defined by a concrete subclass of the appropriate type (i.e., SUPAPolicyVariable, SUPAPolicyOperator, @@ -3364,22 +3417,22 @@ 5.9.2.1. The Attribute "supaPolVarName" This is an optional string attribute that contains the name of this SUPAPolicyVariable. This variable name forms part of the {variable, operator, value} canonical form of a SUPAPolicyClause. 5.9.3. SUPAPolicyVariable Relationships Currently, no relationships are defined for the SUPAPolicyVariable class (note that the decorator pattern obviates the need for - relationships such as those in [RFC3460] and [6]). - SUPAPolicyVariable, and its subclasses, inherit the + relationships such as those defined in [RFC3460] and [6]). This is + because SUPAPolicyVariable, and its subclasses, inherit the SUPAHasDecoratedPolicyComponent aggregation, which was defined in section 5.7.3. 5.10. The Concrete Class "SUPAPolicyOperator" This is a mandatory concrete class for modeling different types of operators that are used in a SUPAPolicyClause. The restriction of the type of operator used in a SUPAPolicyClause restricts the semantics that can be expressed in that @@ -3394,56 +3447,56 @@ Currently, SUPAPolicyOperator defines a single generic attribute, as described below. 5.10.2.1. The Attribute "supaPolOpType" This is a mandatory non-negative enumerated integer that specifies the various types of operators that are allowed to be used in this particular SUPAPolicyClause. Values include: - 0: Unknown - 1: Greater than - 2: Greater than or equal to - 3: Less than - 4: Less than or equal to - 5: Equal to - 6: Not equal to - 7: IN - 8: NOT IN - 9: SET - 10: CLEAR - 11: BETWEEN (inclusive) + 0: error + 1: init + 2: Greater than + 3: Greater than or equal to + 4: Less than + 5: Less than or equal to + 6: Equal to + 7: Not equal to + 8: IN + 9: NOT IN + 10: SET + 11: CLEAR (0 for integers, "" for strings, FALSE for Booleans) + 12: BETWEEN (inclusive) - Note that 0 is an unacceptable value. Its purpose is to support - dynamically building a SUPAPolicyClause by enabling the - application to set the value of this attribute to a standard - default value if the real value is not yet known. + Note that 0 and 1 represent error and initialization states, + respectively. Their purpose is to support dynamically building a + SUPAPolicyClause by enabling the application to set the value of + this attribute to a standard value. Additional operators may be defined in future work. For example, if SUPAPolicyVariables and SUPAPolicyValues are expanded to/from include structured objects, then "deep" versions of operators 1-6 could also be defined. In this case, values 1-6 will be edited to explicitly indicate that they perform "shallow" comparison operations. 5.10.3. SUPAPolicyOperator Relationships Currently, no relationships are defined for the SUPAPolicyOperator class (note that the decorator pattern obviates the need for - relationships such as those in [6]). SUPAPolicyOperator, and its - subclasses, inherit the SUPAHasDecoratedPolicyComponent - aggregation, which was defined in section 5.7.3. - - Please refer to the examples in section 7, which show how to - restrict the value, data type, range, and other semantics of the - SUPAPolicyOperator when used in a SUPAPolicyClause. + relationships such as those in [6]). This is because + SUPAPolicyOperator, and its subclasses, inherit the + SUPAHasDecoratedPolicyComponent aggregation, which was defined in + section 5.7.3. Please refer to the examples in section 7, which + show how to restrict the value, data type, range, and other + semantics of the SUPAPolicyOperator when used in a SUPAPolicyClause. 5.11. The Concrete Class "SUPAPolicyValue" The SUPAPolicyValue class is a mandatory concrete class for modeling different types of values and constants that occur in a SUPAPolicyClause. SUPAPolicyValues are used to abstract the representation of a SUPAPolicyRule from its implementation. Therefore, the design of SUPAPolicyValues depends on two important factors. First, just as @@ -3486,66 +3539,64 @@ class attribute. Note: [0..n] means that this is a multi-valued property that has zero or more attributes. 5.11.2.2. The Attribute "supaPolValEncoding" This is a mandatory string attribute that contains the data type of the SUPAPolicyValue object instance. Its value is defined by the supaPolValContent class attribute. Values include: - 0: Undefined - 1: String - 2: Integer - 3: Boolean - 4: Floating Point - 5: DateTime - 6: GUID - 7: UUID - 8: URI - 9: FQDN - 10: FQPN - 11: NULL + 0: error + 1: init + 2: String + 3: Integer + 4: Boolean + 5: Floating Point + 6: DateTime + 7: GUID + 8: UUID + 9: URI + 10: DN + 11: FQDN + 12: FQPN + 13: NULL - A string is a sequence of zero or more characters. An Integer is - a whole number (e.g., it has no fractional part). A Boolean - represents the values TRUE and FALSE. A floating point number may - contain fractional values, as well as an exponent. A DateTime - represents a value that has a date and/or a time component (as in - the Java or Python libraries). A NULL explicitly models the lack - of a value. + Note that 0 and 1 represent error and initialization states, + respectively. A string is a sequence of zero or more characters. An + Integer is a whole number, and has no fractional part. A Boolean may + take the values TRUE and FALSE. A floating point number may contain + fractional values, as well as an exponent. A DateTime represents a + value that has a date and/or a time component (as in the Java or + Python libraries). A NULL explicitly models the lack of a value. 5.11.3. SUPAPolicyValue Relationships Currently, no relationships are defined for the SUPAPolicyValue class (note that the decorator pattern obviates the need for relationships such as those in [6]). SUPAPolicyValue, and its subclasses, inherit the SUPAHasDecoratedPolicyComponent - aggregation, which was defined in section 5.7.3. - - Please refer to the examples in section 7, which show how to - restrict the value, data type, range, and other semantics of the - SUPAPolicyValue when used in a SUPAPolicyClause. + aggregation, which was defined in section 5.7.3. Please refer to + the examples in section 7, which show how to restrict the value, + data type, range, and other semantics of the SUPAPolicyValue when + used in a SUPAPolicyClause. 5.12. The Concrete Class "SUPAGenericDecoratedComponent" - A SUPAGenericDecoratedComponent enables a custom, vendor-specific - object to be defined and used in a SUPAPolicyClause. This class - was derived from [2], but is not present in [RFC3460], [4], [5], - or [6]. + A SUPAGenericDecoratedComponent enables a generic object to be + defined and used in a SUPAPolicyClause. This class was derived + from [2], but is not present in [RFC3460], [4], [5], or [6]. - This should not be confused with the SUPAEncodedClause class. The - SUPAGenericDecoratedComponent class represents a single, atomic, - vendor-specific object that defines a **portion** of a - SUPAPolicyClause, whereas a SUPAEncodedClause, which may or - may not be vendor-specific, represents an **entire** - SUPAPolicyClause. + This class should not be confused with the SUPAEncodedClause class. + The SUPAGenericDecoratedComponent class represents a single, atomic + object that defines a **portion** of a SUPAPolicyClause, whereas a + SUPAEncodedClause represents an **entire** SUPAPolicyClause. 5.12.1. SUPAGenericDecoratedComponent Attributes Currently, SUPAGenericDecoratedComponent defines two generic attributes, as described below. 5.12.1.1. The Attribute "supaVendorDecoratedCompContent[0..n]" This is a mandatory attribute that defines an array of strings. This array contains the value(s) of the @@ -3565,67 +3616,69 @@ 3: Boolean 4: Floating Point 5: DateTime 6: GUID 7: UUID 8: URI 9: FQDN 10: FQPN 11: NULL - A string is a sequence of zero or more characters. An Integer is - a whole number (e.g., it has no fractional part). A Boolean - represents the values TRUE and FALSE. A floating point number may - contain fractional values, as well as an exponent. A DateTime - represents a value that has a date and/or a time component (as in - the Java or Python libraries). A NULL explicitly models the lack - of a value. + Note that 0 and 1 represent error and initialization states, + respectively. A string is a sequence of zero or more characters. An + Integer is a whole number (e.g., it has no fractional part). A + Boolean represents the values TRUE and FALSE. A floating point + number may contain fractional values, as well as an exponent. A + DateTime represents a value that has a date and/or a time component + (as in the Java or Python libraries). A NULL explicitly models the + lack of a value. 5.12.2. SUPAGenericDecoratedComponent Relationships Currently, no relationships are defiend for the SUPAGenericDecoratedComponent class (note that the decorator pattern obviates the need for relationships such as those in [6]). SUPAGenericDecoratedComponent participates in a single relationship, SUPAHasDecoratedPolicyComponent, as defined in section 5.7.3. +** This class is under discussion - please comment as to its utility ** + 5.13. The Concrete Class "SUPAPolicyCollection" A SUPAPolicyCollection is an optional concrete class that enables a collection (e.g., set, bag, or other, more complex, collections of elements) of **arbitrary objects** to be defined and used as part of a SUPAPolicyClause. This class was derived from [2], but is not present in [RFC3460], [4], [5], or [6]. 5.13.1. Motivation One of the problems with ECA policy rules is when a set of events or conditions needs to be tested. For example, if a set of events is received, the policy system may need to wait for patterns of events to emerge (e.g., any number of Events of type A, followed by either one event of type B or two events of type Event C). - Similarly, a set of conditions, testing the value of an attribute, + Similarly, for conditions, testing the value of a set of attributes may need to be performed. Both of these represent behavior similar to a set of if-then-else statements or a switch statement. It is typically not desirable for the policy system to represent - each choice in such conditions as its own policy clause (i.e., a + each choice in such clauses as its own policy clause (i.e., a 3-tuple), as this creates object explosion and poor performance. Furthermore, in these cases, it is often required to have a set of complex logic to be executed, where the logic varies according to the particular event or condition that was selected. It is much too complex to represent this using separate objects, especially - when the logic is application- and/or vendor-specific. - - However, recall that one of the goals of this document was to - facilitate the machine-driven construction of policies. Therefore, - a solution to this problem is needed. + when the logic is application- and/or vendor-specific. However, + recall that one of the goals of this document was to facilitate + the machine-driven construction of policies. Therefore, a solution + to this problem is needed. 5.13.2. Solution Therefore, this document defines the concept of a collection of entities, called a SUPAPolicyCollection. Conceptually, the items to be collected (e.g., events or conditions) are aggregated in one or more SUPAPolicyCollection objects of the appropriate type. Another optional SUPAPolicyCollection object could be used to aggregate logic blocks (including SUPAPolicies) to execute. Once finished, all appropriate SUPAPolicyCollection objects are @@ -3652,65 +3705,74 @@ an object that is collected by this SUPAPolicyCollection instance. Note: [0..n] means that this is a multi-valued property that has zero or more attributes. 5.13.3.2. The Attribute "supaPolCollectionEncoding" This is an optional non-negative enumerated integer that defines the data type of the content of this collection instance. Values include: - 0: undefined - 1: by regex (regular expression) - 2: by URI + 0: error + 1: init + 2: by regex (regular expression) + 3: by URI - For example, if the value of this attribute is 1, then each of - the strings in the supaPolCollectionContent attribute represent - a regex that contains all or part of a string to match the class - name of the object that is to be collected by this instance of - a SUPAPolicyCollection class. + Note that 0 and 1 represent error and initialization states, + respectively. If the value of this attribute is 2, then each of the + strings in the supaPolCollectionContent attribute represent a regex + that contains all or part of a string to match the class name of the + object that is to be collected by this instance of a + SUPAPolicyCollection class. If the value of this attribute is 3, + then each of the strings in the supaPolCollectionContent attribute + represent a URI. 5.13.3.3. The Attribute "supaPolCollectionFunction" This is an optional non-negative enumerated integer that defines the function of this collection instance. Values include: - 0: undefined - 1: event collection - 2: condition collection - 3: action collection - 4: logic collection + 0: error + 1: init + 2: event collection + 3: condition collection + 4: action collection + 5: logic collection - Values 1-3 define a collection of objects that are to be used to - populate the event, condition, or action clauses, respectively, of - a SUPAECAPolicyRule. A value of 4 indicates that this collection - contains objects that define logic for processing a SUPAPolicy. + Note that 0 and 1 represent error and initialization states, + respectively. Values 2-4 define a collection of objects that are to + be used to populate the event, condition, or action clauses, + respectively, of a SUPAECAPolicyRule. A value of 4 indicates that + this collection contains objects that define logic for processing + a SUPAPolicy. 5.13.3.4. The Attribute "supaPolCollectionIsOrdered" This is an optional Boolean attribute. If the value of this attribute is TRUE, then all elements in this instance of this SUPAPolicyCollection are ordered. 5.13.3.5. The Attribute "supaPolCollectionType" This is an optional non-negative enumerated integer that defines the type of collection that this instance is. Values include: - 0: undefined - 1: set - 2: bag (e.g., multi-set) - 3: dictionary (e.g., associative array) + 0: error + 1: init + 2: set + 3: bag (e.g., multi-set) + 4: dictionary (e.g., associative array) - A set is an unordered collection of elements that MUST NOT have - duplicates. A bag is an unordered collection of elements; it MAY - also have duplicates. A dictionary is a table that associates a + Note that 0 and 1 represent error and initialization states, + respectively. A set is an unordered collection of elements that MUST + NOT have duplicates. A bag is an unordered collection of elements; + it MAY have duplicates. A dictionary is a table that associates a key with a value. Sets have a number of important functions, including: o membership: returns TRUE if the element being tested is in the set, and FALSE otherwise o subset: returns TRUE if all elements in the first set are also in the second set o union: returns all elements from both sets with no duplicates @@ -3884,26 +3946,33 @@ represents part of the object identifier of an instance of this class. It defines the format of the object identifier. It works with another class attribute, called supaPolMetadataIDContent, which defines the content of the object ID. These two attributes form a tuple, and together enable a machine to understand the syntax and value of an object identifier for the object instance of this class. The supaPolMetadataIDEncoding attribute is mapped to the following values: - 0: undefined - 1: GUID - 2: UUID - 3: URI - 4: FQDN - 5: FQPN + 0: error + 1: init + 2: GUID + 3: UUID + 4: URI + 5: FQDN + 6: FQPN + 7: string_instance_id + + Note that 0 and 1 represent error and initialization states, + respectively. Values 2-6 define the content as a reference. Value 7 + defines the content as a string that is the canonical + representation, in ASCII, of an instance ID of this object. 5.16.1.4. The Attribute "supaPolMetadataName" This is an optional string attribute that defines the name of this SUPAPolicyMetadata object. 5.16.2. SUPAPolicyMetadata Relationships SUPAPolicyMetadata participates in a single aggregation, which is defined in the following subsections. @@ -3939,39 +4008,41 @@ attribute is TRUE, then the SUPAPolicyMetadata object(s) of this particular SUPAHasPolicyMetadata aggregation SHOULD be aggregated by this particular SUPAPolicyObject. 5.16.2.2.2. The Attribute "supaPolMetadataConstraintEncoding" This is an optional non-negative enumerated integer that defines how to interpret each string in the supaPolMetadataConstraint class attribute. Values include: - 0: undefined - 1: OCL 2.4 - 2: OCL 2.x - 3: OCL 1.x - 4: QVT 1.2 - Relations Language - 5: QVT 1.2 - Operational language - 6: Alloy - 7: English text + 0: error + 1: init + 2: OCL 2.4 + 3: OCL 2.x + 4: OCL 1.x + 5: QVT 1.2 - Relations Language + 6: QVT 1.2 - Operational language + 7: Alloy + 8: ASCII Text - Enumerations 1-3 are dedicated to OCL (with OCL 2.4 being the - latest version as of this writing). QVT defines a set of languages - (the two most powerful and useful are defined by enumerations 4 - and 5). Alloy is a language for describing constraints, and uses a - SAT solver to guarantee correctness. Note that enumeration 7 - (English text) is not recommended (since it is informal, and hence, - not verifiable), but included for completeness. + Enumerations 1 and 2 signify an error state and an initialization + state, respectively. Enumeraitons 3-5 are dedicated to OCL (with + OCL 2.4 being the latest version as of this writing). QVT defines a + set of languages [20] (the two most powerful and useful are defined + by enumerations 5 and 6). Alloy is a language for describing + constraints, and uses a SAT solver to guarantee correctness [21]. + Enumeration 8 (ASCII Text) is not recommended (since it is informal, + and hence, not verifiable), but is included for completeness. If this class is instantiated, then this attribute SHOULD also be - instantiated, and should be part of a conformant implementation. + instantiated, and SHOULD be part of a conformant implementation. 5.16.2.2.3. The Attribute "supaPolMetadataConstraint[0..n]" This is an optional array of string attributes. Each attribute specifies a constraint to be applied using the format identified by the value of the supaPolMetadataPolicyConstraintEncoding class attribute. This provides a more rigorous and flexible treatment of constraints than is possible in [RFC3460]. If this class is instantiated, then this attribute SHOULD also be @@ -4096,68 +4167,74 @@ 5.19.1.1. The Attribute "supaPolAccessPrivilegeDef" This is an optional non-negative enumerated integer attribute. It specifies the access privileges that external Applications have when interacting with a specific SUPAPolicyObject that is adorned with an instance of this SUPAPolicyAccessMetadataDef object. This enables the management system to control, in a consistent manner, the set of operations that external Applications have for SUPAPolicies and components of SUPAPolicies. Values include: - 0: undefined - 1: read only (for all policy components) - 2: read and write (for all policy components) - 3: privileges are specified by an external MAC model - 4: privileges are specified by an external DAC model - 5: privileges are specified by an external RBAC model - 6: privileges are specified by an external ABAC model - 7: privileges are specified by an external custom model + 0: error + 1: init + 2: read only (for all policy components) + 3: read and write (for all policy components) + 4: privileges are specified by an external MAC model + 5: privileges are specified by an external DAC model + 6: privileges are specified by an external RBAC model + 7: privileges are specified by an external ABAC model + 8: privileges are specified by an external custom model - Values 1 and 2 apply to ALL SUPAPolicyObject instances that are - adorned with this SUPAPolicyConcreteMetadata object instance; - these two settings are "all-or-nothing" settings, and are included - for ease of use. + Note that 0 and 1 represent error and initialization states, + respectively. Values 4-8 indicate that a formal external access + control model is used. The name of this model, and its location, + are specified in two other class attributes, called + supaPolAccessPrivilegeModelName and supaPolAccessPrivilegeModelRef. - Values 3-7 indicate that a formal external access control model is - used. The name of this model, and its location, are specified in - two other class attributes, called supaPolAccessPrivilegeModelName - and supaPolAccessPrivilegeModelRef. MAC, DAC, RBAC, and ABAC - (values 3-6 stand for Mandatory Access Control, Discretionary - Access Control, Role-Based Access Control, and Attribute-Based - Access Control, respectively. A value of 7 indicates that a formal - external model that is not MAC, DAC, RBAC, or ABAC is used. + MAC, DAC, RBAC, and ABAC (values 4-7 stand for Mandatory Access + Control, Discretionary Access Control, Role-Based Access Control, + and Attribute-Based Access Control, respectively. They are defined + in [22]. A value of 8 indicates that a formal external model that + is not MAC, DAC, RBAC, or ABAC is used. 5.19.1.2. The Attribute "supaPolAccessPrivilegeModelName" This is an optional string attribute that contains the name of the access control model being used. If the value of the supaPolAccessPrivilegeDef is 0-2, then the value of this attribute is not applicable. Otherwise, the text in this class attribute should be interpreted according to the value of the supaPolAccessPrivilegeModelRef class attribute. 5.19.1.3. The Attribute "supaPolAccessPrivilegeModelRef" This is an optional non-negative enumerated integer attribute that defines the data type of the supaPolAccessPrivilegeModelName attribute. If the value of the supaPolAccessPrivilegeDef class attribute is 0-2, then the value of this attribute is not applicable. Otherwise, the value of this class attribute defines how to interpret the text in the supaPolAccessPrivilegeModelRef class attribute. Values include: - 0: Undefined - 1: URI + 0: error + 1: init 2: GUID 3: UUID - 4: FQDN - 5: FQPN + 4: URI + 5: FQDN + 6: FQPN + 7: string_instance_id + + Note that 0 and 1 represent error and initialization states, + respectively. Values 2-6 define the content as a reference. Value 7 + defines the content as a string that is the canonical + representation, in ASCII, of an instance ID of this object. 5.20. The Concrete Class "SUPAPolicyVersionMetadataDef" This is an optional concrete class that defines versioning information, in the form of metadata, that can be added to a SUPAPolicyObject. This enables all or part of a standardized description and/or specification of version information for a given SUPAPolicyObject to be easily changed at runtime by wrapping an object instance of the SUPAPolicyConcreteMetadata class (or its subclass) with all or part of this object. @@ -4302,21 +4379,22 @@ of the SUPA ECAPolicyRule Information Model (EPRIM). Unless otherwise stated, all classes (and attributes) defined in this section were abstracted from DEN-ng [2], and a version of them are in the process of being added to [5]. 6.1. Overview Conceptually, the EPRIM is a set of subclasses that specialize the concepts defined in the GPIM for representing the components of a Policy that uses ECA semantics. This is shown in Figure 23 (only - new EPRIM subclasses and their GPIM superclasses are shown). + new EPRIM subclasses and their GPIM superclasses are shown; note + that the SUPAPolicyMetadata hierarchy is used **as is**). (Class of another model that SUPA is integrating into) | +---SUPAPolicyObject (5.2) | +---SUPAPolicyStructure (5.3) | | | +---SUPAECAPolicyRule (6.4) | | | +---SUPAECAPolicyRuleAtomic (6.5) @@ -4607,28 +4684,33 @@ among policy actions (e.g., given a set of conflicting actions, which one will execute) and (2) to define the execution order of policy actions (e.g., when one action may depend on the output of one or more previous actions). 6.4.1.2. The Attribute "supaECAPolicyRuleStatus" This is an optional non-negative enumerated integer whose value defines the current status of this policy rule. Values include: - 0: In development, not ready to be deployed + 0: error + 1: init + 2: In development, not ready to be deployed 1: Ready to be deployed 2: Deployed but not enabled 3: Deployed and enabled, but not executed 4: Executed without errors 5: Executed with errors 6: Aborted during execution + Note that 0 and 1 represent error and initialization states, + respectively. + 6.4.2. SUPAECAPolicyRule Relationships Currently, the SUPAECAPolicyRule does not define any relationships. It inherits all four relationships defined by the SUPAPolicyStructure class (see section 5.3.2.). 6.5. The Concrete Class "SUPAECAPolicyRuleAtomic" This is a mandatory concrete class. This class is a type of PolicyContainer, and represents a SUPAECAPolicyRule that can @@ -4666,57 +4748,63 @@ 6.6.1.1. The Attribute "supaECAEvalStrategy" This is a mandatory, non-zero, integer attribute that enumerates a set of allowable alternatives that define how the set of SUPAECAPolicyRule object instances in a SUPAECAPolicyRuleComposite object are evaluated. It is assumed that the event and condition clauses of the SUPAECAPolicyRules have evaluated to TRUE (e.g., the event has occurred and the conditions were met). Values include: - 0: undefined - 1: execute the first SUPAECAPolicyRule in the + 0: error + 1: init + 2: execute the first SUPAECAPolicyRule in the SUPAECAPolicyRuleComposite and then terminate - 2: execute only the highest priority SUPAECAPolicyRule(s) in + 3: execute only the highest priority SUPAECAPolicyRule(s) in the SUPAECAPolicyRuleComposite and then terminate - 3: execute all SUPAECAPolicyRules in prioritized order (if + 4: execute all SUPAECAPolicyRules in prioritized order (if any) regardless of whether their SUPAPolicyActions succeed or fail - 4: execute all SUPAECAPolicyRules in prioritized order (if + 5: execute all SUPAECAPolicyRules in prioritized order (if any) until at least one SUPAPolicyAction in a SUPAECAPolicyRule fails, and then terminate + Note that 0 and 1 represent error and initialization states, + respectively. + If the value of supaECAEvalStrategy is 3 or 4, then all SUPAECAPolicyRules that have a priority will be executed first (starting with the SUPAECAPolicyRule(s) that have the highest priority, and descending); all SUPAECAPolicyRule(s) that do not have a priority are then executed (in any order). Assume that the actions in a given SUPAECAPolicyRuleComposite are defined as follows SUPAECAPolicyRule A, priority 0 SUPAECAPolicyRule B, priority 10 SUPAECAPolicyRule C, priority 5 SUPAECAPolicyRule D, priority 10 SUPAECAPolicyRule E, priority 2 Then, if the supaECAEvalStrategy attribute value equals: 0: an error is issued - 1: only SUPAECAPolicyRule A is executed - 2: only SUPAECAPolicyRules B and D are executed - 3: all SUPAECAPolicyRules are executed, regardless of any + 1: this SUPAECAPolicyRule MUST NOT be used (since it is not yet + properly initialized) + 2: only SUPAECAPolicyRule A is executed + 3: only SUPAECAPolicyRules B and D are executed + 4: all SUPAECAPolicyRules are executed, regardless of any failures in their SUPAPolicyActions - 4: all SUPAECAPolicyRules are executed until a failure is + 5: all SUPAECAPolicyRules are executed until a failure is detected, and then execution for all SUPAECAPolicyRules - terminate + terminates 6.6.2. SUPAECAPolicyRuleComposite Relationships Currently, the SUPAECAPolicyRuleComposite defines a single aggregation between it and SUPAECAPolicyRule, as described below. 6.6.2.1. The Aggregation "SUPAHasECAPolicyRule" This is an optional aggregation that implements the composite pattern. The multiplicity of this aggregation is 0..1 on the @@ -5007,35 +5095,36 @@ Note: [0..n] means that this is a multi-valued property that has zero or more attributes. 6.11.1.4. The Attribute "supaPolicyEventEncoding" This is a mandatory non-zero enumerated integer attribute, and defines how to interpret the supaPolicyEventData class attribute. These two attributes form a tuple, and together enable a machine to understand the syntax and value of the data carried by the object instance of this class. Values include: - - 0: Undefined - 1: String - 2: Integer - 3: Boolean - 4: Floating Point - 5: DateTime + 0: error + 1: init + 2: String + 3: Integer + 4: Boolean + 5: Floating Point + 6: DateTime 6.11.1.5. The Attribute "supaPolicyEventData[1..n]" This is a mandatory attribute that defines an array of strings. Each string in the array represents an attribute name and value of an Event object. The format of each string is defined as name:value. The 'name' part is the name of the SUPAPolicyEvent attribute, and the 'value' part is the value of that attribute. + Note: [1..n] means that this is a multi-valued property that has at least one (and possibly more) attributes. For example, if this value of this attribute is: {(startTime:0800), (endTime:1700), (date:2016-05-11), (timeZone:-08:00)} then this attribute contains four properties, called startTime, endTime, date, and timeZone whose values are 0800, 1700, May 11 2016, and Pacific Standard Time, respectively. @@ -5084,36 +5173,41 @@ by the object instance of this class. 6.12.1.2. The Attribute "supaPolicyConditionEncoding" This is a mandatory non-zero enumerated integer attribute, and defines the data type of the supaPolicyConditionData attribute. These two attributes form a tuple, and together enable a machine to understand the syntax and value of the content of this SUPAPolicyCondition object. Values include: - 0: undefined - 1: String - 2: OCL 2.x - 3: OCL 1.x - 4: QVT 1.2 - Relations Language - 5: QVT 1.2 - Operational language - 6: Alloy - 7: English text + 0: error + 1: init + 2: OCL 2.4 + 3: OCL 2.x + 4: OCL 1.x + 5: QVT 1.2 - Relations Language + 6: QVT 1.2 - Operational language + 7: Alloy + 8: ASCII Text - Enumerations 1-3 are dedicated to OCL (with OCL 2.4 being the - latest version as of this writing). QVT defines a set of languages - (the two most powerful and useful are defined by enumerations 4 - and 5). Alloy is a language for describing constraints, and uses a - SAT solver to guarantee correctness. Note that enumeration 7 - (English text) is not recommended (since it is informal, and hence, - not verifiable), but included for completeness. + Enumerations 1 and 2 signify an error state and an initialization + state, respectively. Enumeraitons 3-5 are dedicated to OCL (with + OCL 2.4 being the latest version as of this writing). QVT defines a + set of languages [20] (the two most powerful and useful are defined + by enumerations 5 and 6). Alloy is a language for describing + constraints, and uses a SAT solver to guarantee correctness [21]. + Enumeration 8 (ASCII Text) is not recommended (since it is informal, + and hence, not verifiable), but is included for completeness. + + If this class is instantiated, then this attribute SHOULD also be + instantiated, and SHOULD be part of a conformant implementation. 6.12.2. SUPAPolicyEvent Relationships No relationships are currently defined for this class. It inherits the relationships defined by the SUPAPolicyComponentDecorator (see section 5.7.3.). 6.13. The Concrete Class "SUPAPolicyAction" This is a mandatory concrete class that represents the concept of @@ -5168,31 +5262,46 @@ 6.13.1.2. The Attribute "supaPolicyActionEncoding" This is a mandatory non-zero enumerated integer attribute, and defines the data type of the supaPolicyActionData attribute. This attribute works with another class attribute, called supaPolicyActionData, which contains the content of the action. These two attributes form a tuple, and together enable a machine to understand the syntax and value of the content of this SUPAPolicyAction object. Values include: - 0: undefined - 1: GUID - 2: UUID - 3: URI - 4: FQDN - 5: String - 6: OCL 2.x - 7: OCL 1.x - 8: QVT 1.2 - Relations Language - 9: QVT 1.2 - Operational language - 10: Alloy + 0: error + 1: init + 2: OCL 2.4 + 3: OCL 2.x + 4: OCL 1.x + 5: QVT 1.2 - Relations Language + 6: QVT 1.2 - Operational language + 7: Alloy + 8: ASCII Text + 9: GUID + 10: UUID + 11: URI + 12: FQDN + + Enumerations 1 and 2 signify an error state and an initialization + state, respectively. Enumeraitons 3-5 are dedicated to OCL (with + OCL 2.4 being the latest version as of this writing). QVT defines a + set of languages [20] (the two most powerful and useful are defined + by enumerations 5 and 6). Alloy is a language for describing + constraints, and uses a SAT solver to guarantee correctness [21]. + Enumeration 8 (ASCII Text) is not recommended (since it is informal, + and hence, not verifiable), but is included for completeness. + Enumerations 9-12 define a reference to the SUPAPolicyAction. + + If this class is instantiated, then this attribute SHOULD also be + instantiated, and SHOULD be part of a conformant implementation. 6.13.2. SUPAPolicyAction Relationships No relationships are currently defined for this class. It inherits the relationships defined by the SUPAPolicyComponentDecorator (see section 5.7.3.). Enumerations 1-4 are used to provide a reference to an action object. Enumerations 5-10 are used to express the action to perform as a string. @@ -5227,27 +5336,20 @@ 12. References This section defines normative and informative references for this document. 12.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. - [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for - the Network Configuration Protocol (NETCONF)", - RFC 6020, October 2010. - - [RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991, - July 2013. - 12.2. Informative References [RFC3060] Moore, B., Ellesson, E., Strassner, J., Westerinen, A., "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001 [RFC3198] Westerinen, A., Schnizlein, J., Strassner, J., Scherling, M., Quinn, B., Herzog, S., Huynh, A., Carlson, M., Perry, J., Waldbusser, S., "Terminology for Policy-Based Management", RFC 3198, November, 2001 @@ -5308,36 +5410,40 @@ [13] Liskov, B.H., Wing, J.M., "A Behavioral Notion of subtyping", ACM Transactions on Programming languages and Systems, 16 (6): 1811 - 1841, 1994 [14] Martin, R.C., "Agile Software Development, Principles, Patterns, and Practices", Prentice-Hall, 2002, ISBN: 0-13-597444-5 [15] Halpern, J., Strassner, J., "Generic Policy Data Model for Simplified Use of Policy Abstractions (SUPA)" - draft-ietf-supa-generic-policy-data-model-00, + draft-ietf-supa-generic-policy-data-model-02, July 13, 2016 [16] Wang, Y., Esposito, F., Matta, I., Day, J., "RINA: An Architecture for Policy-based Dynamic Service Management", Tech Report BUCS-TR-2013-014, 2013 [17] Meyer, B., "Object-Oriented Software Construction", Prentice Hall, second edition, 1997 ISBN 0-13-629155-4 [18] http://semver.org/ [19] ISO/IEC:2004(E), "Data elements and interchange formats -- Information interchange -- Representation of dates and times", 2004 + [20] http://www.omg.org/spec/QVT/ + + [21] http://alloy.mit.edu/alloy/ + Authors' Addresses John Strassner Huawei Technologies 2330 Central Expressway Santa Clara, CA 95138 USA Email: john.sc.strassner@huawei.com Joel Halpern Ericsson