2 namespace "urn:ietf:params:xml:ns:yang:ietf-system";
5 import ietf-yang-types {
9 import ietf-inet-types {
13 import ietf-netconf-acm {
17 import iana-crypt-hash {
22 "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
25 "WG Web: <http://tools.ietf.org/wg/netmod/>
26 WG List: <mailto:netmod@ietf.org>
28 WG Chair: Thomas Nadeau
29 <mailto:tnadeau@lucidvision.com>
31 WG Chair: Juergen Schoenwaelder
32 <mailto:j.schoenwaelder@jacobs-university.de>
35 <mailto:andy@yumaworks.com>
37 Editor: Martin Bjorklund
38 <mailto:mbj@tail-f.com>";
41 "This module contains a collection of YANG definitions for the
42 configuration and identification of some common system
43 properties within a device containing a NETCONF server. This
44 includes data node definitions for system identification,
45 time-of-day management, user management, DNS resolver
46 configuration, and some protocol operations for system
49 Copyright (c) 2014 IETF Trust and the persons identified as
50 authors of the code. All rights reserved.
52 Redistribution and use in source and binary forms, with or
53 without modification, is permitted pursuant to, and subject
54 to the license terms contained in, the Simplified BSD License
55 set forth in Section 4.c of the IETF Trust's Legal Provisions
56 Relating to IETF Documents
57 (http://trustee.ietf.org/license-info).
59 This version of this YANG module is part of RFC 7317; see
60 the RFC itself for full legal notices.";
66 "RFC 7317: A YANG Data Model for System Management";
73 typedef timezone-name {
76 "A time zone name as used by the Time Zone Database,
77 sometimes referred to as the 'Olson Database'.
79 The exact set of valid values is an implementation-specific
80 matter. Client discovery of the exact set of time zone names
81 for a particular server is out of scope.";
83 "RFC 6557: Procedures for Maintaining the Time Zone Database";
92 "Indicates that the device can be configured as a RADIUS
95 "RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
98 feature authentication {
100 "Indicates that the device supports configuration of
101 user authentication.";
104 feature local-users {
105 if-feature authentication;
107 "Indicates that the device supports configuration of
108 local user authentication.";
111 feature radius-authentication {
113 if-feature authentication;
115 "Indicates that the device supports configuration of user
116 authentication over RADIUS.";
118 "RFC 2865: Remote Authentication Dial In User Service (RADIUS)
119 RFC 5607: Remote Authentication Dial-In User Service (RADIUS)
120 Authorization for Network Access Server (NAS)
126 "Indicates that the device can be configured to use one or
127 more NTP servers to set the system date and time.";
130 feature ntp-udp-port {
133 "Indicates that the device supports the configuration of
134 the UDP port for NTP servers.
136 This is a 'feature', since many implementations do not support
137 any port other than the default port.";
140 feature timezone-name {
142 "Indicates that the local time zone on the device
143 can be configured to use the TZ database
144 to set the time zone and manage daylight saving time.";
146 "RFC 6557: Procedures for Maintaining the Time Zone Database";
149 feature dns-udp-tcp-port {
151 "Indicates that the device supports the configuration of
152 the UDP and TCP port for DNS servers.
154 This is a 'feature', since many implementations do not support
155 any port other than the default port.";
162 identity authentication-method {
164 "Base identity for user authentication methods.";
168 base authentication-method;
170 "Indicates user authentication using RADIUS.";
172 "RFC 2865: Remote Authentication Dial In User Service (RADIUS)
173 RFC 5607: Remote Authentication Dial-In User Service (RADIUS)
174 Authorization for Network Access Server (NAS)
178 identity local-users {
179 base authentication-method;
181 "Indicates password-based authentication of locally
185 identity radius-authentication-type {
187 "Base identity for RADIUS authentication types.";
190 identity radius-pap {
191 base radius-authentication-type;
193 "The device requests Password Authentication Protocol (PAP)
194 authentication from the RADIUS server.";
196 "RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
199 identity radius-chap {
200 base radius-authentication-type;
202 "The device requests Challenge Handshake Authentication
203 Protocol (CHAP) authentication from the RADIUS server.";
205 "RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
209 * Configuration data nodes
214 "System group configuration.";
219 "The administrator contact information for the system.
221 A server implementation MAY map this leaf to the sysContact
222 MIB object. Such an implementation needs to use some
223 mechanism to handle the differences in size and characters
224 allowed between this leaf and sysContact. The definition of
225 such a mechanism is outside the scope of this document.";
227 "RFC 3418: Management Information Base (MIB) for the
228 Simple Network Management Protocol (SNMP)
229 SNMPv2-MIB.sysContact";
232 type inet:domain-name;
234 "The name of the host. This name can be a single domain
235 label or the fully qualified domain name of the host.";
240 "The system location.
242 A server implementation MAY map this leaf to the sysLocation
243 MIB object. Such an implementation needs to use some
244 mechanism to handle the differences in size and characters
245 allowed between this leaf and sysLocation. The definition
246 of such a mechanism is outside the scope of this document.";
248 "RFC 3418: Management Information Base (MIB) for the
249 Simple Network Management Protocol (SNMP)
250 SNMPv2-MIB.sysLocation";
255 "Configuration of the system date and time properties.";
259 "The system time zone information.";
262 if-feature timezone-name;
266 "The TZ database name to use for the system, such
267 as 'Europe/Stockholm'.";
270 case timezone-utc-offset {
271 leaf timezone-utc-offset {
273 range "-1500 .. 1500";
277 "The number of minutes to add to UTC time to
278 identify the time zone for this system. For example,
279 'UTC - 8:00 hours' would be represented as '-480'.
280 Note that automatic daylight saving time adjustment
281 is not provided if this object is used.";
290 "Enables the NTP client unless the 'enabled' leaf
291 (which defaults to 'true') is set to 'false'";
293 "Configuration of the NTP client.";
299 "Indicates that the system should attempt to
300 synchronize the system clock with an NTP server
301 from the 'ntp/server' list.";
306 "List of NTP servers to use for system clock
307 synchronization. If '/system/ntp/enabled'
308 is 'true', then the system will attempt to
309 contact and utilize the specified NTP servers.";
314 "An arbitrary name for the NTP server.";
319 "The transport-protocol-specific parameters for this
325 "Contains UDP-specific configuration parameters
331 "The address of the NTP server.";
334 if-feature ntp-udp-port;
335 type inet:port-number;
338 "The port number of the NTP server.";
343 leaf association-type {
347 "Use client association mode. This device
348 will not provide synchronization to the
349 configured NTP server.";
353 "Use symmetric active association mode.
354 This device may provide synchronization
355 to the configured NTP server.";
359 "Use client association mode with one or
360 more of the NTP servers found by DNS
361 resolution of the domain name given by
362 the 'address' leaf. This device will not
363 provide synchronization to the servers.";
368 "The desired association type for this NTP server.";
374 "Indicates whether this server should enable burst
375 synchronization or not.";
381 "Indicates whether this server should be preferred
387 container dns-resolver {
389 "Configuration of the DNS resolver.";
392 type inet:domain-name;
395 "An ordered list of domains to search when resolving
402 "List of the DNS servers that the resolver should query.
404 When the resolver is invoked by a calling application, it
405 sends the query to the first name server in this list. If
406 no response has been received within 'timeout' seconds,
407 the resolver continues with the next server in the list.
408 If no response is received from any server, the resolver
409 continues with the first server again. When the resolver
410 has traversed the list 'attempts' times without receiving
411 any response, it gives up and returns an error to the
414 Implementations MAY limit the number of entries in this
420 "An arbitrary name for the DNS server.";
425 "The transport-protocol-specific parameters for this
429 container udp-and-tcp {
431 "Contains UDP- and TCP-specific configuration
432 parameters for DNS.";
434 "RFC 1035: Domain Names - Implementation and
436 RFC 5966: DNS Transport over TCP - Implementation
440 type inet:ip-address;
443 "The address of the DNS server.";
446 if-feature dns-udp-tcp-port;
447 type inet:port-number;
450 "The UDP and TCP port number of the DNS server.";
458 "Resolver options. The set of available options has been
459 limited to those that are generally available across
460 different resolver implementations and generally useful.";
468 "The amount of time the resolver will wait for a
469 response from each remote name server before
470 retrying the query via a different name server.";
478 "The number of times the resolver will send a query to
479 all of its name servers before giving up and returning
480 an error to the calling application.";
489 "Configuration of the RADIUS client.";
495 "List of RADIUS servers used by the device.
497 When the RADIUS client is invoked by a calling
498 application, it sends the query to the first server in
499 this list. If no response has been received within
500 'timeout' seconds, the client continues with the next
501 server in the list. If no response is received from any
502 server, the client continues with the first server again.
503 When the client has traversed the list 'attempts' times
504 without receiving any response, it gives up and returns an
505 error to the calling application.";
510 "An arbitrary name for the RADIUS server.";
515 "The transport-protocol-specific parameters for this
521 "Contains UDP-specific configuration parameters
527 "The address of the RADIUS server.";
530 leaf authentication-port {
531 type inet:port-number;
534 "The port number of the RADIUS server.";
539 nacm:default-deny-all;
541 "The shared secret, which is known to both the
542 RADIUS client and server.";
544 "RFC 2865: Remote Authentication Dial In User
550 leaf authentication-type {
552 base radius-authentication-type;
556 "The authentication type requested from the RADIUS
562 "RADIUS client options.";
571 "The number of seconds the device will wait for a
572 response from each RADIUS server before trying with a
582 "The number of times the device will send a query to
583 all of its RADIUS servers before giving up.";
588 container authentication {
589 nacm:default-deny-write;
590 if-feature authentication;
593 "The authentication configuration subtree.";
595 leaf-list user-authentication-order {
597 base authentication-method;
599 must '(. != "sys:radius" or ../../radius/server)' {
601 "When 'radius' is used, a RADIUS server"
602 + " must be configured.";
604 "When 'radius' is used as an authentication method,
605 a RADIUS server must be configured.";
610 "When the device authenticates a user with a password,
611 it tries the authentication methods in this leaf-list in
612 order. If authentication with one method fails, the next
613 method is used. If no method succeeds, the user is
616 An empty user-authentication-order leaf-list still allows
617 authentication of users using mechanisms that do not
620 If the 'radius-authentication' feature is advertised by
621 the NETCONF server, the 'radius' identity can be added to
624 If the 'local-users' feature is advertised by the
625 NETCONF server, the 'local-users' identity can be
626 added to this list.";
630 if-feature local-users;
633 "The list of local users configured on this device.";
638 "The user name string identifying this entry.";
641 type ianach:crypt-hash;
643 "The password for this entry.";
645 list authorized-key {
648 "A list of public SSH keys for this user. These keys
649 are allowed for SSH authentication, as described in
652 "RFC 4253: The Secure Shell (SSH) Transport Layer
658 "An arbitrary name for the SSH key.";
665 "The public key algorithm name for this SSH key.
667 Valid values are the values in the IANA 'Secure Shell
668 (SSH) Protocol Parameters' registry, Public Key
671 "IANA 'Secure Shell (SSH) Protocol Parameters'
672 registry, Public Key Algorithm Names";
678 "The binary public key data for this SSH key, as
679 specified by RFC 4253, Section 6.6, i.e.:
681 string certificate or public key format
683 byte[n] key/certificate data.";
685 "RFC 4253: The Secure Shell (SSH) Transport Layer
694 * Operational state data nodes
697 container system-state {
700 "System group operational state.";
704 "Contains vendor-specific information for
705 identifying the system platform and operating system.";
707 "IEEE Std 1003.1-2008 - sys/utsname.h";
712 "The name of the operating system in use -
713 for example, 'Linux'.";
715 "IEEE Std 1003.1-2008 - utsname.sysname";
720 "The current release level of the operating
721 system in use. This string MAY indicate
722 the OS source code revision.";
724 "IEEE Std 1003.1-2008 - utsname.release";
729 "The current version level of the operating
730 system in use. This string MAY indicate
731 the specific OS build date and target variant
734 "IEEE Std 1003.1-2008 - utsname.version";
739 "A vendor-specific identifier string representing
740 the hardware in use.";
742 "IEEE Std 1003.1-2008 - utsname.machine";
748 "Monitoring of the system date and time properties.";
750 leaf current-datetime {
751 type yang:date-and-time;
753 "The current system date and time.";
757 type yang:date-and-time;
759 "The system date and time when the system last restarted.";
764 rpc set-current-datetime {
765 nacm:default-deny-all;
767 "Set the /system-state/clock/current-datetime leaf
768 to the specified value.
770 If the system is using NTP (i.e., /system/ntp/enabled
771 is set to 'true'), then this operation will fail with
772 error-tag 'operation-failed' and error-app-tag value of
775 leaf current-datetime {
776 type yang:date-and-time;
779 "The current system date and time.";
785 nacm:default-deny-all;
787 "Request that the entire system be restarted immediately.
788 A server SHOULD send an rpc reply to the client before
789 restarting the system.";
792 rpc system-shutdown {
793 nacm:default-deny-all;
795 "Request that the entire system be shut down immediately.
796 A server SHOULD send an rpc reply to the client before
797 shutting down the system.";