// Local copy of the NETCONF Access Control Model (NACM) module from
// RFC 6536.  Compared with the RFC text, the two 'extension'
// statements and the 'nacm:default-deny-all;' marking on the /nacm
// container are commented out in this copy (see the notes below);
// all other statements and descriptions are the RFC's.
module ietf-netconf-acm {

  namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";

  prefix nacm;

  import ietf-yang-types {
    prefix yang;
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group";

  contact
    "WG Web: <http://tools.ietf.org/wg/netconf/>
     WG List: <mailto:netconf@ietf.org>

     WG Chair: Mehmet Ersue
     <mailto:mehmet.ersue@nsn.com>

     WG Chair: Bert Wijnen
     <mailto:bertietf@bwijnen.net>

     Editor: Andy Bierman
     <mailto:andy@yumaworks.com>

     Editor: Martin Bjorklund
     <mailto:mbj@tail-f.com>";

  description
    "NETCONF Access Control Model.

     Copyright (c) 2012 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 6536; see
     the RFC itself for full legal notices.";

  revision "2012-02-22" {
    description
      "Initial version;
       Errata ID: 3862 and 3863";
    reference
      "RFC 6536: Network Configuration Protocol (NETCONF)
       Access Control Model";
  }

  /*
   * Extension statements
   *
   * NOTE(review): both extensions are disabled in this copy.  Without
   * them a consumer of this module gets no schema-level signal that a
   * node is a sensitive security parameter; presumably they were
   * removed because the consuming YANG tooling does not handle
   * 'extension' statements -- confirm against the build.
   */

  /*
  extension default-deny-write {
    description
      "Used to indicate that the data model node
       represents a sensitive security system parameter.

       If present, and the NACM module is enabled (i.e.,
       /nacm/enable-nacm object equals 'true'), the NETCONF server
       will only allow the designated 'recovery session' to have
       write access to the node. An explicit access control rule is
       required for all other users.

       The 'default-deny-write' extension MAY appear within a data
       definition statement. It is ignored otherwise.";
  }

  extension default-deny-all {
    description
      "Used to indicate that the data model node
       controls a very sensitive security system parameter.

       If present, and the NACM module is enabled (i.e.,
       /nacm/enable-nacm object equals 'true'), the NETCONF server
       will only allow the designated 'recovery session' to have
       read, write, or execute access to the node. An explicit
       access control rule is required for all other users.

       The 'default-deny-all' extension MAY appear within a data
       definition statement, 'rpc' statement, or 'notification'
       statement. It is ignored otherwise.";
  }
  */

  /*
   * Derived types
   */

  // Non-empty username; no character restrictions beyond length.
  typedef user-name-type {
    type string {
      length "1..max";
    }
    description
      "General Purpose Username string.";
  }

  // Exactly the single character '*'; used inside unions as the
  // "match everything" alternative.
  typedef matchall-string-type {
    type string {
      pattern '\*';
    }
    description
      "The string containing a single asterisk '*' is used
       to conceptually represent all possible values
       for the particular leaf using this data type.";
  }

  // Set of operation kinds a rule applies to; several bits may be
  // set at once.
  typedef access-operations-type {
    type bits {
      bit create {
        description
          "Any protocol operation that creates a
           new data node.";
      }
      bit read {
        description
          "Any protocol operation or notification that
           returns the value of a data node.";
      }
      bit update {
        description
          "Any protocol operation that alters an existing
           data node.";
      }
      bit delete {
        description
          "Any protocol operation that removes a data node.";
      }
      bit exec {
        description
          "Execution access to the specified protocol operation.";
      }
    }
    description
      "NETCONF Access Operation.";
  }

  // Group names may not begin with '*', so they never collide with
  // matchall-string-type when both appear in a union.
  typedef group-name-type {
    type string {
      length "1..max";
      pattern '[^\*].*';
    }
    description
      "Name of administrative group to which
       users can be assigned.";
  }

  typedef action-type {
    type enumeration {
      enum permit {
        description
          "Requested action is permitted.";
      }
      enum deny {
        description
          "Requested action is denied.";
      }
    }
    description
      "Action taken by the server when a particular
       rule matches.";
  }

  typedef node-instance-identifier {
    type yang:xpath1.0;
    description
      "Path expression used to represent a special
       data node instance identifier string.

       A node-instance-identifier value is an
       unrestricted YANG instance-identifier expression.
       All the same rules as an instance-identifier apply
       except predicates for keys are optional. If a key
       predicate is missing, then the node-instance-identifier
       represents all possible server instances for that key.

       This XPath expression is evaluated in the following context:

       o The set of namespace declarations are those in scope on
       the leaf element where this type is used.

       o The set of variable bindings contains one variable,
       'USER', which contains the name of the user of the current
       session.

       o The function library is the core function library, but
       note that due to the syntax restrictions of an
       instance-identifier, no functions are allowed.

       o The context node is the root node in the data tree.";
  }

  /*
   * Data definition statements
   */

  container nacm {
    // NOTE(review): in RFC 6536 this container carries
    // 'nacm:default-deny-all;', restricting read, write and exec
    // access on /nacm to the recovery session unless an explicit
    // rule grants it.  With the marking disabled here, access to
    // the NACM configuration itself (groups, rule-lists) falls back
    // to the *-default leaves below -- in particular read-default
    // 'permit' -- unless a deployment adds an explicit rule-list
    // covering /nacm.  Confirm this is intended.
    // nacm:default-deny-all;

    description
      "Parameters for NETCONF Access Control Model.";

    leaf enable-nacm {
      type boolean;
      default "true";
      description
        "Enables or disables all NETCONF access control
         enforcement. If 'true', then enforcement
         is enabled. If 'false', then enforcement
         is disabled.";
    }

    // Fallback decisions when no rule matches: reads and exec are
    // permitted, writes are denied.
    leaf read-default {
      type action-type;
      default "permit";
      description
        "Controls whether read access is granted if
         no appropriate rule is found for a
         particular read request.";
    }

    leaf write-default {
      type action-type;
      default "deny";
      description
        "Controls whether create, update, or delete access
         is granted if no appropriate rule is found for a
         particular write request.";
    }

    leaf exec-default {
      type action-type;
      default "permit";
      description
        "Controls whether exec access is granted if no appropriate
         rule is found for a particular protocol operation request.";
    }

    leaf enable-external-groups {
      type boolean;
      default "true";
      description
        "Controls whether the server uses the groups reported by the
         NETCONF transport layer when it assigns the user to a set of
         NACM groups. If this leaf has the value 'false', any group
         names reported by the transport layer are ignored by the
         server.";
    }

    // Operational counters (config false) of denied requests; useful
    // as a detection signal for repeated unauthorized attempts.
    leaf denied-operations {
      type yang:zero-based-counter32;
      config false;
      mandatory true;
      description
        "Number of times since the server last restarted that a
         protocol operation request was denied.";
    }

    leaf denied-data-writes {
      type yang:zero-based-counter32;
      config false;
      mandatory true;
      description
        "Number of times since the server last restarted that a
         protocol operation request to alter
         a configuration datastore was denied.";
    }

    leaf denied-notifications {
      type yang:zero-based-counter32;
      config false;
      mandatory true;
      description
        "Number of times since the server last restarted that
         a notification was dropped for a subscription because
         access to the event type was denied.";
    }

    container groups {
      description
        "NETCONF Access Control Groups.";

      list group {
        key "name";

        description
          "One NACM Group Entry. This list will only contain
           configured entries, not any entries learned from
           any transport protocols.";

        leaf name {
          type group-name-type;
          description
            "Group name associated with this entry.";
        }

        leaf-list user-name {
          type user-name-type;
          description
            "Each entry identifies the username of
             a member of the group associated with
             this entry.";
        }
      }
    }

    // Rule-lists are evaluated in the operator-supplied order
    // ('ordered-by user'); the first matching rule wins.
    list rule-list {
      key "name";
      ordered-by user;
      description
        "An ordered collection of access control rules.";

      leaf name {
        type string {
          length "1..max";
        }
        description
          "Arbitrary name assigned to the rule-list.";
      }
      leaf-list group {
        type union {
          type matchall-string-type;
          type group-name-type;
        }
        description
          "List of administrative groups that will be
           assigned the associated access rights
           defined by the 'rule' list.

           The string '*' indicates that all groups apply to the
           entry.";
      }

      list rule {
        key "name";
        ordered-by user;
        description
          "One access control rule.

           Rules are processed in user-defined order until a match is
           found. A rule matches if 'module-name', 'rule-type', and
           'access-operations' match the request. If a rule
           matches, the 'action' leaf determines if access is granted
           or not.";

        leaf name {
          type string {
            length "1..max";
          }
          description
            "Arbitrary name assigned to the rule.";
        }

        // Defaults to '*', so a rule with no module-name matches
        // every module.
        leaf module-name {
          type union {
            type matchall-string-type;
            type string;
          }
          default "*";
          description
            "Name of the module associated with this rule.

             This leaf matches if it has the value '*' or if the
             object being accessed is defined in the module with the
             specified module name.";
        }
        choice rule-type {
          description
            "This choice matches if all leafs present in the rule
             match the request. If no leafs are present, the
             choice matches all requests.";
          case protocol-operation {
            leaf rpc-name {
              type union {
                type matchall-string-type;
                type string;
              }
              description
                "This leaf matches if it has the value '*' or if
                 its value equals the requested protocol operation
                 name.";
            }
          }
          case notification {
            leaf notification-name {
              type union {
                type matchall-string-type;
                type string;
              }
              description
                "This leaf matches if it has the value '*' or if its
                 value equals the requested notification name.";
            }
          }
          case data-node {
            leaf path {
              type node-instance-identifier;
              mandatory true;
              description
                "Data Node Instance Identifier associated with the
                 data node controlled by this rule.

                 Configuration data or state data instance
                 identifiers start with a top-level data node. A
                 complete instance identifier is required for this
                 type of path value.

                 The special value '/' refers to all possible
                 datastore contents.";
            }
          }
        }

        // Defaults to '*', so a rule with no access-operations
        // applies to every operation kind.
        leaf access-operations {
          type union {
            type matchall-string-type;
            type access-operations-type;
          }
          default "*";
          description
            "Access operations associated with this rule.

             This leaf matches if it has the value '*' or if the
             bit corresponding to the requested operation is set.";
        }

        leaf action {
          type action-type;
          mandatory true;
          description
            "The access control action associated with the
             rule. If a rule is determined to match a
             particular request, then this object is used
             to determine whether to permit or deny the
             request.";
        }

        leaf comment {
          type string;
          description
            "A textual description of the access rule.";
        }
      }
    }
  }
}