module ietf-netconf-acm { namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"; prefix "nacm"; import ietf-yang-types { prefix yang; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: WG List: WG Chair: Mehmet Ersue WG Chair: Bert Wijnen Editor: Andy Bierman Editor: Martin Bjorklund "; description "NETCONF Server Access Control Model. Copyright (c) 2011 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; // RFC Ed.: replace XXXX with actual RFC number and // remove this note // RFC Ed.: remove this note // Note: extracted from draft-ietf-netconf-access-control-02.txt // RFC Ed.: please update the date to the date of publication revision "2011-02-03" { description "Initial version"; reference "RFC XXXX: Network Configuration Protocol Access Control Model"; } /* * Extension statements */ extension secure { description "Used to indicate that the data model node represents a sensitive security system parameter. If present, the NETCONF server will only allow the designated 'superuser' to have write or execute default nacm-rights-type for the node. An explicit access control rule is required for all other users. The 'secure' extension may appear within a data, rpc, or notification node definition. It is ignored otherwise."; } extension very-secure { description "Used to indicate that the data model node controls a very sensitive security system parameter. If present, the NETCONF server will only allow the designated 'superuser' to have read, write, or execute default nacm-rights-type for the node. An explicit access control rule is required for all other users. The 'very-secure' extension may appear within a data, rpc, or notification node definition. It is ignored otherwise."; } /* * Derived types */ typedef nacm-user-name-type { type string { length "1..max"; } description "General Purpose User Name string."; } typedef nacm-matchall-string-type { type string { pattern "\*"; } description "The string containing a single asterisk '*' is used to conceptually represent all possible values for the particular leaf using this data type."; } typedef nacm-rights-type { type union { type nacm-matchall-string-type; type bits { bit create { description "Create access allowed to all specified data. Any protocol operation that creates a new instance of the specified data is a create operation."; } bit read { description "Read access allowed to all specified data. Any protocol operation or notification that returns data to an application is a read operation."; } bit update { description "Update access allowed to all specified data. Any protocol operation that alters an existing data node is an update operation."; } bit delete { description "Delete access allowed to all specified data. Any protocol operation that removes a database node instance is a delete operation."; } bit exec { description "Execution access to the specified RPC operation. Any RPC operation invocation is an exec operation."; } } } description "NETCONF Access Rights. The string '*' indicates that all possible access rights apply to the access rule. Otherwise, only the specific access rights represented by the bit names that are present apply to the access rule."; } typedef nacm-group-name-type { type string { length "1..max"; pattern "[^\*].*"; } description "Name of administrative group that can be assigned to the user, and specified in an access control rule."; } typedef nacm-action-type { type enumeration { enum permit { description "Requested action is permitted."; } enum deny { description "Requested action is denied."; } } description "Action taken by the server when a particular rule matches."; } typedef schema-instance-identifier { type yang:xpath1.0; description "Path expression used to represent a special schema-instance identifier string. A schema-instance-identifier value is an unrestricted YANG instance-identifier expression. All the same rules as an instance-identifier apply except predicates for keys are optional. If a key predicate is missing, then the schema-instance-identifier represents all possible server instances for that key. This XPath expression is evaluated in the following context: o The set of namespace declarations are those in scope on the leaf element where this type is used. o The set of variable bindings contains one variable, 'USER', which contains the name of user of the current session. o The function library is the core function library, but note that due to the syntax restrictions of an instance-identifier, no functions are allowed. o The context node is the root node in the data tree."; } container nacm { nacm:very-secure; description "Parameters for NETCONF Access Control Model."; leaf enable-nacm { type boolean; default true; description "Enable or disable all NETCONF access control enforcement. If 'true', then enforcement is enabled. If 'false', then enforcement is disabled."; } leaf read-default { type nacm-action-type; default "permit"; description "Controls whether read access is granted if no appropriate rule is found for a particular read request."; } leaf write-default { type nacm-action-type; default "deny"; description "Controls whether create, update, or delete access is granted if no appropriate rule is found for a particular write request."; } leaf exec-default { type nacm-action-type; default "permit"; description "Controls whether exec access is granted if no appropriate rule is found for a particular RPC operation request."; } leaf denied-rpcs { type yang:zero-based-counter32; config false; mandatory true; description "Number of times an RPC operation request was denied since the server last restarted."; } leaf denied-data-writes { type yang:zero-based-counter32; config false; mandatory true; description "Number of times a request to alter a data node was denied, since the server last restarted."; } container groups { description "NETCONF Access Control Groups."; list group { key name; description "One NACM Group Entry."; leaf name { type nacm-group-name-type; description "Group name associated with this entry."; } leaf-list user-name { type nacm-user-name-type; description "Each entry identifies the user name of a member of the group associated with this entry."; } } } container rules { description "NETCONF Access Control Rules."; grouping common-rule-parms { description "Common rule parameters."; leaf rule-name { type string { length "1..256"; } description "Arbitrary name assigned to the access control rule."; } leaf allowed-rights { type nacm-rights-type; description "List of access rights granted to specified administrative groups for the content specified by the associated path."; } leaf-list allowed-group { type union { type nacm-matchall-string-type; type nacm-group-name-type; } min-elements 1; description "List of administrative groups which will be assigned the associated access rights for the content specified by the associated path. The string '*' indicates that all configured administrative groups apply to the entry."; } leaf nacm-action { type nacm-action-type; mandatory true; description "The access control action associated with the rule. If a rule is determined to match a particular request, then this object is used to determine whether to permit or deny the request."; } leaf comment { type string { length "1..4095"; } description "A textual description of the access rule."; } } list module-rule { key "module-name rule-name"; ordered-by user; description "One Module Access Rule. Rules are processed in user-defined order. A module rule is considered a match if the XML namespace for the specified module name matches the XML namespace used within a NETCONF PDU, and the administrative group associated with the requesting session is specified in the 'allowed-group' leaf-list, and the requested operation is included in the 'allowed-rights' leaf."; leaf module-name { type string; description "Name of the module associated with this rule."; } uses common-rule-parms { refine allowed-rights { mandatory true; } } } list rpc-rule { key "module-name rpc-name rule-name"; ordered-by user; description "One RPC Operation Access Rule. Rules are processed in user-defined order. An RPC rule is considered a match if the module name of the requested RPC operation matches 'module-name', the requested RPC operation matches 'rpc-name', and an administrative group associated with the session user is listed in the 'allowed-group' leaf-list. The 'allowed-rights' leaf is ignored by the server if it is present. Only the 'exec' bit can possibly cause a match for an RPC rule."; leaf module-name { type string; description "Name of the module defining this RPC operation."; } leaf rpc-name { type string; description "Name of the RPC operation."; } uses common-rule-parms; } list data-rule { key "rule-name"; ordered-by user; description "One Data Access Control Rule. Rules are processed in user-defined order. A data rule is considered to match when the path expression identifies the same node that is being accessed in the NETCONF database, and the administrative group associated with the session is identified in the 'allowed-group' leaf-list, and the requested operation is included in the 'allowed-rights' leaf."; leaf path { type schema-instance-identifier; mandatory true; description "Schema Instance Identifier associated with the data node controlled by this rule. Configuration data or state data instance identifiers start with a top-level data node. A complete instance identifier is required for this type of path value. The special value '/' refers to all possible database contents."; } uses common-rule-parms { refine allowed-rights { mandatory true; } } } list notification-rule { key "module-name notification-name rule-name"; ordered-by user; description "One Notification Access Rule. A notification is considered a match if the module name of the requested event type matches 'module-name', the requested event type matches the 'notification-name', and the administrative group associated with the requesting session is listed in the 'allowed-group' leaf-list. If the 'allowed-rights' leaf is present, it is ignored by the server. Only the 'read' bit can possibly cause a match for a notification rule."; leaf module-name { type string; description "Name of the module defining this notification event type."; } leaf notification-name { type string; description "Name of the notification event."; } uses common-rule-parms; } } } }