yuma-nacm
HTML
yuma-nacm.yang
module yuma-nacm { yang-version 1; namespace "http://netconfcentral.org/ns/yuma-nacm"; prefix "nacm"; import ietf-yang-types { prefix "yang"; } organization "Netconf Central"; contact "Andy Bierman <andy@netconfcentral.org>."; description "NETCONF Server Access Control Model"; revision "2010-02-21" { description "Initial version (work-in-progress)."; } typedef nacm-user-name { type string { length "1..64"; pattern '[a-z,A-Z,_][a-z,A-Z,0-9,\-,_,@,.]{0,63}'; } description "General Purpose User Name string."; } typedef nacm-rights { type bits { bit "read" { position 0; description "Read access allowed to all specified data. Any protocol operation or notification that returns data to an application is a read operation."; } bit "write" { position 1; description "Write access allowed to all specified data. Any protocol operation that alters a database is a write operation."; } bit "exec" { position 2; description "Execution access to the specified RPC operation. Any RPC operation invocation is an exec operation."; } } description "NETCONF Access Rights"; } typedef nacm-group { type identityref { base nacm-groups; } description "Type of administrative group that can be assigned to the user, and specified in an access control rule. The identityref data type is used to allow as many groups to be added as needed. There are no standard semantics for each identity. It simply represents a unique group name."; } typedef nacm-action { type enumeration { enum "permit" { value 0; description "Requested action is permitted."; } enum "deny" { value 1; description "Requested action is denied."; } } description "Action taken by the server when a particular rule matches."; } typedef schema-instance-identifier { type string; description "Path expression used to represent a special schema-instance identifier string. A schema-instance-identifier value string is an unrestricted YANG instance-identifier expression. All the same rules as an instance-identifier apply except predicates for keys are optional. If a key predicate is missing, then the schema-instance-identifier represents all possible server instances for that key."; } extension secure { description "Used to indicate that the data model node represents a sensitive security system parameter. If present, the NETCONF server will only allow the designated 'superuser' to have write or execute default nacm-rights for the node. An explicit access control rule is required for all other users. The 'secure' extension may appear within a data, rpc, or notification node definition. It is ignored otherwise."; } extension very-secure { description "Used to indicate that the data model node controls a very sensitive security system parameter. If present, the NETCONF server will only allow the designated 'superuser' to have read, write, or execute default nacm-rights for the node. An explicit access control rule is required for all other users. The 'very-secure' extension may appear within a data, rpc, or notification node definition. It is ignored otherwise."; } identity nacm-groups { description "Root of all NETCONF Administrative Groups"; } identity admin { base nacm-groups; description "Example Administrator group."; } identity monitor { base nacm-groups; description "Example Monitoring group."; } identity guest { base nacm-groups; description "Example Guest group."; } container nacm { presence "An empty nacm container indicates that the NACM service is running, and possibly using all default parameters."; description "Parameters for NETCONF Access Control Model."; leaf enable-nacm { type boolean; default "true"; description "Enable or disable all NETCONF access control enforcement. If 'true', then enforcement is enabled. If 'false', then enforcement is disabled."; } leaf read-default { type nacm-action; default "permit"; description "Controls whether read access is granted if no appropriate rule is found for a particular read request."; } leaf write-default { type nacm-action; default "deny"; description "Controls whether write access is granted if no appropriate rule is found for a particular write request."; } leaf exec-default { type nacm-action; default "permit"; description "Controls whether exec access is granted if no appropriate rule is found for a particular RPC operation request."; } leaf denied-rpcs { type yang:zero-based-counter32; config "false"; description "Number of times an RPC operation request was denied"; } leaf denied-data-writes { type yang:zero-based-counter32; config "false"; description "Number of times a request to alter a data node was denied."; } container groups { description "NACM Group Table"; list group { key "group-identity"; description "One NACM Group Entry"; leaf group-identity { type nacm-group; description "Group identity associated with this entry."; } leaf-list user-name { type nacm-user-name; description "Each entry identifies the user name of a member of the group associated with this entry."; } } // list group } // container groups container rules { description "NETCONF Access Control Rules."; grouping common-rule-parms { leaf rule-name { type string { length "1..1023"; } description "Arbitrary name assigned to the access control rule."; } leaf allowed-rights { type nacm-rights; mandatory "true"; description "List of access rights granted to specified administrative groups for the content specified by the associated path."; } leaf-list allowed-group { type nacm-group; min-elements "1"; description "List of administrative groups which will be assigned the associated access rights for the content specified by the associated path."; } leaf comment { type string { length "0..4095"; } description "A textual description of the access rule."; } } // grouping common-rule-parms list module-rule { key "module-name rule-name"; ordered-by "user"; description "One Module Access Rule. Rules are processed in user-defined order. A module rule is considered a match if the XML namespace for the specified module name matches the XML namespace used within a NETCONF PDU, and the administrative group associated with the requesting session is specified in the 'allowed-group' leaf-list."; leaf module-name { type string { length "1..max"; } description "Name of the module associated with this rule."; } uses common-rule-parms; } // list module-rule list rpc-rule { key "rpc-module-name rpc-name rule-name"; ordered-by "user"; description "One RPC Operation Access Rule. Rules are processed in user-defined order. An RPC rule is considered a match if the module name of the requested RPC operation matches 'rpc-module-name', the requested RPC operation matches 'rpc-name', and an administrative group associated with the session user is listed in the 'allowed-group' leaf-list"; leaf rpc-module-name { type string { length "1..max"; } description "Name of the module defining this RPC operation."; } leaf rpc-name { type string { length "1..max"; } description "Name of the RPC operation."; } uses common-rule-parms; } // list rpc-rule list data-rule { key "rule-name"; ordered-by "user"; description "One Data Access Control Rule. Rules are processed in user-defined order. A data rule is considered to match when the path expression identifies the same node that is being accessed in the NETCONF database, and the administrative group associated with the session is identified in the 'allowed-group' leaf-list."; leaf path { type schema-instance-identifier; mandatory "true"; description "Schema Instance Identifier associated with the data node controlled by this rule. Configuration data or state data instance identifiers start with a top-level data node. A complete instance identifier is required for this type of path value. The special value '/' refers to all possible database contents."; } uses common-rule-parms; } // list data-rule list notification-rule { key "notification-module-name notification-name rule-name"; ordered-by "user"; description "One Notification Access Rule. A notification is considered a match if the module name of the requested event type matches 'notification-module-name', the requested event type matches the 'notification-name', and the administrative group associated with the requesting session is listed in the 'allowed-group' leaf-list."; leaf notification-module-name { type string { length "1..max"; } description "Name of the module defining this notification event type."; } leaf notification-name { type string { length "1..max"; } description "Name of the notification event."; } uses common-rule-parms; } // list notification-rule } // container rules nacm:very-secure; } // container nacm } // module yuma-nacm
Summary
| Organization | Netconf Central |
| Module | yuma-nacm |
| Version | 2010-02-21 |
| File | yuma-nacm.yang |
| Prefix | nacm |
| Namespace | http://netconfcentral.org/ns/yuma-nacm |
| Cooked | /cookedmodules/yuma-nacm/2010-02-21 |
| YANG | /src/yuma-nacm@2010-02-21.yang |
| XSD | /xsd/yuma-nacm@2010-02-21.xsd |
| Abstract | NETCONF Server Access Control Model |
| Contact | Andy Bierman <andy@netconfcentral.org>. |
Description
NETCONF Server Access Control Model |
Typedefs
| Typedef | Base type | Abstract |
| nacm-action | enumeration | Action taken by the server when a particular rule matches. |
| nacm-group | identityref | Type of administrative group that can be assigned to the user, and specified in an access control rule. The identityref data type is used to allow as many groups to be added as needed. There are no standard semantics for each identity. It simply repres... |
| nacm-rights | bits | NETCONF Access Rights |
| nacm-user-name | string | General Purpose User Name string. |
| schema-instance-identifier | string | Path expression used to represent a special schema-instance identifier string. A schema-instance-identifier value string is an unrestricted YANG instance-identifier expression. All the same rules as an instance-identifier apply except predicates for ke... |
Objects
| Type Key |
| Mandatory config |
| Optional config |
| Not config |
| Object | Type | Abstract |
| nacm | container | Parameters for NETCONF Access Control Model. |
| denied-data-writes | leaf | Number of times a request to alter a data node was denied. |
| denied-rpcs | leaf | Number of times an RPC operation request was denied |
| enable-nacm | leaf | Enable or disable all NETCONF access control enforcement. If 'true', then enforcement is enabled. If 'false', then enforcement is disabled. |
| exec-default | leaf | Controls whether exec access is granted if no appropriate rule is found for a particular RPC operation request. |
| groups | container | NACM Group Table |
| group | list | One NACM Group Entry |
| group-identity | leaf | Group identity associated with this entry. |
| user-name | leaf-list | Each entry identifies the user name of a member of the group associated with this entry. |
| read-default | leaf | Controls whether read access is granted if no appropriate rule is found for a particular read request. |
| rules | container | NETCONF Access Control Rules. |
| data-rule | list | One Data Access Control Rule. Rules are processed in user-defined order. A data rule is considered to match when the path expression identifies the same node that is being accessed in the NETCONF database, and the administrative group associated with the ... |
| allowed-group | leaf-list | List of administrative groups which will be assigned the associated access rights for the content specified by the associated path. |
| allowed-rights | leaf | List of access rights granted to specified administrative groups for the content specified by the associated path. |
| comment | leaf | A textual description of the access rule. |
| path | leaf | Schema Instance Identifier associated with the data node controlled by this rule. Configuration data or state data instance identifiers start with a top-level data node. A complete instance identifier is required for this type of path value. The specia... |
| rule-name | leaf | Arbitrary name assigned to the access control rule. |
| module-rule | list | One Module Access Rule. Rules are processed in user-defined order. A module rule is considered a match if the XML namespace for the specified module name matches the XML namespace used within a NETCONF PDU, and the administrative group associated with the... |
| allowed-group | leaf-list | List of administrative groups which will be assigned the associated access rights for the content specified by the associated path. |
| allowed-rights | leaf | List of access rights granted to specified administrative groups for the content specified by the associated path. |
| comment | leaf | A textual description of the access rule. |
| module-name | leaf | Name of the module associated with this rule. |
| rule-name | leaf | Arbitrary name assigned to the access control rule. |
| notification-rule | list | One Notification Access Rule. A notification is considered a match if the module name of the requested event type matches 'notification-module-name', the requested event type matches the 'notification-name', and the administrative group associated with th... |
| allowed-group | leaf-list | List of administrative groups which will be assigned the associated access rights for the content specified by the associated path. |
| allowed-rights | leaf | List of access rights granted to specified administrative groups for the content specified by the associated path. |
| comment | leaf | A textual description of the access rule. |
| notification-module-name | leaf | Name of the module defining this notification event type. |
| notification-name | leaf | Name of the notification event. |
| rule-name | leaf | Arbitrary name assigned to the access control rule. |
| rpc-rule | list | One RPC Operation Access Rule. Rules are processed in user-defined order. An RPC rule is considered a match if the module name of the requested RPC operation matches 'rpc-module-name', the requested RPC operation matches 'rpc-name', and an administrative ... |
| allowed-group | leaf-list | List of administrative groups which will be assigned the associated access rights for the content specified by the associated path. |
| allowed-rights | leaf | List of access rights granted to specified administrative groups for the content specified by the associated path. |
| comment | leaf | A textual description of the access rule. |
| rpc-module-name | leaf | Name of the module defining this RPC operation. |
| rpc-name | leaf | Name of the RPC operation. |
| rule-name | leaf | Arbitrary name assigned to the access control rule. |
| write-default | leaf | Controls whether write access is granted if no appropriate rule is found for a particular write request. |
Extensions
| Extension | Argument | Abstract |
| secure | Used to indicate that the data model node represents a sensitive security system parameter. If present, the NETCONF server will only allow the designated 'superuser' to have write or execute default nacm-rights for the node. An explicit access control ... | |
| very-secure | Used to indicate that the data model node controls a very sensitive security system parameter. If present, the NETCONF server will only allow the designated 'superuser' to have read, write, or execute default nacm-rights for the node. An explicit acces... |