Re: [netmod] a question about 'when'

Ladislav Lhotka <lhotka@nic.cz> Fri, 09 August 2019 12:08 UTC

Return-Path: <lhotka@nic.cz>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FA8C120132 for <netmod@ietfa.amsl.com>; Fri, 9 Aug 2019 05:08:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gf_atiOZPi0K for <netmod@ietfa.amsl.com>; Fri, 9 Aug 2019 05:08:01 -0700 (PDT)
Received: from trail.lhotka.name (trail.lhotka.name [77.48.224.143]) by ietfa.amsl.com (Postfix) with ESMTP id C874A120140 for <netmod@ietf.org>; Fri, 9 Aug 2019 05:08:00 -0700 (PDT)
Received: by trail.lhotka.name (Postfix, from userid 109) id 9398218201CB; Fri, 9 Aug 2019 14:10:08 +0200 (CEST)
Received: from localhost (unknown [195.113.220.121]) by trail.lhotka.name (Postfix) with ESMTPSA id 9B37518201C5; Fri, 9 Aug 2019 14:10:03 +0200 (CEST)
From: Ladislav Lhotka <lhotka@nic.cz>
To: "Rob Wilton \(rwilton\)" <rwilton@cisco.com>, Andy Bierman <andy@yumaworks.com>
Cc: "Fengchong \(frank\)" <frank.fengchong@huawei.com>, "netmod\@ietf.org" <netmod@ietf.org>, "Zhangxiaoping \(C\)" <zhang.xiaoping@huawei.com>, liuzhiying <liuzhiying@huawei.com>
In-Reply-To: <BYAPR11MB26317E5F1ED33289D07AC440B5D40@BYAPR11MB2631.namprd11.prod.outlook.com>
References: <5756FB984666AD4BB8E1D63E2E3AA3D001EE95B1@DGGEMM533-MBS.china.huawei.com> <87o914gcxn.fsf@nic.cz> <CABCOCHQLqB60o1JJQ24TV_ogZFKS3poJ8PxBZeM4+po==qZqcQ@mail.gmail.com> <8736ide87b.fsf@nic.cz> <BYAPR11MB2631BBE3A5726FBDB016D24DB5D40@BYAPR11MB2631.namprd11.prod.outlook.com> <CABCOCHT_9EhEkdPKiGxAZYEvsDGauDNQw=TMUkm+qZFCRPXr7Q@mail.gmail.com> <BYAPR11MB26317E5F1ED33289D07AC440B5D40@BYAPR11MB2631.namprd11.prod.outlook.com>
Mail-Followup-To: "Rob Wilton \(rwilton\)" <rwilton@cisco.com>, Andy Bierman <andy@yumaworks.com>, "Fengchong \(frank\)" <frank.fengchong@huawei.com>, "netmod\@ietf.org" <netmod@ietf.org>, "Zhangxiaoping \(C\)" <zhang.xiaoping@huawei.com>, liuzhiying <liuzhiying@huawei.com>
Date: Fri, 09 Aug 2019 14:07:54 +0200
Message-ID: <87mugiee3p.fsf@nic.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/2FZjvEy191Sfyb4ypn_Xst5z08M>
Subject: Re: [netmod] a question about 'when'
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Aug 2019 12:08:04 -0000

"Rob Wilton (rwilton)" <rwilton@cisco.com>; writes:

> Hi Andy,
>
> From: Andy Bierman <andy@yumaworks.com>;
> Sent: 07 August 2019 16:30
> To: Rob Wilton (rwilton) <rwilton@cisco.com>;
> Cc: Ladislav Lhotka <lhotka@nic.cz>;; Fengchong (frank) <frank.fengchong@huawei.com>;; netmod@ietf.org; Zhangxiaoping (C) <zhang.xiaoping@huawei.com>;; liuzhiying <liuzhiying@huawei.com>;
> Subject: Re: [netmod] a question about 'when'
>
>
>
> On Wed, Aug 7, 2019 at 2:07 AM Rob Wilton (rwilton) <rwilton@cisco.com<mailto:rwilton@cisco.com>> wrote:
> I can see that 'when automatic deletion' processing can be useful if the configuration is being manipulated by a human.  E.g. if I delete a VRF then all the configuration that references that VRF can magically disappear.  Assuming the server supports config rollback then even if I make a catastrophic mistake, it isn't usually that hard to recover from.
>
> But for a fully automated client, then I agree with Lada, in that I see the server side 'when automatic deletion' processing as unhelpful.  The client logically needs to know/understand the full configuration anyway, so it should be able to generate the complete configuration change required to update the server with a new valid configuration state.  In these scenarios, having the server perform 'when automatic deletion' processing seems to increase the risk that that client and server views of the configuration could end up out of sync.  Some clients simplify the protocol operations by always doing a config replace on every config change to guarantee that the copy of the configuration on the server matches what is in the client.
>
> For clients that exist somewhere between no automation and full automation, then I can imagine that for some cases 'when automatic deletion' processing might be useful, and other cases where it is unhelpful.
>
>
> I don't see the big distinction between types of clients.
> YANG has 2 mechanisms (must and leafref) that will cause an error instead of a silent deletion.
> The when-stmt is used to indicate that the subtree is not relevant to the model if the result is false.
> [RW]
> The definition of a “when” statement is fine (i.e. the subtree becomes invalid if the ‘when’ check fails).  My only issue is with the automatic deletion behaviour that I think is unhelpful at times.

On the other hand, the "when" statement is so dangerous and tricky exactly because it is so powerful. If it was restricted and its effects localized, then the auto-delete behaviour could also be more generally acceptable.

>
> You can easily use must-stmt instead to cause the error behavior
> instead of deletion behavior.  This should be part of the model
> design, not left up to server developers.

> [RW] But as a client I would not want the server to silently remove
> configuration because a when condition became false.  Instead, I
> would rather do it explicitly and have the server return an error so
> that I can fix the behaviour of the client.  If the client is aware
> of the schema then it can also prune config associated with failed
> when conditions if it wants.

Yes, the same YANG module can be used with different setups and policies that may require different approaches.

>
> Ultimately, my aim as a client is to get a complete configuration in the client down to the server, and to be sure that the two are consistent.  The ‘when automatic deletion’ behaviour doesn’t help with that, it makes it riskier.  As mentioned previously, this can be mitigated by always sending the entire configuration down as a config replace, at which point I would presume that the ‘when’ statements are evaluated equivalently to ‘must’ statements anyway – although I’m not sure whether RFC 7950 is clear on this.
>
> Personally, I would have preferred that the 'when automatic deletion' processing was controlled via an explicit protocol option, with the default behaviour to just validate when statements (equivalently to must statements) and not perform any automatically config deletion.
>
> There has been nothing preventing anyone from augmenting the
> operations to turn off auto-deletion.  Is this widely implemented?
> Implemented at all?  [RW] I think that it is as Lada stated, some
> servers just don’t check must or when statements at all, or don’t
> perform the automatic deletion.  I’m not advocating that is a good
> or the right thing to do.  They just don’t comply to that part of
> the RFC.

Right, there is no reason why YANG couldn't be used with management protocols that don't support server-side auto-deletion. In fact, it is already used in situations when there is no management protocol at all.

Lada

>
> Thanks,
> Rob
>
>
>
> Thanks,
> Rob
>
> Andy
>
>
> -----Original Message-----
> From: netmod <netmod-bounces@ietf.org<mailto:netmod-bounces@ietf.org>> On Behalf Of Ladislav Lhotka
> Sent: 07 August 2019 08:39
> To: Andy Bierman <andy@yumaworks.com<mailto:andy@yumaworks.com>>; Fengchong (frank) <frank.fengchong@huawei.com<mailto:frank.fengchong@huawei.com>>; netmod@ietf.org<mailto:netmod@ietf.org>; Zhangxiaoping (C) <zhang.xiaoping@huawei.com<mailto:zhang.xiaoping@huawei.com>>; liuzhiying <liuzhiying@huawei.com<mailto:liuzhiying@huawei.com>>
> Subject: Re: [netmod] a question about 'when'
>
> Andy Bierman <andy@yumaworks.com<mailto:andy@yumaworks.com>> writes:
>
>> On Mon, Aug 5, 2019 at 2:49 AM Ladislav Lhotka <lhotka@nic.cz<mailto:lhotka@nic.cz>> wrote:
>>
>>> "Fengchong (frank)" <frank.fengchong@huawei.com<mailto:frank.fengchong@huawei.com>> writes:
>>>
>>> > Hi all,
>>> >
>>> > I encounter a question about 'when', when I implement yang model
>>> associated when condition.
>>> >
>>> > Yang model:
>>> >
>>> > leaf password-type {
>>> >    type enumeration {
>>> >       enum null;
>>> >       enum simple;
>>> >       enum cipher;
>>> >    }
>>> > }
>>> >
>>> > leaf password-text {
>>> > type string;
>>> > when "../password-type != null";
>>> > }
>>> >
>>> > I config these two leafs as below:
>>> > <password-type>simple</password-type>
>>> > <password-text>123456</password-text>
>>> >
>>> > And I changed password-type to null, I get the config like below:
>>> > <password-type>null</password-type>
>>> >
>>> > And then, I reconfig the password-type to simple, what data should
>>> > be
>>> returned?
>>> >
>>> > Is
>>> >   <password-type>simple</password-type>
>>>
>>> According to RFC 7950, sec. 8.2, the server deleted "password-text"
>>> after you changed "password-type" to null but the original value
>>> isn't recovered after you change the type back.
>>>
>>> This server behaviour means that a typo or similar trivial error may
>>> have catastrophic consequences such as auto-deletion of entire
>>> configuration subtrees. That's why our RESTCONF implementation
>>> (jetconf) does something
>>> else: it won't permit you to change "password-type" to null as long
>>> as the "password-text" exists.
>>>
>>>
>> It seems odd to optimize the server for client mistakes.
>
> This is just the principle of least embarrassment. The problem is that it is not indicated in the data model that deleting or changing something may have far-reaching consequences.
>
>> It is far more likely (99 to 1?) that the client knows what it is
>> doing and expects the standard to be followed.  Consider the burden on
>> the client deleting all the "false-when" nodes manually. This is
>
> If it is a significant burden, then it's also quite likely that the client may not be completely aware of what's going to be auto-deleted.
>
>> also inconsistent with the standard behavior for choice-stmt (new case
>> deletes the old case automatically).
>
> This is quite different in that the impact is localized: one can easily see that a given leaf is a case in a choice so that it cannot exist along with another case.
>
> Lada
>
>>
>> Lada
>>>
>>>
>> Andy
>>
>>
>>> >
>>> > Or
>>> >
>>> >   <password-type>simple</password-type>
>>> >   <password-text>123456</password-type>
>>> > _______________________________________________
>>> > netmod mailing list
>>> > netmod@ietf.org<mailto:netmod@ietf.org>
>>> > https://www.ietf.org/mailman/listinfo/netmod
>>>
>>> --
>>> Ladislav Lhotka
>>> Head, CZ.NIC Labs
>>> PGP Key ID: 0xB8F92B08A9F76C67
>>>
>>> _______________________________________________
>>> netmod mailing list
>>> netmod@ietf.org<mailto:netmod@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/netmod
>>>
>> _______________________________________________
>> netmod mailing list
>> netmod@ietf.org<mailto:netmod@ietf.org>
>> https://www.ietf.org/mailman/listinfo/netmod
>
> --
> Ladislav Lhotka
> Head, CZ.NIC Labs
> PGP Key ID: 0xB8F92B08A9F76C67
>
> _______________________________________________
> netmod mailing list
> netmod@ietf.org<mailto:netmod@ietf.org>
> https://www.ietf.org/mailman/listinfo/netmod

-- 
Ladislav Lhotka 
Head, CZ.NIC Labs
PGP Key ID: 0xB8F92B08A9F76C67