2 namespace "urn:ietf:params:xml:ns:yang:ietf-system";
5 import ietf-yang-types {
9 import ietf-inet-types {
13 import ietf-netconf-acm {
17 import iana-crypt-hash {
22 "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
31 "WG Web: <http://tools.ietf.org/wg/netmod/>
32 WG List: <mailto:netmod@ietf.org>
34 WG Chair: Thomas Nadeau
35 <mailto:tnadeau@lucidvision.com>
37 WG Chair: Juergen Schoenwaelder
38 <mailto:j.schoenwaelder@jacobs-university.de>
41 <mailto:andy@yumaworks.com>
43 Editor: Martin Bjorklund
44 <mailto:mbj@tail-f.com>";
47 "This module contains a collection of YANG definitions for the
48 configuration and identification of some common system
49 properties within a device containing a NETCONF server. This
50 includes data node definitions for system identification,
51 time-of-day management, user management, DNS resolver
52 configuration, and some protocol operations for system
55 Copyright (c) 2014 IETF Trust and the persons identified as
56 authors of the code. All rights reserved.
58 Redistribution and use in source and binary forms, with or
59 without modification, is permitted pursuant to, and subject
60 to the license terms contained in, the Simplified BSD License
61 set forth in Section 4.c of the IETF Trust's Legal Provisions
62 Relating to IETF Documents
63 (http://trustee.ietf.org/license-info).
65 This version of this YANG module is part of RFC 7317; see
66 the RFC itself for full legal notices.";
72 "RFC 7317: A YANG Data Model for System Management";
82 typedef timezone-name {
85 "A time zone name as used by the Time Zone Database,
86 sometimes referred to as the 'Olson Database'.
88 The exact set of valid values is an implementation-specific
89 matter. Client discovery of the exact set of time zone names
90 for a particular server is out of scope.";
92 "RFC 6557: Procedures for Maintaining the Time Zone Database";
101 "Indicates that the device can be configured as a RADIUS
104 "RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
107 feature authentication {
109 "Indicates that the device supports configuration of
110 user authentication.";
113 feature local-users {
114 if-feature authentication;
116 "Indicates that the device supports configuration of
117 local user authentication.";
126 feature radius-authentication {
128 if-feature authentication;
130 "Indicates that the device supports configuration of user
131 authentication over RADIUS.";
133 "RFC 2865: Remote Authentication Dial In User Service (RADIUS)
134 RFC 5607: Remote Authentication Dial-In User Service (RADIUS)
135 Authorization for Network Access Server (NAS)
141 "Indicates that the device can be configured to use one or
142 more NTP servers to set the system date and time.";
145 feature ntp-udp-port {
148 "Indicates that the device supports the configuration of
149 the UDP port for NTP servers.
151 This is a 'feature', since many implementations do not support
152 any port other than the default port.";
155 feature timezone-name {
157 "Indicates that the local time zone on the device
158 can be configured to use the TZ database
159 to set the time zone and manage daylight saving time.";
161 "RFC 6557: Procedures for Maintaining the Time Zone Database";
164 feature dns-udp-tcp-port {
166 "Indicates that the device supports the configuration of
167 the UDP and TCP port for DNS servers.
169 This is a 'feature', since many implementations do not support
170 any port other than the default port.";
178 identity authentication-method {
180 "Base identity for user authentication methods.";
184 base authentication-method;
186 "Indicates user authentication using RADIUS.";
188 "RFC 2865: Remote Authentication Dial In User Service (RADIUS)
189 RFC 5607: Remote Authentication Dial-In User Service (RADIUS)
190 Authorization for Network Access Server (NAS)
194 identity local-users {
195 base authentication-method;
197 "Indicates password-based authentication of locally
201 identity radius-authentication-type {
203 "Base identity for RADIUS authentication types.";
206 identity radius-pap {
207 base radius-authentication-type;
209 "The device requests Password Authentication Protocol (PAP)
210 authentication from the RADIUS server.";
212 "RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
222 identity radius-chap {
223 base radius-authentication-type;
225 "The device requests Challenge Handshake Authentication
226 Protocol (CHAP) authentication from the RADIUS server.";
228 "RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
232 * Configuration data nodes
237 "System group configuration.";
242 "The administrator contact information for the system.
244 A server implementation MAY map this leaf to the sysContact
245 MIB object. Such an implementation needs to use some
246 mechanism to handle the differences in size and characters
247 allowed between this leaf and sysContact. The definition of
248 such a mechanism is outside the scope of this document.";
250 "RFC 3418: Management Information Base (MIB) for the
251 Simple Network Management Protocol (SNMP)
252 SNMPv2-MIB.sysContact";
255 type inet:domain-name;
257 "The name of the host. This name can be a single domain
258 label or the fully qualified domain name of the host.";
263 "The system location.
265 A server implementation MAY map this leaf to the sysLocation
266 MIB object. Such an implementation needs to use some
267 mechanism to handle the differences in size and characters
268 allowed between this leaf and sysLocation. The definition
269 of such a mechanism is outside the scope of this document.";
271 "RFC 3418: Management Information Base (MIB) for the
272 Simple Network Management Protocol (SNMP)
273 SNMPv2-MIB.sysLocation";
278 "Configuration of the system date and time properties.";
282 "The system time zone information.";
285 if-feature timezone-name;
289 "The TZ database name to use for the system, such
290 as 'Europe/Stockholm'.";
293 case timezone-utc-offset {
294 leaf timezone-utc-offset {
296 range "-1500 .. 1500";
300 "The number of minutes to add to UTC time to
301 identify the time zone for this system. For example,
302 'UTC - 8:00 hours' would be represented as '-480'.
303 Note that automatic daylight saving time adjustment
304 is not provided if this object is used.";
313 "Enables the NTP client unless the 'enabled' leaf
314 (which defaults to 'true') is set to 'false'.";
316 "Configuration of the NTP client.";
322 "Indicates that the system should attempt to
323 synchronize the system clock with an NTP server
324 from the 'ntp/server' list.";
329 "List of NTP servers to use for system clock
330 synchronization. If '/system/ntp/enabled'
331 is 'true', then the system will attempt to
332 contact and utilize the specified NTP servers.";
337 "An arbitrary name for the NTP server.";
342 "The transport-protocol-specific parameters for this
348 "Contains UDP-specific configuration parameters
354 "The address of the NTP server.";
357 if-feature ntp-udp-port;
358 type inet:port-number;
361 "The port number of the NTP server.";
366 leaf association-type {
370 "Use client association mode. This device
371 will not provide synchronization to the
372 configured NTP server.";
376 "Use symmetric active association mode.
377 This device may provide synchronization
378 to the configured NTP server.";
382 "Use client association mode with one or
383 more of the NTP servers found by DNS
384 resolution of the domain name given by
385 the 'address' leaf. This device will not
386 provide synchronization to the servers.";
391 "The desired association type for this NTP server.";
397 "Indicates whether this server should enable burst
398 synchronization or not.";
404 "Indicates whether this server should be preferred
410 container dns-resolver {
412 "Configuration of the DNS resolver.";
415 type inet:domain-name;
418 "An ordered list of domains to search when resolving
425 "List of the DNS servers that the resolver should query.
427 When the resolver is invoked by a calling application, it
428 sends the query to the first name server in this list. If
429 no response has been received within 'timeout' seconds,
430 the resolver continues with the next server in the list.
431 If no response is received from any server, the resolver
432 continues with the first server again. When the resolver
433 has traversed the list 'attempts' times without receiving
434 any response, it gives up and returns an error to the
437 Implementations MAY limit the number of entries in this
443 "An arbitrary name for the DNS server.";
448 "The transport-protocol-specific parameters for this
452 container udp-and-tcp {
454 "Contains UDP- and TCP-specific configuration
455 parameters for DNS.";
457 "RFC 1035: Domain Names - Implementation and
459 RFC 5966: DNS Transport over TCP - Implementation
463 type inet:ip-address;
466 "The address of the DNS server.";
469 if-feature dns-udp-tcp-port;
470 type inet:port-number;
473 "The UDP and TCP port number of the DNS server.";
481 "Resolver options. The set of available options has been
482 limited to those that are generally available across
483 different resolver implementations and generally useful.";
491 "The amount of time the resolver will wait for a
492 response from each remote name server before
493 retrying the query via a different name server.";
501 "The number of times the resolver will send a query to
502 all of its name servers before giving up and returning
503 an error to the calling application.";
514 "Configuration of the RADIUS client.";
520 "List of RADIUS servers used by the device.
522 When the RADIUS client is invoked by a calling
523 application, it sends the query to the first server in
524 this list. If no response has been received within
525 'timeout' seconds, the client continues with the next
526 server in the list. If no response is received from any
527 server, the client continues with the first server again.
528 When the client has traversed the list 'attempts' times
529 without receiving any response, it gives up and returns an
530 error to the calling application.";
535 "An arbitrary name for the RADIUS server.";
540 "The transport-protocol-specific parameters for this
546 "Contains UDP-specific configuration parameters
552 "The address of the RADIUS server.";
558 leaf authentication-port {
559 type inet:port-number;
562 "The port number of the RADIUS server.";
567 nacm:default-deny-all;
569 "The shared secret, which is known to both the
570 RADIUS client and server.";
572 "RFC 2865: Remote Authentication Dial In User
578 leaf authentication-type {
580 base radius-authentication-type;
584 "The authentication type requested from the RADIUS
590 "RADIUS client options.";
599 "The number of seconds the device will wait for a
600 response from each RADIUS server before trying with a
612 "The number of times the device will send a query to
613 all of its RADIUS servers before giving up.";
618 container authentication {
619 nacm:default-deny-write;
620 if-feature authentication;
623 "The authentication configuration subtree.";
625 leaf-list user-authentication-order {
627 base authentication-method;
629 must '(. != "sys:radius" or ../../radius/server)' {
631 "When 'radius' is used, a RADIUS server"
632 + " must be configured.";
634 "When 'radius' is used as an authentication method,
635 a RADIUS server must be configured.";
640 "When the device authenticates a user with a password,
641 it tries the authentication methods in this leaf-list in
642 order. If authentication with one method fails, the next
643 method is used. If no method succeeds, the user is
646 An empty user-authentication-order leaf-list still allows
647 authentication of users using mechanisms that do not
650 If the 'radius-authentication' feature is advertised by
651 the NETCONF server, the 'radius' identity can be added to
654 If the 'local-users' feature is advertised by the
655 NETCONF server, the 'local-users' identity can be
656 added to this list.";
660 if-feature local-users;
663 "The list of local users configured on this device.";
668 "The user name string identifying this entry.";
671 type ianach:crypt-hash;
673 "The password for this entry.";
675 list authorized-key {
678 "A list of public SSH keys for this user. These keys
679 are allowed for SSH authentication, as described in
682 "RFC 4253: The Secure Shell (SSH) Transport Layer
688 "An arbitrary name for the SSH key.";
706 "The public key algorithm name for this SSH key.
708 Valid values are the values in the IANA 'Secure Shell
709 (SSH) Protocol Parameters' registry, Public Key
712 "IANA 'Secure Shell (SSH) Protocol Parameters'
713 registry, Public Key Algorithm Names";
719 "The binary public key data for this SSH key, as
720 specified by RFC 4253, Section 6.6, i.e.:
722 string certificate or public key format
724 byte[n] key/certificate data.";
726 "RFC 4253: The Secure Shell (SSH) Transport Layer
735 * Operational state data nodes
738 container system-state {
741 "System group operational state.";
745 "Contains vendor-specific information for
746 identifying the system platform and operating system.";
748 "IEEE Std 1003.1-2008 - sys/utsname.h";
753 "The name of the operating system in use -
754 for example, 'Linux'.";
756 "IEEE Std 1003.1-2008 - utsname.sysname";
761 "The current release level of the operating
762 system in use. This string MAY indicate
763 the OS source code revision.";
765 "IEEE Std 1003.1-2008 - utsname.release";
770 "The current version level of the operating
771 system in use. This string MAY indicate
772 the specific OS build date and target variant
775 "IEEE Std 1003.1-2008 - utsname.version";
780 "A vendor-specific identifier string representing
781 the hardware in use.";
783 "IEEE Std 1003.1-2008 - utsname.machine";
789 "Monitoring of the system date and time properties.";
791 leaf current-datetime {
792 type yang:date-and-time;
794 "The current system date and time.";
799 type yang:date-and-time;
801 "The system date and time when the system last restarted.";
806 rpc set-current-datetime {
807 nacm:default-deny-all;
809 "Set the /system-state/clock/current-datetime leaf
810 to the specified value.
812 If the system is using NTP (i.e., /system/ntp/enabled
813 is set to 'true'), then this operation will fail with
814 error-tag 'operation-failed' and error-app-tag value of
817 leaf current-datetime {
818 type yang:date-and-time;
821 "The current system date and time.";
827 nacm:default-deny-all;
829 "Request that the entire system be restarted immediately.
830 A server SHOULD send an rpc reply to the client before
831 restarting the system.";
834 rpc system-shutdown {
835 nacm:default-deny-all;
837 "Request that the entire system be shut down immediately.
838 A server SHOULD send an rpc reply to the client before
839 shutting down the system.";