yuma-nacm

NETCONF Server Access Control Model Copyright (c) 2010 - 2012 Andy Bierman and the persons identified as authors of the code. ...

  • Version: 2012-10-05

    yuma-nacm@2012-10-05


    
      module yuma-nacm {
    
        yang-version 1;
    
        namespace
          "http://netconfcentral.org/ns/yuma-nacm";
    
        prefix nacm;
    
        import yuma-ncx {
          prefix ncx;
        }
        import yuma-types {
          prefix yt;
        }
        import ietf-yang-types {
          prefix yang;
        }
    
        organization "Netconf Central";
    
        contact
          "Andy Bierman <andy@netconfcentral.org>";
    
        description
          "NETCONF Server Access Control Model
    
         Copyright (c) 2010 - 2012 Andy Bierman and the persons
         identified as authors of the code.  All rights reserved.
    
         Redistribution and use in source and binary forms, with or
         without modification, is permitted pursuant to, and subject
         to the license terms contained in, the BSD 3-Clause License
         http://opensource.org/licenses/BSD-3-Clause";
    
        revision "2012-10-05" {
          description
            "Copy default-deny-all and default-deny-write
               extensions here to integrate with other modules
               more easily.";
        }
    
        revision "2012-05-31" {
          description
            "Change unrestricted strings to yang-identifier
               type because illegal chars were accepted for YANG
               identifier strings.";
        }
    
        revision "2012-01-13" {
          description
            "Add ncx:user-write restriction to prevent user deletion
               of the nacm container";
        }
    
        revision "2010-02-21" {
          description
            "Initial version (work-in-progress).";
        }
    
    
        typedef nacm-user-name {
          type string {
            length "1..64";
            pattern
              '[a-z,A-Z,_][a-z,A-Z,0-9,\-,_,@,.]{0,63}';
          }
          description
            "General Purpose User Name string.";
        }
    
        typedef nacm-rights {
          type bits {
            bit read {
              position 0;
              description
                "Read access allowed to all specified data.
                   Any protocol operation or notification that
                   returns data to an application is a read 
                   operation.";
            }
            bit write {
              position 1;
              description
                "Write access allowed to all specified data.
                   Any protocol operation that alters a database
                   is a write operation.";
            }
            bit exec {
              position 2;
              description
                "Execution access to the specified RPC operation.
                   Any RPC operation invocation is an exec operation.";
            }
          }
          description "NETCONF Access Rights";
        }
    
        typedef nacm-group {
          type identityref {
            base nacm-groups;
          }
          description
            "Type of administrative group that can be
             assigned to the user, and specified in
             an access control rule.
    
             The identityref data type is used to allow as 
             many groups to be added as needed.  There are
             no standard semantics for each identity.
             It simply represents a unique group name.";
        }
    
        typedef nacm-action {
          type enumeration {
            enum "permit" {
              value 0;
              description
                "Requested action is permitted.";
            }
            enum "deny" {
              value 1;
              description
                "Requested action is denied.";
            }
          }
          description
            "Action taken by the server when a particular
               rule matches.";
        }
    
        typedef schema-instance-identifier {
          type string;
          description
            "Path expression used to represent a special 
             schema-instance identifier string.
           
             A schema-instance-identifier value string is an 
             unrestricted YANG instance-identifier expression.
             All the same rules as an instance-identifier apply
             except predicates for keys are optional.  If a key
             predicate is missing, then the schema-instance-identifier
             represents all possible server instances for that key.";
        }
    
        extension default-deny-write {
          description
            "Copy of IETF version of 'secure' extension.";
          reference
            "RFC 6536";
    
        }
    
        extension default-deny-all {
          description
            "Copy of IETF version of 'very-secure' extension.";
          reference
            "RFC 6536";
    
        }
    
        extension secure {
          description
            "Used to indicate that the data model node 
             represents a sensitive security system parameter.
    
             If present, the NETCONF server will only allow
             the designated 'superuser' to have write or execute
             default nacm-rights for the node.  An explicit access
             control rule is required for all other users.
    
             The 'secure' extension may appear within a data, rpc,
             or notification node definition.  It is ignored 
             otherwise.";
        }
    
        extension very-secure {
          description
            "Used to indicate that the data model node 
             controls a very sensitive security system parameter.
    
             If present, the NETCONF server will only allow
             the designated 'superuser' to have read, write, or execute
             default nacm-rights for the node.  An explicit access
             control rule is required for all other users.
    
             The 'very-secure' extension may appear within a data, rpc,
             or notification node definition.  It is ignored
             otherwise.";
        }
    
        identity nacm-groups {
          description
            "Root of all NETCONF Administrative Groups";
        }
    
        identity admin {
          base nacm-groups;
          description
            "Example Administrator group.";
        }
    
        identity monitor {
          base nacm-groups;
          description
            "Example Monitoring group.";
        }
    
        identity guest {
          base nacm-groups;
          description "Example Guest group.";
        }
    
        container nacm {
          ncx:user-write "update";
          nacm:very-secure;
          presence
            "An empty nacm container indicates that the 
              NACM service is running, and possibly using
              all default parameters.";
          description
            "Parameters for NETCONF Access Control Model.";
          leaf enable-nacm {
            type boolean;
            default 'true';
            description
              "Enable or disable all NETCONF access control
                  enforcement.  If 'true', then enforcement
                  is enabled.  If 'false', then enforcement
                  is disabled.";
          }
    
          leaf read-default {
            type nacm-action;
            default "permit";
            description
              "Controls whether read access is granted if
                   no appropriate rule is found for a
                   particular read request.";
          }
    
          leaf write-default {
            type nacm-action;
            default "deny";
            description
              "Controls whether write access is granted if
                   no appropriate rule is found for a
                   particular write request.";
          }
    
          leaf exec-default {
            type nacm-action;
            default "permit";
            description
              "Controls whether exec access is granted if
                   no appropriate rule is found for a
                   particular RPC operation request.";
          }
    
          leaf denied-rpcs {
            type yang:zero-based-counter32;
            config false;
            description
              "Number of times an RPC operation request was denied";
          }
    
          leaf denied-data-writes {
            type yang:zero-based-counter32;
            config false;
            description
              "Number of times a request to alter a data node
                   was denied.";
          }
    
          container groups {
            description "NACM Group Table";
            list group {
              key "group-identity";
              description "One NACM Group Entry";
              leaf group-identity {
                type nacm-group;
                description
                  "Group identity associated with this entry.";
              }
    
              leaf-list user-name {
                type nacm-user-name;
                description
                  "Each entry identifies the user name of 
                           a member of the group associated with 
                           this entry.";
              }
            }  // list group
          }  // container groups
    
          container rules {
            description
              "NETCONF Access Control Rules.";
            list module-rule {
              key "module-name rule-name";
              ordered-by user;
              description
                "One Module Access Rule.
                        Rules are processed in user-defined order.
                        A module rule is considered a match if
                        the XML namespace for the specified module
                        name matches the XML namespace used within
                        a NETCONF PDU, and the administrative group
                        associated with the requesting session is
                        specified in the 'allowed-group' leaf-list.";
              leaf module-name {
                type yt:yang-identifier;
                description
                  "Name of the module associated with 
                           this rule.";
              }
    
              leaf rule-name {
                type string {
                  length "1..1023";
                }
                description
                  "Arbitrary name assigned to the
    access control rule.";
              }
    
              leaf allowed-rights {
                type nacm-rights;
                mandatory true;
                description
                  "List of access rights granted to
    specified administrative groups for the
    content specified by the associated path.";
              }
    
              leaf-list allowed-group {
                type nacm-group;
                min-elements 1;
                description
                  "List of administrative groups which will be
    assigned the associated access rights
    for the content specified by the associated
    path.";
              }
    
              leaf comment {
                type string {
                  length "0..4095";
                }
                description
                  "A textual description of the access rule.";
              }
            }  // list module-rule
    
            list rpc-rule {
              key "rpc-module-name rpc-name rule-name";
              ordered-by user;
              description
                "One RPC Operation Access Rule.
                        Rules are processed in user-defined order.
                        An RPC rule is considered a match if
                        the module name of the requested RPC
                        operation matches 'rpc-module-name',
                        the requested RPC operation matches
                        'rpc-name', and an administrative group
                        associated with the session user
                        is listed in the 'allowed-group'
                        leaf-list";
              leaf rpc-module-name {
                type yt:yang-identifier;
                description
                  "Name of the module defining this 
                           RPC operation.";
              }
    
              leaf rpc-name {
                type yt:yang-identifier;
                description
                  "Name of the RPC operation.";
              }
    
              leaf rule-name {
                type string {
                  length "1..1023";
                }
                description
                  "Arbitrary name assigned to the
    access control rule.";
              }
    
              leaf allowed-rights {
                type nacm-rights;
                mandatory true;
                description
                  "List of access rights granted to
    specified administrative groups for the
    content specified by the associated path.";
              }
    
              leaf-list allowed-group {
                type nacm-group;
                min-elements 1;
                description
                  "List of administrative groups which will be
    assigned the associated access rights
    for the content specified by the associated
    path.";
              }
    
              leaf comment {
                type string {
                  length "0..4095";
                }
                description
                  "A textual description of the access rule.";
              }
            }  // list rpc-rule
    
            list data-rule {
              key "rule-name";
              ordered-by user;
              description
                "One Data Access Control Rule.
                       Rules are processed in user-defined order.
                       A data rule is considered to match when
                       the path expression identifies
                       the same node that is being accessed
                       in the NETCONF database, and the administrative
                       group associated with the session is identified
                       in the 'allowed-group' leaf-list.";
              leaf path {
                type schema-instance-identifier;
                mandatory true;
                description
                  "Schema Instance Identifier associated with
                         the data node controlled by this rule.
    
                         Configuration data or state data
                         instance identifiers start with
                         a top-level data node.
                         A complete instance identifier is 
                         required for this type of path value.
    
                         The special value '/' refers to all
                         possible database contents.";
              }
    
              leaf rule-name {
                type string {
                  length "1..1023";
                }
                description
                  "Arbitrary name assigned to the
    access control rule.";
              }
    
              leaf allowed-rights {
                type nacm-rights;
                mandatory true;
                description
                  "List of access rights granted to
    specified administrative groups for the
    content specified by the associated path.";
              }
    
              leaf-list allowed-group {
                type nacm-group;
                min-elements 1;
                description
                  "List of administrative groups which will be
    assigned the associated access rights
    for the content specified by the associated
    path.";
              }
    
              leaf comment {
                type string {
                  length "0..4095";
                }
                description
                  "A textual description of the access rule.";
              }
            }  // list data-rule
    
            list notification-rule {
              key "notification-module-name notification-name rule-name";
              ordered-by user;
              description
                "One Notification Access Rule.
                        A notification is considered a match if
                        the module name of the requested
                        event type matches 'notification-module-name',
                        the requested event type matches the
                        'notification-name', and the administrative group
                        associated with the requesting session
                        is listed in the 'allowed-group' leaf-list.";
              leaf notification-module-name {
                type yt:yang-identifier;
                description
                  "Name of the module defining this 
                           notification event type.";
              }
    
              leaf notification-name {
                type yt:yang-identifier;
                description
                  "Name of the notification event.";
              }
    
              leaf rule-name {
                type string {
                  length "1..1023";
                }
                description
                  "Arbitrary name assigned to the
    access control rule.";
              }
    
              leaf allowed-rights {
                type nacm-rights;
                mandatory true;
                description
                  "List of access rights granted to
    specified administrative groups for the
    content specified by the associated path.";
              }
    
              leaf-list allowed-group {
                type nacm-group;
                min-elements 1;
                description
                  "List of administrative groups which will be
    assigned the associated access rights
    for the content specified by the associated
    path.";
              }
    
              leaf comment {
                type string {
                  length "0..4095";
                }
                description
                  "A textual description of the access rule.";
              }
            }  // list notification-rule
          }  // container rules
        }  // container nacm
      }  // module yuma-nacm
    

© 2023 YumaWorks, Inc. All rights reserved.