+++ /dev/null
-module ietf-netconf-acm {\r
-\r
- namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";\r
-\r
- prefix nacm;\r
-\r
- import ietf-yang-types {\r
- prefix yang;\r
- }\r
-\r
- organization\r
- "IETF NETCONF (Network Configuration) Working Group";\r
-\r
- contact\r
- "WG Web: <https://datatracker.ietf.org/wg/netconf/>\r
- WG List: <mailto:netconf@ietf.org>\r
- Author: Andy Bierman\r
- <mailto:andy@yumaworks.com>\r
- Author: Martin Bjorklund\r
- <mailto:mbj@tail-f.com>";\r
-\r
- description\r
- "Network Configuration Access Control Model.\r
- Copyright (c) 2012 - 2018 IETF Trust and the persons\r
- identified as authors of the code. All rights reserved.\r
- Redistribution and use in source and binary forms, with or\r
- without modification, is permitted pursuant to, and subject\r
- to the license terms contained in, the Simplified BSD\r
- License set forth in Section 4.c of the IETF Trust's\r
- Legal Provisions Relating to IETF Documents\r
- (https://trustee.ietf.org/license-info).\r
- This version of this YANG module is part of RFC 8341; see\r
- the RFC itself for full legal notices.";\r
-\r
- revision "2018-02-14" {\r
- description\r
- "Added support for YANG 1.1 actions and notifications tied to\r
- data nodes. Clarified how NACM extensions can be used by\r
- other data models.";\r
- reference\r
- "RFC 8341: Network Configuration Access Control Model";\r
- }\r
-\r
- revision "2012-02-22" {\r
- description\r
- "Initial version.";\r
- reference\r
- "RFC 6536: Network Configuration Protocol (NETCONF)\r
- Access Control Model";\r
- }\r
-\r
- /*\r
- * Extension statements\r
- */\r
-\r
- extension default-deny-write {\r
- description\r
- "Used to indicate that the data model node\r
- represents a sensitive security system parameter.\r
- If present, the NETCONF server will only allow the designated\r
- 'recovery session' to have write access to the node. An\r
- explicit access control rule is required for all other users.\r
- If the NACM module is used, then it must be enabled (i.e.,\r
- /nacm/enable-nacm object equals 'true'), or this extension\r
- is ignored.\r
- The 'default-deny-write' extension MAY appear within a data\r
- definition statement. It is ignored otherwise.";\r
- }\r
-\r
- extension default-deny-all {\r
- description\r
- "Used to indicate that the data model node\r
- controls a very sensitive security system parameter.\r
- If present, the NETCONF server will only allow the designated\r
- 'recovery session' to have read, write, or execute access to\r
- the node. An explicit access control rule is required for all\r
- other users.\r
- If the NACM module is used, then it must be enabled (i.e.,\r
- /nacm/enable-nacm object equals 'true'), or this extension\r
- is ignored.\r
- The 'default-deny-all' extension MAY appear within a data\r
- definition statement, 'rpc' statement, or 'notification'\r
- statement. It is ignored otherwise.";\r
- }\r
-\r
- /*\r
- * Derived types\r
- */\r
-\r
- typedef user-name-type {\r
- type string {\r
- length "1..max";\r
- }\r
- description\r
- "General-purpose username string.";\r
- }\r
-\r
- typedef matchall-string-type {\r
- type string {\r
- pattern '\*';\r
- }\r
- description\r
- "The string containing a single asterisk '*' is used\r
- to conceptually represent all possible values\r
- for the particular leaf using this data type.";\r
- }\r
-\r
- typedef access-operations-type {\r
- type bits {\r
- bit create {\r
- description\r
- "Any protocol operation that creates a\r
- new data node.";\r
- }\r
- bit read {\r
- description\r
- "Any protocol operation or notification that\r
- returns the value of a data node.";\r
- }\r
- bit update {\r
- description\r
- "Any protocol operation that alters an existing\r
- data node.";\r
- }\r
- bit delete {\r
- description\r
- "Any protocol operation that removes a data node.";\r
- }\r
- bit exec {\r
- description\r
- "Execution access to the specified protocol operation.";\r
- }\r
- }\r
- description\r
- "Access operation.";\r
- }\r
-\r
- typedef group-name-type {\r
- type string {\r
- length "1..max";\r
- pattern '[^\*].*';\r
- }\r
- description\r
- "Name of administrative group to which\r
- users can be assigned.";\r
- }\r
-\r
- typedef action-type {\r
- type enumeration {\r
- enum permit {\r
- description\r
- "Requested action is permitted.";\r
- }\r
- enum deny {\r
- description\r
- "Requested action is denied.";\r
- }\r
- }\r
- description\r
- "Action taken by the server when a particular\r
- rule matches.";\r
- }\r
-\r
- typedef node-instance-identifier {\r
- type yang:xpath1.0;\r
- description\r
- "Path expression used to represent a special\r
- data node, action, or notification instance-identifier\r
- string.\r
- A node-instance-identifier value is an\r
- unrestricted YANG instance-identifier expression.\r
- All the same rules as an instance-identifier apply,\r
- except that predicates for keys are optional. If a key\r
- predicate is missing, then the node-instance-identifier\r
- represents all possible server instances for that key.\r
- This XML Path Language (XPath) expression is evaluated in the\r
- following context:\r
- o The set of namespace declarations are those in scope on\r
- the leaf element where this type is used.\r
- o The set of variable bindings contains one variable,\r
- 'USER', which contains the name of the user of the\r
- current session.\r
- o The function library is the core function library, but\r
- note that due to the syntax restrictions of an\r
- instance-identifier, no functions are allowed.\r
- o The context node is the root node in the data tree.\r
- The accessible tree includes actions and notifications tied\r
- to data nodes.";\r
- }\r
-\r
- /*\r
- * Data definition statements\r
- */\r
-\r
- container nacm {\r
- nacm:default-deny-all;\r
-\r
- description\r
- "Parameters for NETCONF access control model.";\r
-\r
- leaf enable-nacm {\r
- type boolean;\r
- default "true";\r
- description\r
- "Enables or disables all NETCONF access control\r
- enforcement. If 'true', then enforcement\r
- is enabled. If 'false', then enforcement\r
- is disabled.";\r
- }\r
-\r
- leaf read-default {\r
- type action-type;\r
- default "permit";\r
- description\r
- "Controls whether read access is granted if\r
- no appropriate rule is found for a\r
- particular read request.";\r
- }\r
-\r
- leaf write-default {\r
- type action-type;\r
- default "deny";\r
- description\r
- "Controls whether create, update, or delete access\r
- is granted if no appropriate rule is found for a\r
- particular write request.";\r
- }\r
-\r
- leaf exec-default {\r
- type action-type;\r
- default "permit";\r
- description\r
- "Controls whether exec access is granted if no appropriate\r
- rule is found for a particular protocol operation request.";\r
- }\r
-\r
- leaf enable-external-groups {\r
- type boolean;\r
- default "true";\r
- description\r
- "Controls whether the server uses the groups reported by the\r
- NETCONF transport layer when it assigns the user to a set of\r
- NACM groups. If this leaf has the value 'false', any group\r
- names reported by the transport layer are ignored by the\r
- server.";\r
- }\r
-\r
- leaf denied-operations {\r
- type yang:zero-based-counter32;\r
- config false;\r
- mandatory true;\r
- description\r
- "Number of times since the server last restarted that a\r
- protocol operation request was denied.";\r
- }\r
-\r
- leaf denied-data-writes {\r
- type yang:zero-based-counter32;\r
- config false;\r
- mandatory true;\r
- description\r
- "Number of times since the server last restarted that a\r
- protocol operation request to alter\r
- a configuration datastore was denied.";\r
- }\r
-\r
- leaf denied-notifications {\r
- type yang:zero-based-counter32;\r
- config false;\r
- mandatory true;\r
- description\r
- "Number of times since the server last restarted that\r
- a notification was dropped for a subscription because\r
- access to the event type was denied.";\r
- }\r
-\r
- container groups {\r
- description\r
- "NETCONF access control groups.";\r
-\r
- list group {\r
- key name;\r
-\r
- description\r
- "One NACM group entry. This list will only contain\r
- configured entries, not any entries learned from\r
- any transport protocols.";\r
-\r
- leaf name {\r
- type group-name-type;\r
- description\r
- "Group name associated with this entry.";\r
- }\r
-\r
- leaf-list user-name {\r
- type user-name-type;\r
- description\r
- "Each entry identifies the username of\r
- a member of the group associated with\r
- this entry.";\r
- }\r
- }\r
- }\r
-\r
- list rule-list {\r
- key name;\r
- ordered-by user;\r
- description\r
- "An ordered collection of access control rules.";\r
-\r
- leaf name {\r
- type string {\r
- length "1..max";\r
- }\r
- description\r
- "Arbitrary name assigned to the rule-list.";\r
- }\r
- leaf-list group {\r
- type union {\r
- type matchall-string-type;\r
- type group-name-type;\r
- }\r
- description\r
- "List of administrative groups that will be\r
- assigned the associated access rights\r
- defined by the 'rule' list.\r
- The string '*' indicates that all groups apply to the\r
- entry.";\r
- }\r
-\r
- list rule {\r
- key name;\r
- ordered-by user;\r
- description\r
- "One access control rule.\r
- Rules are processed in user-defined order until a match is\r
- found. A rule matches if 'module-name', 'rule-type', and\r
- 'access-operations' match the request. If a rule\r
- matches, the 'action' leaf determines whether or not\r
- access is granted.";\r
-\r
- leaf name {\r
- type string {\r
- length "1..max";\r
- }\r
- description\r
- "Arbitrary name assigned to the rule.";\r
- }\r
-\r
- leaf module-name {\r
- type union {\r
- type matchall-string-type;\r
- type string;\r
- }\r
- default "*";\r
- description\r
- "Name of the module associated with this rule.\r
- This leaf matches if it has the value '*' or if the\r
- object being accessed is defined in the module with the\r
- specified module name.";\r
- }\r
- choice rule-type {\r
- description\r
- "This choice matches if all leafs present in the rule\r
- match the request. If no leafs are present, the\r
- choice matches all requests.";\r
- case protocol-operation {\r
- leaf rpc-name {\r
- type union {\r
- type matchall-string-type;\r
- type string;\r
- }\r
- description\r
- "This leaf matches if it has the value '*' or if\r
- its value equals the requested protocol operation\r
- name.";\r
- }\r
- }\r
- case notification {\r
- leaf notification-name {\r
- type union {\r
- type matchall-string-type;\r
- type string;\r
- }\r
- description\r
- "This leaf matches if it has the value '*' or if its\r
- value equals the requested notification name.";\r
- }\r
- }\r
-\r
- case data-node {\r
- leaf path {\r
- type node-instance-identifier;\r
- mandatory true;\r
- description\r
- "Data node instance-identifier associated with the\r
- data node, action, or notification controlled by\r
- this rule.\r
- Configuration data or state data\r
- instance-identifiers start with a top-level\r
- data node. A complete instance-identifier is\r
- required for this type of path value.\r
- The special value '/' refers to all possible\r
- datastore contents.";\r
- }\r
- }\r
- }\r
-\r
- leaf access-operations {\r
- type union {\r
- type matchall-string-type;\r
- type access-operations-type;\r
- }\r
- default "*";\r
- description\r
- "Access operations associated with this rule.\r
- This leaf matches if it has the value '*' or if the\r
- bit corresponding to the requested operation is set.";\r
- }\r
-\r
- leaf action {\r
- type action-type;\r
- mandatory true;\r
- description\r
- "The access control action associated with the\r
- rule. If a rule has been determined to match a\r
- particular request, then this object is used\r
- to determine whether to permit or deny the\r
- request.";\r
- }\r
-\r
- leaf comment {\r
- type string;\r
- description\r
- "A textual description of the access rule.";\r
- }\r
- }\r
- }\r
- }\r
-}\r