Michal Vasko | 0e663ec | 2022-07-13 18:35:37 +0200 | [diff] [blame] | 1 | module ietf-netconf-acm-when { |
Radek Krejci | ed5acc5 | 2019-04-25 15:57:04 +0200 | [diff] [blame] | 2 | namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"; |
| 3 | prefix nacm; |
| 4 | |
| 5 | import ietf-yang-types { |
| 6 | prefix yang; |
| 7 | } |
| 8 | |
| 9 | organization |
| 10 | "IETF NETCONF (Network Configuration) Working Group"; |
| 11 | contact |
| 12 | "WG Web: <http://tools.ietf.org/wg/netconf/> |
| 13 | WG List: <mailto:netconf@ietf.org> |
| 14 | |
| 15 | WG Chair: Mehmet Ersue |
| 16 | <mailto:mehmet.ersue@nsn.com> |
| 17 | |
| 18 | WG Chair: Bert Wijnen |
| 19 | <mailto:bertietf@bwijnen.net> |
| 20 | |
| 21 | Editor: Andy Bierman |
| 22 | <mailto:andy@yumaworks.com> |
| 23 | |
| 24 | Editor: Martin Bjorklund |
| 25 | <mailto:mbj@tail-f.com>"; |
| 26 | description |
| 27 | "NETCONF Access Control Model. |
| 28 | |
| 29 | Copyright (c) 2012 IETF Trust and the persons identified as |
| 30 | authors of the code. All rights reserved. |
| 31 | |
| 32 | Redistribution and use in source and binary forms, with or |
| 33 | without modification, is permitted pursuant to, and subject |
| 34 | to the license terms contained in, the Simplified BSD |
| 35 | License set forth in Section 4.c of the IETF Trust's |
| 36 | Legal Provisions Relating to IETF Documents |
| 37 | (http://trustee.ietf.org/license-info). |
| 38 | |
| 39 | This version of this YANG module is part of RFC 6536; see |
| 40 | the RFC itself for full legal notices."; |
| 41 | |
| 42 | revision 2012-02-22 { |
| 43 | description |
| 44 | "Initial version"; |
| 45 | reference |
| 46 | "RFC 6536: Network Configuration Protocol (NETCONF) |
| 47 | Access Control Model"; |
| 48 | } |
| 49 | |
| 50 | extension default-deny-write { |
| 51 | description |
| 52 | "Used to indicate that the data model node |
| 53 | represents a sensitive security system parameter. |
| 54 | |
| 55 | If present, and the NACM module is enabled (i.e., |
| 56 | /nacm/enable-nacm object equals 'true'), the NETCONF server |
| 57 | will only allow the designated 'recovery session' to have |
| 58 | write access to the node. An explicit access control rule is |
| 59 | required for all other users. |
| 60 | |
| 61 | The 'default-deny-write' extension MAY appear within a data |
| 62 | definition statement. It is ignored otherwise."; |
| 63 | } |
| 64 | |
| 65 | extension default-deny-all { |
| 66 | description |
| 67 | "Used to indicate that the data model node |
| 68 | controls a very sensitive security system parameter. |
| 69 | |
| 70 | If present, and the NACM module is enabled (i.e., |
| 71 | /nacm/enable-nacm object equals 'true'), the NETCONF server |
| 72 | will only allow the designated 'recovery session' to have |
| 73 | read, write, or execute access to the node. An explicit |
| 74 | access control rule is required for all other users. |
| 75 | |
| 76 | The 'default-deny-all' extension MAY appear within a data |
| 77 | definition statement, 'rpc' statement, or 'notification' |
| 78 | statement. It is ignored otherwise."; |
| 79 | } |
| 80 | |
| 81 | typedef user-name-type { |
| 82 | type string { |
| 83 | length "1..max"; |
| 84 | } |
| 85 | description |
| 86 | "General Purpose Username string."; |
| 87 | } |
| 88 | |
| 89 | typedef matchall-string-type { |
| 90 | type string { |
| 91 | pattern "\\*"; |
| 92 | } |
| 93 | description |
| 94 | "The string containing a single asterisk '*' is used |
| 95 | to conceptually represent all possible values |
| 96 | for the particular leaf using this data type."; |
| 97 | } |
| 98 | |
| 99 | typedef access-operations-type { |
| 100 | type bits { |
| 101 | bit create { |
| 102 | description |
| 103 | "Any protocol operation that creates a |
| 104 | new data node."; |
| 105 | } |
| 106 | bit read { |
| 107 | description |
| 108 | "Any protocol operation or notification that |
| 109 | returns the value of a data node."; |
| 110 | } |
| 111 | bit update { |
| 112 | description |
| 113 | "Any protocol operation that alters an existing |
| 114 | data node."; |
| 115 | } |
| 116 | bit delete { |
| 117 | description |
| 118 | "Any protocol operation that removes a data node."; |
| 119 | } |
| 120 | bit exec { |
| 121 | description |
| 122 | "Execution access to the specified protocol operation."; |
| 123 | } |
| 124 | } |
| 125 | description |
| 126 | "NETCONF Access Operation."; |
| 127 | } |
| 128 | |
| 129 | typedef group-name-type { |
| 130 | type string { |
| 131 | length "1..max"; |
| 132 | pattern "[^\\*].*"; |
| 133 | } |
| 134 | description |
| 135 | "Name of administrative group to which |
| 136 | users can be assigned."; |
| 137 | } |
| 138 | |
| 139 | typedef action-type { |
| 140 | type enumeration { |
| 141 | enum "permit" { |
| 142 | description |
| 143 | "Requested action is permitted."; |
| 144 | } |
| 145 | enum "deny" { |
| 146 | description |
| 147 | "Requested action is denied."; |
| 148 | } |
| 149 | } |
| 150 | description |
| 151 | "Action taken by the server when a particular |
| 152 | rule matches."; |
| 153 | } |
| 154 | |
| 155 | typedef node-instance-identifier { |
| 156 | type yang:xpath1.0; |
| 157 | description |
| 158 | "Path expression used to represent a special |
| 159 | data node instance identifier string. |
| 160 | |
| 161 | A node-instance-identifier value is an |
| 162 | unrestricted YANG instance-identifier expression. |
| 163 | All the same rules as an instance-identifier apply |
| 164 | except predicates for keys are optional. If a key |
| 165 | predicate is missing, then the node-instance-identifier |
| 166 | represents all possible server instances for that key. |
| 167 | |
| 168 | This XPath expression is evaluated in the following context: |
| 169 | |
| 170 | o The set of namespace declarations are those in scope on |
| 171 | the leaf element where this type is used. |
| 172 | |
| 173 | o The set of variable bindings contains one variable, |
| 174 | 'USER', which contains the name of the user of the current |
| 175 | session. |
| 176 | |
| 177 | o The function library is the core function library, but |
| 178 | note that due to the syntax restrictions of an |
| 179 | instance-identifier, no functions are allowed. |
| 180 | |
| 181 | o The context node is the root node in the data tree."; |
| 182 | } |
| 183 | |
| 184 | container nacm { |
| 185 | nacm:default-deny-all; |
| 186 | description |
| 187 | "Parameters for NETCONF Access Control Model."; |
| 188 | leaf enable-nacm { |
| 189 | type boolean; |
| 190 | default "true"; |
| 191 | description |
| 192 | "Enables or disables all NETCONF access control |
| 193 | enforcement. If 'true', then enforcement |
| 194 | is enabled. If 'false', then enforcement |
| 195 | is disabled."; |
| 196 | } |
| 197 | leaf read-default { |
| 198 | type action-type; |
| 199 | default "permit"; |
| 200 | description |
| 201 | "Controls whether read access is granted if |
| 202 | no appropriate rule is found for a |
| 203 | particular read request."; |
| 204 | } |
| 205 | leaf write-default { |
| 206 | type action-type; |
| 207 | default "deny"; |
| 208 | description |
| 209 | "Controls whether create, update, or delete access |
| 210 | is granted if no appropriate rule is found for a |
| 211 | particular write request."; |
| 212 | } |
| 213 | leaf exec-default { |
| 214 | type action-type; |
| 215 | default "permit"; |
| 216 | description |
| 217 | "Controls whether exec access is granted if no appropriate |
| 218 | rule is found for a particular protocol operation request."; |
| 219 | } |
| 220 | leaf enable-external-groups { |
| 221 | type boolean; |
| 222 | default "true"; |
| 223 | description |
| 224 | "Controls whether the server uses the groups reported by the |
| 225 | NETCONF transport layer when it assigns the user to a set of |
| 226 | NACM groups. If this leaf has the value 'false', any group |
| 227 | names reported by the transport layer are ignored by the |
| 228 | server."; |
| 229 | } |
| 230 | leaf denied-operations { |
| 231 | type yang:zero-based-counter32; |
| 232 | config false; |
| 233 | mandatory true; |
| 234 | description |
| 235 | "Number of times since the server last restarted that a |
| 236 | protocol operation request was denied."; |
| 237 | } |
| 238 | leaf denied-data-writes { |
| 239 | type yang:zero-based-counter32; |
| 240 | config false; |
| 241 | mandatory true; |
| 242 | when "../denied-operations > 0"; |
| 243 | description |
| 244 | "Number of times since the server last restarted that a |
| 245 | protocol operation request to alter |
| 246 | a configuration datastore was denied."; |
| 247 | } |
| 248 | leaf denied-notifications { |
| 249 | type yang:zero-based-counter32; |
| 250 | config false; |
| 251 | mandatory true; |
| 252 | description |
| 253 | "Number of times since the server last restarted that |
| 254 | a notification was dropped for a subscription because |
| 255 | access to the event type was denied."; |
| 256 | } |
| 257 | container groups { |
| 258 | description |
| 259 | "NETCONF Access Control Groups."; |
| 260 | list group { |
| 261 | key "name"; |
| 262 | description |
| 263 | "One NACM Group Entry. This list will only contain |
| 264 | configured entries, not any entries learned from |
| 265 | any transport protocols."; |
| 266 | leaf name { |
| 267 | type group-name-type; |
| 268 | description |
| 269 | "Group name associated with this entry."; |
| 270 | } |
| 271 | leaf-list user-name { |
| 272 | type user-name-type; |
| 273 | description |
| 274 | "Each entry identifies the username of |
| 275 | a member of the group associated with |
| 276 | this entry."; |
| 277 | } |
| 278 | } |
| 279 | } |
| 280 | list rule-list { |
| 281 | key "name"; |
| 282 | ordered-by user; |
| 283 | description |
| 284 | "An ordered collection of access control rules."; |
| 285 | leaf name { |
| 286 | type string { |
| 287 | length "1..max"; |
| 288 | } |
| 289 | description |
| 290 | "Arbitrary name assigned to the rule-list."; |
| 291 | } |
| 292 | leaf-list group { |
| 293 | type union { |
| 294 | type matchall-string-type; |
| 295 | type group-name-type; |
| 296 | } |
| 297 | description |
| 298 | "List of administrative groups that will be |
| 299 | assigned the associated access rights |
| 300 | defined by the 'rule' list. |
| 301 | |
| 302 | The string '*' indicates that all groups apply to the |
| 303 | entry."; |
| 304 | } |
| 305 | list rule { |
| 306 | key "name"; |
| 307 | ordered-by user; |
| 308 | description |
| 309 | "One access control rule. |
| 310 | |
| 311 | Rules are processed in user-defined order until a match is |
| 312 | found. A rule matches if 'module-name', 'rule-type', and |
| 313 | 'access-operations' match the request. If a rule |
| 314 | matches, the 'action' leaf determines if access is granted |
| 315 | or not."; |
| 316 | leaf name { |
| 317 | type string { |
| 318 | length "1..max"; |
| 319 | } |
| 320 | description |
| 321 | "Arbitrary name assigned to the rule."; |
| 322 | } |
| 323 | leaf module-name { |
| 324 | type union { |
| 325 | type matchall-string-type; |
| 326 | type string; |
| 327 | } |
| 328 | default "*"; |
| 329 | description |
| 330 | "Name of the module associated with this rule. |
| 331 | |
| 332 | This leaf matches if it has the value '*' or if the |
| 333 | object being accessed is defined in the module with the |
| 334 | specified module name."; |
| 335 | } |
| 336 | choice rule-type { |
| 337 | description |
| 338 | "This choice matches if all leafs present in the rule |
| 339 | match the request. If no leafs are present, the |
| 340 | choice matches all requests."; |
| 341 | case protocol-operation { |
| 342 | leaf rpc-name { |
| 343 | type union { |
| 344 | type matchall-string-type; |
| 345 | type string; |
| 346 | } |
| 347 | description |
| 348 | "This leaf matches if it has the value '*' or if |
| 349 | its value equals the requested protocol operation |
| 350 | name."; |
| 351 | } |
| 352 | } |
| 353 | case notification { |
| 354 | leaf notification-name { |
| 355 | type union { |
| 356 | type matchall-string-type; |
| 357 | type string; |
| 358 | } |
| 359 | description |
| 360 | "This leaf matches if it has the value '*' or if its |
| 361 | value equals the requested notification name."; |
| 362 | } |
| 363 | } |
| 364 | case data-node { |
| 365 | leaf path { |
| 366 | type node-instance-identifier; |
| 367 | mandatory true; |
| 368 | description |
| 369 | "Data Node Instance Identifier associated with the |
| 370 | data node controlled by this rule. |
| 371 | |
| 372 | Configuration data or state data instance |
| 373 | identifiers start with a top-level data node. A |
| 374 | complete instance identifier is required for this |
| 375 | type of path value. |
| 376 | |
| 377 | The special value '/' refers to all possible |
| 378 | datastore contents."; |
| 379 | } |
| 380 | } |
| 381 | } |
| 382 | leaf access-operations { |
| 383 | type union { |
| 384 | type matchall-string-type; |
| 385 | type access-operations-type; |
| 386 | } |
| 387 | default "*"; |
| 388 | description |
| 389 | "Access operations associated with this rule. |
| 390 | |
| 391 | This leaf matches if it has the value '*' or if the |
| 392 | bit corresponding to the requested operation is set."; |
| 393 | } |
| 394 | leaf action { |
| 395 | type action-type; |
| 396 | mandatory true; |
| 397 | description |
| 398 | "The access control action associated with the |
| 399 | rule. If a rule is determined to match a |
| 400 | particular request, then this object is used |
| 401 | to determine whether to permit or deny the |
| 402 | request."; |
| 403 | } |
| 404 | leaf comment { |
| 405 | type string; |
| 406 | description |
| 407 | "A textual description of the access rule."; |
| 408 | } |
| 409 | } |
| 410 | } |
| 411 | } |
| 412 | } |