| module ietf-system { |
| namespace "urn:ietf:params:xml:ns:yang:ietf-system"; |
| prefix "sys"; |
| |
| import ietf-yang-types { |
| prefix yang; |
| } |
| |
| import ietf-inet-types { |
| prefix inet; |
| } |
| |
| import ietf-netconf-acm { |
| prefix nacm; |
| } |
| |
| import iana-crypt-hash { |
| prefix ianach; |
| } |
| |
| import msea-types { |
| prefix msea; |
| revision-date 2016-02-29; |
| } |
| |
| organization |
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; |
| |
| contact |
| "WG Web: <http://tools.ietf.org/wg/netmod/> |
| WG List: <mailto:netmod@ietf.org> |
| |
| WG Chair: Thomas Nadeau |
| <mailto:tnadeau@lucidvision.com> |
| |
| WG Chair: Juergen Schoenwaelder |
| <mailto:j.schoenwaelder@jacobs-university.de> |
| |
| Editor: Andy Bierman |
| <mailto:andy@yumaworks.com> |
| |
| Editor: Martin Bjorklund |
| <mailto:mbj@tail-f.com>"; |
| |
| description |
| "This module contains a collection of YANG definitions for the |
| configuration and identification of some common system |
| properties within a device containing a NETCONF server. This |
| includes data node definitions for system identification, |
| time-of-day management, user management, DNS resolver |
| configuration, and some protocol operations for system |
| management. |
| |
| Copyright (c) 2014 IETF Trust and the persons identified as |
| authors of the code. All rights reserved. |
| |
| Redistribution and use in source and binary forms, with or |
| without modification, is permitted pursuant to, and subject |
| to the license terms contained in, the Simplified BSD License |
| set forth in Section 4.c of the IETF Trust's Legal Provisions |
| Relating to IETF Documents |
| (http://trustee.ietf.org/license-info). |
| |
| This version of this YANG module is part of RFC 7317; see |
| the RFC itself for full legal notices."; |
| |
| revision 2014-08-06 { |
| description |
| "Initial revision."; |
| reference |
| "RFC 7317: A YANG Data Model for System Management"; |
| } |
| |
| /* |
| * Typedefs |
| */ |
| |
| typedef timezone-name { |
| type string; |
| description |
| "A time zone name as used by the Time Zone Database, |
| sometimes referred to as the 'Olson Database'. |
| |
| The exact set of valid values is an implementation-specific |
| matter. Client discovery of the exact set of time zone names |
| for a particular server is out of scope."; |
| reference |
| "RFC 6557: Procedures for Maintaining the Time Zone Database"; |
| } |
| |
| /* |
| * Features |
| */ |
| |
| feature radius { |
| description |
| "Indicates that the device can be configured as a RADIUS |
| client."; |
| reference |
| "RFC 2865: Remote Authentication Dial In User Service (RADIUS)"; |
| } |
| |
| feature authentication { |
| description |
| "Indicates that the device supports configuration of |
| user authentication."; |
| } |
| |
| feature local-users { |
| if-feature authentication; |
| description |
| "Indicates that the device supports configuration of |
| local user authentication."; |
| } |
| |
| feature radius-authentication { |
| if-feature radius; |
| if-feature authentication; |
| description |
| "Indicates that the device supports configuration of user |
| authentication over RADIUS."; |
| reference |
| "RFC 2865: Remote Authentication Dial In User Service (RADIUS) |
| RFC 5607: Remote Authentication Dial-In User Service (RADIUS) |
| Authorization for Network Access Server (NAS) |
| Management"; |
| } |
| |
| feature ntp { |
| description |
| "Indicates that the device can be configured to use one or |
| more NTP servers to set the system date and time."; |
| } |
| |
| feature ntp-udp-port { |
| if-feature ntp; |
| description |
| "Indicates that the device supports the configuration of |
| the UDP port for NTP servers. |
| |
| This is a 'feature', since many implementations do not support |
| any port other than the default port."; |
| } |
| |
| feature timezone-name { |
| description |
| "Indicates that the local time zone on the device |
| can be configured to use the TZ database |
| to set the time zone and manage daylight saving time."; |
| reference |
| "RFC 6557: Procedures for Maintaining the Time Zone Database"; |
| } |
| |
| feature dns-udp-tcp-port { |
| description |
| "Indicates that the device supports the configuration of |
| the UDP and TCP port for DNS servers. |
| |
| This is a 'feature', since many implementations do not support |
| any port other than the default port."; |
| } |
| |
| /* |
| * Identities |
| */ |
| |
| identity authentication-method { |
| description |
| "Base identity for user authentication methods."; |
| } |
| |
| identity radius { |
| base authentication-method; |
| description |
| "Indicates user authentication using RADIUS."; |
| reference |
| "RFC 2865: Remote Authentication Dial In User Service (RADIUS) |
| RFC 5607: Remote Authentication Dial-In User Service (RADIUS) |
| Authorization for Network Access Server (NAS) |
| Management"; |
| } |
| |
| identity local-users { |
| base authentication-method; |
| description |
| "Indicates password-based authentication of locally |
| configured users."; |
| } |
| |
| identity radius-authentication-type { |
| description |
| "Base identity for RADIUS authentication types."; |
| } |
| |
| identity radius-pap { |
| base radius-authentication-type; |
| description |
| "The device requests Password Authentication Protocol (PAP) |
| authentication from the RADIUS server."; |
| reference |
| "RFC 2865: Remote Authentication Dial In User Service (RADIUS)"; |
| } |
| |
| identity radius-chap { |
| base radius-authentication-type; |
| description |
| "The device requests Challenge Handshake Authentication |
| Protocol (CHAP) authentication from the RADIUS server."; |
| reference |
| "RFC 2865: Remote Authentication Dial In User Service (RADIUS)"; |
| } |
| |
| /* |
| * Configuration data nodes |
| */ |
| |
| container system { |
| description |
| "System group configuration."; |
| |
| leaf contact { |
| type string; |
| description |
| "The administrator contact information for the system. |
| |
| A server implementation MAY map this leaf to the sysContact |
| MIB object. Such an implementation needs to use some |
| mechanism to handle the differences in size and characters |
| allowed between this leaf and sysContact. The definition of |
| such a mechanism is outside the scope of this document."; |
| reference |
| "RFC 3418: Management Information Base (MIB) for the |
| Simple Network Management Protocol (SNMP) |
| SNMPv2-MIB.sysContact"; |
| } |
| |
| leaf hostname { |
| type inet:domain-name; |
| description |
| "The name of the host. This name can be a single domain |
| label or the fully qualified domain name of the host."; |
| |
| } |
| |
| leaf location { |
| type string; |
| description |
| "The system location. |
| |
| A server implementation MAY map this leaf to the sysLocation |
| MIB object. Such an implementation needs to use some |
| mechanism to handle the differences in size and characters |
| allowed between this leaf and sysLocation. The definition |
| of such a mechanism is outside the scope of this document."; |
| |
| reference |
| "RFC 3418: Management Information Base (MIB) for the |
| Simple Network Management Protocol (SNMP) |
| SNMPv2-MIB.sysLocation"; |
| } |
| |
| container clock { |
| description |
| "Configuration of the system date and time properties."; |
| |
| choice timezone { |
| description |
| "The system time zone information."; |
| |
| case timezone-name { |
| if-feature timezone-name; |
| leaf timezone-name { |
| type timezone-name; |
| description |
| "The TZ database name to use for the system, such |
| as 'Europe/Stockholm'."; |
| } |
| } |
| case timezone-utc-offset { |
| leaf timezone-utc-offset { |
| type int16 { |
| range "-1500 .. 1500"; |
| } |
| units "minutes"; |
| description |
| "The number of minutes to add to UTC time to |
| identify the time zone for this system. For example, |
| 'UTC - 8:00 hours' would be represented as '-480'. |
| Note that automatic daylight saving time adjustment |
| is not provided if this object is used."; |
| } |
| } |
| } |
| } |
| |
| container ntp { |
| if-feature ntp; |
| presence |
| "Enables the NTP client unless the 'enabled' leaf |
| (which defaults to 'true') is set to 'false'"; |
| description |
| "Configuration of the NTP client."; |
| |
| leaf enabled { |
| type boolean; |
| default true; |
| description |
| "Indicates that the system should attempt to |
| synchronize the system clock with an NTP server |
| from the 'ntp/server' list."; |
| } |
| list server { |
| key name; |
| max-elements 3; |
| description |
| "List of NTP servers to use for system clock |
| synchronization. If '/system/ntp/enabled' |
| is 'true', then the system will attempt to |
| contact and utilize the specified NTP servers. |
| If DHCP retrieves NTP servers then these values |
| are used in addition to those"; |
| |
| leaf name { |
| type string; |
| description |
| "An arbitrary name for the NTP server."; |
| } |
| choice transport { |
| mandatory true; |
| description |
| "The transport-protocol-specific parameters for this |
| server."; |
| |
| case udp { |
| container udp { |
| description |
| "Contains UDP-specific configuration parameters |
| for NTP."; |
| leaf address { |
| type inet:host; |
| mandatory true; |
| description |
| "The address of the NTP server."; |
| } |
| // leaf port { |
| // if-feature ntp-udp-port; |
| // type inet:port-number; |
| // default 123; |
| // description |
| // "The port number of the NTP server."; |
| // } |
| } |
| } |
| } |
| |
| // leaf association-type { //These elements are omitted because MSEA1000 does not support these options |
| // type enumeration { |
| // enum server { |
| // description |
| // "Use client association mode. This device |
| // will not provide synchronization to the |
| // configured NTP server."; |
| // } |
| // enum peer { |
| // description |
| // "Use symmetric active association mode. |
| // This device may provide synchronization |
| // to the configured NTP server."; |
| // } |
| // enum pool { |
| // description |
| // "Use client association mode with one or |
| // more of the NTP servers found by DNS |
| // resolution of the domain name given by |
| // the 'address' leaf. This device will not |
| // provide synchronization to the servers."; |
| // } |
| // } |
| // default server; |
| // description |
| // "The desired association type for this NTP server."; |
| // } |
| // leaf iburst { |
| // type boolean; |
| // default false; |
| // description |
| // "Indicates whether this server should enable burst |
| // synchronization or not."; |
| // } |
| // leaf prefer { |
| // type boolean; |
| // default false; |
| // description |
| // "Indicates whether this server should be preferred |
| // or not."; |
| // } |
| } |
| } |
| |
| container dns-resolver { |
| presence "If defined enables the DNS servers to be configured."; |
| |
| description |
| "Configuration of the DNS resolver. If DHCP retrieves DNS |
| servers or search domains then these values are used in |
| addition to those"; |
| |
| leaf-list search { |
| type inet:domain-name; |
| max-elements 3; |
| ordered-by user; |
| description |
| "An ordered list of domains to search when resolving |
| a host name."; |
| } |
| list server { |
| key name; |
| max-elements 3; |
| ordered-by user; |
| description |
| "List of the DNS servers that the resolver should query. |
| |
| When the resolver is invoked by a calling application, it |
| sends the query to the first name server in this list. If |
| no response has been received within 'timeout' seconds, |
| the resolver continues with the next server in the list. |
| If no response is received from any server, the resolver |
| continues with the first server again. When the resolver |
| has traversed the list 'attempts' times without receiving |
| any response, it gives up and returns an error to the |
| calling application. |
| |
| Implementations MAY limit the number of entries in this |
| list."; |
| |
| leaf name { |
| type string; |
| description |
| "An arbitrary name for the DNS server."; |
| } |
| choice transport { |
| mandatory true; |
| description |
| "The transport-protocol-specific parameters for this |
| server."; |
| |
| case udp-and-tcp { |
| container udp-and-tcp { |
| description |
| "Contains UDP- and TCP-specific configuration |
| parameters for DNS."; |
| reference |
| "RFC 1035: Domain Names - Implementation and |
| Specification |
| RFC 5966: DNS Transport over TCP - Implementation |
| Requirements"; |
| |
| leaf address { |
| type inet:ip-address; |
| mandatory true; |
| description |
| "The address of the DNS server."; |
| } |
| // leaf port { |
| // if-feature dns-udp-tcp-port; |
| // type inet:port-number; |
| // default 53; |
| // description |
| // "The UDP and TCP port number of the DNS server."; |
| // } |
| } |
| } |
| } |
| } |
| // container options { //These elements are omitted because MSEA1000 does not support these options |
| // description |
| // "Resolver options. The set of available options has been |
| // limited to those that are generally available across |
| // different resolver implementations and generally useful."; |
| // leaf timeout { |
| // type uint8 { |
| // range "1..max"; |
| // } |
| // units "seconds"; |
| // default "5"; |
| // description |
| // "The amount of time the resolver will wait for a |
| // response from each remote name server before |
| // retrying the query via a different name server."; |
| // } |
| // leaf attempts { |
| // type uint8 { |
| // range "1..max"; |
| // } |
| // default "2"; |
| // description |
| // "The number of times the resolver will send a query to |
| // all of its name servers before giving up and returning |
| // an error to the calling application."; |
| // } |
| // } |
| } |
| |
| container radius { |
| if-feature radius; |
| |
| description |
| "Configuration of the RADIUS client."; |
| |
| list server { |
| key name; |
| ordered-by user; |
| description |
| "List of RADIUS servers used by the device. |
| |
| When the RADIUS client is invoked by a calling |
| application, it sends the query to the first server in |
| this list. If no response has been received within |
| 'timeout' seconds, the client continues with the next |
| server in the list. If no response is received from any |
| server, the client continues with the first server again. |
| When the client has traversed the list 'attempts' times |
| without receiving any response, it gives up and returns an |
| error to the calling application."; |
| |
| leaf name { |
| type string; |
| description |
| "An arbitrary name for the RADIUS server."; |
| } |
| choice transport { |
| mandatory true; |
| description |
| "The transport-protocol-specific parameters for this |
| server."; |
| |
| case udp { |
| container udp { |
| description |
| "Contains UDP-specific configuration parameters |
| for RADIUS."; |
| leaf address { |
| type inet:host; |
| mandatory true; |
| description |
| "The address of the RADIUS server."; |
| } |
| |
| leaf authentication-port { |
| type inet:port-number; |
| default "1812"; |
| description |
| "The port number of the RADIUS server."; |
| } |
| leaf shared-secret { |
| type string; |
| mandatory true; |
| // nacm:default-deny-all; |
| description |
| "The shared secret, which is known to both the |
| RADIUS client and server."; |
| reference |
| "RFC 2865: Remote Authentication Dial In User |
| Service (RADIUS)"; |
| } |
| } |
| } |
| } |
| leaf authentication-type { |
| type identityref { |
| base radius-authentication-type; |
| } |
| default radius-pap; |
| description |
| "The authentication type requested from the RADIUS |
| server."; |
| } |
| } |
| container options { |
| description |
| "RADIUS client options."; |
| |
| leaf timeout { |
| type uint8 { |
| range "1..max"; |
| } |
| units "seconds"; |
| default "5"; |
| description |
| "The number of seconds the device will wait for a |
| response from each RADIUS server before trying with a |
| different server."; |
| } |
| |
| leaf attempts { |
| type uint8 { |
| range "1..max"; |
| } |
| default "2"; |
| description |
| "The number of times the device will send a query to |
| all of its RADIUS servers before giving up."; |
| } |
| } |
| } |
| |
| container authentication { |
| // nacm:default-deny-write; |
| if-feature authentication; |
| |
| description |
| "The authentication configuration subtree."; |
| |
| leaf-list user-authentication-order { |
| type identityref { |
| base authentication-method; |
| } |
| must '(. != "sys:radius" or ../../radius/server)' { |
| error-message |
| "When 'radius' is used, a RADIUS server" |
| + " must be configured."; |
| description |
| "When 'radius' is used as an authentication method, |
| a RADIUS server must be configured."; |
| } |
| ordered-by user; |
| |
| description |
| "When the device authenticates a user with a password, |
| it tries the authentication methods in this leaf-list in |
| order. If authentication with one method fails, the next |
| method is used. If no method succeeds, the user is |
| denied access. |
| |
| An empty user-authentication-order leaf-list still allows |
| authentication of users using mechanisms that do not |
| involve a password. |
| |
| If the 'radius-authentication' feature is advertised by |
| the NETCONF server, the 'radius' identity can be added to |
| this list. |
| |
| If the 'local-users' feature is advertised by the |
| NETCONF server, the 'local-users' identity can be |
| added to this list."; |
| } |
| |
| list user { |
| if-feature local-users; |
| key name; |
| description |
| "The list of local users configured on this device."; |
| |
| leaf name { |
| type string; |
| description |
| "The user name string identifying this entry."; |
| |
| must ".='netconf' or .='admin' or .='readonly'" { |
| error-message "The set of users is not changeable on this device. Must have admin, netconf and readonly"; |
| error-app-tag "msea-sys-must-01"; |
| } |
| } |
| leaf password { |
| type ianach:crypt-hash; |
| description |
| "The password for this entry."; |
| } |
| list authorized-key { |
| key name; |
| description |
| "A list of public SSH keys for this user. These keys |
| are allowed for SSH authentication, as described in |
| RFC 4253."; |
| reference |
| "RFC 4253: The Secure Shell (SSH) Transport Layer |
| Protocol"; |
| |
| leaf name { |
| type string; |
| description |
| "An arbitrary name for the SSH key."; |
| } |
| |
| leaf algorithm { |
| type string; |
| mandatory true; |
| description |
| "The public key algorithm name for this SSH key. |
| |
| Valid values are the values in the IANA 'Secure Shell |
| (SSH) Protocol Parameters' registry, Public Key |
| Algorithm Names."; |
| reference |
| "IANA 'Secure Shell (SSH) Protocol Parameters' |
| registry, Public Key Algorithm Names"; |
| } |
| leaf key-data { |
| type binary; |
| mandatory true; |
| description |
| "The binary public key data for this SSH key, as |
| specified by RFC 4253, Section 6.6, i.e.: |
| |
| string certificate or public key format |
| identifier |
| byte[n] key/certificate data."; |
| reference |
| "RFC 4253: The Secure Shell (SSH) Transport Layer |
| Protocol"; |
| } |
| } |
| } |
| } |
| } |
| |
| /* |
| * Operational state data nodes |
| */ |
| |
| container system-state { |
| config false; |
| description |
| "System group operational state."; |
| |
| container platform { |
| description |
| "Contains vendor-specific information for |
| identifying the system platform and operating system."; |
| reference |
| "IEEE Std 1003.1-2008 - sys/utsname.h"; |
| |
| leaf os-name { |
| type string; |
| description |
| "The name of the operating system in use - |
| for example, 'Linux'."; |
| reference |
| "IEEE Std 1003.1-2008 - utsname.sysname"; |
| } |
| leaf os-release { |
| type string; |
| description |
| "The current release level of the operating |
| system in use. This string MAY indicate |
| the OS source code revision."; |
| reference |
| "IEEE Std 1003.1-2008 - utsname.release"; |
| } |
| leaf os-version { |
| type string; |
| description |
| "The current version level of the operating |
| system in use. This string MAY indicate |
| the specific OS build date and target variant |
| information."; |
| reference |
| "IEEE Std 1003.1-2008 - utsname.version"; |
| } |
| leaf machine { |
| type string; |
| description |
| "A vendor-specific identifier string representing |
| the hardware in use."; |
| reference |
| "IEEE Std 1003.1-2008 - utsname.machine"; |
| } |
| } |
| |
| container clock { |
| description |
| "Monitoring of the system date and time properties."; |
| |
| leaf current-datetime { |
| type yang:date-and-time; |
| description |
| "The current system date and time."; |
| } |
| |
| leaf boot-datetime { |
| type yang:date-and-time; |
| description |
| "The system date and time when the system last restarted."; |
| } |
| } |
| } |
| |
| rpc set-current-datetime { |
| // nacm:default-deny-all; |
| description |
| "Set the /system-state/clock/current-datetime leaf |
| to the specified value. |
| |
| If the system is using NTP (i.e., /system/ntp/enabled |
| is set to 'true'), then this operation will fail with |
| error-tag 'operation-failed' and error-app-tag value of |
| 'ntp-active'."; |
| input { |
| leaf current-datetime { |
| type yang:date-and-time; |
| mandatory true; |
| description |
| "The current system date and time."; |
| } |
| } |
| } |
| |
| rpc system-restart { |
| // nacm:default-deny-all; |
| description |
| "Request that the entire system be restarted immediately. |
| A server SHOULD send an rpc reply to the client before |
| restarting the system."; |
| input { |
| leaf reset-option { |
| type msea:reset-config-options; |
| description "Optionally specify a parameter that can be |
| used to reset the configuration on the device or |
| reset it to factory defaults"; |
| } |
| } |
| } |
| |
| rpc system-shutdown { |
| // nacm:default-deny-all; |
| description |
| "Request that the entire system be shut down immediately. |
| A server SHOULD send an rpc reply to the client before |
| shutting down the system."; |
| } |
| |
| } |