15:11:24 #startmeeting FriApr25 MODEL - Mickey's notes
15:11:24 Meeting started Sat Apr 26 15:11:24 2014 UTC. The chair is alagalah. Information about MeetBot at http://ci.openstack.org/meetbot.html.
15:11:24 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:11:24 The meeting name has been set to 'friapr25_model___mickey_s_notes'
15:11:37 #topic Consumers, Providers, formula
15:11:37 #info Mike notes once you xxx contract, set of clauses
15:11:41 #info These consumer rules, under the conditions, can talk to these provider capabilities, under these conditions
15:11:41 #info That maps you into a set of subjects that are within scope
15:11:42 #info This way we can say consumers have roles
15:11:44 #info Providers have capabilities
15:11:46 #info We can change the names, think about them as properties that indicate something
15:11:50 #info You have providers, capabilities, and conditions
15:11:51 #info Consumers have roles and conditions
15:11:52 #info Whenever consumers have certain roles, certain conditions, providers have certain capabilities, conditions, they can talk to each other, results in certain subjects being in scope
15:11:54 #info Mickey notes only one endpoint group per endpoint
15:11:57 #info But that endpoint group can have many capabilities and roles
15:11:58 #info Mike clarifies there can be many, not restricted to one
15:12:02 #info Ryan asks to explain symbology
15:12:03 #info Understand F is some sort of match or formula, might be different for consumers and providers
15:12:05 #info Mike explains we have consumer roles that can be fed into a formula
15:12:06 #info Ryan’s first stupid question
15:12:08 #info Mathematically speaking, if you use the same capital F, you mean they are the same formula
15:12:10 #info Mike does not mean that
15:12:12 #info Some sort of formula at each point, not the same
15:12:14 #info Daljeet asks if roles are published by providers?
15:12:17 #info Mike notes provider has capabilities, consumer has roles
15:12:18 #info They meet together in the contract
15:12:21 #info Have different formulas, match on roles, can specify ANDs, ORs, XORs
15:12:22 #info Have access to provider capabilities under these conditions
15:12:24 #info When met, these subjects are in scope
15:12:27 #info This set of roles under these conditions, logical multiplier, modulate
15:12:28 #info Change “F” to “F1”, “F2”, “F3”, not the same function
15:12:31 #info Mike notes meant to communicate an idea, not meant to be mathematically sound
15:12:32 #info What it means, for these roles under these conditions, however you combine those things, you can talk to providers under those conditions
15:12:34 #info You map to a set of subjects on which you can communicate
15:12:36 #info Ryan would love to have a concrete example
15:12:38 #info Not today, but thinking there will be a whole lot of folks who look at this, go WTF
15:12:40 #info Concrete example would help
15:12:43 #info Rob suggests adding onto the end, a network
15:12:45 #info That is what it looks like in UML, trying to express
15:12:46 #info Role matchers can match themselves, allows for nested formulas
15:12:48 #info Keith shows nested inheritance
15:12:50 #info Rob notes it is a matcher, implemented the way matchers are implemented
15:12:52 #info Basically have a group
15:12:55 #info Through relator, normal selector or names
15:12:57 #info Select contract
15:12:58 #info Then you have clauses, based on roles and conditions, this is how you can talk to capabilities under certain conditions
15:13:00 #info Roles, conditions, capabilities, if want to rename them, propose names
15:13:02 #info Does not matter what they are
15:13:09 #info Just felt like these names made sense
15:13:09 #info Mickey is not thrilled about capability, have to think of something to change to
15:13:09 #info Rob usually associates a role with a user
15:13:11 #info Mike cannot find words that are vague enough, not used today
15:13:13 #info Tried to use requirement before, people did not like it
15:13:15 #info Rob prefers requirement to role
15:13:17 #action Keith to create plain English definitions of each “noun”
15:13:18 #info Definition of concepts, then show how concepts worked together
15:13:20 #info Rob asks if this is something that can be understood by normal human users?
15:13:22 #info Or something you have to be a programmer to understand?
15:13:26 #info Mike ran it by people who do firewalls, enterprise applications
15:13:27 #info They can understand it
15:13:29 #info We can reduce it to English grammar
15:13:31 #info Just a formal UML diagram
15:13:32 #info Translating to word grammar
15:13:34 #info For example group name has selector that points to this thing
15:13:38 #info Then within this thing there is a contract, rule, for these roles under these conditions talk to the capabilities under those conditions
15:13:38 #info Jan asks why not take to Yang directly?
15:13:41 #info Mike wants to agree on concepts first
15:13:42 #info At a given time, object only contained by one, either relator or the group
15:13:44 #info Some requirements can be defined at group level, some at relator level
15:13:48 #info If define at relator level, specified in context of relationship with a given contract
15:13:48 #info Jan asks, configure role and condition directly?
15:13:51 #info Mike notes scope to which it applies
15:13:53 #info If role under selector, only evaluated in contracts that this selector refers to
15:13:54 #info If put in group, applies to all contracts
15:13:57 #info Certain roles you have in life regardless of your current function
15:13:59 #info Special roles when poor, at home, when you visit your grandmother
15:14:01 #info Work is your contract, expressed through relator
15:14:03 #info Certain roles defined within context of that relationship
15:14:04 #info Those roles do not apply to you when you are at home
15:14:07 #info Jan notes one kind of uber selector, where roles and conditions apply by default
15:14:08 #info Mike notes you do, under the group
15:14:10 #info Mike notes certain roles are universal regardless of where you are
15:14:12 #info Jan asks why clause and subject both?
15:14:14 #info Mike notes only clause under contract
15:14:17 #info Mickey notes clause is choosing a subject
15:14:19 #info Consumers under these conditions can talk to the provider capabilities under these conditions, on these subjects
15:14:20 #info Can you have subject without clause?
15:14:22 #info Mike notes subject is contained, within contract
15:14:24 #info Clause is who can talk to whom on what subject
15:14:26 #info Jan asks why clause not contained in a subject?
15:14:28 #info Mike notes clause can map to 20 subjects, a tree
15:14:31 #info Keith notes sigma symbol
15:14:32 #info Mickey asks about condition again?
15:14:34 #info Mike notes can mark endpoint group, or endpoint, saying this one is insecure
15:14:37 #info Things meant to be more or less transient, think about them as modulators
15:14:38 #info For example, posture
15:14:41 #info Discussion of Affinity (not the project, the VM concept)
15:14:42 #info Mike notes not how we are reasoning about this
15:14:44 #info Put secure as a condition
15:14:46 #info Secure is allowed to talk to anybody on all of the subjects
15:14:48 #info Conditions can be on consumer or provider side, do not have to be the same conditions on either side
15:14:50 #info Don’t have to think about identifiers
15:14:52 #info Mike’s example
15:14:55 #info You can assign a score to an endpoint
15:14:56 #info Go to scorer table, that maps you into a condition, gets inherited
15:14:58 #info Relates how you enforce the policy
15:15:01 #info Circumstances, how connected, where you came from, whatever
15:15:03 #info Allows inheritance of conditions based on circumstances
15:15:04 #info Group can be put into a circumstance, or an endpoint can be put into a circumstance
15:15:06 #info When you come to Cisco building 7, connect through wireless, subjected to different set of rules, versus connected directly to Ethernet port
15:15:08 #info Under circumstance of being connected in Cisco building, through Ethernet port rather than wireless
15:15:12 #info Also circumstance, connected on your laptop versus iPad
15:15:12 #info Condition inheritance mechanism
15:15:16 #info Jan notes applying label to whole bunch of conditions
15:15:17 #info Asks if it is inheritance or grouping?
15:15:19 #info Mike claims both, can inherit a bunch of conditions
15:15:20 #info Circumstance can be a tree, at each level define conditions, when terminate at one of the leaves or nodes, inherit everything
15:15:22 #info Jan asks if conditions point to endpoints?
15:15:24 #info Mike notes endpoint ends up containing the condition, a string
15:15:31 #info In xxx, this computer is deemed evil
15:15:31 #info Say Congress application from OpenStack makes call to Endpoint Registry, says mark this endpoint as insecure
15:15:31 #info You are under this circumstance, know which labels to inherit
15:15:32 #info Keith notes can force into contract where do IPS or IDS
15:15:34 #info Jan notes endpoints in registry independent of our policies, then reference them in our policies?
15:15:37 #info Mike counters, in our endpoint registry, you always know which group you belong to
15:15:38 #info How you get there, will not discuss here
15:15:41 #info Also know which xxx you are subjected to
15:15:42 #info Those conditions are used in determining what rules apply to you, who can talk to you, and how
15:15:45 #info Keith notes previously in formula, consumer modulated by conditions, determined which providers it can talk to, modulated by its conditions, …
15:15:46 #info Can circumstances modulate the conditions?
15:15:49 #info Mike notes if endpoint assigned to a circumstance, you inherit a bunch of conditions
15:15:51 #info Keith realizes it is additive, augments condition string
15:15:52 #info Mike notes group can have a circumstance
15:15:59 #topic Tenant
15:15:59 #info Mike notes need to distinguish between tenant and VRF-like xxx concepts
15:16:00 #info One way to think about tenant, the object that contains everything we talked about
15:16:00 #info Can have 3 categories of tenant
15:16:03 #info One is regular tenant, organization
15:16:05 #info Common tenant where all shared stuff is sitting
15:16:06 #info Infrastructure tenant
15:16:08 #info Common tenant, when tenants need to consume services from each other, publish into common tenant, that is how you know who you can access
15:16:10 #info Someone asks about infra tenant?
15:16:12 #info Mickey asks more like provider or group within a provider?
15:16:14 #info Yes
15:16:16 #info Keith notes questions whether inventory part would go into that
15:16:18 #info Mike notes can provide DNS, DHCP as part of infrastructure, and others can use it
15:16:21 #info Regular tenant cannot provide services to anybody else
15:16:22 #info Mickey asks, if looking under specific tenant, cannot resolve to shared?
15:16:24 #info Mike notes from context of where you are towards root of the tree
15:16:27 #info If cannot find it, go to common
15:16:29 #info Mickey notes have to jump
15:16:31 #info Mickey notes trying to do in one dimension rather than multiple dimensions as was done in UCSM and other older products
15:16:32 #info Jan asks one level of tenants?
15:16:35 #info Mike notes we can have more
15:16:37 #info Downside of having nested tenants is how do you shard in a consistent way
15:16:38 #info This is where implementation drives the model, icky, but that is the reality
15:16:41 #info Not opposed to solving the problem, as long as solve the sharding part
15:16:42 #info Mickey notes if shard based on tenant, we need to think about common tenant, whether that becomes a sharding problem
15:16:44 #info Jan notes other apps may not shard based on tenant
15:16:47 #info Mickey hopes all who talk to group-based policy will use asynchronous, then MD-SAL will determine how to get to the appropriate shard
15:16:48 #action Keith to rename Consumer "ROLE" references to "REQUIREMENTS"
15:16:51 #endmeeting