blob: 93ac229fe13dc9b8bd999f8e165ebd4d4c1aaf7f [file] [log] [blame]
Gaurav Agrawal28920d82017-10-06 17:39:42 +05301module ietf-netconf-acm {
2
3 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";
4
5 prefix "nacm";
6
7 import ietf-yang-types {
8 prefix yang;
9 }
10
11 organization
12 "IETF NETCONF (Network Configuration) Working Group";
13
14 contact
15 "WG Web: <http://tools.ietf.org/wg/netconf/>
16 WG List: <mailto:netconf@ietf.org>
17
18 WG Chair: Mehmet Ersue
19 <mailto:mehmet.ersue@nsn.com>
20
21 WG Chair: Bert Wijnen
22 <mailto:bertietf@bwijnen.net>
23
24 Editor: Andy Bierman
25 <mailto:andy@yumaworks.com>
26
27 Editor: Martin Bjorklund
28 <mailto:mbj@tail-f.com>";
29
30 description
31 "NETCONF Access Control Model.
32
33 Copyright (c) 2012 IETF Trust and the persons identified as
34 authors of the code. All rights reserved.
35
36 Redistribution and use in source and binary forms, with or
37 without modification, is permitted pursuant to, and subject
38 to the license terms contained in, the Simplified BSD
39 License set forth in Section 4.c of the IETF Trust's
40 Legal Provisions Relating to IETF Documents
41 (http://trustee.ietf.org/license-info).
42
43 This version of this YANG module is part of RFC 6536; see
44 the RFC itself for full legal notices.";
45
46 revision "2012-02-22" {
47 description
48 "Initial version";
49 reference
50 "RFC 6536: Network Configuration Protocol (NETCONF)
51 Access Control Model";
52 }
53
54 /*
55 * Extension statements
56 */
57
58 extension default-deny-write {
59 description
60 "Used to indicate that the data model node
61 represents a sensitive security system parameter.
62
63 If present, and the NACM module is enabled (i.e.,
64 /nacm/enable-nacm object equals 'true'), the NETCONF server
65 will only allow the designated 'recovery session' to have
66 write access to the node. An explicit access control rule is
67 required for all other users.
68
69 The 'default-deny-write' extension MAY appear within a data
70 definition statement. It is ignored otherwise.";
71 }
72
73 extension default-deny-all {
74 description
75 "Used to indicate that the data model node
76 controls a very sensitive security system parameter.
77
78 If present, and the NACM module is enabled (i.e.,
79 /nacm/enable-nacm object equals 'true'), the NETCONF server
80 will only allow the designated 'recovery session' to have
81 read, write, or execute access to the node. An explicit
82 access control rule is required for all other users.
83
84 The 'default-deny-all' extension MAY appear within a data
85 definition statement, 'rpc' statement, or 'notification'
86 statement. It is ignored otherwise.";
87 }
88
89 /*
90 * Derived types
91 */
92
93 typedef user-name-type {
94 type string {
95 length "1..max";
96 }
97 description
98 "General Purpose Username string.";
99 }
100
101 typedef matchall-string-type {
102 type string {
103 pattern "\*";
104 }
105 description
106 "The string containing a single asterisk '*' is used
107 to conceptually represent all possible values
108 for the particular leaf using this data type.";
109 }
110
111 typedef access-operations-type {
112 type bits {
113 bit create {
114 description
115 "Any protocol operation that creates a
116 new data node.";
117 }
118 bit read {
119 description
120 "Any protocol operation or notification that
121 returns the value of a data node.";
122 }
123 bit update {
124 description
125 "Any protocol operation that alters an existing
126 data node.";
127 }
128 bit delete {
129 description
130 "Any protocol operation that removes a data node.";
131 }
132 bit exec {
133 description
134 "Execution access to the specified protocol operation.";
135 }
136 }
137 description
138 "NETCONF Access Operation.";
139 }
140
141 typedef group-name-type {
142 type string {
143 length "1..max";
144 pattern "[^\*].*";
145 }
146 description
147 "Name of administrative group to which
148 users can be assigned.";
149 }
150
151 typedef action-type {
152 type enumeration {
153 enum permit {
154 description
155 "Requested action is permitted.";
156 }
157 enum deny {
158 description
159 "Requested action is denied.";
160 }
161 }
162 description
163 "Action taken by the server when a particular
164 rule matches.";
165 }
166
167 typedef node-instance-identifier {
168 type yang:xpath1.0;
169 description
170 "Path expression used to represent a special
171 data node instance identifier string.
172
173 A node-instance-identifier value is an
174 unrestricted YANG instance-identifier expression.
175 All the same rules as an instance-identifier apply
176 except predicates for keys are optional. If a key
177 predicate is missing, then the node-instance-identifier
178 represents all possible server instances for that key.
179
180 This XPath expression is evaluated in the following context:
181
182 o The set of namespace declarations are those in scope on
183 the leaf element where this type is used.
184
185 o The set of variable bindings contains one variable,
186 'USER', which contains the name of the user of the current
187 session.
188
189 o The function library is the core function library, but
190 note that due to the syntax restrictions of an
191 instance-identifier, no functions are allowed.
192
193 o The context node is the root node in the data tree.";
194 }
195
196 /*
197 * Data definition statements
198 */
199
200 container nacm {
201 nacm:default-deny-all;
202
203 description
204 "Parameters for NETCONF Access Control Model.";
205
206 leaf enable-nacm {
207 type boolean;
208 default true;
209 description
210 "Enables or disables all NETCONF access control
211 enforcement. If 'true', then enforcement
212 is enabled. If 'false', then enforcement
213 is disabled.";
214 }
215
216 leaf read-default {
217 type action-type;
218 default "permit";
219 description
220 "Controls whether read access is granted if
221 no appropriate rule is found for a
222 particular read request.";
223 }
224
225 leaf write-default {
226 type action-type;
227 default "deny";
228 description
229 "Controls whether create, update, or delete access
230 is granted if no appropriate rule is found for a
231 particular write request.";
232 }
233
234 leaf exec-default {
235 type action-type;
236 default "permit";
237 description
238 "Controls whether exec access is granted if no appropriate
239 rule is found for a particular protocol operation request.";
240 }
241
242 leaf enable-external-groups {
243 type boolean;
244 default true;
245 description
246 "Controls whether the server uses the groups reported by the
247 NETCONF transport layer when it assigns the user to a set of
248 NACM groups. If this leaf has the value 'false', any group
249 names reported by the transport layer are ignored by the
250 server.";
251 }
252
253 leaf denied-operations {
254 type yang:zero-based-counter32;
255 config false;
256 mandatory true;
257 description
258 "Number of times since the server last restarted that a
259 protocol operation request was denied.";
260 }
261
262 leaf denied-data-writes {
263 type yang:zero-based-counter32;
264 config false;
265 mandatory true;
266 description
267 "Number of times since the server last restarted that a
268 protocol operation request to alter
269 a configuration datastore was denied.";
270 }
271
272 leaf denied-notifications {
273 type yang:zero-based-counter32;
274 config false;
275 mandatory true;
276 description
277 "Number of times since the server last restarted that
278 a notification was dropped for a subscription because
279 access to the event type was denied.";
280 }
281
282 container groups {
283 description
284 "NETCONF Access Control Groups.";
285
286 list group {
287 key name;
288
289 description
290 "One NACM Group Entry. This list will only contain
291 configured entries, not any entries learned from
292 any transport protocols.";
293
294 leaf name {
295 type group-name-type;
296 description
297 "Group name associated with this entry.";
298 }
299
300 leaf-list user-name {
301 type user-name-type;
302 description
303 "Each entry identifies the username of
304 a member of the group associated with
305 this entry.";
306 }
307 }
308 }
309
310 list rule-list {
311 key "name";
312 ordered-by user;
313 description
314 "An ordered collection of access control rules.";
315
316 leaf name {
317 type string {
318 length "1..max";
319 }
320 description
321 "Arbitrary name assigned to the rule-list.";
322 }
323 leaf-list group {
324 type union {
325 type matchall-string-type;
326 type group-name-type;
327 }
328 description
329 "List of administrative groups that will be
330 assigned the associated access rights
331 defined by the 'rule' list.
332
333 The string '*' indicates that all groups apply to the
334 entry.";
335 }
336
337 list rule {
338 key "name";
339 ordered-by user;
340 description
341 "One access control rule.
342
343 Rules are processed in user-defined order until a match is
344 found. A rule matches if 'module-name', 'rule-type', and
345 'access-operations' match the request. If a rule
346 matches, the 'action' leaf determines if access is granted
347 or not.";
348
349 leaf name {
350 type string {
351 length "1..max";
352 }
353 description
354 "Arbitrary name assigned to the rule.";
355 }
356
357 leaf module-name {
358 type union {
359 type matchall-string-type;
360 type string;
361 }
362 default "*";
363 description
364 "Name of the module associated with this rule.
365
366 This leaf matches if it has the value '*' or if the
367 object being accessed is defined in the module with the
368 specified module name.";
369 }
370 choice rule-type {
371 description
372 "This choice matches if all leafs present in the rule
373 match the request. If no leafs are present, the
374 choice matches all requests.";
375 case protocol-operation {
376 leaf rpc-name {
377 type union {
378 type matchall-string-type;
379 type string;
380 }
381 description
382 "This leaf matches if it has the value '*' or if
383 its value equals the requested protocol operation
384 name.";
385 }
386 }
387 case notification {
388 leaf notification-name {
389 type union {
390 type matchall-string-type;
391 type string;
392 }
393 description
394 "This leaf matches if it has the value '*' or if its
395 value equals the requested notification name.";
396 }
397 }
398 case data-node {
399 leaf path {
400 type node-instance-identifier;
401 mandatory true;
402 description
403 "Data Node Instance Identifier associated with the
404 data node controlled by this rule.
405
406 Configuration data or state data instance
407 identifiers start with a top-level data node. A
408 complete instance identifier is required for this
409 type of path value.
410
411 The special value '/' refers to all possible
412 datastore contents.";
413 }
414 }
415 }
416
417 leaf access-operations {
418 type union {
419 type matchall-string-type;
420 type access-operations-type;
421 }
422 default "*";
423 description
424 "Access operations associated with this rule.
425
426 This leaf matches if it has the value '*' or if the
427 bit corresponding to the requested operation is set.";
428 }
429
430 leaf action {
431 type action-type;
432 mandatory true;
433 description
434 "The access control action associated with the
435 rule. If a rule is determined to match a
436 particular request, then this object is used
437 to determine whether to permit or deny the
438 request.";
439 }
440
441 leaf comment {
442 type string;
443 description
444 "A textual description of the access rule.";
445 }
446 }
447 }
448 }
449}