netconfcentral logo

ietf-netconf-acm

HTML

ietf-netconf-acm@2017-12-11



  module ietf-netconf-acm {

    yang-version 1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";

    prefix nacm;

    import ietf-yang-types {
      prefix yang;
    }

    organization
      "IETF NETCONF (Network Configuration) Working Group";

    contact
      "WG Web:   <http://tools.ietf.org/wg/netconf/>
     WG List:  <mailto:netconf@ietf.org>

     Author:   Andy Bierman
               <mailto:andy@yumaworks.com>

     Author:   Martin Bjorklund
               <mailto:mbj@tail-f.com>";

    description
      "Network Configuration Access Control Model.

     Copyright (c) 2012, 2017 IETF Trust and the persons
     identified as authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

    revision "2017-12-11" {
      description
        "Added support for YANG 1.1 actions and notifications tied to
       data nodes. Clarify how NACM extensions can be used by other
       data models.";
      reference
        "RFC XXXX: Network Configuration Protocol (NETCONF)
        	  Access Control Model";

    }

    revision "2012-02-22" {
      description "Initial version";
      reference
        "RFC 6536: Network Configuration Protocol (NETCONF)
        	  Access Control Model";

    }


    extension default-deny-write {
      description
        "Used to indicate that the data model node
       represents a sensitive security system parameter.

       If present, the NETCONF server will only allow the designated
       'recovery session' to have write access to the node.  An
       explicit access control rule is required for all other users.

       If the NACM module is used, then it must be enabled (i.e.,
       /nacm/enable-nacm object equals 'true'), or this extension
       is ignored.

       The 'default-deny-write' extension MAY appear within a data
       definition statement.  It is ignored otherwise.";
    }

    extension default-deny-all {
      description
        "Used to indicate that the data model node
       controls a very sensitive security system parameter.

       If present, the NETCONF server will only allow the designated
       'recovery session' to have read, write, or execute access to the
       node.  An explicit access control rule is required for all other
       users.

       If the NACM module is used, then it must be enabled (i.e.,
       /nacm/enable-nacm object equals 'true'), or this extension
       is ignored.

       The 'default-deny-all' extension MAY appear within a data
       definition statement, 'rpc' statement, or 'notification'
       statement.  It is ignored otherwise.";
    }

    typedef user-name-type {
      type string {
        length "1..max";
      }
      description
        "General Purpose Username string.";
    }

    typedef matchall-string-type {
      type string {
        pattern '\*';
      }
      description
        "The string containing a single asterisk '*' is used
       to conceptually represent all possible values
       for the particular leaf using this data type.";
    }

    typedef access-operations-type {
      type bits {
        bit create {
          position 0;
          description
            "Any protocol operation that creates a
           new data node.";
        }
        bit read {
          position 1;
          description
            "Any protocol operation or notification that
           returns the value of a data node.";
        }
        bit update {
          position 2;
          description
            "Any protocol operation that alters an existing
           data node.";
        }
        bit delete {
          position 3;
          description
            "Any protocol operation that removes a data node.";
        }
        bit exec {
          position 4;
          description
            "Execution access to the specified protocol operation.";
        }
      }
      description "Access Operation.";
    }

    typedef group-name-type {
      type string {
        length "1..max";
        pattern '[^\*].*';
      }
      description
        "Name of administrative group to which
       users can be assigned.";
    }

    typedef action-type {
      type enumeration {
        enum "permit" {
          value 0;
          description
            "Requested action is permitted.";
        }
        enum "deny" {
          value 1;
          description
            "Requested action is denied.";
        }
      }
      description
        "Action taken by the server when a particular
       rule matches.";
    }

    typedef node-instance-identifier {
      type yang:xpath1.0;
      description
        "Path expression used to represent a special
       data node, action, or notification instance identifier
       string.

       A node-instance-identifier value is an
       unrestricted YANG instance-identifier expression.
       All the same rules as an instance-identifier apply
       except predicates for keys are optional.  If a key
       predicate is missing, then the node-instance-identifier
       represents all possible server instances for that key.

       This XPath expression is evaluated in the following context:

        o  The set of namespace declarations are those in scope on
           the leaf element where this type is used.
        o  The set of variable bindings contains one variable,
           'USER', which contains the name of the user of the current
            session.

        o  The function library is the core function library, but
           note that due to the syntax restrictions of an
           instance-identifier, no functions are allowed.

        o  The context node is the root node in the data tree.

        The accessible tree includes actions and notifications tied
        to data nodes.";
    }

    container nacm {
      nacm:default-deny-all;
      description
        "Parameters for NETCONF Access Control Model.";
      leaf enable-nacm {
        type boolean;
        default 'true';
        description
          "Enables or disables all NETCONF access control
         enforcement.  If 'true', then enforcement
         is enabled.  If 'false', then enforcement
         is disabled.";
      }

      leaf read-default {
        type action-type;
        default "permit";
        description
          "Controls whether read access is granted if
         no appropriate rule is found for a
         particular read request.";
      }

      leaf write-default {
        type action-type;
        default "deny";
        description
          "Controls whether create, update, or delete access
         is granted if no appropriate rule is found for a
         particular write request.";
      }

      leaf exec-default {
        type action-type;
        default "permit";
        description
          "Controls whether exec access is granted if no appropriate
         rule is found for a particular protocol operation request.";
      }

      leaf enable-external-groups {
        type boolean;
        default 'true';
        description
          "Controls whether the server uses the groups reported by the
         NETCONF transport layer when it assigns the user to a set of
         NACM groups.  If this leaf has the value 'false', any group
         names reported by the transport layer are ignored by the
         server.";
      }

      leaf denied-operations {
        type yang:zero-based-counter32;
        config false;
        mandatory true;
        description
          "Number of times since the server last restarted that a
         protocol operation request was denied.";
      }

      leaf denied-data-writes {
        type yang:zero-based-counter32;
        config false;
        mandatory true;
        description
          "Number of times since the server last restarted that a
         protocol operation request to alter
         a configuration datastore was denied.";
      }

      leaf denied-notifications {
        type yang:zero-based-counter32;
        config false;
        mandatory true;
        description
          "Number of times since the server last restarted that
         a notification was dropped for a subscription because
         access to the event type was denied.";
      }

      container groups {
        description
          "NETCONF Access Control Groups.";
        list group {
          key "name";
          description
            "One NACM Group Entry.  This list will only contain
           configured entries, not any entries learned from
           any transport protocols.";
          leaf name {
            type group-name-type;
            description
              "Group name associated with this entry.";
          }

          leaf-list user-name {
            type user-name-type;
            description
              "Each entry identifies the username of
             a member of the group associated with
             this entry.";
          }
        }  // list group
      }  // container groups

      list rule-list {
        key "name";
        ordered-by user;
        description
          "An ordered collection of access control rules.";
        leaf name {
          type string {
            length "1..max";
          }
          description
            "Arbitrary name assigned to the rule-list.";
        }

        leaf-list group {
          type union {
            type matchall-string-type;
            type group-name-type;
          }
          description
            "List of administrative groups that will be
           assigned the associated access rights
           defined by the 'rule' list.

           The string '*' indicates that all groups apply to the
           entry.";
        }

        list rule {
          key "name";
          ordered-by user;
          description
            "One access control rule.

           Rules are processed in user-defined order until a match is
           found.  A rule matches if 'module-name', 'rule-type', and
           'access-operations' match the request.  If a rule
           matches, the 'action' leaf determines if access is granted
           or not.";
          leaf name {
            type string {
              length "1..max";
            }
            description
              "Arbitrary name assigned to the rule.";
          }

          leaf module-name {
            type union {
              type matchall-string-type;
              type string;
            }
            default "*";
            description
              "Name of the module associated with this rule.

             This leaf matches if it has the value '*' or if the
             object being accessed is defined in the module with the
             specified module name.";
          }

          choice rule-type {
            description
              "This choice matches if all leafs present in the rule
             match the request.  If no leafs are present, the
             choice matches all requests.";
            leaf rpc-name {
              type union {
                type matchall-string-type;
                type string;
              }
              description
                "This leaf matches if it has the value '*' or if
                 its value equals the requested protocol operation
                 name.";
            }
            leaf notification-name {
              type union {
                type matchall-string-type;
                type string;
              }
              description
                "This leaf matches if it has the value '*' or if its
                 value equals the requested notification name.";
            }
            leaf path {
              type node-instance-identifier;
              mandatory true;
              description
                "Data Node Instance Identifier associated with the
                 data node, action, or notification controlled by
                 this rule.

                 Configuration data or state data instance
                 identifiers start with a top-level data node.  A
                 complete instance identifier is required for this
                 type of path value.

                 The special value '/' refers to all possible
                 datastore contents.";
            }
          }  // choice rule-type

          leaf access-operations {
            type union {
              type matchall-string-type;
              type access-operations-type;
            }
            default "*";
            description
              "Access operations associated with this rule.

             This leaf matches if it has the value '*' or if the
             bit corresponding to the requested operation is set.";
          }

          leaf action {
            type action-type;
            mandatory true;
            description
              "The access control action associated with the
             rule.  If a rule is determined to match a
             particular request, then this object is used
             to determine whether to permit or deny the
             request.";
          }

          leaf comment {
            type string;
            description
              "A textual description of the access rule.";
          }
        }  // list rule
      }  // list rule-list
    }  // container nacm
  }  // module ietf-netconf-acm

Summary

  
ietf-netconf-acm  
  
Organization IETF NETCONF (Network Configuration) Working Group
  
Module ietf-netconf-acm
Version 2012-02-22
File ietf-netconf-acm.yang
  
Prefix nacm
Namespace urn:ietf:params:xml:ns:yang:ietf-netconf-acm
  
Cooked /cookedmodules/ietf-netconf-acm/2012-02-22
YANG /src/ietf-netconf-acm@2012-02-22.yang
XSD /xsd/ietf-netconf-acm@2012-02-22.xsd
  
Abstract NETCONF Access Control Model. Copyright (c) 2012 IETF Trust and the persons identified as authors of the code. All rights rese...
  
Contact
WG Web:   <http://tools.ietf.org/wg/netconf/>
WG List:  <mailto:netconf@ietf.org>

WG Chair: Mehmet Ersue
	  <mailto:mehmet.ersue@nsn.com>

WG Chair: Bert Wijnen
	  <mailto:bertietf@bwijnen.net>

Editor:   Andy Bierman
	  <mailto:andy@yumaworks.com>

Editor:   Martin Bjorklund
	  <mailto:mbj@tail-f.com>
  
ietf-netconf-acm  
  
Organization IETF NETCONF (Network Configuration) Working Group
  
Module ietf-netconf-acm
Version 2017-12-11
File ietf-netconf-acm@2017-12-11.yang
  
Prefix nacm
Namespace urn:ietf:params:xml:ns:yang:ietf-netconf-acm
  
Cooked /cookedmodules/ietf-netconf-acm/2017-12-11
YANG /src/ietf-netconf-acm@2017-12-11.yang
XSD /xsd/ietf-netconf-acm@2017-12-11.xsd
  
Abstract Network Configuration Access Control Model. Copyright (c) 2012, 2017 IETF Trust and the persons identified as authors of the co...
  
Contact
WG Web:   <http://tools.ietf.org/wg/netconf/>
WG List:  <mailto:netconf@ietf.org>

Author:   Andy Bierman
	  <mailto:andy@yumaworks.com>

Author:   Martin Bjorklund
	  <mailto:mbj@tail-f.com>

Description

 
ietf-netconf-acm
NETCONF Access Control Model.

Copyright (c) 2012 IETF Trust and the persons identified as
authors of the code.  All rights reserved.

Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC 6536; see
the RFC itself for full legal notices.
 
ietf-netconf-acm
Network Configuration Access Control Model.

Copyright (c) 2012, 2017 IETF Trust and the persons
identified as authors of the code. All rights reserved.

Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.

Typedefs

Typedef Base type Abstract
access-operations-type bits NETCONF Access Operation.
access-operations-type bits Access Operation.
action-type enumeration Action taken by the server when a particular rule matches.
action-type enumeration Action taken by the server when a particular rule matches.
group-name-type string Name of administrative group to which users can be assigned.
group-name-type string Name of administrative group to which users can be assigned.
matchall-string-type string The string containing a single asterisk '*' is used to conceptually represent all possible values for the particular leaf using this data type.
matchall-string-type string The string containing a single asterisk '*' is used to conceptually represent all possible values for the particular leaf using this data type.
node-instance-identifier string Path expression used to represent a special data node instance identifier string. A node-instance-identifier value is an unrestricted YANG instance-identifier expression. All the same rules as an instance-identifier apply except predicates for keys are o...
node-instance-identifier string Path expression used to represent a special data node, action, or notification instance identifier string. A node-instance-identifier value is an unrestricted YANG instance-identifier expression. All the same rules as an instance-identifier apply except ...
user-name-type string General Purpose Username string.
user-name-type string General Purpose Username string.

Objects

Type Key
Mandatory config
Optional config
Not config
Object Type Abstract
nacm container Parameters for NETCONF Access Control Model.
nacm container Parameters for NETCONF Access Control Model.
   denied-data-writes leaf Number of times since the server last restarted that a protocol operation request to alter a configuration datastore was denied.
   denied-data-writes leaf Number of times since the server last restarted that a protocol operation request to alter a configuration datastore was denied.
   denied-notifications leaf Number of times since the server last restarted that a notification was dropped for a subscription because access to the event type was denied.
   denied-notifications leaf Number of times since the server last restarted that a notification was dropped for a subscription because access to the event type was denied.
   denied-operations leaf Number of times since the server last restarted that a protocol operation request was denied.
   denied-operations leaf Number of times since the server last restarted that a protocol operation request was denied.
   enable-external-groups leaf Controls whether the server uses the groups reported by the NETCONF transport layer when it assigns the user to a set of NACM groups. If this leaf has the value 'false', any group names reported by the transport layer are ignored by the server.
   enable-external-groups leaf Controls whether the server uses the groups reported by the NETCONF transport layer when it assigns the user to a set of NACM groups. If this leaf has the value 'false', any group names reported by the transport layer are ignored by the server.
   enable-nacm leaf Enables or disables all NETCONF access control enforcement. If 'true', then enforcement is enabled. If 'false', then enforcement is disabled.
   enable-nacm leaf Enables or disables all NETCONF access control enforcement. If 'true', then enforcement is enabled. If 'false', then enforcement is disabled.
   exec-default leaf Controls whether exec access is granted if no appropriate rule is found for a particular protocol operation request.
   exec-default leaf Controls whether exec access is granted if no appropriate rule is found for a particular protocol operation request.
   groups container NETCONF Access Control Groups.
   groups container NETCONF Access Control Groups.
      group list One NACM Group Entry. This list will only contain configured entries, not any entries learned from any transport protocols.
      group list One NACM Group Entry. This list will only contain configured entries, not any entries learned from any transport protocols.
         name leaf Group name associated with this entry.
         name leaf Group name associated with this entry.
         user-name leaf-list Each entry identifies the username of a member of the group associated with this entry.
         user-name leaf-list Each entry identifies the username of a member of the group associated with this entry.
   read-default leaf Controls whether read access is granted if no appropriate rule is found for a particular read request.
   read-default leaf Controls whether read access is granted if no appropriate rule is found for a particular read request.
   rule-list list An ordered collection of access control rules.
   rule-list list An ordered collection of access control rules.
      group leaf-list List of administrative groups that will be assigned the associated access rights defined by the 'rule' list. The string '*' indicates that all groups apply to the entry.
      group leaf-list List of administrative groups that will be assigned the associated access rights defined by the 'rule' list. The string '*' indicates that all groups apply to the entry.
      name leaf Arbitrary name assigned to the rule-list.
      name leaf Arbitrary name assigned to the rule-list.
      rule list One access control rule. Rules are processed in user-defined order until a match is found. A rule matches if 'module-name', 'rule-type', and 'access-operations' match the request. If a rule matches, the 'action' leaf determines if access is granted or ...
      rule list One access control rule. Rules are processed in user-defined order until a match is found. A rule matches if 'module-name', 'rule-type', and 'access-operations' match the request. If a rule matches, the 'action' leaf determines if access is granted or ...
         access-operations leaf Access operations associated with this rule. This leaf matches if it has the value '*' or if the bit corresponding to the requested operation is set.
         access-operations leaf Access operations associated with this rule. This leaf matches if it has the value '*' or if the bit corresponding to the requested operation is set.
         action leaf The access control action associated with the rule. If a rule is determined to match a particular request, then this object is used to determine whether to permit or deny the request.
         action leaf The access control action associated with the rule. If a rule is determined to match a particular request, then this object is used to determine whether to permit or deny the request.
         comment leaf A textual description of the access rule.
         comment leaf A textual description of the access rule.
         module-name leaf Name of the module associated with this rule. This leaf matches if it has the value '*' or if the object being accessed is defined in the module with the specified module name.
         module-name leaf Name of the module associated with this rule. This leaf matches if it has the value '*' or if the object being accessed is defined in the module with the specified module name.
         name leaf Arbitrary name assigned to the rule.
         name leaf Arbitrary name assigned to the rule.
         rule-type choice This choice matches if all leafs present in the rule match the request. If no leafs are present, the choice matches all requests.
         rule-type choice This choice matches if all leafs present in the rule match the request. If no leafs are present, the choice matches all requests.
            data-node case path
            data-node case path
               path leaf Data Node Instance Identifier associated with the data node controlled by this rule. Configuration data or state data instance identifiers start with a top-level data node. A complete instance identifier is required for this type of path value. The spe...
               path leaf Data Node Instance Identifier associated with the data node, action, or notification controlled by this rule. Configuration data or state data instance identifiers start with a top-level data node. A complete instance identifier is required for this typ...
            notification case notification-name
            notification case notification-name
               notification-name leaf This leaf matches if it has the value '*' or if its value equals the requested notification name.
               notification-name leaf This leaf matches if it has the value '*' or if its value equals the requested notification name.
            protocol-operation case rpc-name
            protocol-operation case rpc-name
               rpc-name leaf This leaf matches if it has the value '*' or if its value equals the requested protocol operation name.
               rpc-name leaf This leaf matches if it has the value '*' or if its value equals the requested protocol operation name.
   write-default leaf Controls whether create, update, or delete access is granted if no appropriate rule is found for a particular write request.
   write-default leaf Controls whether create, update, or delete access is granted if no appropriate rule is found for a particular write request.

Extensions

Extension Argument Abstract
default-deny-all   Used to indicate that the data model node controls a very sensitive security system parameter. If present, and the NACM module is enabled (i.e., /nacm/enable-nacm object equals 'true'), the NETCONF server will only allow the designated 'recovery session'...
default-deny-all   Used to indicate that the data model node controls a very sensitive security system parameter. If present, the NETCONF server will only allow the designated 'recovery session' to have read, write, or execute access to the node. An explicit access contro...
default-deny-write   Used to indicate that the data model node represents a sensitive security system parameter. If present, and the NACM module is enabled (i.e., /nacm/enable-nacm object equals 'true'), the NETCONF server will only allow the designated 'recovery session' to...
default-deny-write   Used to indicate that the data model node represents a sensitive security system parameter. If present, the NETCONF server will only allow the designated 'recovery session' to have write access to the node. An explicit access control rule is required fo...