RE: [Policy] FW: I-D ACTION:draft-reyes-policy-core-ext-schema-04 .txt
"John Strassner" <John.Strassner@intelliden.com> Wed, 05 May 2004 19:55 UTC
Received: from optimus.ietf.org (www.iesg.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA08406 for <policy-archive@odin.ietf.org>; Wed, 5 May 2004 15:55:36 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BLSPc-0006UZ-9r for policy-archive@odin.ietf.org; Wed, 05 May 2004 15:50:37 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i45Joaqp024952 for policy-archive@odin.ietf.org; Wed, 5 May 2004 15:50:36 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BLSEP-0001oy-3t; Wed, 05 May 2004 15:39:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BHzCR-0005hH-DS for policy@optimus.ietf.org; Mon, 26 Apr 2004 02:02:39 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA13339 for <policy@ietf.org>; Mon, 26 Apr 2004 02:02:36 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BHzCN-0004bP-QG for policy@ietf.org; Mon, 26 Apr 2004 02:02:35 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BHzBN-0004Oy-00 for policy@ietf.org; Mon, 26 Apr 2004 02:01:39 -0400
Received: from cosium03.intelliden.net ([12.41.186.100]) by ietf-mx with esmtp (Exim 4.12) id 1BHzAQ-00041V-00 for policy@ietf.org; Mon, 26 Apr 2004 02:00:34 -0400
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C42B53.AE30CC10"
Subject: RE: [Policy] FW: I-D ACTION:draft-reyes-policy-core-ext-schema-04 .txt
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Date: Sun, 25 Apr 2004 23:59:47 -0600
Message-ID: <AE723009E85E224CB00132C7FF0B34E1F33DFE@cosium02.intelliden.net>
Thread-Topic: [Policy] FW: I-D ACTION:draft-reyes-policy-core-ext-schema-04 .txt
Thread-Index: AcQUKc5Rt4ZRSr0JSji/8NQ2XLWjZQXDwBCA
From: John Strassner <John.Strassner@intelliden.com>
To: mpana@metasolv.com, policy@ietf.org
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.5 required=5.0 tests=AWL,HTML_20_30, HTML_FONTCOLOR_BLUE,HTML_MESSAGE autolearn=no version=2.60
Sender: policy-admin@ietf.org
Errors-To: policy-admin@ietf.org
X-BeenThere: policy@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/policy>, <mailto:policy-request@ietf.org?subject=unsubscribe>
List-Id: Policy Framework <policy.ietf.org>
List-Post: <mailto:policy@ietf.org>
List-Help: <mailto:policy-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/policy>, <mailto:policy-request@ietf.org?subject=subscribe>
Hi Mircea, thanks for addressing these issues, and apologies for the delay in response. Please see inline (<js>..</js>) for clarifications. regards, John -----Original Message----- From: policy-admin@ietf.org [mailto:policy-admin@ietf.org] Sent: Thursday, March 25, 2004 7:59 PM To: John Strassner; policy@ietf.org Subject: RE: [Policy] FW: I-D ACTION:draft-reyes-policy-core-ext-schema-04 .txt John, I have reviewed your comments in detail and made several changes to the PCELS text (to be submitted in a few days) to address these issues. While for the most part I understand your concerns, there are a few items that I would like to discuss in more detail. See my comments below marked <mircea></mircea>. Thank You, Mircea. -----Original Message----- From: John Strassner [mailto:John.Strassner@intelliden.com] Sent: Friday, February 13, 2004 9:32 PM To: 'mpana@metasolv.com'; 'policy@ietf.org' Subject: RE: [Policy] FW: I-D ACTION:draft-reyes-policy-core-ext-schema-04 .txt First, I support Kurt's comments on LDAP, and will reply to those in a separate email. <mircea>Kurt's recommendations will be addressed in the next revision. </mircea> Second, I list below a set of additional comments on this draft. Third, the lack of an overall diagram makes it very difficult to evaluate the correctness of this model. This draft is not complete enough to construct such a model. <mircea>Can you be more specific. The document includes several diagrams and tables. What is it missing? </mircea> <js> True, there are several diagrams and tables. However, the draft lacks an overall conceptual model. For example, if you look at RFC3060, Figure 1 shows an overview of all of the classes and their relationships. Note that there is no need to show attributes in such a picture - I'm just looking for a **visual** overview of how the different classes fit together. </js> Fourth, a cursory scan revealed that there is no pcelsPolicyGroup class. This is strange, since PolicyGroup is listed as a subclass of PolicySet in RFC 3460. Why is this? <mircea>pcelsGroup will be added in the new revision. </mircea> Fifth, why is there a pcelsRule and a pcimRule class? <mircea>I do not understand the issue. </mircea> <js> Sorry for not being clearer. I understand that you wanted to create your own class (pcelsRule) because the semantics of RFC3460 were different (for PolicyRules) than those of RFC3460. I support your mentioning both in the draft, since there was feedback (e.g., from Ryan) that some implementations were still using pcimRule. However, I think that given this feedback, this draft needs some guidelines as to when one would use pcelsRule and one would use pcimRule, and what the implications of doing this are (e.g., how priority is implemented). </js> Sixth, why is there no pcelsRuleValidityAssociation subclass? At this point, <mircea>I do not understand the issue. PCELS reuses pcimRuleValidityAssociation that is defined in PCLS </mircea> <js> True, this is addressed in Note 1 in page 27 of the draft. Looking at your class structure, since you subclassed other associations, I was surprised that you didn't subclass this one as well. This is because pcelsRule and pcimRule are siblings, and pcimRuleValidityPeriod (in PCIM) is defined to exist between pcimRule and policyConditionTimePeriod only. So, how do pcelsRule instances use a policyConditionTimePeriod? </js> I started to go through the document in detail with my developers to try and implement it. We couldn't. We give you inconsistencies that we noticed (grammatical and otherwise) through page 31). Finally, I was surprised to see a lack of an Acknowledgments section, especially given the amount of feedback that several people on this list gave the authors. That's in poor form. <mircea>Acknowledgments will be added in the new revision. </mircea> Comments are as follows: - s/RFC zzzz/RFC 3703 <mircea>Fixed. </mircea> - page 3. You write: "...the combined class hierarchy for the LDAP object classes defined in [PCLS] and in this document". You should include concepts from 3460 that you mapped into new classes, and add that you defined new classes not in 3460 or 3703. <mircea>Fixed. </mircea> - page 4-7, class diagram - this diagram has no caption. Please add one. In addition, I find the diagram inpenetrable, in that the reader has no idea where these classes came from. I think you need a simpler introduction saying 3060 provided this, 3460 did this, and thus we came up with this. Take this key and show, for any class that isn't new in this document, where it came from. <mircea>Fixed. </mircea> - page 4 - why is your class named pcelsFilerEntry, when 3460 names its class FilterEntryBase? - page 4 - why is your class named pcelsIPHeaders, when 3460 names its class IPHeadersFilter? The Filter part is important! - page 4 - why is your class named pcels8021Headers, when 3460 names its class 8021Filter? The Filter part is important! - page 4 - why is your class named pcelsCompoundFilterAuxClass, when a more consistent name would be pcelsCompoundFilterConditionAuxClass? The Condition part is important! <mircea>All renamed. </mircea> - general reflections on the class diagram: part of the problem is that you are building a schema from three different sources: (1) RFC 3703, (2) RFC 3460, and (3) your own additions. I see no discussion on how these relate to each other, which would have been helpful. <mircea>The new revision will indicate all these sources explicitly. </mircea> - page 7 - you didn't state whether this is for all associations. This is exacerbated by you saying: "...might need to implement the association..." - which implies a single association. In addition, this is a terse description - the naive reader won't understand why aux classes are being used - you need a reference or a couple of sentences explaining this. <mircea>Added example in support of the generic text. Please note that the reader is not going to be that naive. Section 2. ("Relationship to other Policy Framework Documents") will also indicate that "These three documents ([PCIM], [PCIM_EXT] and [PCLS]) are a prerequisite for reading and understanding this document." </mircea> - page 7 - you state: "The LDAP object classes defined in this document are a direct mapping from the corresponding classes and, in some cases, the associations defined in [PCIM_EXT] ". Not strictly true, as you are also seeking to update RFC 3703 (e.g., where is pcimSubtreesPtrAuxClass defined in RFC 3460?). <mircea>The text in section 4.1 will be revised for a better description of the mapping techniques utilised by PCELS. However, I do not understand your reference to pcimSubtreesPtrAuxClass. That class is not defined in PCELS. <mircea> <js> If you look at RFC3703, we defined two aux classes (pcimElementAuxClass and pcimSubtreesPtrAuxClass) to simplify navigation through the DIT, as well as retrieval of entries found more efficient. I think that you should take another look at the rationale behind these classes, and consider again whether they should be included in this draft. </js> - pages 8-11: your table has no caption <mircea>Fixed. </mircea> - pages 8-11: Where are classes like pcimSubtreesPtrAuxClass? They aren't listed in this table, and better be, if you are "updating" RFC 3703. <mircea>The two tables list PCIM_EXT classes mapped by PCELS. Why should the tables include PCLS classes? </mircea> <js> Because this draft is supposed to be updating RFC3703, which means that you need to deal with classes defined in that RFC (such as pcimSubtreesPtrAuxClass) as well as your own classes. Or, at the very least, state why these classes do not need to be defined. </js> - once again, I see lots of irksome naming issues. The LDAP schema shouldn't change the name of a class defined in another RFC. Why have you done this? <mircea>All are going to be renamed to follow the *exact* PCIM_EXT names, but I fail to see where is the problem with the old names. </mircea> <js> It's all about implementation ease. If an earlier RFC exists, the naming in that RFC should be respected and not changed. </js> - page 8, 4th row. How can you give two different mappings to a single object class? And how can a RULE (i.e., pcelsRule) map to a GROUP? <mircea>pcelsGroup will be added in the new revision. </mircea> - page 10, 1st row. How can a single info model association map to two different associations? And do you mean "and" in this row? This would mean that I would have to instantiate both pcelsPolicySet and pcelsPolicySetAssociation, which is clearly wrong. This comment also applies for the other rows on this page where you have "and". <mircea> ...means that the PolicySetComponent aggregation is realised by a pcelsPolicySetComponentList value in the aggregating pcelsPolicySet. This attribute value is a DN reference to a pcelsPolicySetAsociation entry. The pcelsPolicySetAsociation entry includes a pcelsPolicySetDN attribute value that is a reference to the aggregated pcelsPolicySet. The details are in section 5. The table only gives an overview of the mapping. </mircea> <js> OK, that makes sense, but I suggest you add a note saying "See section 5.x" so the impatient reader won't get frustrated. ;-) </js> - page 10 - it is of no help to say "see PolicySetInSystem" in this table for the 3rd and 4th rows - that only confuses the reader. Please spell out what you mean here. <mircea>Fixed. Details are in section 5. </mircea> - Page 11 - the reader will wonder why ReusablePolicy and PolicyRoleCollectionInSystem are only implementable via DIT containment, when every other association has an association defined (independent of whether DIT containment could be used). <mircea>I fail to see the issue. </mircea> <js> Good schemata are consistent. Why are these two associations only implementable via DIT containment? </js> - Section 4.2, line 3, you write: "The concept of an ordered set of policies...". LDAP doesn't have ordered sets. How are you going to implement this? <mircea>replaced "ordered" with "coherent" (from PCIM_EXT) </mircea> <js> That's certainly better than incoherent ;-) but I don't see how this solves the problem, as the two aren't synonymous. </js> - Page 13, Section 4.3, second paragraph - s/deprecates/deprecate <mircea>Fixed. </mircea> - Page 13, Note - actually, PCLS does NOT have anything to do with PCIMe, so this note needs to be reworded <mircea>Fixed. </mircea> - Page 14, Section 4.5 - s/an other/another (and other places) - s/"rule /group"/"rule/group" (5 places) (and other places) <mircea>Fixed. </mircea> - Page 16, section 4.6, - s/CompoundPolicyActionclasses/CompoundPolicyAction classes - conditions /actions/"conditions/actions" (and other places) <mircea>Fixed. </mircea> - Page 22. How are you going to enforce an "ordered set of rules /groups"? That is, how can you guarantee that the DSA stores your rules/groups [sic] in the order that you want, and where is that order specified? What if a DSA doesn't have ordering controls? - Same section as above - you say that the "association entries enable relative ordering of the aggregated pcelsPolicySet instances within the scope of the aggregating pcelsPolicySet" - how is this accomplished with a plain, vanilla LDAP server with no controls? <mircea>Text revised and note added to indicate that applications must not expect the LDAP data store to implement sorting and ordering. </mircea> - Page 23 - the DESC for pcelsPolicySetList should say that it contains an UNORDERED list of DN references. <mircea>Fixed. </mircea> - Page 23, note above Section 5.2, is slightly incorrect. Only those implementations that WANT TO BE COMPATIBLE WITH PCELS should use this aggregation mechanism instead of those defined by PCLS. Not every implementation mechanism is going to want to change. <mircea>Revised. The section defining pcelsRule for example will include the following compatibility note: "Note 2: PCELS implementations SHOULD support pcelsRule and its two subclasses and MAY also support pcimRule and its two subclasses [PCLS]. Applications that choose to support pcelsRule and its two subclasses MUST use the aggregation mechanism provided by pcelsPolicySetAssociation for aggregating policy groups or policy rules in policy rules represented as instances of pcelsRule. Applications that intend to be compatible with [PCIM_EXT] MUST support pcelsRule and its two subclasses." </mircea> <js> The last MUST contradicts the first SHOULD in the above statement; please change it to SHOULD. The first MUSt in the above statement is OK. </js> - Page 23, Section 5.2, says "The pcelsPolicySetAssociation class is used to aggregate instances of pcelsPolicySet into other entries." This is incorrect, as pcelsPolicySet is abstract and thus cannot be instantiated. <mircea> I fail to see a problem with "instance of <abstract_class>". It is obvious that it means "instance of non-abstract subclass of <abstract_class>". The "non-abstract subclass of" is superfluous and has been omitted in order to improve the text readabilitiy. PCLS, for instance, uses such expressions on several occasions. E.g.: (PCLS page 50 first paragraph) "instances of pcimRules". Note that "pcimRules" is not a class name. </mircea> <js> I still disagree (and with PCLS page 50 as well) - it is imprecise. </js> - Same section, you write: "...realizes a (subclass of) PolicySetComponent aggregation [sic]. When subordinated to (subclass of) dlm1System...realizes a PolicySetInSystem association [sic]". How can the same element realize an aggregation in one usage and an association in another usage? This is semantically inconsistent. <mircea>I fail to see the issue. The semantics of pcelsPolicySetAssociation are context sensitive. </mircea> <js> The point is that there is a pronounced difference between an aggregation and an association. Although it is sadly commonplace to call everything an association. ;-( I would suggest changing your text to either only use "association" or only use "aggregation" in the same paragraph. </js> - Next paragraph says: "A non-reusable instance of (subclass of) pcelsPolicySet is attached as auxiliary class directly to the pcelsPolicySetAssociation entry." Subclasses of pcelsPolicySet that are not abstract are pcelsRuleAuxClass and pcelsRuleInstance. The above sentence only makes sense for pcelsRuleAuxClass. <mircea>The new specification will include pcelsGroup as well. As result, the current text will make more sense. </mircea> - Next paragraph doesn't make sense. First, you clearly mean a non- abstract subclass of pcelsPolicySet. Second, you are recommending that an ERROR be ignored? Why don't you stop operation? <mircea>Revised text: "When reading a pcelsPolicySetAssociation instance that has a pcelsPolicySet attached, the attribute pcelsPolicySetDN MUST be ignored. Applications SHOULD remove the pcelsPolicySetDN value from a pcelsPolicySetAssociation upon attachment of a pcelsPolicySet to the entry." This gives applications some flexibility. </mircea> <js> That's much better </js> - Page 24, DESC of pcelsPriority is insufficient, as "0" has special semantics that you haven't mentioned. This should, of course, also be present in accompanying prose, as Kurt points out. <mircea>The PCIM_EXT property and the attribute value restrictions going to be described in more detail (in prose). However I fail to find the meaning of "0" in PCIM_EXT. Can you help me locate the text? </mircea> <js> My mistake, the RFC states that this is simply the default value. </js> - Page 24, DESC of pcelsPolicySetDN should state that this is an UNORDERED list of DNs. <mircea>Fixed. </mircea> - Page 24, Section 5.3, s/The Three Classes pcelsRule/The pcelsRule Class and Its Subclasses <mircea>Fixed. </mircea> <note: at this point I'm not going to correct any remaining grammar errors, such as the next line ("The pcelsRule is...") because there are too many of them.> - Page 24, Section 5.3, you say: "The pcelsRule is the base class representing policy rules." Does this mean that an implementation can NOT use the subclasses of pcimRule anymore? <mircea>I fail to see the issue. </mircea> - Page 24, next paragraph, you say: "This class shares the Condition/Action aggregation methods with the pcelsCompoundConditionAuxClass and pcelsCompoundActionAuxClass object classes.". Why does it also not share the pcelsSimpleConditionAuxClass and pcelsSimpleActionAuxClass object classes as well? <mircea>Revised text. It was actually trying to say that: " Like pcelsRule, instances of pcelsCompoundConditionAuxClass use pcelsConditionList values and subordinated pcelsConditionAssociation entries to aggregate policy conditions." and " Like pcelsRule, instances of pcelsCompoundActionAuxClass use pcelsActionList values and subordinated pcelsActionAssociation entries to aggregate policy actions." </mircea> - Page 25, top paragraph, again says that the implementer should ignore an error condition. This isn't a good idea. - Page 25, next paragraph has the same problem. <mircea>Already discussed </mircea> - Page 26, the pcelsConditionListType attribute has a constraint. No text is provided that instructs the implementer what to do, aside from Note 5 on page 21, which says: "Text has been added to instruct servers and applications what to do if a value outside of this range is encountered" - which is exactly the problem - no text is here. Note that this is a systemic problem with any constrained attribute defined in this draft. Thus, I will only mention this once. <mircea>All Fixed. </mircea> - Page 27, WHY isn't a PolicyGroup class implemented? You give no reason for not doing this. Note also that Note 2 talks about ORDERED policy rules - I don't see how you can construct those. <mircea>Already discussed </mircea> - Page 27, section 5.4, again you say "pcelsRule" instead of "non- abstract subclasses of pcelsRule". <mircea>Already discussed </mircea> - Page 28, top paragraph, another error that you are recommending should be ignored <mircea>Already discussed </mircea> - Page 28, DESC for pcelsConditionAssociation is wrong; you say that it can be used for a pcelsRule instead of a non-abstract subclass of pcelsRule <mircea>Already discussed </mircea> - Page 28, section 5.5, again you say "pcelsRule" instead of "non- abstract subclasses of pcelsRule". <mircea>Already discussed </mircea> - Page 28, last paragraph, another error that you are recommending should be ignored. <mircea>Already discussed </mircea> - Page 29, DESC for pcelsActionAssociation is wrong; you say that it can be used for a pcelsRule instead of a non-abstract subclass of pcelsRule <mircea>Already discussed </mircea> - Page 29, last paragraph above Section 5.6, another error that you are recommending should be ignored. <mircea>Already discussed </mircea> - Page 29, Section 5.6, last two paragraphs are errors that you are recommending should be ignored. <At this point, I'm going to stop listing these, as it is a systemic problem that should be fixed in the next release> <mircea>Already discussed </mircea> - Page 29, last paragraph above Section 5.6, another error that you are recommending should be ignored. <mircea>Already discussed </mircea> - Page 30, the DESC for pcelsVariableDN is wrong. You say that it is a "DN reference to a pcelsVariable entry", when it should be a DN reference to a subclass of either pcelsExplicitVariableAuxClass or pcelsImplicitVariableAuxClass or pcelsVendorVariableAuxClass <mircea>Already discussed </mircea> - Page 30, the DESC for pcelsValueDN is wrong - it should be a subclass of pcelsValueDN. <mircea>Already discussed </mircea> regards, John
- RE: [Policy] FW: I-D ACTION:draft-reyes-policy-co… John Strassner
- RE: [Policy] FW: I-D ACTION:draft-reyes-policy-co… mpana
- RE: [Policy] FW: I-D ACTION:draft-reyes-policy-co… mpana
- RE: [Policy] FW: I-D ACTION:draft-reyes-policy-co… John Strassner
- RE: [Policy] FW: I-D ACTION:draft-reyes-policy-co… mpana
- RE: [Policy] FW: I-D ACTION:draft-reyes-policy-co… John Strassner