1 module ietf-netconf-acm {
3 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";
7 import ietf-yang-types {
12 "IETF NETCONF (Network Configuration) Working Group";
15 "WG Web: <http://tools.ietf.org/wg/netconf/>
16 WG List: <mailto:netconf@ietf.org>
18 WG Chair: Mehmet Ersue
19 <mailto:mehmet.ersue@nsn.com>
22 <mailto:bertietf@bwijnen.net>
25 <mailto:andy@yumaworks.com>
27 Editor: Martin Bjorklund
28 <mailto:mbj@tail-f.com>";
31 "NETCONF Access Control Model.
33 Copyright (c) 2012 IETF Trust and the persons identified as
34 authors of the code. All rights reserved.
36 Redistribution and use in source and binary forms, with or
37 without modification, is permitted pursuant to, and subject
38 to the license terms contained in, the Simplified BSD
39 License set forth in Section 4.c of the IETF Trust's
40 Legal Provisions Relating to IETF Documents
41 (http://trustee.ietf.org/license-info).
43 This version of this YANG module is part of RFC 6536; see
44 the RFC itself for full legal notices.";
46 revision "2012-02-22" {
50 "RFC 6536: Network Configuration Protocol (NETCONF)
51 Access Control Model";
55 * Extension statements
58 extension default-deny-write {
60 "Used to indicate that the data model node
61 represents a sensitive security system parameter.
63 If present, and the NACM module is enabled (i.e.,
64 /nacm/enable-nacm object equals 'true'), the NETCONF server
65 will only allow the designated 'recovery session' to have
66 write access to the node. An explicit access control rule is
67 required for all other users.
69 The 'default-deny-write' extension MAY appear within a data
70 definition statement. It is ignored otherwise.";
73 extension default-deny-all {
75 "Used to indicate that the data model node
76 controls a very sensitive security system parameter.
78 If present, and the NACM module is enabled (i.e.,
79 /nacm/enable-nacm object equals 'true'), the NETCONF server
80 will only allow the designated 'recovery session' to have
81 read, write, or execute access to the node. An explicit
82 access control rule is required for all other users.
84 The 'default-deny-all' extension MAY appear within a data
85 definition statement, 'rpc' statement, or 'notification'
86 statement. It is ignored otherwise.";
93 typedef user-name-type {
98 "General Purpose Username string.";
101 typedef matchall-string-type {
106 "The string containing a single asterisk '*' is used
107 to conceptually represent all possible values
108 for the particular leaf using this data type.";
111 typedef access-operations-type {
115 "Any protocol operation that creates a
120 "Any protocol operation or notification that
121 returns the value of a data node.";
125 "Any protocol operation that alters an existing
130 "Any protocol operation that removes a data node.";
134 "Execution access to the specified protocol operation.";
138 "NETCONF Access Operation.";
141 typedef group-name-type {
147 "Name of administrative group to which
148 users can be assigned.";
151 typedef action-type {
155 "Requested action is permitted.";
159 "Requested action is denied.";
163 "Action taken by the server when a particular
167 typedef node-instance-identifier {
170 "Path expression used to represent a special
171 data node instance identifier string.
173 A node-instance-identifier value is an
174 unrestricted YANG instance-identifier expression.
175 All the same rules as an instance-identifier apply
176 except predicates for keys are optional. If a key
177 predicate is missing, then the node-instance-identifier
178 represents all possible server instances for that key.
180 This XPath expression is evaluated in the following context:
182 o The set of namespace declarations are those in scope on
183 the leaf element where this type is used.
185 o The set of variable bindings contains one variable,
186 'USER', which contains the name of the user of the current
189 o The function library is the core function library, but
190 note that due to the syntax restrictions of an
191 instance-identifier, no functions are allowed.
193 o The context node is the root node in the data tree.";
197 * Data definition statements
201 nacm:default-deny-all;
204 "Parameters for NETCONF Access Control Model.";
210 "Enables or disables all NETCONF access control
211 enforcement. If 'true', then enforcement
212 is enabled. If 'false', then enforcement
220 "Controls whether read access is granted if
221 no appropriate rule is found for a
222 particular read request.";
229 "Controls whether create, update, or delete access
230 is granted if no appropriate rule is found for a
231 particular write request.";
238 "Controls whether exec access is granted if no appropriate
239 rule is found for a particular protocol operation request.";
242 leaf enable-external-groups {
246 "Controls whether the server uses the groups reported by the
247 NETCONF transport layer when it assigns the user to a set of
248 NACM groups. If this leaf has the value 'false', any group
249 names reported by the transport layer are ignored by the
253 leaf denied-operations {
254 type yang:zero-based-counter32;
258 "Number of times since the server last restarted that a
259 protocol operation request was denied.";
262 leaf denied-data-writes {
263 type yang:zero-based-counter32;
267 "Number of times since the server last restarted that a
268 protocol operation request to alter
269 a configuration datastore was denied.";
272 leaf denied-notifications {
273 type yang:zero-based-counter32;
277 "Number of times since the server last restarted that
278 a notification was dropped for a subscription because
279 access to the event type was denied.";
284 "NETCONF Access Control Groups.";
290 "One NACM Group Entry. This list will only contain
291 configured entries, not any entries learned from
292 any transport protocols.";
295 type group-name-type;
297 "Group name associated with this entry.";
300 leaf-list user-name {
303 "Each entry identifies the username of
304 a member of the group associated with
314 "An ordered collection of access control rules.";
321 "Arbitrary name assigned to the rule-list.";
325 type matchall-string-type;
326 type group-name-type;
329 "List of administrative groups that will be
330 assigned the associated access rights
331 defined by the 'rule' list.
333 The string '*' indicates that all groups apply to the
341 "One access control rule.
343 Rules are processed in user-defined order until a match is
344 found. A rule matches if 'module-name', 'rule-type', and
345 'access-operations' match the request. If a rule
346 matches, the 'action' leaf determines if access is granted
354 "Arbitrary name assigned to the rule.";
359 type matchall-string-type;
364 "Name of the module associated with this rule.
366 This leaf matches if it has the value '*' or if the
367 object being accessed is defined in the module with the
368 specified module name.";
372 "This choice matches if all leafs present in the rule
373 match the request. If no leafs are present, the
374 choice matches all requests.";
375 case protocol-operation {
378 type matchall-string-type;
382 "This leaf matches if it has the value '*' or if
383 its value equals the requested protocol operation
388 leaf notification-name {
390 type matchall-string-type;
394 "This leaf matches if it has the value '*' or if its
395 value equals the requested notification name.";
400 type node-instance-identifier;
403 "Data Node Instance Identifier associated with the
404 data node controlled by this rule.
406 Configuration data or state data instance
407 identifiers start with a top-level data node. A
408 complete instance identifier is required for this
411 The special value '/' refers to all possible
412 datastore contents.";
417 leaf access-operations {
419 type matchall-string-type;
420 type access-operations-type;
424 "Access operations associated with this rule.
426 This leaf matches if it has the value '*' or if the
427 bit corresponding to the requested operation is set.";
434 "The access control action associated with the
435 rule. If a rule is determined to match a
436 particular request, then this object is used
437 to determine whether to permit or deny the
444 "A textual description of the access rule.";