From cd07912073c951b4bbb871ed2653af1be2cfc714 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 28 Apr 2024 11:55:11 +0200
Subject: Adding upstream version 2.1.30.

Signed-off-by: Daniel Baumann
---
 tools/lint/examples/ietf-netconf-acm-when.yin | 447 ++++++++++++++++++++++++++
 1 file changed, 447 insertions(+)
 create mode 100644 tools/lint/examples/ietf-netconf-acm-when.yin

diff --git a/tools/lint/examples/ietf-netconf-acm-when.yin b/tools/lint/examples/ietf-netconf-acm-when.yin
new file mode 100644
index 0000000..cbff758
--- /dev/null
+++ b/tools/lint/examples/ietf-netconf-acm-when.yin
@@ -0,0 +1,447 @@ + + + + + + + + + IETF NETCONF (Network Configuration) Working Group + + + WG Web: <http://tools.ietf.org/wg/netconf/> +WG List: <mailto:netconf@ietf.org> + +WG Chair: Mehmet Ersue + <mailto:mehmet.ersue@nsn.com> + +WG Chair: Bert Wijnen + <mailto:bertietf@bwijnen.net> + +Editor: Andy Bierman + <mailto:andy@yumaworks.com> + +Editor: Martin Bjorklund + <mailto:mbj@tail-f.com> + + + NETCONF Access Control Model. + +Copyright (c) 2012 IETF Trust and the persons identified as +authors of the code. All rights reserved. + +Redistribution and use in source and binary forms, with or +without modification, is permitted pursuant to, and subject +to the license terms contained in, the Simplified BSD +License set forth in Section 4.c of the IETF Trust's +Legal Provisions Relating to IETF Documents +(http://trustee.ietf.org/license-info). + +This version of this YANG module is part of RFC 6536; see +the RFC itself for full legal notices. + + + + Initial version + + + RFC 6536: Network Configuration Protocol (NETCONF) + Access Control Model + + + + + Used to indicate that the data model node +represents a sensitive security system parameter. + +If present, and the NACM module is enabled (i.e., +/nacm/enable-nacm object equals 'true'), the NETCONF server +will only allow the designated 'recovery session' to have +write access to the node. An explicit access control rule is +required for all other users. + +The 'default-deny-write' extension MAY appear within a data +definition statement. It is ignored otherwise. + + + + + Used to indicate that the data model node +controls a very sensitive security system parameter. + +If present, and the NACM module is enabled (i.e., +/nacm/enable-nacm object equals 'true'), the NETCONF server +will only allow the designated 'recovery session' to have +read, write, or execute access to the node. An explicit +access control rule is required for all other users. 
+ +The 'default-deny-all' extension MAY appear within a data +definition statement, 'rpc' statement, or 'notification' +statement. It is ignored otherwise. + + + + + + + + General Purpose Username string. + + + + + + + + The string containing a single asterisk '*' is used +to conceptually represent all possible values +for the particular leaf using this data type. + + + + + + + Any protocol operation that creates a +new data node. + + + + + Any protocol operation or notification that +returns the value of a data node. + + + + + Any protocol operation that alters an existing +data node. + + + + + Any protocol operation that removes a data node. + + + + + Execution access to the specified protocol operation. + + + + + NETCONF Access Operation. + + + + + + + + + Name of administrative group to which +users can be assigned. + + + + + + + Requested action is permitted. + + + + + Requested action is denied. + + + + + Action taken by the server when a particular +rule matches. + + + + + + Path expression used to represent a special +data node instance identifier string. + +A node-instance-identifier value is an +unrestricted YANG instance-identifier expression. +All the same rules as an instance-identifier apply +except predicates for keys are optional. If a key +predicate is missing, then the node-instance-identifier +represents all possible server instances for that key. + +This XPath expression is evaluated in the following context: + + o The set of namespace declarations are those in scope on + the leaf element where this type is used. + + o The set of variable bindings contains one variable, + 'USER', which contains the name of the user of the current + session. + + o The function library is the core function library, but + note that due to the syntax restrictions of an + instance-identifier, no functions are allowed. + + o The context node is the root node in the data tree. + + + + + + Parameters for NETCONF Access Control Model. 
+ + + + + + Enables or disables all NETCONF access control +enforcement. If 'true', then enforcement +is enabled. If 'false', then enforcement +is disabled. + + + + + + + Controls whether read access is granted if +no appropriate rule is found for a +particular read request. + + + + + + + Controls whether create, update, or delete access +is granted if no appropriate rule is found for a +particular write request. + + + + + + + Controls whether exec access is granted if no appropriate +rule is found for a particular protocol operation request. + + + + + + + Controls whether the server uses the groups reported by the +NETCONF transport layer when it assigns the user to a set of +NACM groups. If this leaf has the value 'false', any group +names reported by the transport layer are ignored by the +server. + + + + + + + + Number of times since the server last restarted that a +protocol operation request was denied. + + + + + + + + + Number of times since the server last restarted that a +protocol operation request to alter +a configuration datastore was denied. + + + + + + + + Number of times since the server last restarted that +a notification was dropped for a subscription because +access to the event type was denied. + + + + + NETCONF Access Control Groups. + + + + + One NACM Group Entry. This list will only contain +configured entries, not any entries learned from +any transport protocols. + + + + + Group name associated with this entry. + + + + + + Each entry identifies the username of +a member of the group associated with +this entry. + + + + + + + + + An ordered collection of access control rules. + + + + + + + Arbitrary name assigned to the rule-list. + + + + + + + + + List of administrative groups that will be +assigned the associated access rights +defined by the 'rule' list. + +The string '*' indicates that all groups apply to the +entry. + + + + + + + One access control rule. + +Rules are processed in user-defined order until a match is +found. 
A rule matches if 'module-name', 'rule-type', and +'access-operations' match the request. If a rule +matches, the 'action' leaf determines if access is granted +or not. + + + + + + + Arbitrary name assigned to the rule. + + + + + + + + + + Name of the module associated with this rule. + +This leaf matches if it has the value '*' or if the +object being accessed is defined in the module with the +specified module name. + + + + + This choice matches if all leafs present in the rule +match the request. If no leafs are present, the +choice matches all requests. + + + + + + + + + This leaf matches if it has the value '*' or if +its value equals the requested protocol operation +name. + + + + + + + + + + + This leaf matches if it has the value '*' or if its +value equals the requested notification name. + + + + + + + + + Data Node Instance Identifier associated with the +data node controlled by this rule. + +Configuration data or state data instance +identifiers start with a top-level data node. A +complete instance identifier is required for this +type of path value. + +The special value '/' refers to all possible +datastore contents. + + + + + + + + + + + + Access operations associated with this rule. + +This leaf matches if it has the value '*' or if the +bit corresponding to the requested operation is set. + + + + + + + The access control action associated with the +rule. If a rule is determined to match a +particular request, then this object is used +to determine whether to permit or deny the +request. + + + + + + A textual description of the access rule. + + + + + + -- cgit v1.2.3
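Review bot: The description and revision text in this hunk are the unmodified RFC 6536 module text ("This version of this YANG module is part of RFC 6536; see the RFC itself for full legal notices." and a single revision reading "Initial version"), while the file is added under tools/lint/examples as ietf-netconf-acm-when.yin, which by its name is a modified variant of the standard NACM module rather than the published one. Since this is a lint example, add a short statement in the module description (or a comment near the top of the file) saying that this is a test variant derived from the RFC 6536 module and what it changes, so that nobody mistakes it for the standard access control model and loads it as such; an access control model with altered conditions is exactly the kind of file whose provenance should be explicit.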