| module openconfig-aaa { |
| |
| yang-version "1"; |
| |
| // namespace |
| namespace "http://openconfig.net/yang/aaa"; |
| |
| prefix "oc-aaa"; |
| |
| // import some basic types |
| import openconfig-extensions { prefix oc-ext; } |
| import ietf-inet-types { prefix inet; } |
| import ietf-yang-types { prefix yang; } |
| import openconfig-aaa-types { prefix oc-aaa-types; } |
| |
| include openconfig-aaa-tacacs; |
| include openconfig-aaa-radius; |
| |
| |
| // meta |
| organization "OpenConfig working group"; |
| |
| contact |
| "OpenConfig working group |
| www.openconfig.net"; |
| |
| description |
| "This module defines configuration and operational state data |
| related to authorization, authentication, and accounting (AAA) |
| management. |
| |
| Portions of this model reuse data definitions or structure from |
| RFC 7317 - A YANG Data Model for System Management"; |
| |
| oc-ext:openconfig-version "0.2.0"; |
| |
| revision "2017-07-06" { |
| description |
| "Move to oc-inet types, add IETF attribution, add RADIUS |
| counters, changed password leaf names to indicate hashed"; |
| reference "0.2.0"; |
| } |
| |
| revision "2017-01-29" { |
| description |
| "Initial public release"; |
| reference "0.1.0"; |
| } |
| |
| // identity statements |
| |
| // grouping statements |
| grouping aaa-servergroup-common-config { |
| description |
| "Configuration data for AAA server groups"; |
| |
| leaf name { |
| type string; |
| description |
| "Name for the server group"; |
| } |
| |
| leaf type { |
| type identityref { |
| base oc-aaa-types:AAA_SERVER_TYPE; |
| } |
| description |
| "AAA server type -- all servers in the group must be of this |
| type"; |
| } |
| } |
| |
| grouping aaa-servergroup-common-state { |
| description |
| "Operational state data for AAA server groups"; |
| |
| //TODO: add list of group members as opstate |
| } |
| |
| grouping aaa-servergroup-common-top { |
| description |
| "Top-level grouping for AAA server groups"; |
| |
| container server-groups { |
| description |
| "Enclosing container for AAA server groups"; |
| |
| list server-group { |
| key "name"; |
| description |
| "List of AAA server groups. All servers in a group |
| must have the same type as indicated by the server |
| type."; |
| |
| leaf name { |
| type leafref { |
| path "../config/name"; |
| } |
| description |
| "Reference to configured name of the server group"; |
| } |
| |
| container config { |
| description |
| "Configuration data for each server group"; |
| |
| uses aaa-servergroup-common-config; |
| } |
| |
| container state { |
| config false; |
| |
| description |
| "Operational state data for each server group"; |
| |
| uses aaa-servergroup-common-config; |
| uses aaa-servergroup-common-state; |
| } |
| |
| uses aaa-server-top; |
| } |
| } |
| } |
| |
| grouping aaa-server-config { |
| description |
| "Common configuration data for AAA servers"; |
| |
| leaf name { |
| type string; |
| description |
| "Name assigned to the server"; |
| } |
| |
| |
| // 'address' is the key of the 'server' list in aaa-server-top, so a |
| // server is identified by its IP address, not by 'name'. Only the |
| // address and a response timeout are modelled here; any port or shared |
| // secret is expected to come from a protocol-specific grouping. |
| leaf address { |
| type inet:ip-address; |
| description "Address of the authentication server"; |
| } |
| |
| // No 'default' is declared, so the behaviour when timeout is absent or |
| // set to 0 is implementation-defined -- NOTE(review): confirm the |
| // platform fallback, since an unbounded wait on a dead server stalls |
| // the authentication-method chain. |
| leaf timeout { |
| type uint16; |
| units seconds; |
| description |
| "Set the timeout in seconds on responses from the AAA |
| server"; |
| } |
| } |
| |
| grouping aaa-server-state { |
| description |
| "Common operational state data for AAA servers"; |
| |
| // All leaves are yang:counter64 values kept by the network element from |
| // its own side of the connection to each server. Counters wrap rather |
| // than reset, so consumers should work with deltas between samples. |
| // A rising ratio of failures/timeouts to opens is the useful signal for |
| // detecting an unreachable or misconfigured server. |
| leaf connection-opens { |
| type yang:counter64; |
| description |
| "Number of new connection requests sent to the server, e.g. |
| socket open"; |
| } |
| |
| leaf connection-closes { |
| type yang:counter64; |
| description |
| "Number of connection close requests sent to the server, e.g. |
| socket close"; |
| } |
| |
| leaf connection-aborts { |
| type yang:counter64; |
| description |
| "Number of aborted connections to the server. These do |
| not include connections that are close gracefully."; |
| } |
| |
| leaf connection-failures { |
| type yang:counter64; |
| description |
| "Number of connection failures to the server"; |
| } |
| |
| leaf connection-timeouts { |
| type yang:counter64; |
| description |
| "Number of connection timeouts to the server"; |
| } |
| |
| leaf messages-sent { |
| type yang:counter64; |
| description |
| "Number of messages sent to the server"; |
| } |
| |
| // NOTE(review): "received by the server" reads as the server-side view, |
| // which this element cannot observe; the sibling leaves are worded from |
| // the element's side ("sent to", "received from") -- confirm intent. |
| leaf messages-received { |
| type yang:counter64; |
| description |
| "Number of messages received by the server"; |
| } |
| |
| leaf errors-received { |
| type yang:counter64; |
| description |
| "Number of error messages received from the server"; |
| } |
| |
| } |
| |
| grouping aaa-server-top { |
| description |
| "Top-level grouping for list of AAA servers"; |
| |
| container servers { |
| description |
| "Enclosing container for the list of servers"; |
| |
| list server { |
| key "address"; |
| description |
| "List of AAA servers"; |
| |
| leaf address { |
| type leafref { |
| path "../config/address"; |
| } |
| description |
| "Reference to the configured address of the AAA server"; |
| } |
| |
| container config { |
| description |
| "Configuration data "; |
| |
| uses aaa-server-config; |
| } |
| |
| container state { |
| config false; |
| |
| description |
| "Operational state data "; |
| |
| uses aaa-server-config; |
| uses aaa-server-state; |
| } |
| uses aaa-tacacs-server-top; |
| uses aaa-radius-server-top; |
| } |
| } |
| } |
| |
| grouping aaa-admin-config { |
| description |
| "Configuration data for the system built-in |
| administrator / root user account"; |
| |
| // The cleartext form of the secret. oc-ext:openconfig-hashed-value marks |
| // the leaf as one whose value must be hashed before it is stored; the |
| // description forbids storing the cleartext at all. The cleartext still |
| // transits the management channel, so that channel has to be encrypted. |
| // This grouping is also instantiated under a config-false 'state' |
| // container (see aaa-authentication-admin-top) -- NOTE(review): confirm |
| // that reading the state tree returns the hashed form or nothing, never |
| // the cleartext that was written. |
| leaf admin-password { |
| type string; |
| oc-ext:openconfig-hashed-value; |
| description |
| "The admin/root password, supplied as a cleartext string. |
| The system should hash and only store the password as a |
| hashed value."; |
| } |
| |
| // Alternative to admin-password for callers that pre-hash the secret; |
| // the accepted hash notation is defined by crypt-password-type in |
| // openconfig-aaa-types and is not visible in this module. Nothing here |
| // prevents both leaves being set in one request -- precedence is |
| // implementation-defined. |
| leaf admin-password-hashed { |
| type oc-aaa-types:crypt-password-type; |
| description |
| "The admin/root password, supplied as a hashed value |
| using the notation described in the definition of the |
| crypt-password-type."; |
| } |
| } |
| |
| grouping aaa-admin-state { |
| description |
| "Operational state data for the root user"; |
| |
| leaf admin-username { |
| type string; |
| description |
| "Name of the administrator user account, e.g., admin, root, |
| etc."; |
| } |
| } |
| |
| grouping aaa-authentication-admin-top { |
| description |
| "Top-level grouping for root user configuration and state |
| data"; |
| |
| container admin-user { |
| description |
| "Top-level container for the system root or admin user |
| configuration and operational state"; |
| |
| container config { |
| description |
| "Configuration data for the root user account"; |
| |
| uses aaa-admin-config; |
| } |
| |
| container state { |
| config false; |
| |
| description |
| "Operational state data for the root user account"; |
| |
| uses aaa-admin-config; |
| uses aaa-admin-state; |
| } |
| } |
| } |
| grouping aaa-authentication-user-config { |
| description |
| "Configuration data for local users"; |
| |
| leaf username { |
| type string; |
| description |
| "Assigned username for this user"; |
| } |
| |
| // Cleartext form of the user secret; the description requires the |
| // system to store only the hash, and oc-ext:openconfig-hashed-value |
| // tags the leaf accordingly. Like aaa-admin-config, this grouping is |
| // reused under a config-false 'state' container, so implementations |
| // must not echo the cleartext there. |
| leaf password { |
| type string; |
| oc-ext:openconfig-hashed-value; |
| description |
| "The user password, supplied as cleartext. The system |
| must hash the value and only store the hashed value."; |
| } |
| |
| // Pre-hashed alternative to 'password'; the hash format is defined by |
| // crypt-password-type in openconfig-aaa-types. |
| leaf password-hashed { |
| type oc-aaa-types:crypt-password-type; |
| description |
| "The user password, supplied as a hashed value |
| using the notation described in the definition of the |
| crypt-password-type."; |
| } |
| |
| // A single plain string, so one key per user and no format validation |
| // at the schema level. NOTE(review): the description admits DSA keys, |
| // which current OpenSSH releases disable by default; an implementation |
| // may need to reject or warn on DSA keys -- confirm against the platform. |
| leaf ssh-key { |
| type string; |
| description |
| "SSH public key for the user (RSA or DSA)"; |
| } |
| |
| // The union accepts any free-form string in addition to the |
| // SYSTEM_DEFINED_ROLES identities. Nothing in this module checks that |
| // a string names a role that exists on the device, so the implementation |
| // should validate it and reject unknown roles rather than silently |
| // granting an unexpected privilege level. |
| leaf role { |
| type union { |
| type string; |
| type identityref { |
| base oc-aaa-types:SYSTEM_DEFINED_ROLES; |
| } |
| } |
| description |
| "Role assigned to the user. The role may be supplied |
| as a string or a role defined by the SYSTEM_DEFINED_ROLES |
| identity."; |
| } |
| } |
| |
| grouping aaa-authentication-user-state { |
| description |
| "Operational state data for local users"; |
| } |
| |
| grouping aaa-authentication-user-top { |
| description |
| "Top-level grouping for local users"; |
| |
| container users { |
| description |
| "Enclosing container for the list of local users"; |
| |
| list user { |
| key "username"; |
| description |
| "List of local users on the system"; |
| |
| leaf username { |
| type leafref { |
| path "../config/username"; |
| } |
| description |
| "References the configured username for the user"; |
| } |
| |
| container config { |
| description |
| "Configuration data for local users"; |
| |
| uses aaa-authentication-user-config; |
| } |
| |
| container state { |
| config false; |
| |
| description |
| "Operational state data for local users"; |
| |
| uses aaa-authentication-user-config; |
| uses aaa-authentication-user-state; |
| } |
| } |
| |
| } |
| } |
| |
| grouping aaa-accounting-methods-common { |
| description |
| "Common definitions for accounting methods"; |
| |
| leaf-list accounting-method { |
| type union { |
| type identityref { |
| base oc-aaa-types:AAA_METHOD_TYPE; |
| } |
| type string; |
| //TODO: in YANG 1.1 this should be converted to a leafref to |
| //point to the server group name. |
| } |
| description |
| "The method used for AAA accounting for this event |
| type. The method is defined by the destination for |
| accounting data, which may be specified as the group of |
| all TACACS+/RADIUS servers, a defined server group, or |
| the local system."; |
| } |
| } |
| |
| |
| grouping aaa-accounting-events-config { |
| description |
| "Configuration data for AAA accounting events"; |
| |
| leaf event-type { |
| type identityref { |
| base oc-aaa-types:AAA_ACCOUNTING_EVENT_TYPE; |
| } |
| description |
| "The type of activity to record at the AAA accounting |
| server"; |
| } |
| |
| leaf record { |
| type enumeration { |
| enum START_STOP { |
| description |
| "Send START record to the accounting server at the |
| beginning of the activity, and STOP record at the |
| end of the activity."; |
| } |
| enum STOP { |
| description |
| "Send STOP record to the accounting server when the |
| user activity completes"; |
| } |
| } |
| description |
| "Type of record to send to the accounting server for this |
| activity type"; |
| } |
| } |
| |
| grouping aaa-accounting-events-state { |
| description |
| "Operational state data for accounting events"; |
| } |
| |
| grouping aaa-accounting-events-top { |
| description |
| "Top-level grouping for accounting events"; |
| |
| container events { |
| description |
| "Enclosing container for defining handling of events |
| for accounting"; |
| |
| list event { |
| key "event-type"; |
| description |
| "List of events subject to accounting"; |
| |
| leaf event-type { |
| type leafref { |
| path "../config/event-type"; |
| } |
| description |
| "Reference to the event-type being logged at the |
| accounting server"; |
| } |
| |
| container config { |
| description |
| "Configuration data for accounting events"; |
| |
| uses aaa-accounting-events-config; |
| } |
| |
| container state { |
| config false; |
| |
| description |
| "Operational state data for accounting events"; |
| |
| uses aaa-accounting-events-config; |
| uses aaa-accounting-events-state; |
| } |
| } |
| } |
| } |
| |
| grouping aaa-accounting-config { |
| description |
| "Configuration data for event accounting"; |
| |
| uses aaa-accounting-methods-common; |
| |
| } |
| |
| grouping aaa-accounting-state { |
| description |
| "Operational state data for event accounting services"; |
| } |
| |
| grouping aaa-accounting-top { |
| description |
| "Top-level grouping for user activity accounting"; |
| |
| container accounting { |
| description |
| "Top-level container for AAA accounting"; |
| |
| container config { |
| description |
| "Configuration data for user activity accounting."; |
| |
| uses aaa-accounting-config; |
| } |
| |
| container state { |
| config false; |
| |
| description |
| "Operational state data for user accounting."; |
| |
| uses aaa-accounting-config; |
| uses aaa-accounting-state; |
| } |
| |
| uses aaa-accounting-events-top; |
| |
| } |
| } |
| |
| grouping aaa-authorization-methods-config { |
| description |
| "Common definitions for authorization methods for global |
| and per-event type"; |
| |
| leaf-list authorization-method { |
| type union { |
| type identityref { |
| base oc-aaa-types:AAA_METHOD_TYPE; |
| } |
| type string; |
| } |
| description |
| "Ordered list of methods for authorizing commands. The first |
| method that provides a response (positive or negative) should |
| be used. The list may contain a well-defined method such |
| as the set of all TACACS or RADIUS servers, or the name of |
| a defined AAA server group. The system must validate |
| that the named server group exists."; |
| } |
| } |
| |
| grouping aaa-authorization-events-config { |
| description |
| "Configuration data for AAA authorization events"; |
| |
| leaf event-type { |
| type identityref { |
| base oc-aaa-types:AAA_AUTHORIZATION_EVENT_TYPE; |
| } |
| description |
| "The type of event to record at the AAA authorization |
| server"; |
| } |
| } |
| |
| grouping aaa-authorization-events-state { |
| description |
| "Operational state data for AAA authorization events"; |
| } |
| |
| grouping aaa-authorization-events-top { |
| description |
| "Top-level grouping for authorization events"; |
| |
| container events { |
| description |
| "Enclosing container for the set of events subject |
| to authorization"; |
| |
| list event { |
| key "event-type"; |
| description |
| "List of events subject to AAA authorization"; |
| |
| leaf event-type { |
| type leafref { |
| path "../config/event-type"; |
| } |
| description |
| "Reference to the event-type list key"; |
| } |
| |
| container config { |
| description |
| "Configuration data for each authorized event"; |
| |
| uses aaa-authorization-events-config; |
| } |
| |
| container state { |
| config false; |
| |
| description |
| "Operational state data for each authorized activity"; |
| |
| uses aaa-authorization-events-config; |
| uses aaa-authorization-events-state; |
| } |
| } |
| } |
| } |
| |
| grouping aaa-authorization-config { |
| description |
| "Configuration data for AAA authorization"; |
| |
| uses aaa-authorization-methods-config; |
| } |
| |
| grouping aaa-authorization-state { |
| description |
| "Operational state data for AAA authorization"; |
| } |
| |
| grouping aaa-authorization-top { |
| description |
| "Top-level grouping for AAA authorization"; |
| |
| container authorization { |
| description |
| "Top-level container for AAA authorization configuration |
| and operational state data"; |
| |
| container config { |
| description |
| "Configuration data for authorization based on AAA |
| methods"; |
| |
| uses aaa-authorization-config; |
| } |
| |
| container state { |
| config false; |
| |
| description |
| "Operational state data for authorization based on AAA"; |
| |
| uses aaa-authorization-config; |
| uses aaa-authorization-state; |
| } |
| |
| uses aaa-authorization-events-top; |
| |
| } |
| } |
| |
| grouping aaa-authentication-config { |
| description |
| "Configuration data for global authentication"; |
| |
| // Order matters: 'ordered-by user' below means the operator-supplied |
| // sequence is the fallthrough order. The 'string' member of the union |
| // is meant to name a server group but, in YANG 1.0, is not a leafref |
| // (see the TODO inside the type); unlike authorization-method, the |
| // description here does not require the system to validate the name, |
| // so an implementation should reject references to undefined groups. |
| // Failure semantics are fail-closed per the description: exhausting |
| // every method denies access. |
| leaf-list authentication-method { |
| type union { |
| type identityref { |
| base oc-aaa-types:AAA_METHOD_TYPE; |
| } |
| type string; |
| //TODO: string should be a leafref to a defined |
| //server group. this will be possible in YANG 1.1 |
| //type leafref { |
| //path "/aaa/server-groups/server-group/config/name"; |
| //} |
| } |
| ordered-by user; |
| description |
| "Ordered list of authentication methods for users. This |
| can be either a reference to a server group, or a well- |
| defined designation in the AAA_METHOD_TYPE identity. If |
| authentication fails with one method, the next defined |
| method is tried -- failure of all methods results in the |
| user being denied access."; |
| } |
| } |
| |
| grouping aaa-authentication-state { |
| description |
| "Operational state data for global authentication"; |
| } |
| |
| grouping aaa-authentication-top { |
| description |
| "Top-level grouping for top-level authentication"; |
| |
| container authentication { |
| description |
| "Top-level container for global authentication data"; |
| |
| container config { |
| description |
| "Configuration data for global authentication services"; |
| |
| uses aaa-authentication-config; |
| } |
| |
| container state { |
| config false; |
| |
| description |
| "Operational state data for global authentication |
| services"; |
| |
| uses aaa-authentication-config; |
| uses aaa-authentication-state; |
| } |
| |
| uses aaa-authentication-admin-top; |
| uses aaa-authentication-user-top; |
| } |
| } |
| |
| grouping aaa-config { |
| description |
| "Configuration data for top level AAA"; |
| } |
| |
| grouping aaa-state { |
| description |
| "Operational state data for top level AAA"; |
| } |
| |
| grouping aaa-top { |
| description |
| "Top-level grouping for AAA services"; |
| |
| container aaa { |
| description |
| "Top-level container for AAA services"; |
| |
| container config { |
| description |
| "Configuration data for top level AAA services"; |
| |
| uses aaa-config; |
| } |
| |
| container state { |
| config false; |
| |
| description |
| "Operational state data for top level AAA services "; |
| |
| uses aaa-config; |
| uses aaa-state; |
| } |
| |
| uses aaa-authentication-top; |
| uses aaa-authorization-top; |
| uses aaa-accounting-top; |
| uses aaa-servergroup-common-top; |
| |
| } |
| } |
| |
| |
| |
| // data definition statements |
| |
| |
| } |