blob: dc3655e08c500e633d2e7131636bfa2b5e1e20b7 [file] [log] [blame]
Radek Krejcied5acc52019-04-25 15:57:04 +02001module ietf-netconf-acm {
2 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";
3 prefix nacm;
4
5 import ietf-yang-types {
6 prefix yang;
7 }
8
9 organization
10 "IETF NETCONF (Network Configuration) Working Group";
11 contact
12 "WG Web: <http://tools.ietf.org/wg/netconf/>
13 WG List: <mailto:netconf@ietf.org>
14
15 WG Chair: Mehmet Ersue
16 <mailto:mehmet.ersue@nsn.com>
17
18 WG Chair: Bert Wijnen
19 <mailto:bertietf@bwijnen.net>
20
21 Editor: Andy Bierman
22 <mailto:andy@yumaworks.com>
23
24 Editor: Martin Bjorklund
25 <mailto:mbj@tail-f.com>";
26 description
27 "NETCONF Access Control Model.
28
29 Copyright (c) 2012 IETF Trust and the persons identified as
30 authors of the code. All rights reserved.
31
32 Redistribution and use in source and binary forms, with or
33 without modification, is permitted pursuant to, and subject
34 to the license terms contained in, the Simplified BSD
35 License set forth in Section 4.c of the IETF Trust's
36 Legal Provisions Relating to IETF Documents
37 (http://trustee.ietf.org/license-info).
38
39 This version of this YANG module is part of RFC 6536; see
40 the RFC itself for full legal notices.";
41
42 revision 2012-02-22 {
43 description
44 "Initial version";
45 reference
46 "RFC 6536: Network Configuration Protocol (NETCONF)
47 Access Control Model";
48 }
49
50 extension default-deny-write {
51 description
52 "Used to indicate that the data model node
53 represents a sensitive security system parameter.
54
55 If present, and the NACM module is enabled (i.e.,
56 /nacm/enable-nacm object equals 'true'), the NETCONF server
57 will only allow the designated 'recovery session' to have
58 write access to the node. An explicit access control rule is
59 required for all other users.
60
61 The 'default-deny-write' extension MAY appear within a data
62 definition statement. It is ignored otherwise.";
63 }
64
65 extension default-deny-all {
66 description
67 "Used to indicate that the data model node
68 controls a very sensitive security system parameter.
69
70 If present, and the NACM module is enabled (i.e.,
71 /nacm/enable-nacm object equals 'true'), the NETCONF server
72 will only allow the designated 'recovery session' to have
73 read, write, or execute access to the node. An explicit
74 access control rule is required for all other users.
75
76 The 'default-deny-all' extension MAY appear within a data
77 definition statement, 'rpc' statement, or 'notification'
78 statement. It is ignored otherwise.";
79 }
80
81 typedef user-name-type {
82 type string {
83 length "1..max";
84 }
85 description
86 "General Purpose Username string.";
87 }
88
89 typedef matchall-string-type {
90 type string {
91 pattern "\\*";
92 }
93 description
94 "The string containing a single asterisk '*' is used
95 to conceptually represent all possible values
96 for the particular leaf using this data type.";
97 }
98
99 typedef access-operations-type {
100 type bits {
101 bit create {
102 description
103 "Any protocol operation that creates a
104 new data node.";
105 }
106 bit read {
107 description
108 "Any protocol operation or notification that
109 returns the value of a data node.";
110 }
111 bit update {
112 description
113 "Any protocol operation that alters an existing
114 data node.";
115 }
116 bit delete {
117 description
118 "Any protocol operation that removes a data node.";
119 }
120 bit exec {
121 description
122 "Execution access to the specified protocol operation.";
123 }
124 }
125 description
126 "NETCONF Access Operation.";
127 }
128
129 typedef group-name-type {
130 type string {
131 length "1..max";
132 pattern "[^\\*].*";
133 }
134 description
135 "Name of administrative group to which
136 users can be assigned.";
137 }
138
139 typedef action-type {
140 type enumeration {
141 enum "permit" {
142 description
143 "Requested action is permitted.";
144 }
145 enum "deny" {
146 description
147 "Requested action is denied.";
148 }
149 }
150 description
151 "Action taken by the server when a particular
152 rule matches.";
153 }
154
155 typedef node-instance-identifier {
156 type yang:xpath1.0;
157 description
158 "Path expression used to represent a special
159 data node instance identifier string.
160
161 A node-instance-identifier value is an
162 unrestricted YANG instance-identifier expression.
163 All the same rules as an instance-identifier apply
164 except predicates for keys are optional. If a key
165 predicate is missing, then the node-instance-identifier
166 represents all possible server instances for that key.
167
168 This XPath expression is evaluated in the following context:
169
170 o The set of namespace declarations are those in scope on
171 the leaf element where this type is used.
172
173 o The set of variable bindings contains one variable,
174 'USER', which contains the name of the user of the current
175 session.
176
177 o The function library is the core function library, but
178 note that due to the syntax restrictions of an
179 instance-identifier, no functions are allowed.
180
181 o The context node is the root node in the data tree.";
182 }
183
184 container nacm {
185 nacm:default-deny-all;
186 description
187 "Parameters for NETCONF Access Control Model.";
188 leaf enable-nacm {
189 type boolean;
190 default "true";
191 description
192 "Enables or disables all NETCONF access control
193 enforcement. If 'true', then enforcement
194 is enabled. If 'false', then enforcement
195 is disabled.";
196 }
197 leaf read-default {
198 type action-type;
199 default "permit";
200 description
201 "Controls whether read access is granted if
202 no appropriate rule is found for a
203 particular read request.";
204 }
205 leaf write-default {
206 type action-type;
207 default "deny";
208 description
209 "Controls whether create, update, or delete access
210 is granted if no appropriate rule is found for a
211 particular write request.";
212 }
213 leaf exec-default {
214 type action-type;
215 default "permit";
216 description
217 "Controls whether exec access is granted if no appropriate
218 rule is found for a particular protocol operation request.";
219 }
220 leaf enable-external-groups {
221 type boolean;
222 default "true";
223 description
224 "Controls whether the server uses the groups reported by the
225 NETCONF transport layer when it assigns the user to a set of
226 NACM groups. If this leaf has the value 'false', any group
227 names reported by the transport layer are ignored by the
228 server.";
229 }
230 leaf denied-operations {
231 type yang:zero-based-counter32;
232 config false;
233 mandatory true;
234 description
235 "Number of times since the server last restarted that a
236 protocol operation request was denied.";
237 }
238 leaf denied-data-writes {
239 type yang:zero-based-counter32;
240 config false;
241 mandatory true;
242 description
243 "Number of times since the server last restarted that a
244 protocol operation request to alter
245 a configuration datastore was denied.";
246 }
247 leaf denied-notifications {
248 type yang:zero-based-counter32;
249 config false;
250 mandatory true;
251 description
252 "Number of times since the server last restarted that
253 a notification was dropped for a subscription because
254 access to the event type was denied.";
255 }
256 container groups {
257 description
258 "NETCONF Access Control Groups.";
259 list group {
260 key "name";
261 description
262 "One NACM Group Entry. This list will only contain
263 configured entries, not any entries learned from
264 any transport protocols.";
265 leaf name {
266 type group-name-type;
267 description
268 "Group name associated with this entry.";
269 }
270 leaf-list user-name {
271 type user-name-type;
272 description
273 "Each entry identifies the username of
274 a member of the group associated with
275 this entry.";
276 }
277 }
278 }
279 list rule-list {
280 key "name";
281 ordered-by user;
282 description
283 "An ordered collection of access control rules.";
284 leaf name {
285 type string {
286 length "1..max";
287 }
288 description
289 "Arbitrary name assigned to the rule-list.";
290 }
291 leaf-list group {
292 type union {
293 type matchall-string-type;
294 type group-name-type;
295 }
296 description
297 "List of administrative groups that will be
298 assigned the associated access rights
299 defined by the 'rule' list.
300
301 The string '*' indicates that all groups apply to the
302 entry.";
303 }
304 list rule {
305 key "name";
306 ordered-by user;
307 description
308 "One access control rule.
309
310 Rules are processed in user-defined order until a match is
311 found. A rule matches if 'module-name', 'rule-type', and
312 'access-operations' match the request. If a rule
313 matches, the 'action' leaf determines if access is granted
314 or not.";
315 leaf name {
316 type string {
317 length "1..max";
318 }
319 description
320 "Arbitrary name assigned to the rule.";
321 }
322 leaf module-name {
323 type union {
324 type matchall-string-type;
325 type string;
326 }
327 default "*";
328 description
329 "Name of the module associated with this rule.
330
331 This leaf matches if it has the value '*' or if the
332 object being accessed is defined in the module with the
333 specified module name.";
334 }
335 choice rule-type {
336 description
337 "This choice matches if all leafs present in the rule
338 match the request. If no leafs are present, the
339 choice matches all requests.";
340 case protocol-operation {
341 leaf rpc-name {
342 type union {
343 type matchall-string-type;
344 type string;
345 }
346 description
347 "This leaf matches if it has the value '*' or if
348 its value equals the requested protocol operation
349 name.";
350 }
351 }
352 case notification {
353 leaf notification-name {
354 type union {
355 type matchall-string-type;
356 type string;
357 }
358 description
359 "This leaf matches if it has the value '*' or if its
360 value equals the requested notification name.";
361 }
362 }
363 case data-node {
364 leaf path {
365 type node-instance-identifier;
366 mandatory true;
367 description
368 "Data Node Instance Identifier associated with the
369 data node controlled by this rule.
370
371 Configuration data or state data instance
372 identifiers start with a top-level data node. A
373 complete instance identifier is required for this
374 type of path value.
375
376 The special value '/' refers to all possible
377 datastore contents.";
378 }
379 }
380 }
381 leaf access-operations {
382 type union {
383 type matchall-string-type;
384 type access-operations-type;
385 }
386 default "*";
387 description
388 "Access operations associated with this rule.
389
390 This leaf matches if it has the value '*' or if the
391 bit corresponding to the requested operation is set.";
392 }
393 leaf action {
394 type action-type;
395 mandatory true;
396 description
397 "The access control action associated with the
398 rule. If a rule is determined to match a
399 particular request, then this object is used
400 to determine whether to permit or deny the
401 request.";
402 }
403 leaf comment {
404 type string;
405 description
406 "A textual description of the access rule.";
407 }
408 }
409 }
410 }
411}