module ietf-netconf-acm {

  namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";

  prefix nacm;

  import ietf-yang-types {
    prefix yang;
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group";

  contact
    "WG Web: <https://datatracker.ietf.org/wg/netconf/>
     WG List: <mailto:netconf@ietf.org>

     Author: Andy Bierman
     <mailto:andy@yumaworks.com>

     Author: Martin Bjorklund
     <mailto:mbj@tail-f.com>";

  description
    "Network Configuration Access Control Model.

     Copyright (c) 2012 - 2018 IETF Trust and the persons
     identified as authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 8341; see
     the RFC itself for full legal notices.";

  revision "2018-02-14" {
    description
      "Added support for YANG 1.1 actions and notifications tied to
       data nodes. Clarified how NACM extensions can be used by
       other data models.";
    reference
      "RFC 8341: Network Configuration Access Control Model";
  }

  revision "2012-02-22" {
    description
      "Initial version.";
    reference
      "RFC 6536: Network Configuration Protocol (NETCONF)
       Access Control Model";
  }

  /*
   * Extension statements
   */

  // Both extensions are markers that other modules place on sensitive
  // nodes. They only have effect while /nacm/enable-nacm is 'true';
  // when NACM is disabled the markers are ignored (see each description).
  extension default-deny-write {
    description
      "Used to indicate that the data model node
       represents a sensitive security system parameter.

       If present, the NETCONF server will only allow the designated
       'recovery session' to have write access to the node. An
       explicit access control rule is required for all other users.

       If the NACM module is used, then it must be enabled (i.e.,
       /nacm/enable-nacm object equals 'true'), or this extension
       is ignored.

       The 'default-deny-write' extension MAY appear within a data
       definition statement. It is ignored otherwise.";
  }

  // Stronger form of the marker above: denies read, write and exec,
  // and may also be placed on 'rpc' and 'notification' statements.
  extension default-deny-all {
    description
      "Used to indicate that the data model node
       controls a very sensitive security system parameter.

       If present, the NETCONF server will only allow the designated
       'recovery session' to have read, write, or execute access to
       the node. An explicit access control rule is required for all
       other users.

       If the NACM module is used, then it must be enabled (i.e.,
       /nacm/enable-nacm object equals 'true'), or this extension
       is ignored.

       The 'default-deny-all' extension MAY appear within a data
       definition statement, 'rpc' statement, or 'notification'
       statement. It is ignored otherwise.";
  }

  /*
   * Derived types
   */

  // Non-empty string; no further pattern restriction is applied here.
  typedef user-name-type {
    type string {
      length "1..max";
    }
    description
      "General-purpose username string.";
  }

  // Exactly one character, a literal '*'. group-name-type below forbids
  // a leading '*', so a real group name can never be mistaken for this
  // wildcard in the unions that combine the two types.
  typedef matchall-string-type {
    type string {
      pattern '\*';
    }
    description
      "The string containing a single asterisk '*' is used
       to conceptually represent all possible values
       for the particular leaf using this data type.";
  }

  // Bit set of operations a rule can match. 'read' also covers
  // notification delivery; 'exec' is for protocol operations (RPCs).
  typedef access-operations-type {
    type bits {
      bit create {
        description
          "Any protocol operation that creates a
           new data node.";
      }
      bit read {
        description
          "Any protocol operation or notification that
           returns the value of a data node.";
      }
      bit update {
        description
          "Any protocol operation that alters an existing
           data node.";
      }
      bit delete {
        description
          "Any protocol operation that removes a data node.";
      }
      bit exec {
        description
          "Execution access to the specified protocol operation.";
      }
    }
    description
      "Access operation.";
  }

  // The pattern rejects names beginning with '*' so that a configured
  // group name cannot collide with the matchall-string-type wildcard.
  typedef group-name-type {
    type string {
      length "1..max";
      pattern '[^\*].*';
    }
    description
      "Name of administrative group to which
       users can be assigned.";
  }

  typedef action-type {
    type enumeration {
      enum permit {
        description
          "Requested action is permitted.";
      }
      enum deny {
        description
          "Requested action is denied.";
      }
    }
    description
      "Action taken by the server when a particular
       rule matches.";
  }

  // Path selector used by data-node rules. Note the deliberately
  // restricted evaluation context below: no XPath functions, a single
  // $USER variable, and optional key predicates (a missing key predicate
  // matches every instance of that list).
  typedef node-instance-identifier {
    type yang:xpath1.0;
    description
      "Path expression used to represent a special
       data node, action, or notification instance-identifier
       string.

       A node-instance-identifier value is an
       unrestricted YANG instance-identifier expression.
       All the same rules as an instance-identifier apply,
       except that predicates for keys are optional. If a key
       predicate is missing, then the node-instance-identifier
       represents all possible server instances for that key.

       This XML Path Language (XPath) expression is evaluated in the
       following context:

       o The set of namespace declarations are those in scope on
       the leaf element where this type is used.

       o The set of variable bindings contains one variable,
       'USER', which contains the name of the user of the
       current session.

       o The function library is the core function library, but
       note that due to the syntax restrictions of an
       instance-identifier, no functions are allowed.

       o The context node is the root node in the data tree.

       The accessible tree includes actions and notifications tied
       to data nodes.";
  }

  /*
   * Data definition statements
   */

  // The access-control configuration is itself tagged default-deny-all:
  // with NACM enabled, only the recovery session can read, write or
  // execute under /nacm unless a rule explicitly permits other users.
  // Keep it that way -- anyone who can edit this subtree can grant
  // themselves any access.
  container nacm {
    nacm:default-deny-all;

    description
      "Parameters for NETCONF access control model.";

    // Master switch. Setting this to 'false' turns off every check in
    // this module, including the default-deny-* markers above.
    leaf enable-nacm {
      type boolean;
      default "true";
      description
        "Enables or disables all NETCONF access control
         enforcement. If 'true', then enforcement
         is enabled. If 'false', then enforcement
         is disabled.";
    }

    // NOTE(review): the shipped defaults are read=permit, write=deny,
    // exec=permit. With NACM enabled but no rules configured, any user
    // with a session can read all data not tagged default-deny-all and
    // invoke any protocol operation not so tagged. Deployments wanting
    // least privilege should set read-default and exec-default to 'deny'
    // and add explicit permit rules.
    leaf read-default {
      type action-type;
      default "permit";
      description
        "Controls whether read access is granted if
         no appropriate rule is found for a
         particular read request.";
    }

    // The only fail-closed default of the three.
    leaf write-default {
      type action-type;
      default "deny";
      description
        "Controls whether create, update, or delete access
         is granted if no appropriate rule is found for a
         particular write request.";
    }

    leaf exec-default {
      type action-type;
      default "permit";
      description
        "Controls whether exec access is granted if no appropriate
         rule is found for a particular protocol operation request.";
    }

    // Defaults to trusting group membership reported by the NETCONF
    // transport layer in addition to /nacm/groups. If those groups are
    // not under the NACM administrator's control, set this to 'false'
    // so that only the configured /nacm/groups entries are used.
    leaf enable-external-groups {
      type boolean;
      default "true";
      description
        "Controls whether the server uses the groups reported by the
         NETCONF transport layer when it assigns the user to a set of
         NACM groups. If this leaf has the value 'false', any group
         names reported by the transport layer are ignored by the
         server.";
    }

    // Operational counters (config false). They reset on server
    // restart, so monitoring should watch the rate of change; a
    // sustained rise in denials is a useful signal of a misconfigured
    // client or deliberate probing.
    leaf denied-operations {
      type yang:zero-based-counter32;
      config false;
      mandatory true;
      description
        "Number of times since the server last restarted that a
         protocol operation request was denied.";
    }

    leaf denied-data-writes {
      type yang:zero-based-counter32;
      config false;
      mandatory true;
      description
        "Number of times since the server last restarted that a
         protocol operation request to alter
         a configuration datastore was denied.";
    }

    leaf denied-notifications {
      type yang:zero-based-counter32;
      config false;
      mandatory true;
      description
        "Number of times since the server last restarted that
         a notification was dropped for a subscription because
         access to the event type was denied.";
    }

    // Statically configured group membership. Groups learned from the
    // transport layer (see enable-external-groups) are not reflected here.
    container groups {
      description
        "NETCONF access control groups.";

      list group {
        key name;

        description
          "One NACM group entry. This list will only contain
           configured entries, not any entries learned from
           any transport protocols.";

        leaf name {
          type group-name-type;
          description
            "Group name associated with this entry.";
        }

        leaf-list user-name {
          type user-name-type;
          description
            "Each entry identifies the username of
             a member of the group associated with
             this entry.";
        }
      }
    }

    // Evaluation order matters: rule-lists and the rules inside them are
    // ordered-by user and are walked in that order until the first
    // matching rule, whose 'action' is final. A broad 'permit' placed
    // ahead of a narrower 'deny' makes the deny unreachable.
    list rule-list {
      key name;
      ordered-by user;
      description
        "An ordered collection of access control rules.";

      leaf name {
        type string {
          length "1..max";
        }
        description
          "Arbitrary name assigned to the rule-list.";
      }
      // '*' applies the rule-list to every group; a rule-list with no
      // group entries at all applies to no one.
      leaf-list group {
        type union {
          type matchall-string-type;
          type group-name-type;
        }
        description
          "List of administrative groups that will be
           assigned the associated access rights
           defined by the 'rule' list.

           The string '*' indicates that all groups apply to the
           entry.";
      }

      // A rule whose only non-key leaf is 'action' matches every
      // request: 'module-name' and 'access-operations' default to '*'
      // and an absent rule-type choice matches all requests (see the
      // choice description). Such catch-all rules belong last in the
      // list, if they are present at all.
      list rule {
        key name;
        ordered-by user;
        description
          "One access control rule.

           Rules are processed in user-defined order until a match is
           found. A rule matches if 'module-name', 'rule-type', and
           'access-operations' match the request. If a rule
           matches, the 'action' leaf determines whether or not
           access is granted.";

        leaf name {
          type string {
            length "1..max";
          }
          description
            "Arbitrary name assigned to the rule.";
        }

        leaf module-name {
          type union {
            type matchall-string-type;
            type string;
          }
          default "*";
          description
            "Name of the module associated with this rule.

             This leaf matches if it has the value '*' or if the
             object being accessed is defined in the module with the
             specified module name.";
        }
        // At most one of rpc-name, notification-name or path is present.
        choice rule-type {
          description
            "This choice matches if all leafs present in the rule
             match the request. If no leafs are present, the
             choice matches all requests.";
          case protocol-operation {
            // Matched by equality with the requested operation name, or '*'.
            leaf rpc-name {
              type union {
                type matchall-string-type;
                type string;
              }
              description
                "This leaf matches if it has the value '*' or if
                 its value equals the requested protocol operation
                 name.";
            }
          }
          case notification {
            leaf notification-name {
              type union {
                type matchall-string-type;
                type string;
              }
              description
                "This leaf matches if it has the value '*' or if its
                 value equals the requested notification name.";
            }
          }

          case data-node {
            // The evaluation context binds $USER to the session's user
            // name (see node-instance-identifier), so a key predicate can
            // confine a rule to the requesting user's own list entry.
            // The value '/' selects the entire datastore.
            leaf path {
              type node-instance-identifier;
              mandatory true;
              description
                "Data node instance-identifier associated with the
                 data node, action, or notification controlled by
                 this rule.

                 Configuration data or state data
                 instance-identifiers start with a top-level
                 data node. A complete instance-identifier is
                 required for this type of path value.

                 The special value '/' refers to all possible
                 datastore contents.";
            }
          }
        }

        // Defaults to '*', i.e. the rule applies to create, read, update,
        // delete and exec alike unless narrowed here.
        leaf access-operations {
          type union {
            type matchall-string-type;
            type access-operations-type;
          }
          default "*";
          description
            "Access operations associated with this rule.

             This leaf matches if it has the value '*' or if the
             bit corresponding to the requested operation is set.";
        }

        // Mandatory: every rule must say explicitly whether it permits
        // or denies; there is no implicit action.
        leaf action {
          type action-type;
          mandatory true;
          description
            "The access control action associated with the
             rule. If a rule has been determined to match a
             particular request, then this object is used
             to determine whether to permit or deny the
             request.";
        }

        leaf comment {
          type string;
          description
            "A textual description of the access rule.";
        }
      }
    }
  }
}