--- /dev/null
+module o-ran-usermgmt {
+ yang-version 1.1;
+ namespace "urn:o-ran:user-mgmt:1.0";
+ prefix "o-ran-usermgmt";
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ import o-ran-wg4-features {
+ prefix "feat";
+ }
+
+ organization "O-RAN Alliance";
+
+ contact
+ "www.o-ran.org";
+
+ description
+ "This module defines the user management model for the O-RAN Equipment.
+
+ Copyright 2019 the O-RAN Alliance.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS'
+ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the above disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the above disclaimer in the documentation
+ and/or other materials provided with the distribution.
+ * Neither the Members of the O-RAN Alliance nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.";
+
+ revision "2022-08-15" {
+ description
+ "version 10.0.0
+
+ 1) introduced SHARED-ORU-MULTI-OPERATOR feature.";
+
+ reference "ORAN-WG4.M.0-v10.00";
+ }
+
+
+ revision "2021-12-01" {
+ description
+ "version 1.3.0
+
+ 1) typographical corrections in descriptions";
+
+ reference "ORAN-WG4.M.0-v01.00";
+ }
+
+ revision "2020-12-10" {
+ description
+ "version 1.2.0
+
+ 1) updated description for enabled leaf";
+
+ reference "ORAN-WG4.M.0-v01.00";
+ }
+
+ revision "2019-07-03" {
+ description
+ "version 1.1.0
+
+ 1) change name leaf to type nacm:user-name-type
+ 2) added account-type to qualify when password is required ";
+
+ reference "ORAN-WG4.M.0-v01.00";
+ }
+
+ revision "2019-02-04" {
+ description
+ "version 1.0.0
+
+ 1) imported model from xRAN
+ 2) changed namespace and reference from xran to o-ran";
+
+ reference "ORAN-WG4.M.0-v01.00";
+ }
+
+ typedef password-type {
+ type string {
+ length "8..128";
+ pattern "[a-zA-Z0-9!$%\\^()\\[\\]_\\-~{}.+]*" {
+ error-message "Password content does not meet the requirements";
+ }
+ }
+ description
+ "The password for this entry. This shouldn't be in clear text
+ The Password must contain at least 2 characters from
+ each of the following groups:
+ a) Lower case alphabetic (a-z)
+ b) Upper case alphabetic (A-Z)
+ c) Numeric 0-9
+ d) Special characters Allowed !$%^()[]_-~{}.+
+ Password must not contain Username.";
+ }
+
+ grouping user-list {
+ description "a user list grouping";
+ list user {
+ key "name";
+ description
+ "The list of local users configured on this device.";
+ leaf name {
+ type nacm:user-name-type;
+ description
+ "The user name string identifying this entry.
+
+ NOTE: o-ran-usermgmt:user-profile/user/name is
+ identical to nacm:nacm/groups/group/user-name
+ but the current schema is preserved for backwards
+ compatibility.";
+ }
+ leaf account-type {
+ type enumeration {
+ enum PASSWORD {
+ description "the user-name is for password based authentication";
+ }
+ enum CERTIFICATE {
+ description "the user-name is for certificate based authentication";
+ }
+ }
+ default "PASSWORD";
+ description "the account type";
+ }
+
+ leaf password {
+ nacm:default-deny-all;
+ type password-type;
+ description
+ "The password for this entry.
+
+ This field is only valid when account-type is NOT set to CERTIFICATE,
+ i.e., when account-type is NOT present or present and set to
+ PASSWORD.";
+ }
+ leaf enabled {
+ type boolean;
+ description
+ "Indicates whether an account is enabled or disabled.
+
+ A NETCONF Server shall reject a configuration that attempts to
+ enable a Password account for an account where the password leaf
+ is not configured.
+
+ This validation statement is included in the YANG description and
+ not in a MUST statement to preserve backwards compatibility.";
+ }
+ leaf-list sro-id {
+ if-feature feat:SHARED-ORU-MULTI-OPERATOR;
+ type string;
+ description
+ "An optional list if Shared Resource Operator identities associated with the
+ user-account. Used to realize enhanced access privileges in a shared O-RU.
+ When an sro-id is configured in the O-RU, the O-RU shall
+ implement additional sro-id based NETCONF access control
+ as specified in O-RAN.WG4.MP.0-v10.00.
+ The O-RU does not further interpret the specific value of sro-id.";
+ }
+ }
+ }
+
+ container users {
+ must "user/enabled='true'" {
+ error-message "At least one account needs to be enabled.";
+ }
+ //TAKE NOTE - any configuration with zero enabled users is invalid.
+ //This will typically be the case when using a simulated NETCONF Server
+ //and so this constraint should be removed when operating in those scenarios
+
+ //The config data base of the O-RAN equipment should ensure that the user
+ //default account is enabled on factory restart
+
+ description "list of user accounts";
+ uses user-list;
+ }
+
+ rpc chg-password {
+ description "the RPC used to change a password";
+ nacm:default-deny-all;
+ input {
+ leaf currentPassword {
+ type password-type;
+ mandatory true;
+ description
+ "provide the current password";
+ }
+ leaf newPassword {
+ type password-type;
+ mandatory true;
+ description
+ "provide a new password";
+ }
+ leaf newPasswordConfirm {
+ type password-type;
+ mandatory true;
+ description
+ "re-enter the new password ";
+ }
+ }
+ output {
+ leaf status {
+ type enumeration {
+ enum "Successful" {
+ value 1;
+ description "change password operation is successful";
+ }
+ enum "Failed" {
+ value 2;
+ description "change password operation failed";
+ }
+ }
+ mandatory true;
+ description
+ "Successful or Failed";
+ }
+ leaf status-message {
+ type string;
+ description
+ "Gives a more detailed reason for success / failure";
+ }
+ }
+ }
+
+}