This module provides a data model for the metadata of SSH and console credentials installed on a networking device. The followi...
Version: 2024-02-13
module openconfig-gnsi-credentialz { yang-version 1; namespace "https://github.com/openconfig/yang/gnsi/credentialz"; prefix oc-gnsi-credz; import openconfig-extensions { prefix oc-ext; } import openconfig-system { prefix oc-sys; } import openconfig-types { prefix oc-types; } import openconfig-yang-types { prefix oc-yang; } import openconfig-system-grpc { prefix oc-sys-grpc; } import openconfig-gnsi { prefix oc-gnsi; } organization "OpenConfig Working Group"; contact "OpenConfig working group netopenconfig@googlegroups.com"; description "This module provides a data model for the metadata of SSH and console credentials installed on a networking device. The following leaves MUST be treated as invalid when the gNSI server is enabled and credentialz is supported by the implementation: /system/aaa/authentication/users/user/config/ssh-key /system/aaa/authentication/users/user/state/ssh-key /system/aaa/authentication/users/user/config/password /system/aaa/authentication/users/user/state/password /system/aaa/authentication/users/user/config/password-hashed /system/aaa/authentication/users/user/state/password-hashed"; revision "2024-02-13" { description "Major style updates and move to openconfig/public from openconfig/gnsi. Last commit at https://github.com/openconfig/gnsi/commit/347935aac66135d5649dadb9583ed0914578aab0"; reference "0.6.0"; } revision "2024-01-05" { description "Fix typo in YANG leaves"; reference "0.5.0"; } revision "2023-10-03" { description "Added state leaves for admin-user"; reference "0.4.0"; } revision "2023-08-18" { description "Fixed the canonical order of config field."; reference "0.3.0"; } revision "2022-10-30" { description "Adds success/failure counters."; reference "0.2.0"; } revision "2022-08-22" { description "Initial revision."; reference "0.1.0"; } oc-ext:openconfig-version "0.6.0"; typedef version { type string; description "The version ID of the credential as provided by the credential manager when the credential was pushed. This leaf persists through a reboot."; } typedef created-on { type oc-types:timeticks64; description "The creation time of the credential as reported by the credential manager when the credential was pushed to the device. This value is reported as nanoseconds since epoch (January 1st, 1970 00:00:00 GMT). This leaf persists through a reboot."; } grouping ssh-server-credentials-version { description "SSH server credentials freshness-related data."; leaf active-trusted-user-ca-keys-version { type version; description "The version of the Certificate Authority keys."; } leaf active-trusted-user-ca-keys-created-on { type created-on; description "The timestamp of the moment when the trusted user CA keys were created."; } leaf active-host-certificate-version { type version; description "The version of the host certificate."; } leaf active-host-certificate-created-on { type created-on; description "The timestamp of the moment when the host certificate was created."; } leaf active-host-key-version { type version; description "The version of the host public key."; } leaf active-host-key-created-on { type created-on; description "The timestamp of the moment when the host key was created."; } } // grouping ssh-server-credentials-version grouping counters { description "A collection of counters that were collected while evaluating access to the target."; container counters { config false; description "A collection of counters collected while authorizing users accessing the target."; leaf access-rejects { type oc-yang:counter64; description "The total number of times access to the target has been denied."; } leaf last-access-reject { type oc-types:timeticks64; description "A timestamp of the last time access to the target has been denied."; } leaf access-accepts { type oc-yang:counter64; description "The total number of times access to the target has been allowed."; } leaf last-access-accept { type oc-types:timeticks64; description "A timestamp of the last time access to the target has been allowed."; } } // container counters } // grouping counters grouping user-ssh-credentials-version { description "System role credentials freshness-related data."; leaf authorized-principals-list-version { type version; description "The version of the list of authorized principals currently associated with this system role."; } leaf authorized-principals-list-created-on { type created-on; description "The timestamp of the moment the currently used list of authorized principals has been created."; } leaf authorized-keys-list-version { type version; description "The version of the list of authorized keys that is currently associated with this system role."; } leaf authorized-keys-list-created-on { type created-on; description "The timestamp of the moment the currently used list of authorized keys has been created."; } } // grouping user-ssh-credentials-version grouping console-config-state { description "Console-related configuration and state."; container console { description "Console-related configuration and state."; container config { description "Console-related configuration."; } // container config container state { config false; description "Console-related state."; uses counters; } // container state } // container console } // grouping console-config-state grouping user-console-credentials-version { description "System role credentials freshness-related data."; leaf password-version { type version; description "The version of the password that is currently used to authenticate this user account."; } leaf password-created-on { type created-on; description "The timestamp of the moment the currently used password has been created."; } } // grouping user-console-credentials-version augment /oc-sys:system { when "oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" + "/oc-sys-grpc:config[contains(oc-sys-grpc:services, 'oc-gnsi:GNSI')]" + "/oc-sys-grpc:enable = 'true'"; description "Console credentials freshness data."; uses console-config-state; } augment /oc-sys:system/oc-sys:ssh-server/oc-sys:state { when "../../oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" + "/oc-sys-grpc:config[contains(oc-sys-grpc:services, 'oc-gnsi:GNSI')]" + "/oc-sys-grpc:enable = 'true'"; description "SSH server credentials freshness data."; uses ssh-server-credentials-version; uses counters; } augment /oc-sys:system/oc-sys:aaa/oc-sys:authentication/oc-sys:users/oc-sys:user/oc-sys:state { when "../../../../../oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" + "/oc-sys-grpc:config[contains(oc-sys-grpc:services, 'oc-gnsi:GNSI')]" + "/oc-sys-grpc:enable = 'true'"; description "A system role credentials freshness information."; uses user-console-credentials-version; uses user-ssh-credentials-version; } augment /oc-sys:system/oc-sys:aaa/oc-sys:authentication/oc-sys:admin-user/oc-sys:state { when "../../../../oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" + "/oc-sys-grpc:config[contains(oc-sys-grpc:services, 'oc-gnsi:GNSI')]" + "/oc-sys-grpc:enable = 'true'"; description "A system role credentials freshness information."; uses user-console-credentials-version; uses user-ssh-credentials-version; } } // module openconfig-gnsi-credentialz
© 2023 YumaWorks, Inc. All rights reserved.