summaryrefslogtreecommitdiffstats
path: root/yang/ietf/ietf-netconf-acm.yang
blob: f7e02f280ef999e4c3071b2448fcd8319c940217 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
module ietf-netconf-acm {

  namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";

  prefix nacm;

  import ietf-yang-types {
    prefix yang;
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group";

  contact
    "WG Web:   <https://datatracker.ietf.org/wg/netconf/>
     WG List:  <mailto:netconf@ietf.org>

     Author:   Andy Bierman
               <mailto:andy@yumaworks.com>

     Author:   Martin Bjorklund
               <mailto:mbj@tail-f.com>";

  description
    "Network Configuration Access Control Model.

     Copyright (c) 2012 - 2018 IETF Trust and the persons
     identified as authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 8341; see
     the RFC itself for full legal notices.";

  revision 2018-02-14 {
    description
      "Added support for YANG 1.1 actions and notifications tied to
       data nodes.  Clarified how NACM extensions can be used by
       other data models.";
    reference
      "RFC 8341: Network Configuration Access Control Model";
  }

  revision 2012-02-22 {
    description
      "Initial version.";
    reference
      "RFC 6536: Network Configuration Protocol (NETCONF)
                 Access Control Model";
  }

  /*
   * Extension statements
   */

  extension default-deny-write {
    description
      "Used to indicate that the data model node
       represents a sensitive security system parameter.

       If present, the NETCONF server will only allow the designated
       'recovery session' to have write access to the node.  An
       explicit access control rule is required for all other users.

       If the NACM module is used, then it must be enabled (i.e.,
       /nacm/enable-nacm object equals 'true'), or this extension
       is ignored.

       The 'default-deny-write' extension MAY appear within a data
       definition statement.  It is ignored otherwise.";
  }

  extension default-deny-all {
    description
      "Used to indicate that the data model node
       controls a very sensitive security system parameter.

       If present, the NETCONF server will only allow the designated
       'recovery session' to have read, write, or execute access to
       the node.  An explicit access control rule is required for all
       other users.

       If the NACM module is used, then it must be enabled (i.e.,
       /nacm/enable-nacm object equals 'true'), or this extension
       is ignored.

       The 'default-deny-all' extension MAY appear within a data
       definition statement, 'rpc' statement, or 'notification'
       statement.  It is ignored otherwise.";
  }

  /*
   * Derived types
   */

  typedef user-name-type {
    type string {
      length "1..max";
    }
    description
      "General-purpose username string.";
  }

  typedef matchall-string-type {
    type string {
      pattern '\*';
    }
    description
      "The string containing a single asterisk '*' is used
       to conceptually represent all possible values
       for the particular leaf using this data type.";
  }

  typedef access-operations-type {
    type bits {
      bit create {
        description
          "Any protocol operation that creates a
           new data node.";
      }
      bit read {
        description
          "Any protocol operation or notification that
           returns the value of a data node.";
      }
      bit update {
        description
          "Any protocol operation that alters an existing
           data node.";
      }
      bit delete {
        description
          "Any protocol operation that removes a data node.";
      }
      bit exec {
        description
          "Execution access to the specified protocol operation.";
      }
    }
    description
      "Access operation.";
  }

  typedef group-name-type {
    type string {
      length "1..max";
      pattern '[^\*].*';
    }
    description
      "Name of administrative group to which
       users can be assigned.";
  }

  typedef action-type {
    type enumeration {
      enum permit {
        description
          "Requested action is permitted.";
      }
      enum deny {
        description
          "Requested action is denied.";
      }
    }
    description
      "Action taken by the server when a particular
       rule matches.";
  }

  typedef node-instance-identifier {
    type yang:xpath1.0;
    description
      "Path expression used to represent a special
       data node, action, or notification instance-identifier
       string.

       A node-instance-identifier value is an
       unrestricted YANG instance-identifier expression.
       All the same rules as an instance-identifier apply,
       except that predicates for keys are optional.  If a key
       predicate is missing, then the node-instance-identifier
       represents all possible server instances for that key.

       This XML Path Language (XPath) expression is evaluated in the
       following context:

          o  The set of namespace declarations are those in scope on
             the leaf element where this type is used.

          o  The set of variable bindings contains one variable,
             'USER', which contains the name of the user of the
             current session.

          o  The function library is the core function library, but
             note that due to the syntax restrictions of an
             instance-identifier, no functions are allowed.

          o  The context node is the root node in the data tree.

       The accessible tree includes actions and notifications tied
       to data nodes.";
  }

  /*
   * Data definition statements
   */

  container nacm {
    nacm:default-deny-all;

    description
      "Parameters for NETCONF access control model.";

    leaf enable-nacm {
      type boolean;
      default "true";
      description
        "Enables or disables all NETCONF access control
         enforcement.  If 'true', then enforcement
         is enabled.  If 'false', then enforcement
         is disabled.";
    }

    leaf read-default {
      type action-type;
      default "permit";
      description
        "Controls whether read access is granted if
         no appropriate rule is found for a
         particular read request.";
    }

    leaf write-default {
      type action-type;
      default "deny";
      description
        "Controls whether create, update, or delete access
         is granted if no appropriate rule is found for a
         particular write request.";
    }

    leaf exec-default {
      type action-type;
      default "permit";
      description
        "Controls whether exec access is granted if no appropriate
         rule is found for a particular protocol operation request.";
    }

    leaf enable-external-groups {
      type boolean;
      default "true";
      description
        "Controls whether the server uses the groups reported by the
         NETCONF transport layer when it assigns the user to a set of
         NACM groups.  If this leaf has the value 'false', any group
         names reported by the transport layer are ignored by the
         server.";
    }

    leaf denied-operations {
      type yang:zero-based-counter32;
      config false;
      mandatory true;
      description
        "Number of times since the server last restarted that a
         protocol operation request was denied.";
    }

    leaf denied-data-writes {
      type yang:zero-based-counter32;
      config false;
      mandatory true;
      description
        "Number of times since the server last restarted that a
         protocol operation request to alter
         a configuration datastore was denied.";
    }

    leaf denied-notifications {
      type yang:zero-based-counter32;
      config false;
      mandatory true;
      description
        "Number of times since the server last restarted that
         a notification was dropped for a subscription because
         access to the event type was denied.";
    }

    container groups {
      description
        "NETCONF access control groups.";

      list group {
        key name;

        description
          "One NACM group entry.  This list will only contain
           configured entries, not any entries learned from
           any transport protocols.";

        leaf name {
          type group-name-type;
          description
            "Group name associated with this entry.";
        }

        leaf-list user-name {
          type user-name-type;
          description
            "Each entry identifies the username of
             a member of the group associated with
             this entry.";
        }
      }
    }

    list rule-list {
      key name;
      ordered-by user;
      description
        "An ordered collection of access control rules.";

      leaf name {
        type string {
          length "1..max";
        }
        description
          "Arbitrary name assigned to the rule-list.";
      }
      leaf-list group {
        type union {
          type matchall-string-type;
          type group-name-type;
        }
        description
          "List of administrative groups that will be
           assigned the associated access rights
           defined by the 'rule' list.

           The string '*' indicates that all groups apply to the
           entry.";
      }

      list rule {
        key name;
        ordered-by user;
        description
          "One access control rule.

           Rules are processed in user-defined order until a match is
           found.  A rule matches if 'module-name', 'rule-type', and
           'access-operations' match the request.  If a rule
           matches, the 'action' leaf determines whether or not
           access is granted.";

        leaf name {
          type string {
            length "1..max";
          }
          description
            "Arbitrary name assigned to the rule.";
        }

        leaf module-name {
          type union {
            type matchall-string-type;
            type string;
          }
          default "*";
          description
            "Name of the module associated with this rule.

             This leaf matches if it has the value '*' or if the
             object being accessed is defined in the module with the
             specified module name.";
        }
        choice rule-type {
          description
            "This choice matches if all leafs present in the rule
             match the request.  If no leafs are present, the
             choice matches all requests.";
          case protocol-operation {
            leaf rpc-name {
              type union {
                type matchall-string-type;
                type string;
              }
              description
                "This leaf matches if it has the value '*' or if
                 its value equals the requested protocol operation
                 name.";
            }
          }
          case notification {
            leaf notification-name {
              type union {
                type matchall-string-type;
                type string;
              }
              description
                "This leaf matches if it has the value '*' or if its
                 value equals the requested notification name.";
            }
          }

          case data-node {
            leaf path {
              type node-instance-identifier;
              mandatory true;
              description
                "Data node instance-identifier associated with the
                 data node, action, or notification controlled by
                 this rule.

                 Configuration data or state data
                 instance-identifiers start with a top-level
                 data node.  A complete instance-identifier is
                 required for this type of path value.

                 The special value '/' refers to all possible
                 datastore contents.";
            }
          }
        }

        leaf access-operations {
          type union {
            type matchall-string-type;
            type access-operations-type;
          }
          default "*";
          description
            "Access operations associated with this rule.

             This leaf matches if it has the value '*' or if the
             bit corresponding to the requested operation is set.";
        }

        leaf action {
          type action-type;
          mandatory true;
          description
            "The access control action associated with the
             rule.  If a rule has been determined to match a
             particular request, then this object is used
             to determine whether to permit or deny the
             request.";
        }

        leaf comment {
          type string;
          description
            "A textual description of the access rule.";
        }
      }
    }
  }
}