From 7fbd95d491c6e5e69af380c7e1e0c5e28bf2bb05 Mon Sep 17 00:00:00 2001
From: Olof hagsand
Date: Mon, 2 Apr 2018 13:33:24 +0200
Subject: [PATCH] Updated ietf-netconf-acm to ietf-netconf-acm@2018-02-14.yang from RFC 8341
---
 CHANGELOG.md | 1 +
 yang/Makefile.in | 2 +-
 ....yang => ietf-netconf-acm@2018-02-14.yang} | 141 ++++++++++--------
 3 files changed, 83 insertions(+), 61 deletions(-)
 rename yang/{ietf-netconf-acm@2012-02-22.yang => ietf-netconf-acm@2018-02-14.yang} (73%)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 487f9e5c..dc4dbe17 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -42,6 +42,7 @@
 ### Minor changes:
+* Updated ietf-netconf-acm to ietf-netconf-acm@2018-02-14.yang from RFC 8341
 * The Clixon example has changed name from "routing" to "example" affecting all config files, plugins, tests, etc.
 * Removed username to rpc calls (added below)
 * README.md extended with new yang, netconf, restconf, datastore, and auth sections.
diff --git a/yang/Makefile.in b/yang/Makefile.in
index cd3f988c..28a397c1 100644
--- a/yang/Makefile.in
+++ b/yang/Makefile.in
@@ -40,7 +40,7 @@ datarootdir = @datarootdir@
 YANGSPECS = clixon-config@2018-02-12.yang
 YANGSPECS += ietf-netconf@2011-06-01.yang
-YANGSPECS += ietf-netconf-acm@2012-02-22.yang
+YANGSPECS += ietf-netconf-acm@2018-02-14.yang
 YANGSPECS += ietf-inet-types@2013-07-15.yang
 APPNAME = clixon
 # subdir ehere these files are installed
diff --git a/yang/ietf-netconf-acm@2012-02-22.yang b/yang/ietf-netconf-acm@2018-02-14.yang
similarity index 73%
rename from yang/ietf-netconf-acm@2012-02-22.yang
rename to yang/ietf-netconf-acm@2018-02-14.yang
index 32888d51..d6e7d86e 100644
--- a/yang/ietf-netconf-acm@2012-02-22.yang
+++ b/yang/ietf-netconf-acm@2018-02-14.yang
@@ -1,47 +1,54 @@ module ietf-netconf-acm { + namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"; - prefix "nacm"; + + prefix nacm; + import ietf-yang-types { prefix yang; } + organization "IETF NETCONF (Network Configuration) Working Group"; contact - "WG Web: + "WG Web: WG List: - WG Chair: Mehmet Ersue - - - WG Chair: Bert Wijnen - - - Editor: Andy Bierman + Author: Andy Bierman - Editor: Martin Bjorklund + Author: Martin Bjorklund "; description - "NETCONF Access Control Model. + "Network Configuration Access Control Model. - Copyright (c) 2012 IETF Trust and the persons identified as - authors of the code. All rights reserved. + Copyright (c) 2012 - 2018 IETF Trust and the persons + identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents - (http://trustee.ietf.org/license-info). + (https://trustee.ietf.org/license-info). - This version of this YANG module is part of RFC 6536; see + This version of this YANG module is part of RFC 8341; see the RFC itself for full legal notices."; + revision "2018-02-14" { + description + "Added support for YANG 1.1 actions and notifications tied to + data nodes. Clarified how NACM extensions can be used by + other data models."; + reference + "RFC 8341: Network Configuration Access Control Model"; + } + revision "2012-02-22" { description - "Initial version"; + "Initial version."; reference "RFC 6536: Network Configuration Protocol (NETCONF) Access Control Model"; 
@@ -56,11 +63,13 @@ module ietf-netconf-acm { "Used to indicate that the data model node represents a sensitive security system parameter. - If present, and the NACM module is enabled (i.e., - /nacm/enable-nacm object equals 'true'), the NETCONF server - will only allow the designated 'recovery session' to have - write access to the node. An explicit access control rule is - required for all other users. + If present, the NETCONF server will only allow the designated + 'recovery session' to have write access to the node. An + explicit access control rule is required for all other users. + + If the NACM module is used, then it must be enabled (i.e., + /nacm/enable-nacm object equals 'true'), or this extension + is ignored. The 'default-deny-write' extension MAY appear within a data definition statement. It is ignored otherwise."; @@ -71,11 +80,14 @@ module ietf-netconf-acm { "Used to indicate that the data model node controls a very sensitive security system parameter. - If present, and the NACM module is enabled (i.e., - /nacm/enable-nacm object equals 'true'), the NETCONF server - will only allow the designated 'recovery session' to have - read, write, or execute access to the node. An explicit - access control rule is required for all other users. + If present, the NETCONF server will only allow the designated + 'recovery session' to have read, write, or execute access to + the node. An explicit access control rule is required for all + other users. + + If the NACM module is used, then it must be enabled (i.e., + /nacm/enable-nacm object equals 'true'), or this extension + is ignored. The 'default-deny-all' extension MAY appear within a data definition statement, 'rpc' statement, or 'notification' 
@@ -91,12 +103,12 @@ module ietf-netconf-acm { length "1..max"; } description - "General Purpose Username string."; + "General-purpose username string."; } typedef matchall-string-type { type string { - pattern "\*"; + pattern '\*'; } description "The string containing a single asterisk '*' is used @@ -121,6 +133,7 @@ module ietf-netconf-acm { "Any protocol operation that alters an existing data node."; } + bit delete { description "Any protocol operation that removes a data node."; @@ -131,13 +144,13 @@ module ietf-netconf-acm { } } description - "NETCONF Access Operation."; + "Access operation."; } typedef group-name-type { type string { length "1..max"; - pattern "[^\*].*"; + pattern '[^\*].*'; } description "Name of administrative group to which 
@@ -164,29 +177,35 @@ module ietf-netconf-acm { type yang:xpath1.0; description "Path expression used to represent a special - data node instance identifier string. + data node, action, or notification instance-identifier + string. A node-instance-identifier value is an unrestricted YANG instance-identifier expression. - All the same rules as an instance-identifier apply - except predicates for keys are optional. If a key + + All the same rules as an instance-identifier apply, + except that predicates for keys are optional. If a key predicate is missing, then the node-instance-identifier represents all possible server instances for that key. - This XPath expression is evaluated in the following context: + This XML Path Language (XPath) expression is evaluated in the + following context: - o The set of namespace declarations are those in scope on - the leaf element where this type is used. + o The set of namespace declarations are those in scope on + the leaf element where this type is used. - o The set of variable bindings contains one variable, - 'USER', which contains the name of the user of the current - session. + o The set of variable bindings contains one variable, + 'USER', which contains the name of the user of the + current session. - o The function library is the core function library, but - note that due to the syntax restrictions of an - instance-identifier, no functions are allowed. + o The function library is the core function library, but + note that due to the syntax restrictions of an + instance-identifier, no functions are allowed. - o The context node is the root node in the data tree."; + o The context node is the root node in the data tree. + + The accessible tree includes actions and notifications tied + to data nodes."; } /* 
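Review bot: The 2018-02-14 module widens `node-instance-identifier` to cover a "data node, action, or notification" and adds "The accessible tree includes actions and notifications tied to data nodes" (the same widening appears in the `case data-node` path description in the last hunk of this file), but the diffstat lists only CHANGELOG.md, yang/Makefile.in and the module itself, so the NACM enforcement code is not changed by this commit. If the server already evaluates `data-node` rules against YANG 1.1 actions and data-tied notifications this is fine; otherwise the installed schema now advertises access-control semantics that the implementation may not enforce, and rules an operator writes for actions would give no protection. Either include the enforcement change here or in a follow-up, or state in the CHANGELOG.md entry that only the module text was updated and that action/notification coverage is pending, e.g. `* Updated ietf-netconf-acm to ietf-netconf-acm@2018-02-14.yang from RFC 8341 (schema only; action/notification rules not yet enforced)`. The module text itself is copied from RFC 8341 and should not be edited locally.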
@@ -197,11 +216,11 @@ module ietf-netconf-acm { nacm:default-deny-all; description - "Parameters for NETCONF Access Control Model."; + "Parameters for NETCONF access control model."; leaf enable-nacm { type boolean; - default true; + default "true"; description "Enables or disables all NETCONF access control enforcement. If 'true', then enforcement @@ -237,7 +256,7 @@ module ietf-netconf-acm { leaf enable-external-groups { type boolean; - default true; + default "true"; description "Controls whether the server uses the groups reported by the NETCONF transport layer when it assigns the user to a set of @@ -277,13 +296,13 @@ module ietf-netconf-acm { container groups { description - "NETCONF Access Control Groups."; + "NETCONF access control groups."; list group { key name; description - "One NACM Group Entry. This list will only contain + "One NACM group entry. This list will only contain configured entries, not any entries learned from any transport protocols."; @@ -304,7 +323,7 @@ module ietf-netconf-acm { } list rule-list { - key "name"; + key name; ordered-by user; description "An ordered collection of access control rules."; @@ -331,7 +350,7 @@ module ietf-netconf-acm { } list rule { - key "name"; + key name; ordered-by user; description "One access control rule. @@ -339,8 +358,8 @@ module ietf-netconf-acm { Rules are processed in user-defined order until a match is found. A rule matches if 'module-name', 'rule-type', and 'access-operations' match the request. If a rule - matches, the 'action' leaf determines if access is granted - or not."; + matches, the 'action' leaf determines whether or not + access is granted."; leaf name { type string { 
@@ -391,18 +410,20 @@ module ietf-netconf-acm { value equals the requested notification name."; } } + case data-node { leaf path { type node-instance-identifier; mandatory true; description - "Data Node Instance Identifier associated with the - data node controlled by this rule. + "Data node instance-identifier associated with the + data node, action, or notification controlled by + this rule. - Configuration data or state data instance - identifiers start with a top-level data node. A - complete instance identifier is required for this - type of path value. + Configuration data or state data + instance-identifiers start with a top-level + data node. A complete instance-identifier is + required for this type of path value. The special value '/' refers to all possible datastore contents."; @@ -428,7 +449,7 @@ module ietf-netconf-acm { mandatory true; description "The access control action associated with the - rule. If a rule is determined to match a + rule. If a rule has been determined to match a particular request, then this object is used to determine whether to permit or deny the request."; @@ -442,4 +463,4 @@ module ietf-netconf-acm { } } } -} \ No newline at end of file +}