module ietf-netconf-acm-when2 {

  // NETCONF Access Control Model (NACM) data model.
  //
  // NOTE(review): the module name carries a "-when2" suffix, while the
  // namespace and the description text below are those of the RFC 6536
  // module "ietf-netconf-acm". This looks like a derived test fixture
  // (see the 'when' statement on denied-data-writes further down).
  // Two modules claiming the same namespace will collide in a server
  // that loads both, so this variant presumably belongs to a test suite
  // and not to a production module set — confirm with its owner.

  namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";
  prefix nacm;

  import ietf-yang-types {
    prefix yang;
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group";
  contact
    "WG Web: <http://tools.ietf.org/wg/netconf/>
     WG List: <mailto:netconf@ietf.org>

     WG Chair: Mehmet Ersue
     <mailto:mehmet.ersue@nsn.com>

     WG Chair: Bert Wijnen
     <mailto:bertietf@bwijnen.net>

     Editor: Andy Bierman
     <mailto:andy@yumaworks.com>

     Editor: Martin Bjorklund
     <mailto:mbj@tail-f.com>";
  description
    "NETCONF Access Control Model.

     Copyright (c) 2012 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 6536; see
     the RFC itself for full legal notices.";

  revision 2012-02-22 {
    description
      "Initial version";
    reference
      "RFC 6536: Network Configuration Protocol (NETCONF)
       Access Control Model";
  }

  // Marker extensions. They carry no data themselves; a module author
  // places them on sensitive nodes so that, while /nacm/enable-nacm is
  // 'true', only the recovery session gets access unless an explicit
  // rule grants it to someone else. Both descriptions make the marker
  // conditional on NACM being enabled, so they offer no protection at
  // all once enable-nacm is set to 'false'.

  extension default-deny-write {
    description
      "Used to indicate that the data model node
       represents a sensitive security system parameter.

       If present, and the NACM module is enabled (i.e.,
       /nacm/enable-nacm object equals 'true'), the NETCONF server
       will only allow the designated 'recovery session' to have
       write access to the node. An explicit access control rule is
       required for all other users.

       The 'default-deny-write' extension MAY appear within a data
       definition statement. It is ignored otherwise.";
  }

  // Stronger than default-deny-write: read and exec access are also
  // withheld by default, and the marker may be applied to rpc and
  // notification statements, not only data nodes.
  extension default-deny-all {
    description
      "Used to indicate that the data model node
       controls a very sensitive security system parameter.

       If present, and the NACM module is enabled (i.e.,
       /nacm/enable-nacm object equals 'true'), the NETCONF server
       will only allow the designated 'recovery session' to have
       read, write, or execute access to the node. An explicit
       access control rule is required for all other users.

       The 'default-deny-all' extension MAY appear within a data
       definition statement, 'rpc' statement, or 'notification'
       statement. It is ignored otherwise.";
  }

  // Non-empty username. No other restriction is placed on the
  // characters, so '*' is a syntactically valid username here.
  typedef user-name-type {
    type string {
      length "1..max";
    }
    description
      "General Purpose Username string.";
  }

  // The YANG string "\\*" is the regex \* : exactly one literal '*'.
  // Used in unions below as the "match everything" wildcard.
  typedef matchall-string-type {
    type string {
      pattern "\\*";
    }
    description
      "The string containing a single asterisk '*' is used
       to conceptually represent all possible values
       for the particular leaf using this data type.";
  }

  // Bit set of the operations a rule can match; 'read' also covers
  // notification delivery per the bit description.
  typedef access-operations-type {
    type bits {
      bit create {
        description
          "Any protocol operation that creates a
           new data node.";
      }
      bit read {
        description
          "Any protocol operation or notification that
           returns the value of a data node.";
      }
      bit update {
        description
          "Any protocol operation that alters an existing
           data node.";
      }
      bit delete {
        description
          "Any protocol operation that removes a data node.";
      }
      bit exec {
        description
          "Execution access to the specified protocol operation.";
      }
    }
    description
      "NETCONF Access Operation.";
  }

  // The pattern [^\*].* forbids a LEADING '*' only. This keeps a
  // configured group name from ever being confused with the match-all
  // wildcard in rule-list/group (whose union tries the wildcard type
  // first); a '*' later in the name is still permitted.
  typedef group-name-type {
    type string {
      length "1..max";
      pattern "[^\\*].*";
    }
    description
      "Name of administrative group to which
       users can be assigned.";
  }

  typedef action-type {
    type enumeration {
      enum "permit" {
        description
          "Requested action is permitted.";
      }
      enum "deny" {
        description
          "Requested action is denied.";
      }
    }
    description
      "Action taken by the server when a particular
       rule matches.";
  }

  // Instance-identifier-like XPath used by data-node rules. The $USER
  // variable binding described below is what allows a single rule to
  // be scoped to "the requesting user's own" entries; the function
  // library is effectively empty because of the instance-identifier
  // syntax restriction.
  typedef node-instance-identifier {
    type yang:xpath1.0;
    description
      "Path expression used to represent a special
       data node instance identifier string.

       A node-instance-identifier value is an
       unrestricted YANG instance-identifier expression.
       All the same rules as an instance-identifier apply
       except predicates for keys are optional. If a key
       predicate is missing, then the node-instance-identifier
       represents all possible server instances for that key.

       This XPath expression is evaluated in the following context:

       o The set of namespace declarations are those in scope on
       the leaf element where this type is used.

       o The set of variable bindings contains one variable,
       'USER', which contains the name of the user of the current
       session.

       o The function library is the core function library, but
       note that due to the syntax restrictions of an
       instance-identifier, no functions are allowed.

       o The context node is the root node in the data tree.";
  }

  container nacm {
    // The entire /nacm subtree is tagged default-deny-all: while
    // enforcement is on, only the recovery session can read, write or
    // execute anything under it unless a rule explicitly permits another
    // group. This is what stops an ordinary user from reading the policy
    // or flipping enable-nacm to 'false'.
    nacm:default-deny-all;
    description
      "Parameters for NETCONF Access Control Model.";

    // Master switch. 'false' disables every check in this model,
    // including the default-deny-* markers (their descriptions are
    // conditional on this leaf being 'true').
    leaf enable-nacm {
      type boolean;
      default "true";
      description
        "Enables or disables all NETCONF access control
         enforcement. If 'true', then enforcement
         is enabled. If 'false', then enforcement
         is disabled.";
    }

    // Permissive default: a read that matches no rule is allowed, so
    // sensitive state is readable by any authenticated user unless it
    // sits under a default-deny-all node or a deny rule covers it.
    leaf read-default {
      type action-type;
      default "permit";
      description
        "Controls whether read access is granted if
         no appropriate rule is found for a
         particular read request.";
    }

    // Restrictive default for create/update/delete: writes need an
    // explicit permit rule.
    leaf write-default {
      type action-type;
      default "deny";
      description
        "Controls whether create, update, or delete access
         is granted if no appropriate rule is found for a
         particular write request.";
    }

    // Permissive default: any RPC that matches no rule may be executed.
    // Sensitive operations therefore need a deny rule or the
    // nacm:default-deny-all marker on their rpc statement.
    leaf exec-default {
      type action-type;
      default "permit";
      description
        "Controls whether exec access is granted if no appropriate
         rule is found for a particular protocol operation request.";
    }

    // Trust-boundary knob: with 'true' (the default), group names
    // asserted by the transport layer — outside this model's control —
    // feed directly into rule matching. Set to 'false' where the
    // transport's group source is not trusted to be authoritative.
    leaf enable-external-groups {
      type boolean;
      default "true";
      description
        "Controls whether the server uses the groups reported by the
         NETCONF transport layer when it assigns the user to a set of
         NACM groups. If this leaf has the value 'false', any group
         names reported by the transport layer are ignored by the
         server.";
    }

    // Read-only denial counters (reset on restart). Worth monitoring:
    // a rising count from one session is a cheap signal of a client
    // probing for access it does not hold.
    leaf denied-operations {
      type yang:zero-based-counter32;
      config false;
      mandatory true;
      description
        "Number of times since the server last restarted that a
         protocol operation request was denied.";
    }
    leaf denied-data-writes {
      type yang:zero-based-counter32;
      config false;
      mandatory true;
      // NOTE(review): this 'when' makes the leaf exist only once at
      // least one denial has been counted in ../denied-operations, so a
      // monitoring client must tolerate its absence rather than treat a
      // missing leaf as an error or as zero. A 'mandatory true' leaf
      // under a 'when' is legal YANG (mandatory applies only while the
      // condition holds). The "-when2" suffix on the module name
      // presumably refers to this statement, i.e. it is a test construct
      // layered onto the RFC text quoted in the description.
      when "../denied-operations > 0";
      description
        "Number of times since the server last restarted that a
         protocol operation request to alter
         a configuration datastore was denied.";
    }
    leaf denied-notifications {
      type yang:zero-based-counter32;
      config false;
      mandatory true;
      description
        "Number of times since the server last restarted that
         a notification was dropped for a subscription because
         access to the event type was denied.";
    }

    // Locally configured group membership only. Groups learned from the
    // transport (see enable-external-groups) are not visible here, so
    // this list is not a complete picture of effective membership.
    container groups {
      description
        "NETCONF Access Control Groups.";
      list group {
        key "name";
        description
          "One NACM Group Entry. This list will only contain
           configured entries, not any entries learned from
           any transport protocols.";
        leaf name {
          type group-name-type;
          description
            "Group name associated with this entry.";
        }
        leaf-list user-name {
          type user-name-type;
          description
            "Each entry identifies the username of
             a member of the group associated with
             this entry.";
        }
      }
    }

    // Policy proper. Both this list and the nested 'rule' list are
    // ordered-by user and evaluated first-match-wins (see the 'rule'
    // description), so ORDER is part of the security policy: a broad
    // permit placed ahead of a narrower deny silently wins.
    list rule-list {
      key "name";
      ordered-by user;
      description
        "An ordered collection of access control rules.";
      leaf name {
        type string {
          length "1..max";
        }
        description
          "Arbitrary name assigned to the rule-list.";
      }

      // Groups this rule-list applies to; the single value '*' applies
      // it to every group (the union tries matchall-string-type first).
      leaf-list group {
        type union {
          type matchall-string-type;
          type group-name-type;
        }
        description
          "List of administrative groups that will be
           assigned the associated access rights
           defined by the 'rule' list.

           The string '*' indicates that all groups apply to the
           entry.";
      }

      // Because module-name and access-operations default to '*' and an
      // absent rule-type case matches all requests, a rule that carries
      // only 'name' and 'action' matches EVERY request for the listed
      // groups. Such catch-all rules deserve extra review, especially
      // when action is 'permit'.
      list rule {
        key "name";
        ordered-by user;
        description
          "One access control rule.

           Rules are processed in user-defined order until a match is
           found. A rule matches if 'module-name', 'rule-type', and
           'access-operations' match the request. If a rule
           matches, the 'action' leaf determines if access is granted
           or not.";
        leaf name {
          type string {
            length "1..max";
          }
          description
            "Arbitrary name assigned to the rule.";
        }

        // Defaults to the wildcard, i.e. the rule is not restricted to
        // one module unless a name is given.
        leaf module-name {
          type union {
            type matchall-string-type;
            type string;
          }
          default "*";
          description
            "Name of the module associated with this rule.

             This leaf matches if it has the value '*' or if the
             object being accessed is defined in the module with the
             specified module name.";
        }

        // Optional narrowing to one RPC, one notification, or one data
        // subtree. No case present = matches all requests.
        choice rule-type {
          description
            "This choice matches if all leafs present in the rule
             match the request. If no leafs are present, the
             choice matches all requests.";
          case protocol-operation {
            leaf rpc-name {
              type union {
                type matchall-string-type;
                type string;
              }
              description
                "This leaf matches if it has the value '*' or if
                 its value equals the requested protocol operation
                 name.";
            }
          }
          case notification {
            leaf notification-name {
              type union {
                type matchall-string-type;
                type string;
              }
              description
                "This leaf matches if it has the value '*' or if its
                 value equals the requested notification name.";
            }
          }
          case data-node {
            // Mandatory within its case: a data-node rule must name the
            // subtree it governs. '/' covers the whole datastore, and
            // the $USER variable (see node-instance-identifier) allows
            // per-user scoping of the path.
            leaf path {
              type node-instance-identifier;
              mandatory true;
              description
                "Data Node Instance Identifier associated with the
                 data node controlled by this rule.

                 Configuration data or state data instance
                 identifiers start with a top-level data node. A
                 complete instance identifier is required for this
                 type of path value.

                 The special value '/' refers to all possible
                 datastore contents.";
            }
          }
        }

        // Defaults to the wildcard, so an unqualified rule covers
        // create, read, update, delete and exec alike.
        leaf access-operations {
          type union {
            type matchall-string-type;
            type access-operations-type;
          }
          default "*";
          description
            "Access operations associated with this rule.

             This leaf matches if it has the value '*' or if the
             bit corresponding to the requested operation is set.";
        }

        // Mandatory: every rule must state permit or deny explicitly.
        leaf action {
          type action-type;
          mandatory true;
          description
            "The access control action associated with the
             rule. If a rule is determined to match a
             particular request, then this object is used
             to determine whether to permit or deny the
             request.";
        }
        leaf comment {
          type string;
          description
            "A textual description of the access rule.";
        }
      }
    }
  }
}