1<?xml version="1.0" encoding="UTF-8"?>
2<module xmlns="urn:ietf:params:xml:ns:yang:yin:1" xmlns:nacm="urn:ietf:params:xml:ns:yang:ietf-netconf-acm" xmlns:yang="urn:ietf:params:xml:ns:yang:ietf-yang-types" name="ietf-netconf-acm">
3 <namespace uri="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"/>
4 <prefix value="nacm"/>
5 <import module="ietf-yang-types">
6 <prefix value="yang"/>
7 </import>
8 <organization>
9 <text>IETF NETCONF (Network Configuration) Working Group</text>
10 </organization>
11 <contact>
12 <text>WG Web: &lt;http://tools.ietf.org/wg/netconf/&gt;
13WG List: &lt;mailto:netconf@ietf.org&gt;
14
15WG Chair: Mehmet Ersue
16 &lt;mailto:mehmet.ersue@nsn.com&gt;
17
18WG Chair: Bert Wijnen
19 &lt;mailto:bertietf@bwijnen.net&gt;
20
21Editor: Andy Bierman
22 &lt;mailto:andy@yumaworks.com&gt;
23
24Editor: Martin Bjorklund
25 &lt;mailto:mbj@tail-f.com&gt;</text>
26 </contact>
27 <description>
28 <text>NETCONF Access Control Model.
29
30Copyright (c) 2012 IETF Trust and the persons identified as
31authors of the code. All rights reserved.
32
33Redistribution and use in source and binary forms, with or
34without modification, is permitted pursuant to, and subject
35to the license terms contained in, the Simplified BSD
36License set forth in Section 4.c of the IETF Trust's
37Legal Provisions Relating to IETF Documents
38(http://trustee.ietf.org/license-info).
39
40This version of this YANG module is part of RFC 6536; see
41the RFC itself for full legal notices.</text>
42 </description>
43 <revision date="2012-02-22">
44 <description>
45 <text>Initial version</text>
46 </description>
47 <reference>
48 <text>RFC 6536: Network Configuration Protocol (NETCONF)
49 Access Control Model</text>
50 </reference>
51 </revision>
52 <extension name="default-deny-write">
53 <description>
54 <text>Used to indicate that the data model node
55represents a sensitive security system parameter.
56
57If present, and the NACM module is enabled (i.e.,
58/nacm/enable-nacm object equals 'true'), the NETCONF server
59will only allow the designated 'recovery session' to have
60write access to the node. An explicit access control rule is
61required for all other users.
62
63The 'default-deny-write' extension MAY appear within a data
64definition statement. It is ignored otherwise.</text>
65 </description>
66 </extension>
67 <extension name="default-deny-all">
68 <description>
69 <text>Used to indicate that the data model node
70controls a very sensitive security system parameter.
71
72If present, and the NACM module is enabled (i.e.,
73/nacm/enable-nacm object equals 'true'), the NETCONF server
74will only allow the designated 'recovery session' to have
75read, write, or execute access to the node. An explicit
76access control rule is required for all other users.
77
78The 'default-deny-all' extension MAY appear within a data
79definition statement, 'rpc' statement, or 'notification'
80statement. It is ignored otherwise.</text>
81 </description>
82 </extension>
83 <typedef name="user-name-type">
84 <type name="string">
85 <length value="1..max"/>
86 </type>
87 <description>
88 <text>General Purpose Username string.</text>
89 </description>
90 </typedef>
91 <typedef name="matchall-string-type">
92 <type name="string">
93 <pattern value="\*"/>
94 </type>
95 <description>
96 <text>The string containing a single asterisk '*' is used
97to conceptually represent all possible values
98for the particular leaf using this data type.</text>
99 </description>
100 </typedef>
101 <typedef name="access-operations-type">
102 <type name="bits">
103 <bit name="create">
104 <description>
105 <text>Any protocol operation that creates a
106new data node.</text>
107 </description>
108 </bit>
109 <bit name="read">
110 <description>
111 <text>Any protocol operation or notification that
112returns the value of a data node.</text>
113 </description>
114 </bit>
115 <bit name="update">
116 <description>
117 <text>Any protocol operation that alters an existing
118data node.</text>
119 </description>
120 </bit>
121 <bit name="delete">
122 <description>
123 <text>Any protocol operation that removes a data node.</text>
124 </description>
125 </bit>
126 <bit name="exec">
127 <description>
128 <text>Execution access to the specified protocol operation.</text>
129 </description>
130 </bit>
131 </type>
132 <description>
133 <text>NETCONF Access Operation.</text>
134 </description>
135 </typedef>
136 <typedef name="group-name-type">
137 <type name="string">
138 <length value="1..max"/>
139 <pattern value="[^\*].*"/>
140 </type>
141 <description>
142 <text>Name of administrative group to which
143users can be assigned.</text>
144 </description>
145 </typedef>
146 <typedef name="action-type">
147 <type name="enumeration">
148 <enum name="permit">
149 <description>
150 <text>Requested action is permitted.</text>
151 </description>
152 </enum>
153 <enum name="deny">
154 <description>
155 <text>Requested action is denied.</text>
156 </description>
157 </enum>
158 </type>
159 <description>
160 <text>Action taken by the server when a particular
161rule matches.</text>
162 </description>
163 </typedef>
164 <typedef name="node-instance-identifier">
165 <type name="yang:xpath1.0"/>
166 <description>
167 <text>Path expression used to represent a special
168data node instance identifier string.
169
170A node-instance-identifier value is an
171unrestricted YANG instance-identifier expression.
172All the same rules as an instance-identifier apply
173except predicates for keys are optional. If a key
174predicate is missing, then the node-instance-identifier
175represents all possible server instances for that key.
176
177This XPath expression is evaluated in the following context:
178
179 o The set of namespace declarations are those in scope on
180 the leaf element where this type is used.
181
182 o The set of variable bindings contains one variable,
183 'USER', which contains the name of the user of the current
184 session.
185
186 o The function library is the core function library, but
187 note that due to the syntax restrictions of an
188 instance-identifier, no functions are allowed.
189
190 o The context node is the root node in the data tree.</text>
191 </description>
192 </typedef>
193 <container name="nacm">
194 <nacm:default-deny-all/>
195 <description>
196 <text>Parameters for NETCONF Access Control Model.</text>
197 </description>
198 <leaf name="enable-nacm">
199 <type name="boolean"/>
200 <default value="true"/>
201 <description>
202 <text>Enables or disables all NETCONF access control
203enforcement. If 'true', then enforcement
204is enabled. If 'false', then enforcement
205is disabled.</text>
206 </description>
207 </leaf>
208 <leaf name="read-default">
209 <type name="action-type"/>
210 <default value="permit"/>
211 <description>
212 <text>Controls whether read access is granted if
213no appropriate rule is found for a
214particular read request.</text>
215 </description>
216 </leaf>
217 <leaf name="write-default">
218 <type name="action-type"/>
219 <default value="deny"/>
220 <description>
221 <text>Controls whether create, update, or delete access
222is granted if no appropriate rule is found for a
223particular write request.</text>
224 </description>
225 </leaf>
226 <leaf name="exec-default">
227 <type name="action-type"/>
228 <default value="permit"/>
229 <description>
230 <text>Controls whether exec access is granted if no appropriate
231rule is found for a particular protocol operation request.</text>
232 </description>
233 </leaf>
234 <leaf name="enable-external-groups">
235 <type name="boolean"/>
236 <default value="true"/>
237 <description>
238 <text>Controls whether the server uses the groups reported by the
239NETCONF transport layer when it assigns the user to a set of
240NACM groups. If this leaf has the value 'false', any group
241names reported by the transport layer are ignored by the
242server.</text>
243 </description>
244 </leaf>
245 <leaf name="denied-operations">
246 <type name="yang:zero-based-counter32"/>
247 <config value="false"/>
248 <mandatory value="true"/>
249 <description>
250 <text>Number of times since the server last restarted that a
251protocol operation request was denied.</text>
252 </description>
253 </leaf>
254 <leaf name="denied-data-writes">
255 <type name="yang:zero-based-counter32"/>
256 <config value="false"/>
257 <mandatory value="true"/>
258 <description>
259 <text>Number of times since the server last restarted that a
260protocol operation request to alter
261a configuration datastore was denied.</text>
262 </description>
263 </leaf>
264 <leaf name="denied-notifications">
265 <type name="yang:zero-based-counter32"/>
266 <config value="false"/>
267 <mandatory value="true"/>
268 <description>
269 <text>Number of times since the server last restarted that
270a notification was dropped for a subscription because
271access to the event type was denied.</text>
272 </description>
273 </leaf>
274 <container name="groups">
275 <description>
276 <text>NETCONF Access Control Groups.</text>
277 </description>
278 <list name="group">
279 <key value="name"/>
280 <description>
281 <text>One NACM Group Entry. This list will only contain
282configured entries, not any entries learned from
283any transport protocols.</text>
284 </description>
285 <leaf name="name">
286 <type name="group-name-type"/>
287 <description>
288 <text>Group name associated with this entry.</text>
289 </description>
290 </leaf>
291 <leaf-list name="user-name">
292 <type name="user-name-type"/>
293 <description>
294 <text>Each entry identifies the username of
295a member of the group associated with
296this entry.</text>
297 </description>
298 </leaf-list>
299 </list>
300 </container>
301 <list name="rule-list">
302 <key value="name"/>
303 <ordered-by value="user"/>
304 <description>
305 <text>An ordered collection of access control rules.</text>
306 </description>
307 <leaf name="name">
308 <type name="string">
309 <length value="1..max"/>
310 </type>
311 <description>
312 <text>Arbitrary name assigned to the rule-list.</text>
313 </description>
314 </leaf>
315 <leaf-list name="group">
316 <type name="union">
317 <type name="matchall-string-type"/>
318 <type name="group-name-type"/>
319 </type>
320 <description>
321 <text>List of administrative groups that will be
322assigned the associated access rights
323defined by the 'rule' list.
324
325The string '*' indicates that all groups apply to the
326entry.</text>
327 </description>
328 </leaf-list>
329 <list name="rule">
330 <key value="name"/>
331 <ordered-by value="user"/>
332 <description>
333 <text>One access control rule.
334
335Rules are processed in user-defined order until a match is
336found. A rule matches if 'module-name', 'rule-type', and
337'access-operations' match the request. If a rule
338matches, the 'action' leaf determines if access is granted
339or not.</text>
340 </description>
341 <leaf name="name">
342 <type name="string">
343 <length value="1..max"/>
344 </type>
345 <description>
346 <text>Arbitrary name assigned to the rule.</text>
347 </description>
348 </leaf>
349 <leaf name="module-name">
350 <type name="union">
351 <type name="matchall-string-type"/>
352 <type name="string"/>
353 </type>
354 <default value="*"/>
355 <description>
356 <text>Name of the module associated with this rule.
357
358This leaf matches if it has the value '*' or if the
359object being accessed is defined in the module with the
360specified module name.</text>
361 </description>
362 </leaf>
363 <choice name="rule-type">
364 <description>
365 <text>This choice matches if all leafs present in the rule
366match the request. If no leafs are present, the
367choice matches all requests.</text>
368 </description>
369 <case name="protocol-operation">
370 <leaf name="rpc-name">
371 <type name="union">
372 <type name="matchall-string-type"/>
373 <type name="string"/>
374 </type>
375 <description>
376 <text>This leaf matches if it has the value '*' or if
377its value equals the requested protocol operation
378name.</text>
379 </description>
380 </leaf>
381 </case>
382 <case name="notification">
383 <leaf name="notification-name">
384 <type name="union">
385 <type name="matchall-string-type"/>
386 <type name="string"/>
387 </type>
388 <description>
389 <text>This leaf matches if it has the value '*' or if its
390value equals the requested notification name.</text>
391 </description>
392 </leaf>
393 </case>
394 <case name="data-node">
395 <leaf name="path">
396 <type name="node-instance-identifier"/>
397 <mandatory value="true"/>
398 <description>
399 <text>Data Node Instance Identifier associated with the
400data node controlled by this rule.
401
402Configuration data or state data instance
403identifiers start with a top-level data node. A
404complete instance identifier is required for this
405type of path value.
406
407The special value '/' refers to all possible
408datastore contents.</text>
409 </description>
410 </leaf>
411 </case>
412 </choice>
413 <leaf name="access-operations">
414 <type name="union">
415 <type name="matchall-string-type"/>
416 <type name="access-operations-type"/>
417 </type>
418 <default value="*"/>
419 <description>
420 <text>Access operations associated with this rule.
421
422This leaf matches if it has the value '*' or if the
423bit corresponding to the requested operation is set.</text>
424 </description>
425 </leaf>
426 <leaf name="action">
427 <type name="action-type"/>
428 <mandatory value="true"/>
429 <description>
430 <text>The access control action associated with the
431rule. If a rule is determined to match a
432particular request, then this object is used
433to determine whether to permit or deny the
434request.</text>
435 </description>
436 </leaf>
437 <leaf name="comment">
438 <type name="string"/>
439 <description>
440 <text>A textual description of the access rule.</text>
441 </description>
442 </leaf>
443 </list>
444 </list>
445 </container>
446</module>