<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="<MID>">
<data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">module ietf-system {
namespace "urn:ietf:params:xml:ns:yang:ietf-system";
import ietf-yang-types {
import ietf-inet-types {
import ietf-netconf-acm {
import iana-crypt-hash {
"IETF NETMOD (NETCONF Data Modeling Language) Working Group";
"WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org>
WG Chair: Thomas Nadeau
<mailto:tnadeau@lucidvision.com>
WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>
<mailto:andy@yumaworks.com>
Editor: Martin Bjorklund
<mailto:mbj@tail-f.com>";
"This module contains a collection of YANG definitions for the
configuration and identification of some common system
properties within a device containing a NETCONF server. This
includes data node definitions for system identification,
time-of-day management, user management, DNS resolver
configuration, and some protocol operations for system
Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 7317; see
the RFC itself for full legal notices.";
"RFC 7317: A YANG Data Model for System Management";
"Indicates that the device can be configured as a RADIUS
"RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
feature authentication {
"Indicates that the device supports configuration of
user authentication.";
if-feature "authentication";
"Indicates that the device supports configuration of
local user authentication.";
feature radius-authentication {
if-feature "authentication";
"Indicates that the device supports configuration of user
authentication over RADIUS.";
"RFC 2865: Remote Authentication Dial In User Service (RADIUS)
RFC 5607: Remote Authentication Dial-In User Service (RADIUS)
Authorization for Network Access Server (NAS)
"Indicates that the device can be configured to use one or
more NTP servers to set the system date and time.";
feature ntp-udp-port {
"Indicates that the device supports the configuration of
the UDP port for NTP servers.
This is a 'feature', since many implementations do not support
any port other than the default port.";
feature timezone-name {
"Indicates that the local time zone on the device
can be configured to use the TZ database
to set the time zone and manage daylight saving time.";
"RFC 6557: Procedures for Maintaining the Time Zone Database";
feature dns-udp-tcp-port {
"Indicates that the device supports the configuration of
the UDP and TCP port for DNS servers.
This is a 'feature', since many implementations do not support
any port other than the default port.";
identity authentication-method {
"Base identity for user authentication methods.";
base authentication-method;
"Indicates user authentication using RADIUS.";
"RFC 2865: Remote Authentication Dial In User Service (RADIUS)
RFC 5607: Remote Authentication Dial-In User Service (RADIUS)
Authorization for Network Access Server (NAS)
identity local-users {
base authentication-method;
"Indicates password-based authentication of locally
identity radius-authentication-type {
"Base identity for RADIUS authentication types.";
identity radius-pap {
base radius-authentication-type;
"The device requests Password Authentication Protocol (PAP)
authentication from the RADIUS server.";
"RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
identity radius-chap {
base radius-authentication-type;
"The device requests Challenge Handshake Authentication
Protocol (CHAP) authentication from the RADIUS server.";
"RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
typedef timezone-name {
"A time zone name as used by the Time Zone Database,
sometimes referred to as the 'Olson Database'.
The exact set of valid values is an implementation-specific
matter. Client discovery of the exact set of time zone names
for a particular server is out of scope.";
"RFC 6557: Procedures for Maintaining the Time Zone Database";
"System group configuration.";
"The administrator contact information for the system.
A server implementation MAY map this leaf to the sysContact
MIB object. Such an implementation needs to use some
mechanism to handle the differences in size and characters
allowed between this leaf and sysContact. The definition of
such a mechanism is outside the scope of this document.";
"RFC 3418: Management Information Base (MIB) for the
Simple Network Management Protocol (SNMP)
SNMPv2-MIB.sysContact";
type inet:domain-name;
"The name of the host. This name can be a single domain
label or the fully qualified domain name of the host.";
"The system location.
A server implementation MAY map this leaf to the sysLocation
MIB object. Such an implementation needs to use some
mechanism to handle the differences in size and characters
allowed between this leaf and sysLocation. The definition
of such a mechanism is outside the scope of this document.";
"RFC 3418: Management Information Base (MIB) for the
Simple Network Management Protocol (SNMP)
SNMPv2-MIB.sysLocation";
"Configuration of the system date and time properties.";
"The system time zone information.";
if-feature "timezone-name";
"The TZ database name to use for the system, such
as 'Europe/Stockholm'.";
case timezone-utc-offset {
leaf timezone-utc-offset {
range "-1500 .. 1500";
"The number of minutes to add to UTC time to
identify the time zone for this system. For example,
'UTC - 8:00 hours' would be represented as '-480'.
Note that automatic daylight saving time adjustment
is not provided if this object is used.";
presence "Enables the NTP client unless the 'enabled' leaf
(which defaults to 'true') is set to 'false'";
"Configuration of the NTP client.";
"Indicates that the system should attempt to
synchronize the system clock with an NTP server
from the 'ntp/server' list.";
"List of NTP servers to use for system clock
synchronization. If '/system/ntp/enabled'
is 'true', then the system will attempt to
contact and utilize the specified NTP servers.";
"An arbitrary name for the NTP server.";
"The transport-protocol-specific parameters for this
"Contains UDP-specific configuration parameters
"The address of the NTP server.";
if-feature "ntp-udp-port";
type inet:port-number;
"The port number of the NTP server.";
leaf association-type {
"Use client association mode. This device
will not provide synchronization to the
configured NTP server.";
"Use symmetric active association mode.
This device may provide synchronization
to the configured NTP server.";
"Use client association mode with one or
more of the NTP servers found by DNS
resolution of the domain name given by
the 'address' leaf. This device will not
provide synchronization to the servers.";
"The desired association type for this NTP server.";
"Indicates whether this server should enable burst
synchronization or not.";
"Indicates whether this server should be preferred
container dns-resolver {
"Configuration of the DNS resolver.";
type inet:domain-name;
"An ordered list of domains to search when resolving
"List of the DNS servers that the resolver should query.
When the resolver is invoked by a calling application, it
sends the query to the first name server in this list. If
no response has been received within 'timeout' seconds,
the resolver continues with the next server in the list.
If no response is received from any server, the resolver
continues with the first server again. When the resolver
has traversed the list 'attempts' times without receiving
any response, it gives up and returns an error to the
Implementations MAY limit the number of entries in this
"An arbitrary name for the DNS server.";
"The transport-protocol-specific parameters for this
container udp-and-tcp {
"Contains UDP- and TCP-specific configuration
parameters for DNS.";
"RFC 1035: Domain Names - Implementation and
RFC 5966: DNS Transport over TCP - Implementation
type inet:ip-address;
"The address of the DNS server.";
if-feature "dns-udp-tcp-port";
type inet:port-number;
"The UDP and TCP port number of the DNS server.";
"Resolver options. The set of available options has been
limited to those that are generally available across
different resolver implementations and generally useful.";
"The amount of time the resolver will wait for a
response from each remote name server before
retrying the query via a different name server.";
"The number of times the resolver will send a query to
all of its name servers before giving up and returning
an error to the calling application.";
"Configuration of the RADIUS client.";
"List of RADIUS servers used by the device.
When the RADIUS client is invoked by a calling
application, it sends the query to the first server in
this list. If no response has been received within
'timeout' seconds, the client continues with the next
server in the list. If no response is received from any
server, the client continues with the first server again.
When the client has traversed the list 'attempts' times
without receiving any response, it gives up and returns an
error to the calling application.";
"An arbitrary name for the RADIUS server.";
"The transport-protocol-specific parameters for this
"Contains UDP-specific configuration parameters
"The address of the RADIUS server.";
leaf authentication-port {
type inet:port-number;
"The port number of the RADIUS server.";
nacm:default-deny-all;
"The shared secret, which is known to both the
RADIUS client and server.";
"RFC 2865: Remote Authentication Dial In User
leaf authentication-type {
base radius-authentication-type;
default "radius-pap";
"The authentication type requested from the RADIUS
"RADIUS client options.";
"The number of seconds the device will wait for a
response from each RADIUS server before trying with a
"The number of times the device will send a query to
all of its RADIUS servers before giving up.";
container authentication {
nacm:default-deny-write;
if-feature "authentication";
"The authentication configuration subtree.";
leaf-list user-authentication-order {
base authentication-method;
must "(. != \"sys:radius\" or ../../radius/server)" {
"When 'radius' is used, a RADIUS server must be configured.";
"When 'radius' is used as an authentication method,
a RADIUS server must be configured.";
"When the device authenticates a user with a password,
it tries the authentication methods in this leaf-list in
order. If authentication with one method fails, the next
method is used. If no method succeeds, the user is
An empty user-authentication-order leaf-list still allows
authentication of users using mechanisms that do not
If the 'radius-authentication' feature is advertised by
the NETCONF server, the 'radius' identity can be added to
If the 'local-users' feature is advertised by the
NETCONF server, the 'local-users' identity can be
added to this list.";
if-feature "local-users";
"The list of local users configured on this device.";
"The user name string identifying this entry.";
type ianach:crypt-hash;
"The password for this entry.";
list authorized-key {
"A list of public SSH keys for this user. These keys
are allowed for SSH authentication, as described in
"RFC 4253: The Secure Shell (SSH) Transport Layer
"An arbitrary name for the SSH key.";
"The public key algorithm name for this SSH key.
Valid values are the values in the IANA 'Secure Shell
(SSH) Protocol Parameters' registry, Public Key
"IANA 'Secure Shell (SSH) Protocol Parameters'
registry, Public Key Algorithm Names";
"The binary public key data for this SSH key, as
specified by RFC 4253, Section 6.6, i.e.:
string certificate or public key format
byte[n] key/certificate data.";
"RFC 4253: The Secure Shell (SSH) Transport Layer
container system-state {
"System group operational state.";
"Contains vendor-specific information for
identifying the system platform and operating system.";
"IEEE Std 1003.1-2008 - sys/utsname.h";
"The name of the operating system in use -
for example, 'Linux'.";
"IEEE Std 1003.1-2008 - utsname.sysname";
"The current release level of the operating
system in use. This string MAY indicate
the OS source code revision.";
"IEEE Std 1003.1-2008 - utsname.release";
"The current version level of the operating
system in use. This string MAY indicate
the specific OS build date and target variant
"IEEE Std 1003.1-2008 - utsname.version";
"A vendor-specific identifier string representing
the hardware in use.";
"IEEE Std 1003.1-2008 - utsname.machine";
"Monitoring of the system date and time properties.";
leaf current-datetime {
type yang:date-and-time;
"The current system date and time.";
type yang:date-and-time;
"The system date and time when the system last restarted.";
rpc set-current-datetime {
nacm:default-deny-all;
"Set the /system-state/clock/current-datetime leaf
to the specified value.
If the system is using NTP (i.e., /system/ntp/enabled
is set to 'true'), then this operation will fail with
error-tag 'operation-failed' and error-app-tag value of
leaf current-datetime {
type yang:date-and-time;
"The current system date and time.";
nacm:default-deny-all;
"Request that the entire system be restarted immediately.
A server SHOULD send an rpc reply to the client before
restarting the system.";
rpc system-shutdown {
nacm:default-deny-all;
"Request that the entire system be shut down immediately.
A server SHOULD send an rpc reply to the client before
shutting down the system.";