--- /dev/null
+module o-ran-usermgmt {
+ yang-version 1.1;
+ namespace "urn:o-ran:user-mgmt:1.0";
+ prefix "o-ran-usermgmt";
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ organization "O-RAN Alliance";
+
+ contact
+ "www.o-ran.org";
+
+ description
+ "This module defines the user management model for the O-RAN Equipment.
+
+ Copyright 2019 the O-RAN Alliance.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS'
+ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the above disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the above disclaimer in the documentation
+ and/or other materials provided with the distribution.
+ * Neither the Members of the O-RAN Alliance nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.";
+
+ revision "2019-04-25" {
+ description
+ "version 1.0.1
+
+ 1) change name leaf to type nacm:user-name-type
+ 2) added account-type to qualify when password is required ";
+
+ reference "ORAN-WG4.M.0-v01.00";
+ }
+
+ revision "2019-02-04" {
+ description
+ "version 1.0.0
+
+ 1) imported model from xRAN
+ 2) changed namespace and reference from xran to o-ran";
+
+ reference "ORAN-WG4.M.0-v01.00";
+ }
+
+ typedef password-type {
+ type string {
+ length "8..128";
+ pattern "[a-zA-Z0-9!$%\\^()\\[\\]_\\-~{}.+]*" {
+ error-message "Password content does not meet the requirements";
+ }
+ }
+ description
+ "The password for this entry. This shouldn't be in clear text
+ The Password must contain at least 2 characters from
+ each of the following groups:
+ a) Lower case alphabetic (a-z)
+ b) Upper case alphabetic (A-Z)
+ c) Numeric 0-9
+ d) Special characters Allowed !$%^()[]_-~{}.+
+ Password must not contain Username.";
+ }
+
+ grouping user-list {
+ list user {
+ key "name";
+ description
+ "The list of local users configured on this device.";
+ leaf name {
+ type nacm:user-name-type;
+ description
+ "The user name string identifying this entry.
+
+ NOTE: o-ran-usermgmt:user-profile/user/name is
+ identical to nacm:nacm/groups/group/user-name
+ but the current schema is preserved for backwards
+ compatibility.";
+ }
+ leaf account-type {
+ type enumeration {
+ enum PASSWORD {
+ description "the user-name is for password based authentication";
+ }
+ enum CERTIFICATE {
+ description "the user-name is for certificate based authentciation";
+ }
+ }
+ default "PASSWORD";
+ }
+
+ leaf password {
+ nacm:default-deny-all;
+ type password-type;
+ description
+ "The password for this entry.
+
+ This field is only valid when account-type is NOT set to CERTIFICATE,
+ i.e., when account-type is NOT present or present and set to
+ PASSWORD.";
+ }
+ leaf enabled {
+ type boolean;
+ description
+ "Indicates whether an account is enabled or disabled.";
+ }
+ }
+ }
+
+ container users {
+ must "user/enabled='true'" {
+ error-message "At least one account needs to be enabled.";
+ }
+ //TAKE NOTE - any configuration with zero enabled users is invalid.
+ //This will typically be the case when using a simulated NETCONF Server
+ //and so this constraint should be removed when operating in those scenarios
+
+ //The config data base of the O-RAN equipment should ensure that the user
+ //default account is enabled on factory restart
+
+ description "list of user accounts";
+ uses user-list;
+ }
+
+ rpc chg-password {
+ nacm:default-deny-all;
+ input {
+ leaf currentPassword {
+ type password-type;
+ mandatory true;
+ description
+ "provide the current password";
+ }
+ leaf newPassword {
+ type password-type;
+ mandatory true;
+ description
+ "provide a new password";
+ }
+ leaf newPasswordConfirm {
+ type password-type;
+ mandatory true;
+ description
+ "re-enter the new password ";
+ }
+ }
+ output {
+ leaf status {
+ type enumeration {
+ enum "Successful" {
+ value 1;
+ }
+ enum "Failed" {
+ value 2;
+ }
+ }
+ mandatory true;
+ description
+ "Successful or Failed";
+ }
+ leaf status-message {
+ type string;
+ description
+ "Gives a more detailed reason for success / failure";
+ }
+ }
+ }
+
+}
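Review bot: The `password-type` typedef enforces only the length 8..128 and the allowed character set, so the rules its description states (at least two characters from each group, no user name inside the password, not in clear text) are not checked by the schema and rest entirely on the server; the description should say so, e.g. `The composition rules below are not expressed by the pattern and must be enforced by the server, which is expected to store a hash rather than this value.` Likewise `leaf password` says it is only valid when account-type is not CERTIFICATE but carries no constraint; adding `when "../account-type = 'PASSWORD'";` would make validation reject a password configured on a certificate account. In `rpc chg-password` the `input` could carry `must "newPassword = newPasswordConfirm";` so a mismatch fails at validation instead of depending on each implementation. Typing `currentPassword` as `password-type` also means an existing password that does not satisfy the pattern cannot be submitted in order to replace it, so a plain `string` with the same `length` may be the safer type for that one leaf.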