--- /dev/null
+module ietf-system {
+ namespace "urn:ietf:params:xml:ns:yang:ietf-system";
+ prefix "sys";
+
+ import ietf-yang-types {
+ prefix yang;
+ }
+
+ import ietf-inet-types {
+ prefix inet;
+ }
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ }
+
+ import iana-crypt-hash {
+ prefix ianach;
+ }
+
+ organization
+ "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
+
+ contact
+ "WG Web: <http://tools.ietf.org/wg/netmod/>
+ WG List: <mailto:netmod@ietf.org>
+
+ WG Chair: Thomas Nadeau
+ <mailto:tnadeau@lucidvision.com>
+
+ WG Chair: Juergen Schoenwaelder
+ <mailto:j.schoenwaelder@jacobs-university.de>
+
+ Editor: Andy Bierman
+ <mailto:andy@yumaworks.com>
+
+ Editor: Martin Bjorklund
+ <mailto:mbj@tail-f.com>";
+
+ description
+ "This module contains a collection of YANG definitions for the
+ configuration and identification of some common system
+ properties within a device containing a NETCONF server. This
+ includes data node definitions for system identification,
+ time-of-day management, user management, DNS resolver
+ configuration, and some protocol operations for system
+ management.
+
+ Copyright (c) 2014 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD License
+ set forth in Section 4.c of the IETF Trust's Legal Provisions
+ Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC 7317; see
+ the RFC itself for full legal notices.";
+
+ revision 2014-08-06 {
+ description
+ "Initial revision.";
+ reference
+ "RFC 7317: A YANG Data Model for System Management";
+ }
+
+ /*
+ * Typedefs
+ */
+
+ typedef timezone-name {
+ type string;
+ description
+ "A time zone name as used by the Time Zone Database,
+ sometimes referred to as the 'Olson Database'.
+
+ The exact set of valid values is an implementation-specific
+ matter. Client discovery of the exact set of time zone names
+ for a particular server is out of scope.";
+ reference
+ "RFC 6557: Procedures for Maintaining the Time Zone Database";
+ }
+
+ /*
+ * Features
+ */
+
+ feature radius {
+ description
+ "Indicates that the device can be configured as a RADIUS
+ client.";
+ reference
+ "RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
+ }
+
+ feature authentication {
+ description
+ "Indicates that the device supports configuration of
+ user authentication.";
+ }
+
+ feature local-users {
+ if-feature authentication;
+ description
+ "Indicates that the device supports configuration of
+ local user authentication.";
+ }
+
+ feature radius-authentication {
+ if-feature radius;
+ if-feature authentication;
+ description
+ "Indicates that the device supports configuration of user
+ authentication over RADIUS.";
+ reference
+ "RFC 2865: Remote Authentication Dial In User Service (RADIUS)
+ RFC 5607: Remote Authentication Dial-In User Service (RADIUS)
+ Authorization for Network Access Server (NAS)
+ Management";
+ }
+
+ feature ntp {
+ description
+ "Indicates that the device can be configured to use one or
+ more NTP servers to set the system date and time.";
+ }
+
+ feature ntp-udp-port {
+ if-feature ntp;
+ description
+ "Indicates that the device supports the configuration of
+ the UDP port for NTP servers.
+
+ This is a 'feature', since many implementations do not support
+ any port other than the default port.";
+ }
+
+ feature timezone-name {
+ description
+ "Indicates that the local time zone on the device
+ can be configured to use the TZ database
+ to set the time zone and manage daylight saving time.";
+ reference
+ "RFC 6557: Procedures for Maintaining the Time Zone Database";
+ }
+
+ feature dns-udp-tcp-port {
+ description
+ "Indicates that the device supports the configuration of
+ the UDP and TCP port for DNS servers.
+
+ This is a 'feature', since many implementations do not support
+ any port other than the default port.";
+ }
+
+
+ /*
+ * Identities
+ */
+
+ identity authentication-method {
+ description
+ "Base identity for user authentication methods.";
+ }
+
+ identity radius {
+ base authentication-method;
+ description
+ "Indicates user authentication using RADIUS.";
+ reference
+ "RFC 2865: Remote Authentication Dial In User Service (RADIUS)
+ RFC 5607: Remote Authentication Dial-In User Service (RADIUS)
+ Authorization for Network Access Server (NAS)
+ Management";
+ }
+
+ identity local-users {
+ base authentication-method;
+ description
+ "Indicates password-based authentication of locally
+ configured users.";
+ }
+
+ identity radius-authentication-type {
+ description
+ "Base identity for RADIUS authentication types.";
+ }
+
+ identity radius-pap {
+ base radius-authentication-type;
+ description
+ "The device requests Password Authentication Protocol (PAP)
+ authentication from the RADIUS server.";
+ reference
+ "RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
+ }
+
+ identity radius-chap {
+ base radius-authentication-type;
+ description
+ "The device requests Challenge Handshake Authentication
+ Protocol (CHAP) authentication from the RADIUS server.";
+ reference
+ "RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
+ }
+
+ /*
+ * Configuration data nodes
+ */
+
+ container system {
+ description
+ "System group configuration.";
+
+ leaf contact {
+ type string;
+ description
+ "The administrator contact information for the system.
+
+ A server implementation MAY map this leaf to the sysContact
+ MIB object. Such an implementation needs to use some
+ mechanism to handle the differences in size and characters
+ allowed between this leaf and sysContact. The definition of
+ such a mechanism is outside the scope of this document.";
+ reference
+ "RFC 3418: Management Information Base (MIB) for the
+ Simple Network Management Protocol (SNMP)
+ SNMPv2-MIB.sysContact";
+ }
+ leaf hostname {
+ type inet:domain-name;
+ description
+ "The name of the host. This name can be a single domain
+ label or the fully qualified domain name of the host.";
+ }
+ leaf location {
+ type string;
+ description
+ "The system location.
+
+ A server implementation MAY map this leaf to the sysLocation
+ MIB object. Such an implementation needs to use some
+ mechanism to handle the differences in size and characters
+ allowed between this leaf and sysLocation. The definition
+ of such a mechanism is outside the scope of this document.";
+ reference
+ "RFC 3418: Management Information Base (MIB) for the
+ Simple Network Management Protocol (SNMP)
+ SNMPv2-MIB.sysLocation";
+ }
+
+ container clock {
+ description
+ "Configuration of the system date and time properties.";
+
+ choice timezone {
+ description
+ "The system time zone information.";
+
+ case timezone-name {
+ if-feature timezone-name;
+ leaf timezone-name {
+ type timezone-name;
+ description
+ "The TZ database name to use for the system, such
+ as 'Europe/Stockholm'.";
+ }
+ }
+ case timezone-utc-offset {
+ leaf timezone-utc-offset {
+ type int16 {
+ range "-1500 .. 1500";
+ }
+ units "minutes";
+ description
+ "The number of minutes to add to UTC time to
+ identify the time zone for this system. For example,
+ 'UTC - 8:00 hours' would be represented as '-480'.
+ Note that automatic daylight saving time adjustment
+ is not provided if this object is used.";
+ }
+ }
+ }
+ }
+
+ container ntp {
+ if-feature ntp;
+ presence
+ "Enables the NTP client unless the 'enabled' leaf
+ (which defaults to 'true') is set to 'false'";
+ description
+ "Configuration of the NTP client.";
+
+ leaf enabled {
+ type boolean;
+ default true;
+ description
+ "Indicates that the system should attempt to
+ synchronize the system clock with an NTP server
+ from the 'ntp/server' list.";
+ }
+ list server {
+ key name;
+ description
+ "List of NTP servers to use for system clock
+ synchronization. If '/system/ntp/enabled'
+ is 'true', then the system will attempt to
+ contact and utilize the specified NTP servers.";
+
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the NTP server.";
+ }
+ choice transport {
+ mandatory true;
+ description
+ "The transport-protocol-specific parameters for this
+ server.";
+
+ case udp {
+ container udp {
+ description
+ "Contains UDP-specific configuration parameters
+ for NTP.";
+ leaf address {
+ type inet:host;
+ mandatory true;
+ description
+ "The address of the NTP server.";
+ }
+ leaf port {
+ if-feature ntp-udp-port;
+ type inet:port-number;
+ default 123;
+ description
+ "The port number of the NTP server.";
+ }
+ }
+ }
+ }
+ leaf association-type {
+ type enumeration {
+ enum server {
+ description
+ "Use client association mode. This device
+ will not provide synchronization to the
+ configured NTP server.";
+ }
+ enum peer {
+ description
+ "Use symmetric active association mode.
+ This device may provide synchronization
+ to the configured NTP server.";
+ }
+ enum pool {
+ description
+ "Use client association mode with one or
+ more of the NTP servers found by DNS
+ resolution of the domain name given by
+ the 'address' leaf. This device will not
+ provide synchronization to the servers.";
+ }
+ }
+ default server;
+ description
+ "The desired association type for this NTP server.";
+ }
+ leaf iburst {
+ type boolean;
+ default false;
+ description
+ "Indicates whether this server should enable burst
+ synchronization or not.";
+ }
+ leaf prefer {
+ type boolean;
+ default false;
+ description
+ "Indicates whether this server should be preferred
+ or not.";
+ }
+ }
+ }
+
+ container dns-resolver {
+ description
+ "Configuration of the DNS resolver.";
+
+ leaf-list search {
+ type inet:domain-name;
+ ordered-by user;
+ description
+ "An ordered list of domains to search when resolving
+ a host name.";
+ }
+ list server {
+ key name;
+ ordered-by user;
+ description
+ "List of the DNS servers that the resolver should query.
+
+ When the resolver is invoked by a calling application, it
+ sends the query to the first name server in this list. If
+ no response has been received within 'timeout' seconds,
+ the resolver continues with the next server in the list.
+ If no response is received from any server, the resolver
+ continues with the first server again. When the resolver
+ has traversed the list 'attempts' times without receiving
+ any response, it gives up and returns an error to the
+ calling application.
+
+ Implementations MAY limit the number of entries in this
+ list.";
+
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the DNS server.";
+ }
+ choice transport {
+ mandatory true;
+ description
+ "The transport-protocol-specific parameters for this
+ server.";
+
+ case udp-and-tcp {
+ container udp-and-tcp {
+ description
+ "Contains UDP- and TCP-specific configuration
+ parameters for DNS.";
+ reference
+ "RFC 1035: Domain Names - Implementation and
+ Specification
+ RFC 5966: DNS Transport over TCP - Implementation
+ Requirements";
+
+ leaf address {
+ type inet:ip-address;
+ mandatory true;
+ description
+ "The address of the DNS server.";
+ }
+ leaf port {
+ if-feature dns-udp-tcp-port;
+ type inet:port-number;
+ default 53;
+ description
+ "The UDP and TCP port number of the DNS server.";
+ }
+ }
+ }
+ }
+ }
+ container options {
+ description
+ "Resolver options. The set of available options has been
+ limited to those that are generally available across
+ different resolver implementations and generally useful.";
+ leaf timeout {
+ type uint8 {
+ range "1..max";
+ }
+ units "seconds";
+ default "5";
+ description
+ "The amount of time the resolver will wait for a
+ response from each remote name server before
+ retrying the query via a different name server.";
+ }
+ leaf attempts {
+ type uint8 {
+ range "1..max";
+ }
+ default "2";
+ description
+ "The number of times the resolver will send a query to
+ all of its name servers before giving up and returning
+ an error to the calling application.";
+ }
+ }
+ }
+
+ container radius {
+ if-feature radius;
+
+ description
+ "Configuration of the RADIUS client.";
+
+ list server {
+ key name;
+ ordered-by user;
+ description
+ "List of RADIUS servers used by the device.
+
+ When the RADIUS client is invoked by a calling
+ application, it sends the query to the first server in
+ this list. If no response has been received within
+ 'timeout' seconds, the client continues with the next
+ server in the list. If no response is received from any
+ server, the client continues with the first server again.
+ When the client has traversed the list 'attempts' times
+ without receiving any response, it gives up and returns an
+ error to the calling application.";
+
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the RADIUS server.";
+ }
+ choice transport {
+ mandatory true;
+ description
+ "The transport-protocol-specific parameters for this
+ server.";
+
+ case udp {
+ container udp {
+ description
+ "Contains UDP-specific configuration parameters
+ for RADIUS.";
+ leaf address {
+ type inet:host;
+ mandatory true;
+ description
+ "The address of the RADIUS server.";
+ }
+
+ leaf authentication-port {
+ type inet:port-number;
+ default "1812";
+ description
+ "The port number of the RADIUS server.";
+ }
+ leaf shared-secret {
+ type string;
+ mandatory true;
+ nacm:default-deny-all;
+ description
+ "The shared secret, which is known to both the
+ RADIUS client and server.";
+ reference
+ "RFC 2865: Remote Authentication Dial In User
+ Service (RADIUS)";
+ }
+ }
+ }
+ }
+ leaf authentication-type {
+ type identityref {
+ base radius-authentication-type;
+ }
+ default radius-pap;
+ description
+ "The authentication type requested from the RADIUS
+ server.";
+ }
+ }
+ container options {
+ description
+ "RADIUS client options.";
+
+ leaf timeout {
+ type uint8 {
+ range "1..max";
+ }
+ units "seconds";
+ default "5";
+ description
+ "The number of seconds the device will wait for a
+ response from each RADIUS server before trying with a
+ different server.";
+ }
+
+ leaf attempts {
+ type uint8 {
+ range "1..max";
+ }
+ default "2";
+ description
+ "The number of times the device will send a query to
+ all of its RADIUS servers before giving up.";
+ }
+ }
+ }
+
+ container authentication {
+ nacm:default-deny-write;
+ if-feature authentication;
+
+ description
+ "The authentication configuration subtree.";
+
+ leaf-list user-authentication-order {
+ type identityref {
+ base authentication-method;
+ }
+ must '(. != "sys:radius" or ../../radius/server)' {
+ error-message
+ "When 'radius' is used, a RADIUS server"
+ + " must be configured.";
+ description
+ "When 'radius' is used as an authentication method,
+ a RADIUS server must be configured.";
+ }
+ ordered-by user;
+
+ description
+ "When the device authenticates a user with a password,
+ it tries the authentication methods in this leaf-list in
+ order. If authentication with one method fails, the next
+ method is used. If no method succeeds, the user is
+ denied access.
+
+ An empty user-authentication-order leaf-list still allows
+ authentication of users using mechanisms that do not
+ involve a password.
+
+ If the 'radius-authentication' feature is advertised by
+ the NETCONF server, the 'radius' identity can be added to
+ this list.
+
+ If the 'local-users' feature is advertised by the
+ NETCONF server, the 'local-users' identity can be
+ added to this list.";
+ }
+
+ list user {
+ if-feature local-users;
+ key name;
+ description
+ "The list of local users configured on this device.";
+
+ leaf name {
+ type string;
+ description
+ "The user name string identifying this entry.";
+ }
+ leaf password {
+ type ianach:crypt-hash;
+ description
+ "The password for this entry.";
+ }
+ list authorized-key {
+ key name;
+ description
+ "A list of public SSH keys for this user. These keys
+ are allowed for SSH authentication, as described in
+ RFC 4253.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer
+ Protocol";
+
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the SSH key.";
+ }
+
+ leaf algorithm {
+ type string;
+ mandatory true;
+ description
+ "The public key algorithm name for this SSH key.
+
+ Valid values are the values in the IANA 'Secure Shell
+ (SSH) Protocol Parameters' registry, Public Key
+ Algorithm Names.";
+ reference
+ "IANA 'Secure Shell (SSH) Protocol Parameters'
+ registry, Public Key Algorithm Names";
+ }
+ leaf key-data {
+ type binary;
+ mandatory true;
+ description
+ "The binary public key data for this SSH key, as
+ specified by RFC 4253, Section 6.6, i.e.:
+
+ string certificate or public key format
+ identifier
+ byte[n] key/certificate data.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer
+ Protocol";
+ }
+ }
+ }
+ }
+ }
+
+ /*
+ * Operational state data nodes
+ */
+
+ container system-state {
+ config false;
+ description
+ "System group operational state.";
+
+ container platform {
+ description
+ "Contains vendor-specific information for
+ identifying the system platform and operating system.";
+ reference
+ "IEEE Std 1003.1-2008 - sys/utsname.h";
+
+ leaf os-name {
+ type string;
+ description
+ "The name of the operating system in use -
+ for example, 'Linux'.";
+ reference
+ "IEEE Std 1003.1-2008 - utsname.sysname";
+ }
+ leaf os-release {
+ type string;
+ description
+ "The current release level of the operating
+ system in use. This string MAY indicate
+ the OS source code revision.";
+ reference
+ "IEEE Std 1003.1-2008 - utsname.release";
+ }
+ leaf os-version {
+ type string;
+ description
+ "The current version level of the operating
+ system in use. This string MAY indicate
+ the specific OS build date and target variant
+ information.";
+ reference
+ "IEEE Std 1003.1-2008 - utsname.version";
+ }
+ leaf machine {
+ type string;
+ description
+ "A vendor-specific identifier string representing
+ the hardware in use.";
+ reference
+ "IEEE Std 1003.1-2008 - utsname.machine";
+ }
+ }
+
+ container clock {
+ description
+ "Monitoring of the system date and time properties.";
+
+ leaf current-datetime {
+ type yang:date-and-time;
+ description
+ "The current system date and time.";
+ }
+
+
+ leaf boot-datetime {
+ type yang:date-and-time;
+ description
+ "The system date and time when the system last restarted.";
+ }
+ }
+ }
+
+ rpc set-current-datetime {
+ nacm:default-deny-all;
+ description
+ "Set the /system-state/clock/current-datetime leaf
+ to the specified value.
+
+ If the system is using NTP (i.e., /system/ntp/enabled
+ is set to 'true'), then this operation will fail with
+ error-tag 'operation-failed' and error-app-tag value of
+ 'ntp-active'.";
+ input {
+ leaf current-datetime {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "The current system date and time.";
+ }
+ }
+ }
+
+ rpc system-restart {
+ nacm:default-deny-all;
+ description
+ "Request that the entire system be restarted immediately.
+ A server SHOULD send an rpc reply to the client before
+ restarting the system.";
+ }
+
+ rpc system-shutdown {
+ nacm:default-deny-all;
+ description
+ "Request that the entire system be shut down immediately.
+ A server SHOULD send an rpc reply to the client before
+ shutting down the system.";
+ }
+
+}
Code Review / sim / o1-interface.git / blobdiff