netconfcentral logo

yuma-nacm

HTML

yuma-nacm@2012-10-05



  module yuma-nacm {

    yang-version 1;

    namespace
      "http://netconfcentral.org/ns/yuma-nacm";

    prefix nacm;

    import yuma-ncx {
      prefix ncx;
    }
    import yuma-types {
      prefix yt;
    }
    import ietf-yang-types {
      prefix yang;
    }

    organization "Netconf Central";

    contact
      "Andy Bierman <andy@netconfcentral.org>";

    description
      "NETCONF Server Access Control Model

     Copyright (c) 2010 - 2012 Andy Bierman and the persons
     identified as authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the BSD 3-Clause License
     http://opensource.org/licenses/BSD-3-Clause";

    revision "2012-10-05" {
      description
        "Copy default-deny-all and default-deny-write
           extensions here to integrate with other modules
           more easily.";
    }

    revision "2012-05-31" {
      description
        "Change unrestricted strings to yang-identifier
           type because illegal chars were accepted for YANG
           identifier strings.";
    }

    revision "2012-01-13" {
      description
        "Add ncx:user-write restriction to prevent user deletion
           of the nacm container";
    }

    revision "2010-02-21" {
      description
        "Initial version (work-in-progress).";
    }


    typedef nacm-user-name {
      type string {
        length "1..64";
        pattern
          '[a-z,A-Z,_][a-z,A-Z,0-9,\-,_,@,.]{0,63}';
      }
      description
        "General Purpose User Name string.";
    }

    typedef nacm-rights {
      type bits {
        bit read {
          position 0;
          description
            "Read access allowed to all specified data.
               Any protocol operation or notification that
               returns data to an application is a read 
               operation.";
        }
        bit write {
          position 1;
          description
            "Write access allowed to all specified data.
               Any protocol operation that alters a database
               is a write operation.";
        }
        bit exec {
          position 2;
          description
            "Execution access to the specified RPC operation.
               Any RPC operation invocation is an exec operation.";
        }
      }
      description "NETCONF Access Rights";
    }

    typedef nacm-group {
      type identityref {
        base nacm-groups;
      }
      description
        "Type of administrative group that can be
         assigned to the user, and specified in
         an access control rule.

         The identityref data type is used to allow as 
         many groups to be added as needed.  There are
         no standard semantics for each identity.
         It simply represents a unique group name.";
    }

    typedef nacm-action {
      type enumeration {
        enum "permit" {
          value 0;
          description
            "Requested action is permitted.";
        }
        enum "deny" {
          value 1;
          description
            "Requested action is denied.";
        }
      }
      description
        "Action taken by the server when a particular
           rule matches.";
    }

    typedef schema-instance-identifier {
      type string;
      description
        "Path expression used to represent a special 
         schema-instance identifier string.
       
         A schema-instance-identifier value string is an 
         unrestricted YANG instance-identifier expression.
         All the same rules as an instance-identifier apply
         except predicates for keys are optional.  If a key
         predicate is missing, then the schema-instance-identifier
         represents all possible server instances for that key.";
    }

    extension default-deny-write {
      description
        "Copy of IETF version of 'secure' extension.";
      reference
        "RFC 6536";

    }

    extension default-deny-all {
      description
        "Copy of IETF version of 'very-secure' extension.";
      reference
        "RFC 6536";

    }

    extension secure {
      description
        "Used to indicate that the data model node 
         represents a sensitive security system parameter.

         If present, the NETCONF server will only allow
         the designated 'superuser' to have write or execute
         default nacm-rights for the node.  An explicit access
         control rule is required for all other users.

         The 'secure' extension may appear within a data, rpc,
         or notification node definition.  It is ignored 
         otherwise.";
    }

    extension very-secure {
      description
        "Used to indicate that the data model node 
         controls a very sensitive security system parameter.

         If present, the NETCONF server will only allow
         the designated 'superuser' to have read, write, or execute
         default nacm-rights for the node.  An explicit access
         control rule is required for all other users.

         The 'very-secure' extension may appear within a data, rpc,
         or notification node definition.  It is ignored
         otherwise.";
    }

    identity nacm-groups {
      base 
      description
        "Root of all NETCONF Administrative Groups";
    }

    identity admin {
      base nacm-groups;
      description
        "Example Administrator group.";
    }

    identity monitor {
      base nacm-groups;
      description
        "Example Monitoring group.";
    }

    identity guest {
      base nacm-groups;
      description "Example Guest group.";
    }

    container nacm {
      ncx:user-write "update";
      nacm:very-secure;
      presence
        "An empty nacm container indicates that the 
          NACM service is running, and possibly using
          all default parameters.";
      description
        "Parameters for NETCONF Access Control Model.";
      leaf enable-nacm {
        type boolean;
        default 'true';
        description
          "Enable or disable all NETCONF access control
              enforcement.  If 'true', then enforcement
              is enabled.  If 'false', then enforcement
              is disabled.";
      }

      leaf read-default {
        type nacm-action;
        default "permit";
        description
          "Controls whether read access is granted if
               no appropriate rule is found for a
               particular read request.";
      }

      leaf write-default {
        type nacm-action;
        default "deny";
        description
          "Controls whether write access is granted if
               no appropriate rule is found for a
               particular write request.";
      }

      leaf exec-default {
        type nacm-action;
        default "permit";
        description
          "Controls whether exec access is granted if
               no appropriate rule is found for a
               particular RPC operation request.";
      }

      leaf denied-rpcs {
        type yang:zero-based-counter32;
        config false;
        description
          "Number of times an RPC operation request was denied";
      }

      leaf denied-data-writes {
        type yang:zero-based-counter32;
        config false;
        description
          "Number of times a request to alter a data node
               was denied.";
      }

      container groups {
        description "NACM Group Table";
        list group {
          key "group-identity";
          description "One NACM Group Entry";
          leaf group-identity {
            type nacm-group;
            description
              "Group identity associated with this entry.";
          }

          leaf-list user-name {
            type nacm-user-name;
            description
              "Each entry identifies the user name of 
                       a member of the group associated with 
                       this entry.";
          }
        }  // list group
      }  // container groups

      container rules {
        description
          "NETCONF Access Control Rules.";
        grouping common-rule-parms {
          leaf rule-name {
            type string {
              length "1..1023";
            }
            description
              "Arbitrary name assigned to the
                       access control rule.";
          }

          leaf allowed-rights {
            type nacm-rights;
            mandatory true;
            description
              "List of access rights granted to
                       specified administrative groups for the
                       content specified by the associated path.";
          }

          leaf-list allowed-group {
            type nacm-group;
            min-elements 1;
            description
              "List of administrative groups which will be
                       assigned the associated access rights
                       for the content specified by the associated
                       path.";
          }

          leaf comment {
            type string {
              length "0..4095";
            }
            description
              "A textual description of the access rule.";
          }
        }  // grouping common-rule-parms
        list module-rule {
          key "module-name rule-name";
          ordered-by user;
          description
            "One Module Access Rule.
                    Rules are processed in user-defined order.
                    A module rule is considered a match if
                    the XML namespace for the specified module
                    name matches the XML namespace used within
                    a NETCONF PDU, and the administrative group
                    associated with the requesting session is
                    specified in the 'allowed-group' leaf-list.";
          leaf module-name {
            type yt:yang-identifier;
            description
              "Name of the module associated with 
                       this rule.";
          }

          uses common-rule-parms;
        }  // list module-rule

        list rpc-rule {
          key "rpc-module-name rpc-name rule-name";
          ordered-by user;
          description
            "One RPC Operation Access Rule.
                    Rules are processed in user-defined order.
                    An RPC rule is considered a match if
                    the module name of the requested RPC
                    operation matches 'rpc-module-name',
                    the requested RPC operation matches
                    'rpc-name', and an administrative group
                    associated with the session user
                    is listed in the 'allowed-group'
                    leaf-list";
          leaf rpc-module-name {
            type yt:yang-identifier;
            description
              "Name of the module defining this 
                       RPC operation.";
          }

          leaf rpc-name {
            type yt:yang-identifier;
            description
              "Name of the RPC operation.";
          }

          uses common-rule-parms;
        }  // list rpc-rule

        list data-rule {
          key "rule-name";
          ordered-by user;
          description
            "One Data Access Control Rule.
                   Rules are processed in user-defined order.
                   A data rule is considered to match when
                   the path expression identifies
                   the same node that is being accessed
                   in the NETCONF database, and the administrative
                   group associated with the session is identified
                   in the 'allowed-group' leaf-list.";
          leaf path {
            type schema-instance-identifier;
            mandatory true;
            description
              "Schema Instance Identifier associated with
                     the data node controlled by this rule.

                     Configuration data or state data
                     instance identifiers start with
                     a top-level data node.
                     A complete instance identifier is 
                     required for this type of path value.

                     The special value '/' refers to all
                     possible database contents.";
          }

          uses common-rule-parms;
        }  // list data-rule

        list notification-rule {
          key "notification-module-name notification-name rule-name";
          ordered-by user;
          description
            "One Notification Access Rule.
                    A notification is considered a match if
                    the module name of the requested
                    event type matches 'notification-module-name',
                    the requested event type matches the
                    'notification-name', and the administrative group
                    associated with the requesting session
                    is listed in the 'allowed-group' leaf-list.";
          leaf notification-module-name {
            type yt:yang-identifier;
            description
              "Name of the module defining this 
                       notification event type.";
          }

          leaf notification-name {
            type yt:yang-identifier;
            description
              "Name of the notification event.";
          }

          uses common-rule-parms;
        }  // list notification-rule
      }  // container rules
    }  // container nacm
  }  // module yuma-nacm

Summary

  
  
Organization Netconf Central
  
Module yuma-nacm
Version 2012-10-05
File yuma-nacm.yang
  
Prefix nacm
Namespace http://netconfcentral.org/ns/yuma-nacm
  
Cooked /cookedmodules/yuma-nacm/2012-10-05
YANG /src/yuma-nacm@2012-10-05.yang
XSD /xsd/yuma-nacm@2012-10-05.xsd
  
Abstract NETCONF Server Access Control Model Copyright (c) 2010 - 2012 Andy Bierman and the persons identified as authors of the code. ...
  
Contact
Andy Bierman <andy@netconfcentral.org>

Description

 
NETCONF Server Access Control Model

Copyright (c) 2010 - 2012 Andy Bierman and the persons
identified as authors of the code.  All rights reserved.

Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the BSD 3-Clause License
http://opensource.org/licenses/BSD-3-Clause

Typedefs

Typedef Base type Abstract
nacm-action enumeration Action taken by the server when a particular rule matches.
nacm-group identityref Type of administrative group that can be assigned to the user, and specified in an access control rule. The identityref data type is used to allow as many groups to be added as needed. There are no standard semantics for each identity. It simply represe...
nacm-rights bits NETCONF Access Rights
nacm-user-name string General Purpose User Name string.
schema-instance-identifier string Path expression used to represent a special schema-instance identifier string. A schema-instance-identifier value string is an unrestricted YANG instance-identifier expression. All the same rules as an instance-identifier apply except predicates for keys...

Objects

Type Key
Mandatory config
Optional config
Not config
Object Type Abstract
nacm container Parameters for NETCONF Access Control Model.
   denied-data-writes leaf Number of times a request to alter a data node was denied.
   denied-rpcs leaf Number of times an RPC operation request was denied
   enable-nacm leaf Enable or disable all NETCONF access control enforcement. If 'true', then enforcement is enabled. If 'false', then enforcement is disabled.
   exec-default leaf Controls whether exec access is granted if no appropriate rule is found for a particular RPC operation request.
   groups container NACM Group Table
      group list One NACM Group Entry
         group-identity leaf Group identity associated with this entry.
         user-name leaf-list Each entry identifies the user name of a member of the group associated with this entry.
   read-default leaf Controls whether read access is granted if no appropriate rule is found for a particular read request.
   rules container NETCONF Access Control Rules.
      data-rule list One Data Access Control Rule. Rules are processed in user-defined order. A data rule is considered to match when the path expression identifies the same node that is being accessed in the NETCONF database, and the administrative group associated with the ...
         allowed-group leaf-list List of administrative groups which will be assigned the associated access rights for the content specified by the associated path.
         allowed-rights leaf List of access rights granted to specified administrative groups for the content specified by the associated path.
         comment leaf A textual description of the access rule.
         path leaf Schema Instance Identifier associated with the data node controlled by this rule. Configuration data or state data instance identifiers start with a top-level data node. A complete instance identifier is required for this type of path value. The special...
         rule-name leaf Arbitrary name assigned to the access control rule.
      module-rule list One Module Access Rule. Rules are processed in user-defined order. A module rule is considered a match if the XML namespace for the specified module name matches the XML namespace used within a NETCONF PDU, and the administrative group associated with the...
         allowed-group leaf-list List of administrative groups which will be assigned the associated access rights for the content specified by the associated path.
         allowed-rights leaf List of access rights granted to specified administrative groups for the content specified by the associated path.
         comment leaf A textual description of the access rule.
         module-name leaf Name of the module associated with this rule.
         rule-name leaf Arbitrary name assigned to the access control rule.
      notification-rule list One Notification Access Rule. A notification is considered a match if the module name of the requested event type matches 'notification-module-name', the requested event type matches the 'notification-name', and the administrative group associated with th...
         allowed-group leaf-list List of administrative groups which will be assigned the associated access rights for the content specified by the associated path.
         allowed-rights leaf List of access rights granted to specified administrative groups for the content specified by the associated path.
         comment leaf A textual description of the access rule.
         notification-module-name leaf Name of the module defining this notification event type.
         notification-name leaf Name of the notification event.
         rule-name leaf Arbitrary name assigned to the access control rule.
      rpc-rule list One RPC Operation Access Rule. Rules are processed in user-defined order. An RPC rule is considered a match if the module name of the requested RPC operation matches 'rpc-module-name', the requested RPC operation matches 'rpc-name', and an administrative ...
         allowed-group leaf-list List of administrative groups which will be assigned the associated access rights for the content specified by the associated path.
         allowed-rights leaf List of access rights granted to specified administrative groups for the content specified by the associated path.
         comment leaf A textual description of the access rule.
         rpc-module-name leaf Name of the module defining this RPC operation.
         rpc-name leaf Name of the RPC operation.
         rule-name leaf Arbitrary name assigned to the access control rule.
   write-default leaf Controls whether write access is granted if no appropriate rule is found for a particular write request.

Extensions

Extension Argument Abstract
default-deny-all   Copy of IETF version of 'very-secure' extension.
default-deny-write   Copy of IETF version of 'secure' extension.
secure   Used to indicate that the data model node represents a sensitive security system parameter. If present, the NETCONF server will only allow the designated 'superuser' to have write or execute default nacm-rights for the node. An explicit access control r...
very-secure   Used to indicate that the data model node controls a very sensitive security system parameter. If present, the NETCONF server will only allow the designated 'superuser' to have read, write, or execute default nacm-rights for the node. An explicit access...