Radek Krejci | 0935f41 | 2019-08-20 16:15:18 +0200 | [diff] [blame^] | 1 | module ietf-netconf-acm { |
| 2 | |
| 3 | namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"; |
| 4 | |
| 5 | prefix nacm; |
| 6 | |
| 7 | import ietf-yang-types { |
| 8 | prefix yang; |
| 9 | } |
| 10 | |
| 11 | organization |
| 12 | "IETF NETCONF (Network Configuration) Working Group"; |
| 13 | |
| 14 | contact |
| 15 | "WG Web: <https://datatracker.ietf.org/wg/netconf/> |
| 16 | WG List: <mailto:netconf@ietf.org> |
| 17 | |
| 18 | Author: Andy Bierman |
| 19 | <mailto:andy@yumaworks.com> |
| 20 | |
| 21 | Author: Martin Bjorklund |
| 22 | <mailto:mbj@tail-f.com>"; |
| 23 | |
| 24 | description |
| 25 | "Network Configuration Access Control Model. |
| 26 | |
| 27 | Copyright (c) 2012 - 2018 IETF Trust and the persons |
| 28 | identified as authors of the code. All rights reserved. |
| 29 | |
| 30 | Redistribution and use in source and binary forms, with or |
| 31 | without modification, is permitted pursuant to, and subject |
| 32 | to the license terms contained in, the Simplified BSD |
| 33 | License set forth in Section 4.c of the IETF Trust's |
| 34 | Legal Provisions Relating to IETF Documents |
| 35 | (https://trustee.ietf.org/license-info). |
| 36 | |
| 37 | This version of this YANG module is part of RFC 8341; see |
| 38 | the RFC itself for full legal notices."; |
| 39 | |
| 40 | revision "2018-02-14" { |
| 41 | description |
| 42 | "Added support for YANG 1.1 actions and notifications tied to |
| 43 | data nodes. Clarified how NACM extensions can be used by |
| 44 | other data models."; |
| 45 | reference |
| 46 | "RFC 8341: Network Configuration Access Control Model"; |
| 47 | } |
| 48 | |
| 49 | revision "2012-02-22" { |
| 50 | description |
| 51 | "Initial version."; |
| 52 | reference |
| 53 | "RFC 6536: Network Configuration Protocol (NETCONF) |
| 54 | Access Control Model"; |
| 55 | } |
| 56 | |
| 57 | /* |
| 58 | * Extension statements |
| 59 | */ |
| 60 | |
| 61 | extension default-deny-write { |
| 62 | description |
| 63 | "Used to indicate that the data model node |
| 64 | represents a sensitive security system parameter. |
| 65 | |
| 66 | If present, the NETCONF server will only allow the designated |
| 67 | 'recovery session' to have write access to the node. An |
| 68 | explicit access control rule is required for all other users. |
| 69 | |
| 70 | If the NACM module is used, then it must be enabled (i.e., |
| 71 | /nacm/enable-nacm object equals 'true'), or this extension |
| 72 | is ignored. |
| 73 | |
| 74 | The 'default-deny-write' extension MAY appear within a data |
| 75 | definition statement. It is ignored otherwise."; |
| 76 | } |
| 77 | |
| 78 | extension default-deny-all { |
| 79 | description |
| 80 | "Used to indicate that the data model node |
| 81 | controls a very sensitive security system parameter. |
| 82 | |
| 83 | If present, the NETCONF server will only allow the designated |
| 84 | 'recovery session' to have read, write, or execute access to |
| 85 | the node. An explicit access control rule is required for all |
| 86 | other users. |
| 87 | |
| 88 | If the NACM module is used, then it must be enabled (i.e., |
| 89 | /nacm/enable-nacm object equals 'true'), or this extension |
| 90 | is ignored. |
| 91 | |
| 92 | The 'default-deny-all' extension MAY appear within a data |
| 93 | definition statement, 'rpc' statement, or 'notification' |
| 94 | statement. It is ignored otherwise."; |
| 95 | } |
| 96 | |
| 97 | /* |
| 98 | * Derived types |
| 99 | */ |
| 100 | |
| 101 | typedef user-name-type { |
| 102 | type string { |
| 103 | length "1..max"; |
| 104 | } |
| 105 | description |
| 106 | "General-purpose username string."; |
| 107 | } |
| 108 | |
| 109 | typedef matchall-string-type { |
| 110 | type string { |
| 111 | pattern '\*'; |
| 112 | } |
| 113 | description |
| 114 | "The string containing a single asterisk '*' is used |
| 115 | to conceptually represent all possible values |
| 116 | for the particular leaf using this data type."; |
| 117 | } |
| 118 | |
| 119 | typedef access-operations-type { |
| 120 | type bits { |
| 121 | bit create { |
| 122 | description |
| 123 | "Any protocol operation that creates a |
| 124 | new data node."; |
| 125 | } |
| 126 | bit read { |
| 127 | description |
| 128 | "Any protocol operation or notification that |
| 129 | returns the value of a data node."; |
| 130 | } |
| 131 | bit update { |
| 132 | description |
| 133 | "Any protocol operation that alters an existing |
| 134 | data node."; |
| 135 | } |
| 136 | bit delete { |
| 137 | description |
| 138 | "Any protocol operation that removes a data node."; |
| 139 | } |
| 140 | bit exec { |
| 141 | description |
| 142 | "Execution access to the specified protocol operation."; |
| 143 | } |
| 144 | } |
| 145 | description |
| 146 | "Access operation."; |
| 147 | } |
| 148 | |
| 149 | typedef group-name-type { |
| 150 | type string { |
| 151 | length "1..max"; |
| 152 | pattern '[^\*].*'; |
| 153 | } |
| 154 | description |
| 155 | "Name of administrative group to which |
| 156 | users can be assigned."; |
| 157 | } |
| 158 | |
| 159 | typedef action-type { |
| 160 | type enumeration { |
| 161 | enum permit { |
| 162 | description |
| 163 | "Requested action is permitted."; |
| 164 | } |
| 165 | enum deny { |
| 166 | description |
| 167 | "Requested action is denied."; |
| 168 | } |
| 169 | } |
| 170 | description |
| 171 | "Action taken by the server when a particular |
| 172 | rule matches."; |
| 173 | } |
| 174 | |
| 175 | typedef node-instance-identifier { |
| 176 | type yang:xpath1.0; |
| 177 | description |
| 178 | "Path expression used to represent a special |
| 179 | data node, action, or notification instance-identifier |
| 180 | string. |
| 181 | |
| 182 | A node-instance-identifier value is an |
| 183 | unrestricted YANG instance-identifier expression. |
| 184 | All the same rules as an instance-identifier apply, |
| 185 | except that predicates for keys are optional. If a key |
| 186 | predicate is missing, then the node-instance-identifier |
| 187 | represents all possible server instances for that key. |
| 188 | |
| 189 | This XML Path Language (XPath) expression is evaluated in the |
| 190 | following context: |
| 191 | |
| 192 | o The set of namespace declarations are those in scope on |
| 193 | the leaf element where this type is used. |
| 194 | |
| 195 | o The set of variable bindings contains one variable, |
| 196 | 'USER', which contains the name of the user of the |
| 197 | current session. |
| 198 | |
| 199 | o The function library is the core function library, but |
| 200 | note that due to the syntax restrictions of an |
| 201 | instance-identifier, no functions are allowed. |
| 202 | |
| 203 | o The context node is the root node in the data tree. |
| 204 | |
| 205 | The accessible tree includes actions and notifications tied |
| 206 | to data nodes."; |
| 207 | } |
| 208 | |
| 209 | /* |
| 210 | * Data definition statements |
| 211 | */ |
| 212 | |
| 213 | container nacm { |
| 214 | nacm:default-deny-all; |
| 215 | |
| 216 | description |
| 217 | "Parameters for NETCONF access control model."; |
| 218 | |
| 219 | leaf enable-nacm { |
| 220 | type boolean; |
| 221 | default "true"; |
| 222 | description |
| 223 | "Enables or disables all NETCONF access control |
| 224 | enforcement. If 'true', then enforcement |
| 225 | is enabled. If 'false', then enforcement |
| 226 | is disabled."; |
| 227 | } |
| 228 | |
| 229 | leaf read-default { |
| 230 | type action-type; |
| 231 | default "permit"; |
| 232 | description |
| 233 | "Controls whether read access is granted if |
| 234 | no appropriate rule is found for a |
| 235 | particular read request."; |
| 236 | } |
| 237 | |
| 238 | leaf write-default { |
| 239 | type action-type; |
| 240 | default "deny"; |
| 241 | description |
| 242 | "Controls whether create, update, or delete access |
| 243 | is granted if no appropriate rule is found for a |
| 244 | particular write request."; |
| 245 | } |
| 246 | |
| 247 | leaf exec-default { |
| 248 | type action-type; |
| 249 | default "permit"; |
| 250 | description |
| 251 | "Controls whether exec access is granted if no appropriate |
| 252 | rule is found for a particular protocol operation request."; |
| 253 | } |
| 254 | |
| 255 | leaf enable-external-groups { |
| 256 | type boolean; |
| 257 | default "true"; |
| 258 | description |
| 259 | "Controls whether the server uses the groups reported by the |
| 260 | NETCONF transport layer when it assigns the user to a set of |
| 261 | NACM groups. If this leaf has the value 'false', any group |
| 262 | names reported by the transport layer are ignored by the |
| 263 | server."; |
| 264 | } |
| 265 | |
| 266 | leaf denied-operations { |
| 267 | type yang:zero-based-counter32; |
| 268 | config false; |
| 269 | mandatory true; |
| 270 | description |
| 271 | "Number of times since the server last restarted that a |
| 272 | protocol operation request was denied."; |
| 273 | } |
| 274 | |
| 275 | leaf denied-data-writes { |
| 276 | type yang:zero-based-counter32; |
| 277 | config false; |
| 278 | mandatory true; |
| 279 | description |
| 280 | "Number of times since the server last restarted that a |
| 281 | protocol operation request to alter |
| 282 | a configuration datastore was denied."; |
| 283 | } |
| 284 | |
| 285 | leaf denied-notifications { |
| 286 | type yang:zero-based-counter32; |
| 287 | config false; |
| 288 | mandatory true; |
| 289 | description |
| 290 | "Number of times since the server last restarted that |
| 291 | a notification was dropped for a subscription because |
| 292 | access to the event type was denied."; |
| 293 | } |
| 294 | |
| 295 | container groups { |
| 296 | description |
| 297 | "NETCONF access control groups."; |
| 298 | |
| 299 | list group { |
| 300 | key name; |
| 301 | |
| 302 | description |
| 303 | "One NACM group entry. This list will only contain |
| 304 | configured entries, not any entries learned from |
| 305 | any transport protocols."; |
| 306 | |
| 307 | leaf name { |
| 308 | type group-name-type; |
| 309 | description |
| 310 | "Group name associated with this entry."; |
| 311 | } |
| 312 | |
| 313 | leaf-list user-name { |
| 314 | type user-name-type; |
| 315 | description |
| 316 | "Each entry identifies the username of |
| 317 | a member of the group associated with |
| 318 | this entry."; |
| 319 | } |
| 320 | } |
| 321 | } |
| 322 | |
| 323 | list rule-list { |
| 324 | key name; |
| 325 | ordered-by user; |
| 326 | description |
| 327 | "An ordered collection of access control rules."; |
| 328 | |
| 329 | leaf name { |
| 330 | type string { |
| 331 | length "1..max"; |
| 332 | } |
| 333 | description |
| 334 | "Arbitrary name assigned to the rule-list."; |
| 335 | } |
| 336 | leaf-list group { |
| 337 | type union { |
| 338 | type matchall-string-type; |
| 339 | type group-name-type; |
| 340 | } |
| 341 | description |
| 342 | "List of administrative groups that will be |
| 343 | assigned the associated access rights |
| 344 | defined by the 'rule' list. |
| 345 | |
| 346 | The string '*' indicates that all groups apply to the |
| 347 | entry."; |
| 348 | } |
| 349 | |
| 350 | list rule { |
| 351 | key name; |
| 352 | ordered-by user; |
| 353 | description |
| 354 | "One access control rule. |
| 355 | |
| 356 | Rules are processed in user-defined order until a match is |
| 357 | found. A rule matches if 'module-name', 'rule-type', and |
| 358 | 'access-operations' match the request. If a rule |
| 359 | matches, the 'action' leaf determines whether or not |
| 360 | access is granted."; |
| 361 | |
| 362 | leaf name { |
| 363 | type string { |
| 364 | length "1..max"; |
| 365 | } |
| 366 | description |
| 367 | "Arbitrary name assigned to the rule."; |
| 368 | } |
| 369 | |
| 370 | leaf module-name { |
| 371 | type union { |
| 372 | type matchall-string-type; |
| 373 | type string; |
| 374 | } |
| 375 | default "*"; |
| 376 | description |
| 377 | "Name of the module associated with this rule. |
| 378 | |
| 379 | This leaf matches if it has the value '*' or if the |
| 380 | object being accessed is defined in the module with the |
| 381 | specified module name."; |
| 382 | } |
| 383 | choice rule-type { |
| 384 | description |
| 385 | "This choice matches if all leafs present in the rule |
| 386 | match the request. If no leafs are present, the |
| 387 | choice matches all requests."; |
| 388 | case protocol-operation { |
| 389 | leaf rpc-name { |
| 390 | type union { |
| 391 | type matchall-string-type; |
| 392 | type string; |
| 393 | } |
| 394 | description |
| 395 | "This leaf matches if it has the value '*' or if |
| 396 | its value equals the requested protocol operation |
| 397 | name."; |
| 398 | } |
| 399 | } |
| 400 | case notification { |
| 401 | leaf notification-name { |
| 402 | type union { |
| 403 | type matchall-string-type; |
| 404 | type string; |
| 405 | } |
| 406 | description |
| 407 | "This leaf matches if it has the value '*' or if its |
| 408 | value equals the requested notification name."; |
| 409 | } |
| 410 | } |
| 411 | |
| 412 | case data-node { |
| 413 | leaf path { |
| 414 | type node-instance-identifier; |
| 415 | mandatory true; |
| 416 | description |
| 417 | "Data node instance-identifier associated with the |
| 418 | data node, action, or notification controlled by |
| 419 | this rule. |
| 420 | |
| 421 | Configuration data or state data |
| 422 | instance-identifiers start with a top-level |
| 423 | data node. A complete instance-identifier is |
| 424 | required for this type of path value. |
| 425 | |
| 426 | The special value '/' refers to all possible |
| 427 | datastore contents."; |
| 428 | } |
| 429 | } |
| 430 | } |
| 431 | |
| 432 | leaf access-operations { |
| 433 | type union { |
| 434 | type matchall-string-type; |
| 435 | type access-operations-type; |
| 436 | } |
| 437 | default "*"; |
| 438 | description |
| 439 | "Access operations associated with this rule. |
| 440 | |
| 441 | This leaf matches if it has the value '*' or if the |
| 442 | bit corresponding to the requested operation is set."; |
| 443 | } |
| 444 | |
| 445 | leaf action { |
| 446 | type action-type; |
| 447 | mandatory true; |
| 448 | description |
| 449 | "The access control action associated with the |
| 450 | rule. If a rule has been determined to match a |
| 451 | particular request, then this object is used |
| 452 | to determine whether to permit or deny the |
| 453 | request."; |
| 454 | } |
| 455 | |
| 456 | leaf comment { |
| 457 | type string; |
| 458 | description |
| 459 | "A textual description of the access rule."; |
| 460 | } |
| 461 | } |
| 462 | } |
| 463 | } |
| 464 | } |