netconfcentral logo

openconfig-aaa@2019-10-28



  module openconfig-aaa {

    yang-version 1;

    namespace
      "http://openconfig.net/yang/aaa";

    prefix oc-aaa;

    import openconfig-extensions {
      prefix oc-ext;
    }
    import openconfig-inet-types {
      prefix oc-inet;
    }
    import openconfig-yang-types {
      prefix oc-yang;
    }
    import openconfig-aaa-types {
      prefix oc-aaa-types;
    }

    include openconfig-aaa-tacacs;
    include openconfig-aaa-radius;

    organization "OpenConfig working group";

    contact
      "OpenConfig working group
    www.openconfig.net";

    description
      "This module defines configuration and operational state data
    related to authorization, authentication, and accounting (AAA)
    management.

    Portions of this model reuse data definitions or structure from
    RFC 7317 - A YANG Data Model for System Management";

    revision "2019-10-28" {
      description
        "Fix bug in when statement path";
      reference
        "0.4.3";

    }

    revision "2019-08-20" {
      description
        "Fix identity prefixes and when statement paths";
      reference
        "0.4.2";

    }

    revision "2018-11-21" {
      description
        "Add OpenConfig module metadata extensions.";
      reference
        "0.4.1";

    }

    revision "2018-04-12" {
      description
        "Add when conditions, correct identities";
      reference
        "0.4.0";

    }

    revision "2017-09-18" {
      description
        "Updated to use OpenConfig types modules";
      reference
        "0.3.0";

    }

    revision "2017-07-06" {
      description
        "Move to oc-inet types, add IETF attribution, add RADIUS
      counters, changed password leaf names to indicate hashed";
      reference
        "0.2.0";

    }

    revision "2017-01-29" {
      description "Initial public release";
      reference
        "0.1.0";

    }

    oc-ext:openconfig-version "0.4.3";
    oc-ext:regexp-posix;
    oc-ext:catalog-organization "openconfig";
    oc-ext:origin "openconfig";

    grouping aaa-servergroup-common-config {
      description
        "Configuration data for AAA server groups";
      leaf name {
        type string;
        description
          "Name for the server group";
      }

      leaf type {
        type identityref {
          base oc-aaa-types:AAA_SERVER_TYPE;
        }
        description
          "AAA server type -- all servers in the group must be of this
        type";
      }
    }  // grouping aaa-servergroup-common-config

    grouping aaa-servergroup-common-state {
      description
        "Operational state data for AAA server groups";
    }  // grouping aaa-servergroup-common-state

    grouping aaa-servergroup-common-top {
      description
        "Top-level grouping for AAA server groups";
      container server-groups {
        description
          "Enclosing container for AAA server groups";
        list server-group {
          key "name";
          description
            "List of AAA server groups.  All servers in a group
          must have the same type as indicated by the server
          type.";
          leaf name {
            type leafref {
              path "../config/name";
            }
            description
              "Reference to configured name of the server group";
          }

          container config {
            description
              "Configuration data for each server group";
            uses aaa-servergroup-common-config;
          }  // container config

          container state {
            config false;
            description
              "Operational state data for each server group";
            uses aaa-servergroup-common-config;

            uses aaa-servergroup-common-state;
          }  // container state

          uses aaa-server-top;
        }  // list server-group
      }  // container server-groups
    }  // grouping aaa-servergroup-common-top

    grouping aaa-server-config {
      description
        "Common configuration data for AAA servers";
      leaf name {
        type string;
        description
          "Name assigned to the server";
      }

      leaf address {
        type oc-inet:ip-address;
        description
          "Address of the authentication server";
      }

      leaf timeout {
        type uint16;
        units "seconds";
        description
          "Set the timeout in seconds on responses from the AAA
        server";
      }
    }  // grouping aaa-server-config

    grouping aaa-server-state {
      description
        "Common operational state data for AAA servers";
      leaf connection-opens {
        type oc-yang:counter64;
        description
          "Number of new connection requests sent to the server, e.g.
        socket open";
      }

      leaf connection-closes {
        type oc-yang:counter64;
        description
          "Number of connection close requests sent to the server, e.g.
        socket close";
      }

      leaf connection-aborts {
        type oc-yang:counter64;
        description
          "Number of aborted connections to the server.  These do
        not include connections that are close gracefully.";
      }

      leaf connection-failures {
        type oc-yang:counter64;
        description
          "Number of connection failures to the server";
      }

      leaf connection-timeouts {
        type oc-yang:counter64;
        description
          "Number of connection timeouts to the server";
      }

      leaf messages-sent {
        type oc-yang:counter64;
        description
          "Number of messages sent to the server";
      }

      leaf messages-received {
        type oc-yang:counter64;
        description
          "Number of messages received by the server";
      }

      leaf errors-received {
        type oc-yang:counter64;
        description
          "Number of error messages received from the server";
      }
    }  // grouping aaa-server-state

    grouping aaa-server-top {
      description
        "Top-level grouping for list of AAA servers";
      container servers {
        description
          "Enclosing container the list of servers";
        list server {
          key "address";
          description "List of AAA servers";
          leaf address {
            type leafref {
              path "../config/address";
            }
            description
              "Reference to the configured address of the AAA server";
          }

          container config {
            description
              "Configuration data ";
            uses aaa-server-config;
          }  // container config

          container state {
            config false;
            description
              "Operational state data ";
            uses aaa-server-config;

            uses aaa-server-state;
          }  // container state

          uses aaa-tacacs-server-top {
            when
              "../../config/type = 'oc-aaa:TACACS'";
          }

          uses aaa-radius-server-top {
            when
              "../../config/type = 'oc-aaa:RADIUS'";
          }
        }  // list server
      }  // container servers
    }  // grouping aaa-server-top

    grouping aaa-admin-config {
      description
        "Configuration data for the system built-in
      administrator / root user account";
      leaf admin-password {
        oc-ext:openconfig-hashed-value;
        type string;
        description
          "The admin/root password, supplied as a cleartext string.
        The system should hash and only store the password as a
        hashed value.";
      }

      leaf admin-password-hashed {
        type oc-aaa-types:crypt-password-type;
        description
          "The admin/root password, supplied as a hashed value
        using the notation described in the definition of the
        crypt-password-type.";
      }
    }  // grouping aaa-admin-config

    grouping aaa-admin-state {
      description
        "Operational state data for the root user";
      leaf admin-username {
        type string;
        description
          "Name of the administrator user account, e.g., admin, root,
        etc.";
      }
    }  // grouping aaa-admin-state

    grouping aaa-authentication-admin-top {
      description
        "Top-level grouping for root user configuration and state
      data";
      container admin-user {
        description
          "Top-level container for the system root or admin user
        configuration and operational state";
        container config {
          description
            "Configuration data for the root user account";
          uses aaa-admin-config;
        }  // container config

        container state {
          config false;
          description
            "Operational state data for the root user account";
          uses aaa-admin-config;

          uses aaa-admin-state;
        }  // container state
      }  // container admin-user
    }  // grouping aaa-authentication-admin-top

    grouping aaa-authentication-user-config {
      description
        "Configuration data for local users";
      leaf username {
        type string;
        description
          "Assigned username for this user";
      }

      leaf password {
        oc-ext:openconfig-hashed-value;
        type string;
        description
          "The user password, supplied as cleartext.  The system
        must hash the value and only store the hashed value.";
      }

      leaf password-hashed {
        type oc-aaa-types:crypt-password-type;
        description
          "The user password, supplied as a hashed value
        using the notation described in the definition of the
        crypt-password-type.";
      }

      leaf ssh-key {
        type string;
        description
          "SSH public key for the user (RSA or DSA)";
      }

      leaf role {
        type union {
          type string;
          type identityref {
            base oc-aaa-types:SYSTEM_DEFINED_ROLES;
          }
        }
        description
          "Role assigned to the user.  The role may be supplied
        as a string or a role defined by the SYSTEM_DEFINED_ROLES
        identity.";
      }
    }  // grouping aaa-authentication-user-config

    grouping aaa-authentication-user-state {
      description
        "Operational state data for local users";
    }  // grouping aaa-authentication-user-state

    grouping aaa-authentication-user-top {
      description
        "Top-level grouping for local users";
      container users {
        description
          "Enclosing container list of local users";
        list user {
          key "username";
          description
            "List of local users on the system";
          leaf username {
            type leafref {
              path "../config/username";
            }
            description
              "References the configured username for the user";
          }

          container config {
            description
              "Configuration data for local users";
            uses aaa-authentication-user-config;
          }  // container config

          container state {
            config false;
            description
              "Operational state data for local users";
            uses aaa-authentication-user-config;

            uses aaa-authentication-user-state;
          }  // container state
        }  // list user
      }  // container users
    }  // grouping aaa-authentication-user-top

    grouping aaa-accounting-methods-common {
      description
        "Common definitions for accounting methods";
      leaf-list accounting-method {
        type union {
          type identityref {
            base oc-aaa-types:AAA_METHOD_TYPE;
          }
          type string;
        }
        ordered-by user;
        description
          "An ordered list of methods used for AAA accounting for this
        event type.  The method is defined by the destination for
        accounting data, which may be specified as the group of
        all TACACS+/RADIUS servers, a defined server group, or
        the local system.";
      }
    }  // grouping aaa-accounting-methods-common

    grouping aaa-accounting-events-config {
      description
        "Configuration data for AAA accounting events";
      leaf event-type {
        type identityref {
          base oc-aaa-types:AAA_ACCOUNTING_EVENT_TYPE;
        }
        description
          "The type of activity to record at the AAA accounting
        server";
      }

      leaf record {
        type enumeration {
          enum "START_STOP" {
            value 0;
            description
              "Send START record to the accounting server at the
            beginning of the activity, and STOP record at the
            end of the activity.";
          }
          enum "STOP" {
            value 1;
            description
              "Send STOP record to the accounting server when the
            user activity completes";
          }
        }
        description
          "Type of record to send to the accounting server for this
        activity type";
      }
    }  // grouping aaa-accounting-events-config

    grouping aaa-accounting-events-state {
      description
        "Operational state data for accounting events";
    }  // grouping aaa-accounting-events-state

    grouping aaa-accounting-events-top {
      description
        "Top-level grouping for accounting events";
      container events {
        description
          "Enclosing container for defining handling of events
        for accounting";
        list event {
          key "event-type";
          description
            "List of events subject to accounting";
          leaf event-type {
            type leafref {
              path "../config/event-type";
            }
            description
              "Reference to the event-type being logged at the
            accounting server";
          }

          container config {
            description
              "Configuration data for accounting events";
            uses aaa-accounting-events-config;
          }  // container config

          container state {
            config false;
            description
              "Operational state data for accounting events";
            uses aaa-accounting-events-config;

            uses aaa-accounting-events-state;
          }  // container state
        }  // list event
      }  // container events
    }  // grouping aaa-accounting-events-top

    grouping aaa-accounting-config {
      description
        "Configuration data for event accounting";
      uses aaa-accounting-methods-common;
    }  // grouping aaa-accounting-config

    grouping aaa-accounting-state {
      description
        "Operational state data for event accounting services";
    }  // grouping aaa-accounting-state

    grouping aaa-accounting-top {
      description
        "Top-level grouping for user activity accounting";
      container accounting {
        description
          "Top-level container for AAA accounting";
        container config {
          description
            "Configuration data for user activity accounting.";
          uses aaa-accounting-config;
        }  // container config

        container state {
          config false;
          description
            "Operational state data for user accounting.";
          uses aaa-accounting-config;

          uses aaa-accounting-state;
        }  // container state

        uses aaa-accounting-events-top;
      }  // container accounting
    }  // grouping aaa-accounting-top

    grouping aaa-authorization-methods-config {
      description
        "Common definitions for authorization methods for global
      and per-event type";
      leaf-list authorization-method {
        type union {
          type identityref {
            base oc-aaa-types:AAA_METHOD_TYPE;
          }
          type string;
        }
        ordered-by user;
        description
          "Ordered list of methods for authorizing commands.  The first
        method that provides a response (positive or negative) should
        be used.  The list may contain a well-defined method such
        as the set of all TACACS or RADIUS servers, or the name of
        a defined AAA server group.  The system must validate
        that the named server group exists.";
      }
    }  // grouping aaa-authorization-methods-config

    grouping aaa-authorization-events-config {
      description
        "Configuration data for AAA authorization events";
      leaf event-type {
        type identityref {
          base oc-aaa-types:AAA_AUTHORIZATION_EVENT_TYPE;
        }
        description
          "The type of event to record at the AAA authorization
        server";
      }
    }  // grouping aaa-authorization-events-config

    grouping aaa-authorization-events-state {
      description
        "Operational state data for AAA authorization events";
    }  // grouping aaa-authorization-events-state

    grouping aaa-authorization-events-top {
      description
        "Top-level grouping for authorization events";
      container events {
        description
          "Enclosing container for the set of events subject
        to authorization";
        list event {
          key "event-type";
          description
            "List of events subject to AAA authorization";
          leaf event-type {
            type leafref {
              path "../config/event-type";
            }
            description
              "Reference to the event-type list key";
          }

          container config {
            description
              "Configuration data for each authorized event";
            uses aaa-authorization-events-config;
          }  // container config

          container state {
            config false;
            description
              "Operational state data for each authorized activity";
            uses aaa-authorization-events-config;

            uses aaa-authorization-events-state;
          }  // container state
        }  // list event
      }  // container events
    }  // grouping aaa-authorization-events-top

    grouping aaa-authorization-config {
      description
        "Configuration data for AAA authorization";
      uses aaa-authorization-methods-config;
    }  // grouping aaa-authorization-config

    grouping aaa-authorization-state {
      description
        "Operational state data for AAA authorization";
    }  // grouping aaa-authorization-state

    grouping aaa-authorization-top {
      description
        "Top-level grouping for AAA authorization";
      container authorization {
        description
          "Top-level container for AAA authorization configuration
        and operational state data";
        container config {
          description
            "Configuration data for authorization based on AAA
          methods";
          uses aaa-authorization-config;
        }  // container config

        container state {
          config false;
          description
            "Operational state data for authorization based on AAA";
          uses aaa-authorization-config;

          uses aaa-authorization-state;
        }  // container state

        uses aaa-authorization-events-top;
      }  // container authorization
    }  // grouping aaa-authorization-top

    grouping aaa-authentication-config {
      description
        "Configuration data for global authentication";
      leaf-list authentication-method {
        type union {
          type identityref {
            base oc-aaa-types:AAA_METHOD_TYPE;
          }
          type string;
        }
        ordered-by user;
        description
          "Ordered list of authentication methods for users.  This
        can be either a reference to a server group, or a well-
        defined designation in the AAA_METHOD_TYPE identity.  If
        authentication fails with one method, the next defined
        method is tried -- failure of all methods results in the
        user being denied access.";
      }
    }  // grouping aaa-authentication-config

    grouping aaa-authentication-state {
      description
        "Operational state data for global authentication";
    }  // grouping aaa-authentication-state

    grouping aaa-authentication-top {
      description
        "Top-level grouping for top-level authentication";
      container authentication {
        description
          "Top-level container for global authentication data";
        container config {
          description
            "Configuration data for global authentication services";
          uses aaa-authentication-config;
        }  // container config

        container state {
          config false;
          description
            "Operational state data for global authentication
          services";
          uses aaa-authentication-config;

          uses aaa-authentication-state;
        }  // container state

        uses aaa-authentication-admin-top;

        uses aaa-authentication-user-top;
      }  // container authentication
    }  // grouping aaa-authentication-top

    grouping aaa-config {
      description
        "Configuration data for top level AAA";
    }  // grouping aaa-config

    grouping aaa-state {
      description
        "Operational state data for top level AAA";
    }  // grouping aaa-state

    grouping aaa-top {
      description
        "Top-level grouping for AAA services";
      container aaa {
        description
          "Top-level container for AAA services";
        container config {
          description
            "Configuration data for top level AAA services";
          uses aaa-config;
        }  // container config

        container state {
          config false;
          description
            "Operational state data for top level AAA services ";
          uses aaa-config;

          uses aaa-state;
        }  // container state

        uses aaa-authentication-top;

        uses aaa-authorization-top;

        uses aaa-accounting-top;

        uses aaa-servergroup-common-top;
      }  // container aaa
    }  // grouping aaa-top
  }  // module openconfig-aaa