blob: 5a68c47b4aa54c7af3642d2ee1c9a88f077dfdcb [file] [log] [blame]
Thomas Vachuska8ca75a22017-08-24 16:12:59 -07001module openconfig-aaa {
2
3 yang-version "1";
4
5 // namespace
6 namespace "http://openconfig.net/yang/aaa";
7
8 prefix "oc-aaa";
9
10 // import some basic types
11 import openconfig-extensions { prefix oc-ext; }
12 import ietf-inet-types { prefix inet; }
13 import ietf-yang-types { prefix yang; }
14 import openconfig-aaa-types { prefix oc-aaa-types; }
15
16 include openconfig-aaa-tacacs;
17 include openconfig-aaa-radius;
18
19
20 // meta
21 organization "OpenConfig working group";
22
23 contact
24 "OpenConfig working group
25 www.openconfig.net";
26
27 description
28 "This module defines configuration and operational state data
29 related to authorization, authentication, and accounting (AAA)
30 management.
31
32 Portions of this model reuse data definitions or structure from
33 RFC 7317 - A YANG Data Model for System Management";
34
35 oc-ext:openconfig-version "0.2.0";
36
37 revision "2017-07-06" {
38 description
39 "Move to oc-inet types, add IETF attribution, add RADIUS
40 counters, changed password leaf names to indicate hashed";
41 reference "0.2.0";
42 }
43
44 revision "2017-01-29" {
45 description
46 "Initial public release";
47 reference "0.1.0";
48 }
49
50 // identity statements
51
52 // grouping statements
53 grouping aaa-servergroup-common-config {
54 description
55 "Configuration data for AAA server groups";
56
57 leaf name {
58 type string;
59 description
60 "Name for the server group";
61 }
62
63 leaf type {
64 type identityref {
65 base oc-aaa-types:AAA_SERVER_TYPE;
66 }
67 description
68 "AAA server type -- all servers in the group must be of this
69 type";
70 }
71 }
72
73 grouping aaa-servergroup-common-state {
74 description
75 "Operational state data for AAA server groups";
76
77 //TODO: add list of group members as opstate
78 }
79
80 grouping aaa-servergroup-common-top {
81 description
82 "Top-level grouping for AAA server groups";
83
84 container server-groups {
85 description
86 "Enclosing container for AAA server groups";
87
88 list server-group {
89 key "name";
90 description
91 "List of AAA server groups. All servers in a group
92 must have the same type as indicated by the server
93 type.";
94
95 leaf name {
96 type leafref {
97 path "../config/name";
98 }
99 description
100 "Reference to configured name of the server group";
101 }
102
103 container config {
104 description
105 "Configuration data for each server group";
106
107 uses aaa-servergroup-common-config;
108 }
109
110 container state {
111 config false;
112
113 description
114 "Operational state data for each server group";
115
116 uses aaa-servergroup-common-config;
117 uses aaa-servergroup-common-state;
118 }
119
120 uses aaa-server-top;
121 }
122 }
123 }
124
125 grouping aaa-server-config {
126 description
127 "Common configuration data for AAA servers";
128
129 leaf name {
130 type string;
131 description
132 "Name assigned to the server";
133 }
134
135
136 leaf address {
137 type inet:ip-address;
138 description "Address of the authentication server";
139 }
140
141 leaf timeout {
142 type uint16;
143 units seconds;
144 description
145 "Set the timeout in seconds on responses from the AAA
146 server";
147 }
148 }
149
150 grouping aaa-server-state {
151 description
152 "Common operational state data for AAA servers";
153
154 leaf connection-opens {
155 type yang:counter64;
156 description
157 "Number of new connection requests sent to the server, e.g.
158 socket open";
159 }
160
161 leaf connection-closes {
162 type yang:counter64;
163 description
164 "Number of connection close requests sent to the server, e.g.
165 socket close";
166 }
167
168 leaf connection-aborts {
169 type yang:counter64;
170 description
171 "Number of aborted connections to the server. These do
172 not include connections that are close gracefully.";
173 }
174
175 leaf connection-failures {
176 type yang:counter64;
177 description
178 "Number of connection failures to the server";
179 }
180
181 leaf connection-timeouts {
182 type yang:counter64;
183 description
184 "Number of connection timeouts to the server";
185 }
186
187 leaf messages-sent {
188 type yang:counter64;
189 description
190 "Number of messages sent to the server";
191 }
192
193 leaf messages-received {
194 type yang:counter64;
195 description
196 "Number of messages received by the server";
197 }
198
199 leaf errors-received {
200 type yang:counter64;
201 description
202 "Number of error messages received from the server";
203 }
204
205 }
206
207 grouping aaa-server-top {
208 description
209 "Top-level grouping for list of AAA servers";
210
211 container servers {
212 description
213 "Enclosing container the list of servers";
214
215 list server {
216 key "address";
217 description
218 "List of AAA servers";
219
220 leaf address {
221 type leafref {
222 path "../config/address";
223 }
224 description
225 "Reference to the configured address of the AAA server";
226 }
227
228 container config {
229 description
230 "Configuration data ";
231
232 uses aaa-server-config;
233 }
234
235 container state {
236 config false;
237
238 description
239 "Operational state data ";
240
241 uses aaa-server-config;
242 uses aaa-server-state;
243 }
244 uses aaa-tacacs-server-top;
245 uses aaa-radius-server-top;
246 }
247 }
248 }
249
250 grouping aaa-admin-config {
251 description
252 "Configuration data for the system built-in
253 administrator / root user account";
254
255 leaf admin-password {
256 type string;
257 oc-ext:openconfig-hashed-value;
258 description
259 "The admin/root password, supplied as a cleartext string.
260 The system should hash and only store the password as a
261 hashed value.";
262 }
263
264 leaf admin-password-hashed {
265 type oc-aaa-types:crypt-password-type;
266 description
267 "The admin/root password, supplied as a hashed value
268 using the notation described in the definition of the
269 crypt-password-type.";
270 }
271 }
272
273 grouping aaa-admin-state {
274 description
275 "Operational state data for the root user";
276
277 leaf admin-username {
278 type string;
279 description
280 "Name of the administrator user account, e.g., admin, root,
281 etc.";
282 }
283 }
284
285 grouping aaa-authentication-admin-top {
286 description
287 "Top-level grouping for root user configuration and state
288 data";
289
290 container admin-user {
291 description
292 "Top-level container for the system root or admin user
293 configuration and operational state";
294
295 container config {
296 description
297 "Configuration data for the root user account";
298
299 uses aaa-admin-config;
300 }
301
302 container state {
303 config false;
304
305 description
306 "Operational state data for the root user account";
307
308 uses aaa-admin-config;
309 uses aaa-admin-state;
310 }
311 }
312 }
313 grouping aaa-authentication-user-config {
314 description
315 "Configuration data for local users";
316
317 leaf username {
318 type string;
319 description
320 "Assigned username for this user";
321 }
322
323 leaf password {
324 type string;
325 oc-ext:openconfig-hashed-value;
326 description
327 "The user password, supplied as cleartext. The system
328 must hash the value and only store the hashed value.";
329 }
330
331 leaf password-hashed {
332 type oc-aaa-types:crypt-password-type;
333 description
334 "The user password, supplied as a hashed value
335 using the notation described in the definition of the
336 crypt-password-type.";
337 }
338
339 leaf ssh-key {
340 type string;
341 description
342 "SSH public key for the user (RSA or DSA)";
343 }
344
345 leaf role {
346 type union {
347 type string;
348 type identityref {
349 base oc-aaa-types:SYSTEM_DEFINED_ROLES;
350 }
351 }
352 description
353 "Role assigned to the user. The role may be supplied
354 as a string or a role defined by the SYSTEM_DEFINED_ROLES
355 identity.";
356 }
357 }
358
359 grouping aaa-authentication-user-state {
360 description
361 "Operational state data for local users";
362 }
363
364 grouping aaa-authentication-user-top {
365 description
366 "Top-level grouping for local users";
367
368 container users {
369 description
370 "Enclosing container list of local users";
371
372 list user {
373 key "username";
374 description
375 "List of local users on the system";
376
377 leaf username {
378 type leafref {
379 path "../config/username";
380 }
381 description
382 "References the configured username for the user";
383 }
384
385 container config {
386 description
387 "Configuration data for local users";
388
389 uses aaa-authentication-user-config;
390 }
391
392 container state {
393 config false;
394
395 description
396 "Operational state data for local users";
397
398 uses aaa-authentication-user-config;
399 uses aaa-authentication-user-state;
400 }
401 }
402
403 }
404 }
405
406 grouping aaa-accounting-methods-common {
407 description
408 "Common definitions for accounting methods";
409
410 leaf-list accounting-method {
411 type union {
412 type identityref {
413 base oc-aaa-types:AAA_METHOD_TYPE;
414 }
415 type string;
416 //TODO: in YANG 1.1 this should be converted to a leafref to
417 //point to the server group name.
418 }
419 description
420 "The method used for AAA accounting for this event
421 type. The method is defined by the destination for
422 accounting data, which may be specified as the group of
423 all TACACS+/RADIUS servers, a defined server group, or
424 the local system.";
425 }
426 }
427
428
429 grouping aaa-accounting-events-config {
430 description
431 "Configuration data for AAA accounting events";
432
433 leaf event-type {
434 type identityref {
435 base oc-aaa-types:AAA_ACCOUNTING_EVENT_TYPE;
436 }
437 description
438 "The type of activity to record at the AAA accounting
439 server";
440 }
441
442 leaf record {
443 type enumeration {
444 enum START_STOP {
445 description
446 "Send START record to the accounting server at the
447 beginning of the activity, and STOP record at the
448 end of the activity.";
449 }
450 enum STOP {
451 description
452 "Send STOP record to the accounting server when the
453 user activity completes";
454 }
455 }
456 description
457 "Type of record to send to the accounting server for this
458 activity type";
459 }
460 }
461
462 grouping aaa-accounting-events-state {
463 description
464 "Operational state data for accounting events";
465 }
466
467 grouping aaa-accounting-events-top {
468 description
469 "Top-level grouping for accounting events";
470
471 container events {
472 description
473 "Enclosing container for defining handling of events
474 for accounting";
475
476 list event {
477 key "event-type";
478 description
479 "List of events subject to accounting";
480
481 leaf event-type {
482 type leafref {
483 path "../config/event-type";
484 }
485 description
486 "Reference to the event-type being logged at the
487 accounting server";
488 }
489
490 container config {
491 description
492 "Configuration data for accounting events";
493
494 uses aaa-accounting-events-config;
495 }
496
497 container state {
498 config false;
499
500 description
501 "Operational state data for accounting events";
502
503 uses aaa-accounting-events-config;
504 uses aaa-accounting-events-state;
505 }
506 }
507 }
508 }
509
510 grouping aaa-accounting-config {
511 description
512 "Configuration data for event accounting";
513
514 uses aaa-accounting-methods-common;
515
516 }
517
518 grouping aaa-accounting-state {
519 description
520 "Operational state data for event accounting services";
521 }
522
523 grouping aaa-accounting-top {
524 description
525 "Top-level grouping for user activity accounting";
526
527 container accounting {
528 description
529 "Top-level container for AAA accounting";
530
531 container config {
532 description
533 "Configuration data for user activity accounting.";
534
535 uses aaa-accounting-config;
536 }
537
538 container state {
539 config false;
540
541 description
542 "Operational state data for user accounting.";
543
544 uses aaa-accounting-config;
545 uses aaa-accounting-state;
546 }
547
548 uses aaa-accounting-events-top;
549
550 }
551 }
552
553 grouping aaa-authorization-methods-config {
554 description
555 "Common definitions for authorization methods for global
556 and per-event type";
557
558 leaf-list authorization-method {
559 type union {
560 type identityref {
561 base oc-aaa-types:AAA_METHOD_TYPE;
562 }
563 type string;
564 }
565 description
566 "Ordered list of methods for authorizing commands. The first
567 method that provides a response (positive or negative) should
568 be used. The list may contain a well-defined method such
569 as the set of all TACACS or RADIUS servers, or the name of
570 a defined AAA server group. The system must validate
571 that the named server group exists.";
572 }
573 }
574
575 grouping aaa-authorization-events-config {
576 description
577 "Configuration data for AAA authorization events";
578
579 leaf event-type {
580 type identityref {
581 base oc-aaa-types:AAA_AUTHORIZATION_EVENT_TYPE;
582 }
583 description
584 "The type of event to record at the AAA authorization
585 server";
586 }
587 }
588
589 grouping aaa-authorization-events-state {
590 description
591 "Operational state data for AAA authorization events";
592 }
593
594 grouping aaa-authorization-events-top {
595 description
596 "Top-level grouping for authorization events";
597
598 container events {
599 description
600 "Enclosing container for the set of events subject
601 to authorization";
602
603 list event {
604 key "event-type";
605 description
606 "List of events subject to AAA authorization";
607
608 leaf event-type {
609 type leafref {
610 path "../config/event-type";
611 }
612 description
613 "Reference to the event-type list key";
614 }
615
616 container config {
617 description
618 "Configuration data for each authorized event";
619
620 uses aaa-authorization-events-config;
621 }
622
623 container state {
624 config false;
625
626 description
627 "Operational state data for each authorized activity";
628
629 uses aaa-authorization-events-config;
630 uses aaa-authorization-events-state;
631 }
632 }
633 }
634 }
635
636 grouping aaa-authorization-config {
637 description
638 "Configuration data for AAA authorization";
639
640 uses aaa-authorization-methods-config;
641 }
642
643 grouping aaa-authorization-state {
644 description
645 "Operational state data for AAA authorization";
646 }
647
648 grouping aaa-authorization-top {
649 description
650 "Top-level grouping for AAA authorization";
651
652 container authorization {
653 description
654 "Top-level container for AAA authorization configuration
655 and operational state data";
656
657 container config {
658 description
659 "Configuration data for authorization based on AAA
660 methods";
661
662 uses aaa-authorization-config;
663 }
664
665 container state {
666 config false;
667
668 description
669 "Operational state data for authorization based on AAA";
670
671 uses aaa-authorization-config;
672 uses aaa-authorization-state;
673 }
674
675 uses aaa-authorization-events-top;
676
677 }
678 }
679
680 grouping aaa-authentication-config {
681 description
682 "Configuration data for global authentication";
683
684 leaf-list authentication-method {
685 type union {
686 type identityref {
687 base oc-aaa-types:AAA_METHOD_TYPE;
688 }
689 type string;
690 //TODO: string should be a leafref to a defined
691 //server group. this will be possible in YANG 1.1
692 //type leafref {
693 //path "/aaa/server-groups/server-group/config/name";
694 //}
695 }
696 ordered-by user;
697 description
698 "Ordered list of authentication methods for users. This
699 can be either a reference to a server group, or a well-
700 defined designation in the AAA_METHOD_TYPE identity. If
701 authentication fails with one method, the next defined
702 method is tried -- failure of all methods results in the
703 user being denied access.";
704 }
705 }
706
707 grouping aaa-authentication-state {
708 description
709 "Operational state data for global authentication";
710 }
711
712 grouping aaa-authentication-top {
713 description
714 "Top-level grouping for top-level authentication";
715
716 container authentication {
717 description
718 "Top-level container for global authentication data";
719
720 container config {
721 description
722 "Configuration data for global authentication services";
723
724 uses aaa-authentication-config;
725 }
726
727 container state {
728 config false;
729
730 description
731 "Operational state data for global authentication
732 services";
733
734 uses aaa-authentication-config;
735 uses aaa-authentication-state;
736 }
737
738 uses aaa-authentication-admin-top;
739 uses aaa-authentication-user-top;
740 }
741 }
742
743 grouping aaa-config {
744 description
745 "Configuration data for top level AAA";
746 }
747
748 grouping aaa-state {
749 description
750 "Operational state data for top level AAA";
751 }
752
753 grouping aaa-top {
754 description
755 "Top-level grouping for AAA services";
756
757 container aaa {
758 description
759 "Top-level container for AAA services";
760
761 container config {
762 description
763 "Configuration data for top level AAA services";
764
765 uses aaa-config;
766 }
767
768 container state {
769 config false;
770
771 description
772 "Operational state data for top level AAA services ";
773
774 uses aaa-config;
775 uses aaa-state;
776 }
777
778 uses aaa-authentication-top;
779 uses aaa-authorization-top;
780 uses aaa-accounting-top;
781 uses aaa-servergroup-common-top;
782
783 }
784 }
785
786
787
788 // data definition statements
789
790
791}