OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

obix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [obix] Issues with 0.7 draft of standard

Hi Keith,

I think REST and the object model are two separate issues.

1. The object model doesn't require knowledge of new data types.  New types will be created using only syntax and concepts from the base object model, so parsers can generically handle new types with requiring knowledge of say, a vendor's specialized types.   Also, I think you are confusing specification versus implementation and that you fear every vendor will implement points in a different way.  That is not the case, we will define the standard point type that everyone will use.  While we create the standard types, vendors can extend them and create their own (the same way the various oBIX verticals may create their own standard types).

2. REST implies two things (to me at least):
  A. Every resource is addressable as a uri.  Having every resource be uniquely addressable is no different than WS-Addressing (every resource has it's own WSDL document) being pushed by SOA heavy-weights, so I don't think there is a conflict with SOA.  I think it's the WSDL port type, or contract, of each resource one really cares about in SOA (but now we're out of my territory).  I don't like the idea of every resource having it's own WSDL simply because no one's tools support that kind of environment (for now) and I, like you, prefer a single uri for the SOAP service.

I don't think REST differentiates between the two uri's you gave, so in fact, the real identifier could be in the query string.

As for wild card queries, that is at a different level than us, it's not something we ever intended on implementing because it puts to much pressure on the control vendor who is not a search/software vendor.  That can be implemented on top of what we are doing; easily if your vendor implements a pure HTTP interface... Google and the other search vendors have solutions that you can purchase to index your web resources (IMHO this is really the whole point of REST).

  B. Every resource can only support a small set of operations (the HTTP ops - GET, POST, PUT, DELETE, TRACE, OPTIONS).  The new spec only specifies four in the same vein at WS-Transfer (get, put, create, delete).  If WS-Transfer was a standard and we used it, I don't think anyone would be complaining.  oBIX will have only one WSDL port type so once again, new types don't introduce new stuff.  However, how a resource interprets an operation is specialized.   Posting to point would have different consequences that posting to a schedule, and each would take different arguments (see #1).  The name of the operation is a hint at best, think of what addSpecialEvent would mean in a non-English speaking country.  The real meaning is in the documentation.

Anyway, I've spent way too much time on this email.  I hope I haven't made too many mistakes, and in some way addressed your comments.


Keith Gipson wrote:
I agree with you Toby. 

Although REST is an architectural "style", it moves oBIX in a direction where a
user has to have full understanding of the data (types) they are looking for?
This is exactly why API's are so difficult to use in the first place, because
of strongly typed parameters and functions.

One of the main principles of REST is that the resources (URL's) should be
nouns, instead of verbs? For example:

instead of:

Doesn't this obviously get away from the SERVICES-oriented nature of web
services? What about partial matches and wildcards? "AHU12*", etc. where you
only have partial information available (such as the name only and not the
point type?).

Currently, if I need to access any one of several "Big 5" controls vendor's
systems, I have to figure out which service to use from their API, if it's an
Analog Input point, I have to use 

LPCSTR GetAnalogInputValue(pszPtName, LPCSTR *rgszPtParams, BOOL fFromCache);
if it's an AnalogOutput, it's:
LPCSTR GetAnalogOutputValue(pszPtName, LPCSTR *rgszPtParams, BOOL fFromCache);

and so on, and so on...

So, when I'm developing my interface, I have to explicitly know the "type" of
point it that I'm dealing with. 

Easy enough? 

Well, what if it's a user setpoint for an Air Handler? Is that a Pseudo Analog
Input (or Output), an Analog In, ??? I'm stuck with having to know "too much"
about the system I'm trying to get the data from.

This is the danger of coming up with a rigorous, (too) well defined
architectural style that will not be simple and extensible. Clearly, as you
pointed out, this is a major issue. Maybe I'm issing something, if so, it won't
be the first time; but it just seems like it's getting way to complicated.

Keith E. Gipson
Chief Technology Officer
Impact Facility Solutions, Inc.
www.myfacility.com and soon...
"facility management, on demand!"

--- "Considine, Toby (Facilities Technology Office)" <Toby.Considine@unc.edu>

I am very concerned about direction the specification takes in v0.7,
specifically retreating from SOAP to REST. With this change, oBIX retreats
entirely from being "Control Interface for the Enterprise" to being
"traditional control protocol with angle brackets". This means that except
for a few specialized consultants, oBIX will become oblique to the
enterprise developer. My sense from talking to companies in the wider OASIS,
whose votes will be required to make oBIX an OASIS standard, is that if this
direction persists, the oBIX draft will fail to get OASIS votes, and thereby
not be accepted as a standard.



The charm of REST is, clearly, its simplicity, and its similarity to the way
things have always been done. To the extent that a point service is all that
we want, it is the simplest way to get there. Clearly it is the easiest way
to put "angle brackets in the control stream". It fails, though in several
important ways:


1)    WSDL does not support REST, either 1.1, 1.2, or 2.0.

2)    REST is not composable, breaking one of the two basic principles of
Web services

3)    REST supports no security standard other than encryption. This means
any security will have to rely on either multiple calls to establish
cookie-based security for session management, or perhaps hard-coding those
IP addresses an oBIX gateway is able to communicate with. Because of (2) you
can toss out such specs as WS-Security, WS-Trust, WS-SecureConversation,
WS-Policy, and WS-SAML. There is no way to hold a Kerberos token inside
REST. This will require oBIX to implement its own security. These concerns
will have to be implemented by the provider at the application level.  HTTPS
is *not* an answer to this. In essence, we will have recreated the
architectural problems of Johnson's NAEs and NIEs, which had no security
model and so retrteated to custom encryption DLL's to cover up this fact.

4)    HTTPS does not encrypt the URL; the entire action is included in the
URL. While URL-based APIs are simple to use, they have no defense against,
for example, play-back attacks.

5)    Enterprise developer tools do not handle or support REST. Enterprise
developers are tool users, at least in all enterprises that reward provable
code, predictable delivery dates, team development, and programmer

6)    REST is not transport agnostic meaning that with this transition, we
have eliminated all Message-Oriented Middleware-based transport schemes,
eliminating many major tools relied upon in the enterprise environment.

7)    REST violates extensibility, because REST parameters cannot
distinguish between parts of the message that the recipient "Must
Understand" and parts that can be ignored - increasing the demands on the
developer whose application will have to implement these features while
reducing interoperability between systems.

8)    The poorly understood distinctions between XML and HTML, including
case, Unicode overlaying, escaping, et al. make URI-based API's prone to
breaking and unpredictable results.

9)    Without WSDL, there is no way to define ad hoc discoverable
interactions between systems. This means every application can only be as
good as the individual integrators up front understanding of every component
of the system; I had hoped this is what we were getting away from with oBIX.

10)                       We will not be able to use reliability standards
such as WS-RX keeping oBIX from producing streams that can handle
life-safety issues (composability again)



It can be argued that large-scale REST applications do exist. It is true
that you can use REST for interactions with eBAY, Google, and Amazon. I must
point out that every developer interacting with these services is committed
to developing a custom interface with the one big player in their space.
This works only because:


*	information is public and encryption/authentication are unnecessary;

*	nothing terribly bad happens if a message is lost or duplicated; 
*	there are few demands for multi-part transaction management beyond
what can be implemented with HTTP sessions or cookies;  
*	There are no requirements for any transport other than HTTP


Each of these interfaces took a strong focus on careful, standard, and
particular business process, the type of effort I have not sensed a lot of
enthusiasm for w/i the TC. 


Web services toolkits are oriented toward use cases that demand
high-security, support for existing enterprise messaging systems, message
failure is not an option, and industrial-strength transaction processing is
assumed.  The REST approach assumes that all these features are provided at
the application level rather than being provided by the infrastructure.
There are some variants of REST for which it might be tolerable. It is a
great way to easily access Read Only points. It would be nice for an oBIX
discoverable node to be able to reference the stand-alone sensor across the
hall. To me, this would be more appropriately accomplished by something like
XML-RPC, which fits better into WSDL-2.


Overall, this is retreating from the document-based transfer model of Web
Services to the old-fashioned API. An API method looks like


Function fnAPI( float par1, string par2, date par3)


Each part of the API must be known and understood by the end point. A Web
Services method tends toward something like


Function fnService( document doc1)


In the WS-Interoperability spec (http://www.ws-i.org/), this argument is
summarized  in the WS-I Basic Profile by specifying document/literal as the
preferred style of communication. RPC/literal is also supported but



This document-centric approach is what gives services their power and
flexibility. Different parts of the document might be focused on business
process, others on a whole set of interactions, still others on defining a
set of [subscription points]. An identical document might be sent to
multiple ERPs with different results, as it may be successful, if indicated
in the document, for an ERP to accept a request that it only understands
partially. Different parts of the document may be marked "must understand";
others can be marked as optional. Any ERP that understands the "must
understand" part can accept the entire request. This flexibility, which the
enterprise expects, is tossed out entirely by the move to REST.


Clearly, this is a contentious matter outside the oBIX community and some
research does reveal that REST does have some strong partisans. There is
some effort to support something REST-like in future versions of WSDL. But
these are only in edge-cases and we shouldn't rely on edge-cases to build a
standard. I feel we have mistaken simplicity of mock-up for completeness of
solution. Many of the readings on REST vs. SOAP are strongly slanted one way
or another. Members of the committee that want to read some other
perspectives may want to review the following fairly balanced treatments:








http://www.w3.org/TR/ws-arch/ <http://www.w3.org/TR/ws-arch/>  


A quick Google of SOAP and REST will find many more contentious versions.


In short, if the charter of oBIX is to bring Controls Systems to the
Enterprise, it fails if it moves to REST.  



Toby Considine      ! "Do the right thing. It will 
UNC Chapel Hill     ! gratify some people and 
Chapel Hill, NC     ! astonish the rest." 
Phone (919)962-9073 ! 
Fax (919)962-1102   !            --Mark Twain 
tobias@fac.unc.edu  ! 

=== message truncated ===


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]