1 <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="m-1">
2 <data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring"><?xml version="1.0" encoding="UTF-8"?>
3 <module name="ietf-netconf-acm"
4 xmlns="urn:ietf:params:xml:ns:yang:yin:1"
5 xmlns:nacm="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
6 xmlns:yang="urn:ietf:params:xml:ns:yang:ietf-yang-types">
7 <namespace uri="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"/>
8 <prefix value="nacm"/>
9 <import module="ietf-yang-types">
10 <prefix value="yang"/>
13 <text>IETF NETCONF (Network Configuration) Working Group</text>
16 <text>WG Web: &lt;http://tools.ietf.org/wg/netconf/&gt;
17 WG List: &lt;mailto:netconf@ietf.org&gt;
19 WG Chair: Mehmet Ersue
20 &lt;mailto:mehmet.ersue@nsn.com&gt;
23 &lt;mailto:bertietf@bwijnen.net&gt;
26 &lt;mailto:andy@yumaworks.com&gt;
28 Editor: Martin Bjorklund
29 &lt;mailto:mbj@tail-f.com&gt;</text>
32 <text>NETCONF Access Control Model.
34 Copyright (c) 2012 IETF Trust and the persons identified as
35 authors of the code. All rights reserved.
37 Redistribution and use in source and binary forms, with or
38 without modification, is permitted pursuant to, and subject
39 to the license terms contained in, the Simplified BSD
40 License set forth in Section 4.c of the IETF Trust's
41 Legal Provisions Relating to IETF Documents
42 (http://trustee.ietf.org/license-info).
44 This version of this YANG module is part of RFC 6536; see
45 the RFC itself for full legal notices.</text>
47 <revision date="2012-02-22">
49 <text>Initial version</text>
52 <text>RFC 6536: Network Configuration Protocol (NETCONF)
53 Access Control Model</text>
56 <extension name="default-deny-write">
58 <text>Used to indicate that the data model node
59 represents a sensitive security system parameter.
61 If present, and the NACM module is enabled (i.e.,
62 /nacm/enable-nacm object equals 'true'), the NETCONF server
63 will only allow the designated 'recovery session' to have
64 write access to the node. An explicit access control rule is
65 required for all other users.
67 The 'default-deny-write' extension MAY appear within a data
68 definition statement. It is ignored otherwise.</text>
71 <extension name="default-deny-all">
73 <text>Used to indicate that the data model node
74 controls a very sensitive security system parameter.
76 If present, and the NACM module is enabled (i.e.,
77 /nacm/enable-nacm object equals 'true'), the NETCONF server
78 will only allow the designated 'recovery session' to have
79 read, write, or execute access to the node. An explicit
80 access control rule is required for all other users.
82 The 'default-deny-all' extension MAY appear within a data
83 definition statement, 'rpc' statement, or 'notification'
84 statement. It is ignored otherwise.</text>
87 <typedef name="user-name-type">
88 <type name="string">
89 <length value="1..max"/>
92 <text>General Purpose Username string.</text>
95 <typedef name="matchall-string-type">
96 <type name="string">
97 <pattern value="\*"/>
100 <text>The string containing a single asterisk '*' is used
101 to conceptually represent all possible values
102 for the particular leaf using this data type.</text>
105 <typedef name="access-operations-type">
106 <type name="bits">
107 <bit name="create">
109 <text>Any protocol operation that creates a
110 new data node.</text>
113 <bit name="read">
115 <text>Any protocol operation or notification that
116 returns the value of a data node.</text>
119 <bit name="update">
121 <text>Any protocol operation that alters an existing
122 data node.</text>
125 <bit name="delete">
127 <text>Any protocol operation that removes a data node.</text>
130 <bit name="exec">
132 <text>Execution access to the specified protocol operation.</text>
137 <text>NETCONF Access Operation.</text>
140 <typedef name="group-name-type">
141 <type name="string">
142 <length value="1..max"/>
143 <pattern value="[^\*].*"/>
146 <text>Name of administrative group to which
147 users can be assigned.</text>
150 <typedef name="action-type">
151 <type name="enumeration">
152 <enum name="permit">
154 <text>Requested action is permitted.</text>
157 <enum name="deny">
159 <text>Requested action is denied.</text>
164 <text>Action taken by the server when a particular
165 rule matches.</text>
168 <typedef name="node-instance-identifier">
169 <type name="yang:xpath1.0"/>
171 <text>Path expression used to represent a special
172 data node instance identifier string.
174 A node-instance-identifier value is an
175 unrestricted YANG instance-identifier expression.
176 All the same rules as an instance-identifier apply
177 except predicates for keys are optional. If a key
178 predicate is missing, then the node-instance-identifier
179 represents all possible server instances for that key.
181 This XPath expression is evaluated in the following context:
183 o The set of namespace declarations are those in scope on
184 the leaf element where this type is used.
186 o The set of variable bindings contains one variable,
187 'USER', which contains the name of the user of the current
190 o The function library is the core function library, but
191 note that due to the syntax restrictions of an
192 instance-identifier, no functions are allowed.
194 o The context node is the root node in the data tree.</text>
197 <container name="nacm">
198 <nacm:default-deny-all/>
200 <text>Parameters for NETCONF Access Control Model.</text>
202 <leaf name="enable-nacm">
203 <type name="boolean"/>
204 <default value="true"/>
206 <text>Enables or disables all NETCONF access control
207 enforcement. If 'true', then enforcement
208 is enabled. If 'false', then enforcement
209 is disabled.</text>
212 <leaf name="read-default">
213 <type name="action-type"/>
214 <default value="permit"/>
216 <text>Controls whether read access is granted if
217 no appropriate rule is found for a
218 particular read request.</text>
221 <leaf name="write-default">
222 <type name="action-type"/>
223 <default value="deny"/>
225 <text>Controls whether create, update, or delete access
226 is granted if no appropriate rule is found for a
227 particular write request.</text>
230 <leaf name="exec-default">
231 <type name="action-type"/>
232 <default value="permit"/>
234 <text>Controls whether exec access is granted if no appropriate
235 rule is found for a particular protocol operation request.</text>
238 <leaf name="enable-external-groups">
239 <type name="boolean"/>
240 <default value="true"/>
242 <text>Controls whether the server uses the groups reported by the
243 NETCONF transport layer when it assigns the user to a set of
244 NACM groups. If this leaf has the value 'false', any group
245 names reported by the transport layer are ignored by the
249 <leaf name="denied-operations">
250 <type name="yang:zero-based-counter32"/>
251 <config value="false"/>
252 <mandatory value="true"/>
254 <text>Number of times since the server last restarted that a
255 protocol operation request was denied.</text>
258 <leaf name="denied-data-writes">
259 <type name="yang:zero-based-counter32"/>
260 <config value="false"/>
261 <mandatory value="true"/>
263 <text>Number of times since the server last restarted that a
264 protocol operation request to alter
265 a configuration datastore was denied.</text>
268 <leaf name="denied-notifications">
269 <type name="yang:zero-based-counter32"/>
270 <config value="false"/>
271 <mandatory value="true"/>
273 <text>Number of times since the server last restarted that
274 a notification was dropped for a subscription because
275 access to the event type was denied.</text>
278 <container name="groups">
280 <text>NETCONF Access Control Groups.</text>
282 <list name="group">
283 <key value="name"/>
285 <text>One NACM Group Entry. This list will only contain
286 configured entries, not any entries learned from
287 any transport protocols.</text>
289 <leaf name="name">
290 <type name="group-name-type"/>
292 <text>Group name associated with this entry.</text>
295 <leaf-list name="user-name">
296 <type name="user-name-type"/>
298 <text>Each entry identifies the username of
299 a member of the group associated with
300 this entry.</text>
305 <list name="rule-list">
306 <key value="name"/>
307 <ordered-by value="user"/>
309 <text>An ordered collection of access control rules.</text>
311 <leaf name="name">
312 <type name="string">
313 <length value="1..max"/>
316 <text>Arbitrary name assigned to the rule-list.</text>
319 <leaf-list name="group">
320 <type name="union">
321 <type name="matchall-string-type"/>
322 <type name="group-name-type"/>
325 <text>List of administrative groups that will be
326 assigned the associated access rights
327 defined by the 'rule' list.
329 The string '*' indicates that all groups apply to the
333 <list name="rule">
334 <key value="name"/>
335 <ordered-by value="user"/>
337 <text>One access control rule.
339 Rules are processed in user-defined order until a match is
340 found. A rule matches if 'module-name', 'rule-type', and
341 'access-operations' match the request. If a rule
342 matches, the 'action' leaf determines if access is granted
345 <leaf name="name">
346 <type name="string">
347 <length value="1..max"/>
350 <text>Arbitrary name assigned to the rule.</text>
353 <leaf name="module-name">
354 <type name="union">
355 <type name="matchall-string-type"/>
356 <type name="string"/>
358 <default value="*"/>
360 <text>Name of the module associated with this rule.
362 This leaf matches if it has the value '*' or if the
363 object being accessed is defined in the module with the
364 specified module name.</text>
367 <choice name="rule-type">
369 <text>This choice matches if all leafs present in the rule
370 match the request. If no leafs are present, the
371 choice matches all requests.</text>
373 <case name="protocol-operation">
374 <leaf name="rpc-name">
375 <type name="union">
376 <type name="matchall-string-type"/>
377 <type name="string"/>
380 <text>This leaf matches if it has the value '*' or if
381 its value equals the requested protocol operation
386 <case name="notification">
387 <leaf name="notification-name">
388 <type name="union">
389 <type name="matchall-string-type"/>
390 <type name="string"/>
393 <text>This leaf matches if it has the value '*' or if its
394 value equals the requested notification name.</text>
398 <case name="data-node">
399 <leaf name="path">
400 <type name="node-instance-identifier"/>
401 <mandatory value="true"/>
403 <text>Data Node Instance Identifier associated with the
404 data node controlled by this rule.
406 Configuration data or state data instance
407 identifiers start with a top-level data node. A
408 complete instance identifier is required for this
411 The special value '/' refers to all possible
412 datastore contents.</text>
417 <leaf name="access-operations">
418 <type name="union">
419 <type name="matchall-string-type"/>
420 <type name="access-operations-type"/>
422 <default value="*"/>
424 <text>Access operations associated with this rule.
426 This leaf matches if it has the value '*' or if the
427 bit corresponding to the requested operation is set.</text>
430 <leaf name="action">
431 <type name="action-type"/>
432 <mandatory value="true"/>
434 <text>The access control action associated with the
435 rule. If a rule is determined to match a
436 particular request, then this object is used
437 to determine whether to permit or deny the
438 request.</text>
441 <leaf name="comment">
442 <type name="string"/>
444 <text>A textual description of the access rule.</text>
Code Review / demo.git / blob