diff --git a/yang/clixon/Makefile.in b/yang/clixon/Makefile.in index 6578514a..206876c3 100644 --- a/yang/clixon/Makefile.in +++ b/yang/clixon/Makefile.in @@ -45,7 +45,7 @@ YANGSPECS = clixon-config@2021-03-08.yang YANGSPECS += clixon-lib@2021-03-08.yang YANGSPECS += clixon-rfc5277@2008-07-01.yang YANGSPECS += clixon-xml-changelog@2019-03-21.yang -YANGSPECS += clixon-restconf@2020-12-30.yang +YANGSPECS += clixon-restconf@2021-03-15.yang APPNAME = clixon # subdir ehere these files are installed diff --git a/yang/clixon/clixon-restconf@2021-03-15.yang b/yang/clixon/clixon-restconf@2021-03-15.yang new file mode 100644 index 00000000..25ec9b21 --- /dev/null +++ b/yang/clixon/clixon-restconf@2021-03-15.yang @@ -0,0 +1,212 @@ +module clixon-restconf { + yang-version 1.1; + namespace "http://clicon.org/restconf"; + prefix "clrc"; + + import ietf-inet-types { + prefix inet; + } + + organization + "Clixon"; + + contact + "Olof Hagsand "; + + description + "This YANG module provides a data-model for the Clixon RESTCONF daemon. + ***** BEGIN LICENSE BLOCK ***** + Copyright (C) 2020 Olof Hagsand and Rubicon Communications, LLC(Netgate) + + This file is part of CLIXON + + Licensed under the Apache License, Version 2.0 (the \"License\"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an \"AS IS\" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + Alternatively, the contents of this file may be used under the terms of + the GNU General Public License Version 3 or later (the \"GPL\"), + in which case the provisions of the GPL are applicable instead + of those above. If you wish to allow use of your version of this file only + under the terms of the GPL, and not to allow others to + use your version of this file under the terms of Apache License version 2, + indicate your decision by deleting the provisions above and replace them with + the notice and other provisions required by the GPL. If you do not delete + the provisions above, a recipient may use your version of this file under + the terms of any one of the Apache License version 2 or the GPL. + + ***** END LICENSE BLOCK *****"; + + revision 2021-03-15 { + description + "make authentication-type none a feature"; + } + revision 2020-12-30 { + description + "Added: debug field + Added 'none' as default value for auth-type + Changed http-auth-type enum from 'password' to 'user'"; + } + revision 2020-10-30 { + description + "Initial release"; + } + + feature fcgi { + description + "This feature indicates that the restconf server supports the fast-cgi reverse + proxy solution. + That is, a reverse proxy is the HTTP front-end and the restconf daemon listens + to a fcgi socket. + The alternative is the internal HTTP solution using evhtp."; + } + + feature allow-auth-none { + description + "This feature allows the use of authentication-type none."; + } + + typedef http-auth-type { + type enumeration { + enum none { + if-feature "allow-auth-none"; + description + "Incoming message are set to authenticated by default. No ca-auth callback is called, + Authenticated user is set to special user 'none'. + Typically assumes NACM is not enabled."; + } + enum client-certificate { + description + "TLS client certificate validation is made on each incoming message. If it passes + the authenticated user is extracted from the SSL_CN parameter + The ca-auth callback can be used to revise this behavior."; + } + enum user { + description + "User-defined authentication as defined by the ca-auth callback. + One example is some form of password authentication, such as basic auth."; + } + } + description + "Enumeration of HTTP authorization types."; + } + grouping clixon-restconf{ + description + "HTTP RESTCONF configuration."; + leaf enable { + type boolean; + default "false"; + description + "Enables RESTCONF functionality. + Note that starting/stopping of a restconf daemon is different from it being + enabled or not. + For example, if the restconf daemon is under systemd management, the restconf + daemon will only start if enable=true."; + } + leaf auth-type { + type http-auth-type; + description + "The authentication type. + Note client-certificate applies only if ssl-enable is true and socket has ssl"; + default user; + } + leaf debug { + description + "Set debug level of restconf daemon. + 0 is no debug, 1 is debugging, more is detailed debug. + Debug logs will be directed to syslog with + ident: clixon_restconf and PID + facility: LOG_USER + level: LOG_DEBUG"; + type uint32; + default 0; + } + leaf pretty { + type boolean; + default true; + description + "Restconf return value pretty print. + Restconf clients may add HTTP header: + Accept: application/yang-data+json, or + Accept: application/yang-data+xml + to get return value in XML or JSON. + RFC 8040 examples print XML and JSON in pretty-printed form. + Setting this value to false makes restconf return not pretty-printed + which may be desirable for performance or tests + This replaces the CLICON_RESTCONF_PRETTY option in clixon-config.yang"; + } + /* From this point only specific options + * First fcgi-specific options + */ + leaf fcgi-socket { + if-feature fcgi; /* Set by default by fcgi clixon_restconf daemon */ + type string; + default "/www-data/fastcgi_restconf.sock"; + description + "Path to FastCGI unix socket. Should be specified in webserver + Eg in nginx: fastcgi_pass unix:/www-data/clicon_restconf.sock + Only if with-restconf=fcgi, NOT evhtp + This replaces CLICON_RESTCONF_PATH option in clixon-config.yang"; + } + /* Second, evhtp-specific options */ + leaf server-cert-path { + type string; + description + "Path to server certificate file. + Note only applies if socket has ssl enabled"; + } + leaf server-key-path { + type string; + description + "Path to server key file + Note only applies if socket has ssl enabled"; + } + leaf server-ca-cert-path { + type string; + description + "Path to server CA cert file + Note only applies if socket has ssl enabled"; + } + list socket { + description + "List of server sockets that the restconf daemon listens to"; + key "namespace address port"; + leaf namespace { + type string; + description + "Network namespace. + On platforms where namespaces are not suppported, always 'default'"; + } + leaf address { + type inet:ip-address; + description "IP address to bind to"; + } + leaf port { + type inet:port-number; + description "TCP port to bind to"; + } + leaf ssl { + type boolean; + default true; + description "Enable for HTTPS otherwise HTTP protocol"; + } + } + } + container restconf { + description + "This presence is strictly not necessary since the enable flag + in clixon-restconf is the flag bearing the actual semantics. + However, removing the presence leads to default config in all + clixon installations, even those which do not use backend-started restconf. + One could see this as mostly cosmetically annoying. + Alternative would be to make the inclusion of this yang conditional."; + presence "Enables RESTCONF"; + uses clixon-restconf; + } +}