--- /dev/null
+module ietf-netconf-acm {\r
+\r
+ namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";\r
+\r
+ prefix nacm;\r
+\r
+ import ietf-yang-types {\r
+ prefix yang;\r
+ }\r
+\r
+ organization\r
+ "IETF NETCONF (Network Configuration) Working Group";\r
+\r
+ contact\r
+ "WG Web: <https://datatracker.ietf.org/wg/netconf/>\r
+ WG List: <mailto:netconf@ietf.org>\r
+ Author: Andy Bierman\r
+ <mailto:andy@yumaworks.com>\r
+ Author: Martin Bjorklund\r
+ <mailto:mbj@tail-f.com>";\r
+\r
+ description\r
+ "Network Configuration Access Control Model.\r
+ Copyright (c) 2012 - 2018 IETF Trust and the persons\r
+ identified as authors of the code. All rights reserved.\r
+ Redistribution and use in source and binary forms, with or\r
+ without modification, is permitted pursuant to, and subject\r
+ to the license terms contained in, the Simplified BSD\r
+ License set forth in Section 4.c of the IETF Trust's\r
+ Legal Provisions Relating to IETF Documents\r
+ (https://trustee.ietf.org/license-info).\r
+ This version of this YANG module is part of RFC 8341; see\r
+ the RFC itself for full legal notices.";\r
+\r
+ revision "2018-02-14" {\r
+ description\r
+ "Added support for YANG 1.1 actions and notifications tied to\r
+ data nodes. Clarified how NACM extensions can be used by\r
+ other data models.";\r
+ reference\r
+ "RFC 8341: Network Configuration Access Control Model";\r
+ }\r
+\r
+ revision "2012-02-22" {\r
+ description\r
+ "Initial version.";\r
+ reference\r
+ "RFC 6536: Network Configuration Protocol (NETCONF)\r
+ Access Control Model";\r
+ }\r
+\r
+ /*\r
+ * Extension statements\r
+ */\r
+\r
+ extension default-deny-write {\r
+ description\r
+ "Used to indicate that the data model node\r
+ represents a sensitive security system parameter.\r
+ If present, the NETCONF server will only allow the designated\r
+ 'recovery session' to have write access to the node. An\r
+ explicit access control rule is required for all other users.\r
+ If the NACM module is used, then it must be enabled (i.e.,\r
+ /nacm/enable-nacm object equals 'true'), or this extension\r
+ is ignored.\r
+ The 'default-deny-write' extension MAY appear within a data\r
+ definition statement. It is ignored otherwise.";\r
+ }\r
+\r
+ extension default-deny-all {\r
+ description\r
+ "Used to indicate that the data model node\r
+ controls a very sensitive security system parameter.\r
+ If present, the NETCONF server will only allow the designated\r
+ 'recovery session' to have read, write, or execute access to\r
+ the node. An explicit access control rule is required for all\r
+ other users.\r
+ If the NACM module is used, then it must be enabled (i.e.,\r
+ /nacm/enable-nacm object equals 'true'), or this extension\r
+ is ignored.\r
+ The 'default-deny-all' extension MAY appear within a data\r
+ definition statement, 'rpc' statement, or 'notification'\r
+ statement. It is ignored otherwise.";\r
+ }\r
+\r
+ /*\r
+ * Derived types\r
+ */\r
+\r
+ typedef user-name-type {\r
+ type string {\r
+ length "1..max";\r
+ }\r
+ description\r
+ "General-purpose username string.";\r
+ }\r
+\r
+ typedef matchall-string-type {\r
+ type string {\r
+ pattern '\*';\r
+ }\r
+ description\r
+ "The string containing a single asterisk '*' is used\r
+ to conceptually represent all possible values\r
+ for the particular leaf using this data type.";\r
+ }\r
+\r
+ typedef access-operations-type {\r
+ type bits {\r
+ bit create {\r
+ description\r
+ "Any protocol operation that creates a\r
+ new data node.";\r
+ }\r
+ bit read {\r
+ description\r
+ "Any protocol operation or notification that\r
+ returns the value of a data node.";\r
+ }\r
+ bit update {\r
+ description\r
+ "Any protocol operation that alters an existing\r
+ data node.";\r
+ }\r
+ bit delete {\r
+ description\r
+ "Any protocol operation that removes a data node.";\r
+ }\r
+ bit exec {\r
+ description\r
+ "Execution access to the specified protocol operation.";\r
+ }\r
+ }\r
+ description\r
+ "Access operation.";\r
+ }\r
+\r
+ typedef group-name-type {\r
+ type string {\r
+ length "1..max";\r
+ pattern '[^\*].*';\r
+ }\r
+ description\r
+ "Name of administrative group to which\r
+ users can be assigned.";\r
+ }\r
+\r
+ typedef action-type {\r
+ type enumeration {\r
+ enum permit {\r
+ description\r
+ "Requested action is permitted.";\r
+ }\r
+ enum deny {\r
+ description\r
+ "Requested action is denied.";\r
+ }\r
+ }\r
+ description\r
+ "Action taken by the server when a particular\r
+ rule matches.";\r
+ }\r
+\r
+ typedef node-instance-identifier {\r
+ type yang:xpath1.0;\r
+ description\r
+ "Path expression used to represent a special\r
+ data node, action, or notification instance-identifier\r
+ string.\r
+ A node-instance-identifier value is an\r
+ unrestricted YANG instance-identifier expression.\r
+ All the same rules as an instance-identifier apply,\r
+ except that predicates for keys are optional. If a key\r
+ predicate is missing, then the node-instance-identifier\r
+ represents all possible server instances for that key.\r
+ This XML Path Language (XPath) expression is evaluated in the\r
+ following context:\r
+ o The set of namespace declarations are those in scope on\r
+ the leaf element where this type is used.\r
+ o The set of variable bindings contains one variable,\r
+ 'USER', which contains the name of the user of the\r
+ current session.\r
+ o The function library is the core function library, but\r
+ note that due to the syntax restrictions of an\r
+ instance-identifier, no functions are allowed.\r
+ o The context node is the root node in the data tree.\r
+ The accessible tree includes actions and notifications tied\r
+ to data nodes.";\r
+ }\r
+\r
+ /*\r
+ * Data definition statements\r
+ */\r
+\r
+ container nacm {\r
+ nacm:default-deny-all;\r
+\r
+ description\r
+ "Parameters for NETCONF access control model.";\r
+\r
+ leaf enable-nacm {\r
+ type boolean;\r
+ default "true";\r
+ description\r
+ "Enables or disables all NETCONF access control\r
+ enforcement. If 'true', then enforcement\r
+ is enabled. If 'false', then enforcement\r
+ is disabled.";\r
+ }\r
+\r
+ leaf read-default {\r
+ type action-type;\r
+ default "permit";\r
+ description\r
+ "Controls whether read access is granted if\r
+ no appropriate rule is found for a\r
+ particular read request.";\r
+ }\r
+\r
+ leaf write-default {\r
+ type action-type;\r
+ default "deny";\r
+ description\r
+ "Controls whether create, update, or delete access\r
+ is granted if no appropriate rule is found for a\r
+ particular write request.";\r
+ }\r
+\r
+ leaf exec-default {\r
+ type action-type;\r
+ default "permit";\r
+ description\r
+ "Controls whether exec access is granted if no appropriate\r
+ rule is found for a particular protocol operation request.";\r
+ }\r
+\r
+ leaf enable-external-groups {\r
+ type boolean;\r
+ default "true";\r
+ description\r
+ "Controls whether the server uses the groups reported by the\r
+ NETCONF transport layer when it assigns the user to a set of\r
+ NACM groups. If this leaf has the value 'false', any group\r
+ names reported by the transport layer are ignored by the\r
+ server.";\r
+ }\r
+\r
+ leaf denied-operations {\r
+ type yang:zero-based-counter32;\r
+ config false;\r
+ mandatory true;\r
+ description\r
+ "Number of times since the server last restarted that a\r
+ protocol operation request was denied.";\r
+ }\r
+\r
+ leaf denied-data-writes {\r
+ type yang:zero-based-counter32;\r
+ config false;\r
+ mandatory true;\r
+ description\r
+ "Number of times since the server last restarted that a\r
+ protocol operation request to alter\r
+ a configuration datastore was denied.";\r
+ }\r
+\r
+ leaf denied-notifications {\r
+ type yang:zero-based-counter32;\r
+ config false;\r
+ mandatory true;\r
+ description\r
+ "Number of times since the server last restarted that\r
+ a notification was dropped for a subscription because\r
+ access to the event type was denied.";\r
+ }\r
+\r
+ container groups {\r
+ description\r
+ "NETCONF access control groups.";\r
+\r
+ list group {\r
+ key name;\r
+\r
+ description\r
+ "One NACM group entry. This list will only contain\r
+ configured entries, not any entries learned from\r
+ any transport protocols.";\r
+\r
+ leaf name {\r
+ type group-name-type;\r
+ description\r
+ "Group name associated with this entry.";\r
+ }\r
+\r
+ leaf-list user-name {\r
+ type user-name-type;\r
+ description\r
+ "Each entry identifies the username of\r
+ a member of the group associated with\r
+ this entry.";\r
+ }\r
+ }\r
+ }\r
+\r
+ list rule-list {\r
+ key name;\r
+ ordered-by user;\r
+ description\r
+ "An ordered collection of access control rules.";\r
+\r
+ leaf name {\r
+ type string {\r
+ length "1..max";\r
+ }\r
+ description\r
+ "Arbitrary name assigned to the rule-list.";\r
+ }\r
+ leaf-list group {\r
+ type union {\r
+ type matchall-string-type;\r
+ type group-name-type;\r
+ }\r
+ description\r
+ "List of administrative groups that will be\r
+ assigned the associated access rights\r
+ defined by the 'rule' list.\r
+ The string '*' indicates that all groups apply to the\r
+ entry.";\r
+ }\r
+\r
+ list rule {\r
+ key name;\r
+ ordered-by user;\r
+ description\r
+ "One access control rule.\r
+ Rules are processed in user-defined order until a match is\r
+ found. A rule matches if 'module-name', 'rule-type', and\r
+ 'access-operations' match the request. If a rule\r
+ matches, the 'action' leaf determines whether or not\r
+ access is granted.";\r
+\r
+ leaf name {\r
+ type string {\r
+ length "1..max";\r
+ }\r
+ description\r
+ "Arbitrary name assigned to the rule.";\r
+ }\r
+\r
+ leaf module-name {\r
+ type union {\r
+ type matchall-string-type;\r
+ type string;\r
+ }\r
+ default "*";\r
+ description\r
+ "Name of the module associated with this rule.\r
+ This leaf matches if it has the value '*' or if the\r
+ object being accessed is defined in the module with the\r
+ specified module name.";\r
+ }\r
+ choice rule-type {\r
+ description\r
+ "This choice matches if all leafs present in the rule\r
+ match the request. If no leafs are present, the\r
+ choice matches all requests.";\r
+ case protocol-operation {\r
+ leaf rpc-name {\r
+ type union {\r
+ type matchall-string-type;\r
+ type string;\r
+ }\r
+ description\r
+ "This leaf matches if it has the value '*' or if\r
+ its value equals the requested protocol operation\r
+ name.";\r
+ }\r
+ }\r
+ case notification {\r
+ leaf notification-name {\r
+ type union {\r
+ type matchall-string-type;\r
+ type string;\r
+ }\r
+ description\r
+ "This leaf matches if it has the value '*' or if its\r
+ value equals the requested notification name.";\r
+ }\r
+ }\r
+\r
+ case data-node {\r
+ leaf path {\r
+ type node-instance-identifier;\r
+ mandatory true;\r
+ description\r
+ "Data node instance-identifier associated with the\r
+ data node, action, or notification controlled by\r
+ this rule.\r
+ Configuration data or state data\r
+ instance-identifiers start with a top-level\r
+ data node. A complete instance-identifier is\r
+ required for this type of path value.\r
+ The special value '/' refers to all possible\r
+ datastore contents.";\r
+ }\r
+ }\r
+ }\r
+\r
+ leaf access-operations {\r
+ type union {\r
+ type matchall-string-type;\r
+ type access-operations-type;\r
+ }\r
+ default "*";\r
+ description\r
+ "Access operations associated with this rule.\r
+ This leaf matches if it has the value '*' or if the\r
+ bit corresponding to the requested operation is set.";\r
+ }\r
+\r
+ leaf action {\r
+ type action-type;\r
+ mandatory true;\r
+ description\r
+ "The access control action associated with the\r
+ rule. If a rule has been determined to match a\r
+ particular request, then this object is used\r
+ to determine whether to permit or deny the\r
+ request.";\r
+ }\r
+\r
+ leaf comment {\r
+ type string;\r
+ description\r
+ "A textual description of the access rule.";\r
+ }\r
+ }\r
+ }\r
+ }\r
+}\r
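Review bot: `leaf read-default` and `leaf exec-default` both carry `default "permit"`, so with `enable-nacm` true and an empty `rule-list`, any authenticated session can read every node and invoke every operation not tagged `nacm:default-deny-all`; only writes are denied by default. These are the values published in RFC 8341, so the module text should stay as is, but nothing visible in this change adds an initial NACM configuration; I would ship one alongside it that sets `read-default` and `exec-default` to `deny` and grants access through explicit `rule-list` entries for named groups. `enable-external-groups` also defaults to `true`, which per its description means group names reported by the transport layer feed rule matching unless the leaf is set to `false`, so the transport's group source needs the same scrutiny as the local `groups` list. Separately, every added line ends in `\r`; if those are real CRLF endings rather than a rendering artifact, the file will not hash-match the published module, which makes it harder to verify that the copy is unmodified.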