Blame - tools/lint/examples/ietf-netconf-acm-when.yin - github/CESNET/libyang

blob: cbff758703bcb1422202ecbca518ea441e4c7ffc [file] [log] [blame]

Radek Krejci	ed5acc5	2019-04-25 15:57:04 +0200	[diff] [blame]	1	<?xml version="1.0" encoding="UTF-8"?>
				2	<module xmlns="urn:ietf:params:xml:ns:yang:yin:1" xmlns:nacm="urn:ietf:params:xml:ns:yang:ietf-netconf-acm" xmlns:yang="urn:ietf:params:xml:ns:yang:ietf-yang-types" name="ietf-netconf-acm-when">
				3	<namespace uri="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"/>
				4	<prefix value="nacm"/>
				5	<import module="ietf-yang-types">
				6	<prefix value="yang"/>
				7	</import>
				8	<organization>
				9	<text>IETF NETCONF (Network Configuration) Working Group</text>
				10	</organization>
				11	<contact>
				12	<text>WG Web: <http://tools.ietf.org/wg/netconf/>
				13	WG List: <mailto:netconf@ietf.org>
				14
				15	WG Chair: Mehmet Ersue
				16	<mailto:mehmet.ersue@nsn.com>
				17
				18	WG Chair: Bert Wijnen
				19	<mailto:bertietf@bwijnen.net>
				20
				21	Editor: Andy Bierman
				22	<mailto:andy@yumaworks.com>
				23
				24	Editor: Martin Bjorklund
				25	<mailto:mbj@tail-f.com></text>
				26	</contact>
				27	<description>
				28	<text>NETCONF Access Control Model.
				29
				30	Copyright (c) 2012 IETF Trust and the persons identified as
				31	authors of the code. All rights reserved.
				32
				33	Redistribution and use in source and binary forms, with or
				34	without modification, is permitted pursuant to, and subject
				35	to the license terms contained in, the Simplified BSD
				36	License set forth in Section 4.c of the IETF Trust's
				37	Legal Provisions Relating to IETF Documents
				38	(http://trustee.ietf.org/license-info).
				39
				40	This version of this YANG module is part of RFC 6536; see
				41	the RFC itself for full legal notices.</text>
				42	</description>
				43	<revision date="2012-02-22">
				44	<description>
				45	<text>Initial version</text>
				46	</description>
				47	<reference>
				48	<text>RFC 6536: Network Configuration Protocol (NETCONF)
				49	Access Control Model</text>
				50	</reference>
				51	</revision>
				52	<extension name="default-deny-write">
				53	<description>
				54	<text>Used to indicate that the data model node
				55	represents a sensitive security system parameter.
				56
				57	If present, and the NACM module is enabled (i.e.,
				58	/nacm/enable-nacm object equals 'true'), the NETCONF server
				59	will only allow the designated 'recovery session' to have
				60	write access to the node. An explicit access control rule is
				61	required for all other users.
				62
				63	The 'default-deny-write' extension MAY appear within a data
				64	definition statement. It is ignored otherwise.</text>
				65	</description>
				66	</extension>
				67	<extension name="default-deny-all">
				68	<description>
				69	<text>Used to indicate that the data model node
				70	controls a very sensitive security system parameter.
				71
				72	If present, and the NACM module is enabled (i.e.,
				73	/nacm/enable-nacm object equals 'true'), the NETCONF server
				74	will only allow the designated 'recovery session' to have
				75	read, write, or execute access to the node. An explicit
				76	access control rule is required for all other users.
				77
				78	The 'default-deny-all' extension MAY appear within a data
				79	definition statement, 'rpc' statement, or 'notification'
				80	statement. It is ignored otherwise.</text>
				81	</description>
				82	</extension>
				83	<typedef name="user-name-type">
				84	<type name="string">
				85	<length value="1..max"/>
				86	</type>
				87	<description>
				88	<text>General Purpose Username string.</text>
				89	</description>
				90	</typedef>
				91	<typedef name="matchall-string-type">
				92	<type name="string">
				93	<pattern value="\*"/>
				94	</type>
				95	<description>
				96	<text>The string containing a single asterisk '*' is used
				97	to conceptually represent all possible values
				98	for the particular leaf using this data type.</text>
				99	</description>
				100	</typedef>
				101	<typedef name="access-operations-type">
				102	<type name="bits">
				103	<bit name="create">
				104	<description>
				105	<text>Any protocol operation that creates a
				106	new data node.</text>
				107	</description>
				108	</bit>
				109	<bit name="read">
				110	<description>
				111	<text>Any protocol operation or notification that
				112	returns the value of a data node.</text>
				113	</description>
				114	</bit>
				115	<bit name="update">
				116	<description>
				117	<text>Any protocol operation that alters an existing
				118	data node.</text>
				119	</description>
				120	</bit>
				121	<bit name="delete">
				122	<description>
				123	<text>Any protocol operation that removes a data node.</text>
				124	</description>
				125	</bit>
				126	<bit name="exec">
				127	<description>
				128	<text>Execution access to the specified protocol operation.</text>
				129	</description>
				130	</bit>
				131	</type>
				132	<description>
				133	<text>NETCONF Access Operation.</text>
				134	</description>
				135	</typedef>
				136	<typedef name="group-name-type">
				137	<type name="string">
				138	<length value="1..max"/>
				139	<pattern value="[^\]."/>
				140	</type>
				141	<description>
				142	<text>Name of administrative group to which
				143	users can be assigned.</text>
				144	</description>
				145	</typedef>
				146	<typedef name="action-type">
				147	<type name="enumeration">
				148	<enum name="permit">
				149	<description>
				150	<text>Requested action is permitted.</text>
				151	</description>
				152	</enum>
				153	<enum name="deny">
				154	<description>
				155	<text>Requested action is denied.</text>
				156	</description>
				157	</enum>
				158	</type>
				159	<description>
				160	<text>Action taken by the server when a particular
				161	rule matches.</text>
				162	</description>
				163	</typedef>
				164	<typedef name="node-instance-identifier">
				165	<type name="yang:xpath1.0"/>
				166	<description>
				167	<text>Path expression used to represent a special
				168	data node instance identifier string.
				169
				170	A node-instance-identifier value is an
				171	unrestricted YANG instance-identifier expression.
				172	All the same rules as an instance-identifier apply
				173	except predicates for keys are optional. If a key
				174	predicate is missing, then the node-instance-identifier
				175	represents all possible server instances for that key.
				176
				177	This XPath expression is evaluated in the following context:
				178
				179	o The set of namespace declarations are those in scope on
				180	the leaf element where this type is used.
				181
				182	o The set of variable bindings contains one variable,
				183	'USER', which contains the name of the user of the current
				184	session.
				185
				186	o The function library is the core function library, but
				187	note that due to the syntax restrictions of an
				188	instance-identifier, no functions are allowed.
				189
				190	o The context node is the root node in the data tree.</text>
				191	</description>
				192	</typedef>
				193	<container name="nacm">
				194	<nacm:default-deny-all/>
				195	<description>
				196	<text>Parameters for NETCONF Access Control Model.</text>
				197	</description>
				198	<leaf name="enable-nacm">
				199	<type name="boolean"/>
				200	<default value="true"/>
				201	<description>
				202	<text>Enables or disables all NETCONF access control
				203	enforcement. If 'true', then enforcement
				204	is enabled. If 'false', then enforcement
				205	is disabled.</text>
				206	</description>
				207	</leaf>
				208	<leaf name="read-default">
				209	<type name="action-type"/>
				210	<default value="permit"/>
				211	<description>
				212	<text>Controls whether read access is granted if
				213	no appropriate rule is found for a
				214	particular read request.</text>
				215	</description>
				216	</leaf>
				217	<leaf name="write-default">
				218	<type name="action-type"/>
				219	<default value="deny"/>
				220	<description>
				221	<text>Controls whether create, update, or delete access
				222	is granted if no appropriate rule is found for a
				223	particular write request.</text>
				224	</description>
				225	</leaf>
				226	<leaf name="exec-default">
				227	<type name="action-type"/>
				228	<default value="permit"/>
				229	<description>
				230	<text>Controls whether exec access is granted if no appropriate
				231	rule is found for a particular protocol operation request.</text>
				232	</description>
				233	</leaf>
				234	<leaf name="enable-external-groups">
				235	<type name="boolean"/>
				236	<default value="true"/>
				237	<description>
				238	<text>Controls whether the server uses the groups reported by the
				239	NETCONF transport layer when it assigns the user to a set of
				240	NACM groups. If this leaf has the value 'false', any group
				241	names reported by the transport layer are ignored by the
				242	server.</text>
				243	</description>
				244	</leaf>
				245	<leaf name="denied-operations">
				246	<type name="yang:zero-based-counter32"/>
				247	<config value="false"/>
				248	<mandatory value="true"/>
				249	<description>
				250	<text>Number of times since the server last restarted that a
				251	protocol operation request was denied.</text>
				252	</description>
				253	</leaf>
				254	<leaf name="denied-data-writes">
				255	<type name="yang:zero-based-counter32"/>
				256	<config value="false"/>
				257	<mandatory value="true"/>
				258	<when value="../denied-operations > 0"/>
				259	<description>
				260	<text>Number of times since the server last restarted that a
				261	protocol operation request to alter
				262	a configuration datastore was denied.</text>
				263	</description>
				264	</leaf>
				265	<leaf name="denied-notifications">
				266	<type name="yang:zero-based-counter32"/>
				267	<config value="false"/>
				268	<mandatory value="true"/>
				269	<description>
				270	<text>Number of times since the server last restarted that
				271	a notification was dropped for a subscription because
				272	access to the event type was denied.</text>
				273	</description>
				274	</leaf>
				275	<container name="groups">
				276	<description>
				277	<text>NETCONF Access Control Groups.</text>
				278	</description>
				279	<list name="group">
				280	<key value="name"/>
				281	<description>
				282	<text>One NACM Group Entry. This list will only contain
				283	configured entries, not any entries learned from
				284	any transport protocols.</text>
				285	</description>
				286	<leaf name="name">
				287	<type name="group-name-type"/>
				288	<description>
				289	<text>Group name associated with this entry.</text>
				290	</description>
				291	</leaf>
				292	<leaf-list name="user-name">
				293	<type name="user-name-type"/>
				294	<description>
				295	<text>Each entry identifies the username of
				296	a member of the group associated with
				297	this entry.</text>
				298	</description>
				299	</leaf-list>
				300	</list>
				301	</container>
				302	<list name="rule-list">
				303	<key value="name"/>
				304	<ordered-by value="user"/>
				305	<description>
				306	<text>An ordered collection of access control rules.</text>
				307	</description>
				308	<leaf name="name">
				309	<type name="string">
				310	<length value="1..max"/>
				311	</type>
				312	<description>
				313	<text>Arbitrary name assigned to the rule-list.</text>
				314	</description>
				315	</leaf>
				316	<leaf-list name="group">
				317	<type name="union">
				318	<type name="matchall-string-type"/>
				319	<type name="group-name-type"/>
				320	</type>
				321	<description>
				322	<text>List of administrative groups that will be
				323	assigned the associated access rights
				324	defined by the 'rule' list.
				325
				326	The string '*' indicates that all groups apply to the
				327	entry.</text>
				328	</description>
				329	</leaf-list>
				330	<list name="rule">
				331	<key value="name"/>
				332	<ordered-by value="user"/>
				333	<description>
				334	<text>One access control rule.
				335
				336	Rules are processed in user-defined order until a match is
				337	found. A rule matches if 'module-name', 'rule-type', and
				338	'access-operations' match the request. If a rule
				339	matches, the 'action' leaf determines if access is granted
				340	or not.</text>
				341	</description>
				342	<leaf name="name">
				343	<type name="string">
				344	<length value="1..max"/>
				345	</type>
				346	<description>
				347	<text>Arbitrary name assigned to the rule.</text>
				348	</description>
				349	</leaf>
				350	<leaf name="module-name">
				351	<type name="union">
				352	<type name="matchall-string-type"/>
				353	<type name="string"/>
				354	</type>
				355	<default value="*"/>
				356	<description>
				357	<text>Name of the module associated with this rule.
				358
				359	This leaf matches if it has the value '*' or if the
				360	object being accessed is defined in the module with the
				361	specified module name.</text>
				362	</description>
				363	</leaf>
				364	<choice name="rule-type">
				365	<description>
				366	<text>This choice matches if all leafs present in the rule
				367	match the request. If no leafs are present, the
				368	choice matches all requests.</text>
				369	</description>
				370	<case name="protocol-operation">
				371	<leaf name="rpc-name">
				372	<type name="union">
				373	<type name="matchall-string-type"/>
				374	<type name="string"/>
				375	</type>
				376	<description>
				377	<text>This leaf matches if it has the value '*' or if
				378	its value equals the requested protocol operation
				379	name.</text>
				380	</description>
				381	</leaf>
				382	</case>
				383	<case name="notification">
				384	<leaf name="notification-name">
				385	<type name="union">
				386	<type name="matchall-string-type"/>
				387	<type name="string"/>
				388	</type>
				389	<description>
				390	<text>This leaf matches if it has the value '*' or if its
				391	value equals the requested notification name.</text>
				392	</description>
				393	</leaf>
				394	</case>
				395	<case name="data-node">
				396	<leaf name="path">
				397	<type name="node-instance-identifier"/>
				398	<mandatory value="true"/>
				399	<description>
				400	<text>Data Node Instance Identifier associated with the
				401	data node controlled by this rule.
				402
				403	Configuration data or state data instance
				404	identifiers start with a top-level data node. A
				405	complete instance identifier is required for this
				406	type of path value.
				407
				408	The special value '/' refers to all possible
				409	datastore contents.</text>
				410	</description>
				411	</leaf>
				412	</case>
				413	</choice>
				414	<leaf name="access-operations">
				415	<type name="union">
				416	<type name="matchall-string-type"/>
				417	<type name="access-operations-type"/>
				418	</type>
				419	<default value="*"/>
				420	<description>
				421	<text>Access operations associated with this rule.
				422
				423	This leaf matches if it has the value '*' or if the
				424	bit corresponding to the requested operation is set.</text>
				425	</description>
				426	</leaf>
				427	<leaf name="action">
				428	<type name="action-type"/>
				429	<mandatory value="true"/>
				430	<description>
				431	<text>The access control action associated with the
				432	rule. If a rule is determined to match a
				433	particular request, then this object is used
				434	to determine whether to permit or deny the
				435	request.</text>
				436	</description>
				437	</leaf>
				438	<leaf name="comment">
				439	<type name="string"/>
				440	<description>
				441	<text>A textual description of the access rule.</text>
				442	</description>
				443	</leaf>
				444	</list>
				445	</list>
				446	</container>
				447	</module>