diff options
Diffstat (limited to 'tools/lint/examples/ietf-netconf-acm-when2.yin')
-rw-r--r-- | tools/lint/examples/ietf-netconf-acm-when2.yin | 447 |
1 files changed, 447 insertions, 0 deletions
diff --git a/tools/lint/examples/ietf-netconf-acm-when2.yin b/tools/lint/examples/ietf-netconf-acm-when2.yin new file mode 100644 index 0000000..f8f25a0 --- /dev/null +++ b/tools/lint/examples/ietf-netconf-acm-when2.yin @@ -0,0 +1,447 @@ +<?xml version="1.0" encoding="UTF-8"?> +<module xmlns="urn:ietf:params:xml:ns:yang:yin:1" xmlns:nacm="urn:ietf:params:xml:ns:yang:ietf-netconf-acm" xmlns:yang="urn:ietf:params:xml:ns:yang:ietf-yang-types" name="ietf-netconf-acm-when2"> + <namespace uri="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"/> + <prefix value="nacm"/> + <import module="ietf-yang-types"> + <prefix value="yang"/> + </import> + <organization> + <text>IETF NETCONF (Network Configuration) Working Group</text> + </organization> + <contact> + <text>WG Web: <http://tools.ietf.org/wg/netconf/> +WG List: <mailto:netconf@ietf.org> + +WG Chair: Mehmet Ersue + <mailto:mehmet.ersue@nsn.com> + +WG Chair: Bert Wijnen + <mailto:bertietf@bwijnen.net> + +Editor: Andy Bierman + <mailto:andy@yumaworks.com> + +Editor: Martin Bjorklund + <mailto:mbj@tail-f.com></text> + </contact> + <description> + <text>NETCONF Access Control Model. + +Copyright (c) 2012 IETF Trust and the persons identified as +authors of the code. All rights reserved. + +Redistribution and use in source and binary forms, with or +without modification, is permitted pursuant to, and subject +to the license terms contained in, the Simplified BSD +License set forth in Section 4.c of the IETF Trust's +Legal Provisions Relating to IETF Documents +(http://trustee.ietf.org/license-info). + +This version of this YANG module is part of RFC 6536; see +the RFC itself for full legal notices.</text> + </description> + <revision date="2012-02-22"> + <description> + <text>Initial version</text> + </description> + <reference> + <text>RFC 6536: Network Configuration Protocol (NETCONF) + Access Control Model</text> + </reference> + </revision> + <extension name="default-deny-write"> + <description> + <text>Used to indicate that the data model node +represents a sensitive security system parameter. + +If present, and the NACM module is enabled (i.e., +/nacm/enable-nacm object equals 'true'), the NETCONF server +will only allow the designated 'recovery session' to have +write access to the node. An explicit access control rule is +required for all other users. + +The 'default-deny-write' extension MAY appear within a data +definition statement. It is ignored otherwise.</text> + </description> + </extension> + <extension name="default-deny-all"> + <description> + <text>Used to indicate that the data model node +controls a very sensitive security system parameter. + +If present, and the NACM module is enabled (i.e., +/nacm/enable-nacm object equals 'true'), the NETCONF server +will only allow the designated 'recovery session' to have +read, write, or execute access to the node. An explicit +access control rule is required for all other users. + +The 'default-deny-all' extension MAY appear within a data +definition statement, 'rpc' statement, or 'notification' +statement. It is ignored otherwise.</text> + </description> + </extension> + <typedef name="user-name-type"> + <type name="string"> + <length value="1..max"/> + </type> + <description> + <text>General Purpose Username string.</text> + </description> + </typedef> + <typedef name="matchall-string-type"> + <type name="string"> + <pattern value="\*"/> + </type> + <description> + <text>The string containing a single asterisk '*' is used +to conceptually represent all possible values +for the particular leaf using this data type.</text> + </description> + </typedef> + <typedef name="access-operations-type"> + <type name="bits"> + <bit name="create"> + <description> + <text>Any protocol operation that creates a +new data node.</text> + </description> + </bit> + <bit name="read"> + <description> + <text>Any protocol operation or notification that +returns the value of a data node.</text> + </description> + </bit> + <bit name="update"> + <description> + <text>Any protocol operation that alters an existing +data node.</text> + </description> + </bit> + <bit name="delete"> + <description> + <text>Any protocol operation that removes a data node.</text> + </description> + </bit> + <bit name="exec"> + <description> + <text>Execution access to the specified protocol operation.</text> + </description> + </bit> + </type> + <description> + <text>NETCONF Access Operation.</text> + </description> + </typedef> + <typedef name="group-name-type"> + <type name="string"> + <length value="1..max"/> + <pattern value="[^\*].*"/> + </type> + <description> + <text>Name of administrative group to which +users can be assigned.</text> + </description> + </typedef> + <typedef name="action-type"> + <type name="enumeration"> + <enum name="permit"> + <description> + <text>Requested action is permitted.</text> + </description> + </enum> + <enum name="deny"> + <description> + <text>Requested action is denied.</text> + </description> + </enum> + </type> + <description> + <text>Action taken by the server when a particular +rule matches.</text> + </description> + </typedef> + <typedef name="node-instance-identifier"> + <type name="yang:xpath1.0"/> + <description> + <text>Path expression used to represent a special +data node instance identifier string. + +A node-instance-identifier value is an +unrestricted YANG instance-identifier expression. +All the same rules as an instance-identifier apply +except predicates for keys are optional. If a key +predicate is missing, then the node-instance-identifier +represents all possible server instances for that key. + +This XPath expression is evaluated in the following context: + + o The set of namespace declarations are those in scope on + the leaf element where this type is used. + + o The set of variable bindings contains one variable, + 'USER', which contains the name of the user of the current + session. + + o The function library is the core function library, but + note that due to the syntax restrictions of an + instance-identifier, no functions are allowed. + + o The context node is the root node in the data tree.</text> + </description> + </typedef> + <container name="nacm"> + <nacm:default-deny-all/> + <description> + <text>Parameters for NETCONF Access Control Model.</text> + </description> + <leaf name="enable-nacm"> + <type name="boolean"/> + <default value="true"/> + <description> + <text>Enables or disables all NETCONF access control +enforcement. If 'true', then enforcement +is enabled. If 'false', then enforcement +is disabled.</text> + </description> + </leaf> + <leaf name="read-default"> + <type name="action-type"/> + <default value="permit"/> + <description> + <text>Controls whether read access is granted if +no appropriate rule is found for a +particular read request.</text> + </description> + </leaf> + <leaf name="write-default"> + <type name="action-type"/> + <default value="deny"/> + <description> + <text>Controls whether create, update, or delete access +is granted if no appropriate rule is found for a +particular write request.</text> + </description> + </leaf> + <leaf name="exec-default"> + <type name="action-type"/> + <default value="permit"/> + <description> + <text>Controls whether exec access is granted if no appropriate +rule is found for a particular protocol operation request.</text> + </description> + </leaf> + <leaf name="enable-external-groups"> + <type name="boolean"/> + <default value="true"/> + <description> + <text>Controls whether the server uses the groups reported by the +NETCONF transport layer when it assigns the user to a set of +NACM groups. If this leaf has the value 'false', any group +names reported by the transport layer are ignored by the +server.</text> + </description> + </leaf> + <leaf name="denied-operations"> + <type name="yang:zero-based-counter32"/> + <config value="false"/> + <mandatory value="true"/> + <description> + <text>Number of times since the server last restarted that a +protocol operation request was denied.</text> + </description> + </leaf> + <leaf name="denied-data-writes"> + <type name="yang:zero-based-counter32"/> + <config value="false"/> + <mandatory value="true"/> + <when condition="../denied-operations > 0"/> + <description> + <text>Number of times since the server last restarted that a +protocol operation request to alter +a configuration datastore was denied.</text> + </description> + </leaf> + <leaf name="denied-notifications"> + <type name="yang:zero-based-counter32"/> + <config value="false"/> + <mandatory value="true"/> + <description> + <text>Number of times since the server last restarted that +a notification was dropped for a subscription because +access to the event type was denied.</text> + </description> + </leaf> + <container name="groups"> + <description> + <text>NETCONF Access Control Groups.</text> + </description> + <list name="group"> + <key value="name"/> + <description> + <text>One NACM Group Entry. This list will only contain +configured entries, not any entries learned from +any transport protocols.</text> + </description> + <leaf name="name"> + <type name="group-name-type"/> + <description> + <text>Group name associated with this entry.</text> + </description> + </leaf> + <leaf-list name="user-name"> + <type name="user-name-type"/> + <description> + <text>Each entry identifies the username of +a member of the group associated with +this entry.</text> + </description> + </leaf-list> + </list> + </container> + <list name="rule-list"> + <key value="name"/> + <ordered-by value="user"/> + <description> + <text>An ordered collection of access control rules.</text> + </description> + <leaf name="name"> + <type name="string"> + <length value="1..max"/> + </type> + <description> + <text>Arbitrary name assigned to the rule-list.</text> + </description> + </leaf> + <leaf-list name="group"> + <type name="union"> + <type name="matchall-string-type"/> + <type name="group-name-type"/> + </type> + <description> + <text>List of administrative groups that will be +assigned the associated access rights +defined by the 'rule' list. + +The string '*' indicates that all groups apply to the +entry.</text> + </description> + </leaf-list> + <list name="rule"> + <key value="name"/> + <ordered-by value="user"/> + <description> + <text>One access control rule. + +Rules are processed in user-defined order until a match is +found. A rule matches if 'module-name', 'rule-type', and +'access-operations' match the request. If a rule +matches, the 'action' leaf determines if access is granted +or not.</text> + </description> + <leaf name="name"> + <type name="string"> + <length value="1..max"/> + </type> + <description> + <text>Arbitrary name assigned to the rule.</text> + </description> + </leaf> + <leaf name="module-name"> + <type name="union"> + <type name="matchall-string-type"/> + <type name="string"/> + </type> + <default value="*"/> + <description> + <text>Name of the module associated with this rule. + +This leaf matches if it has the value '*' or if the +object being accessed is defined in the module with the +specified module name.</text> + </description> + </leaf> + <choice name="rule-type"> + <description> + <text>This choice matches if all leafs present in the rule +match the request. If no leafs are present, the +choice matches all requests.</text> + </description> + <case name="protocol-operation"> + <leaf name="rpc-name"> + <type name="union"> + <type name="matchall-string-type"/> + <type name="string"/> + </type> + <description> + <text>This leaf matches if it has the value '*' or if +its value equals the requested protocol operation +name.</text> + </description> + </leaf> + </case> + <case name="notification"> + <leaf name="notification-name"> + <type name="union"> + <type name="matchall-string-type"/> + <type name="string"/> + </type> + <description> + <text>This leaf matches if it has the value '*' or if its +value equals the requested notification name.</text> + </description> + </leaf> + </case> + <case name="data-node"> + <leaf name="path"> + <type name="node-instance-identifier"/> + <mandatory value="true"/> + <description> + <text>Data Node Instance Identifier associated with the +data node controlled by this rule. + +Configuration data or state data instance +identifiers start with a top-level data node. A +complete instance identifier is required for this +type of path value. + +The special value '/' refers to all possible +datastore contents.</text> + </description> + </leaf> + </case> + </choice> + <leaf name="access-operations"> + <type name="union"> + <type name="matchall-string-type"/> + <type name="access-operations-type"/> + </type> + <default value="*"/> + <description> + <text>Access operations associated with this rule. + +This leaf matches if it has the value '*' or if the +bit corresponding to the requested operation is set.</text> + </description> + </leaf> + <leaf name="action"> + <type name="action-type"/> + <mandatory value="true"/> + <description> + <text>The access control action associated with the +rule. If a rule is determined to match a +particular request, then this object is used +to determine whether to permit or deny the +request.</text> + </description> + </leaf> + <leaf name="comment"> + <type name="string"/> + <description> + <text>A textual description of the access rule.</text> + </description> + </leaf> + </list> + </list> + </container> +</module> |