Updated ietf-netconf-acm to ietf-netconf-acm@2018-02-14.yang from RFC 8341

This commit is contained in:
Olof hagsand 2018-04-02 13:33:24 +02:00
parent 6ed769e082
commit 7fbd95d491
3 changed files with 83 additions and 61 deletions


@ -42,6 +42,7 @@
### Minor changes: ### Minor changes:
* Updated ietf-netconf-acm to ietf-netconf-acm@2018-02-14.yang from RFC 8341
* The Clixon example has changed name from "routing" to "example" affecting all config files, plugins, tests, etc. * The Clixon example has changed name from "routing" to "example" affecting all config files, plugins, tests, etc.
* Removed username to rpc calls (added below) * Removed username to rpc calls (added below)
* README.md extended with new yang, netconf, restconf, datastore, and auth sections. * README.md extended with new yang, netconf, restconf, datastore, and auth sections.


@ -40,7 +40,7 @@ datarootdir = @datarootdir@
YANGSPECS = clixon-config@2018-02-12.yang YANGSPECS = clixon-config@2018-02-12.yang
YANGSPECS += ietf-netconf@2011-06-01.yang YANGSPECS += ietf-netconf@2011-06-01.yang
YANGSPECS += ietf-netconf-acm@2012-02-22.yang YANGSPECS += ietf-netconf-acm@2018-02-14.yang
YANGSPECS += ietf-inet-types@2013-07-15.yang YANGSPECS += ietf-inet-types@2013-07-15.yang
APPNAME = clixon # subdir ehere these files are installed APPNAME = clixon # subdir ehere these files are installed


@ -1,47 +1,54 @@
module ietf-netconf-acm { module ietf-netconf-acm {
namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"; namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";
prefix "nacm";
prefix nacm;
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
} }
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netconf/> "WG Web: <https://datatracker.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org> WG List: <mailto:netconf@ietf.org>
WG Chair: Mehmet Ersue Author: Andy Bierman
<mailto:mehmet.ersue@nsn.com>
WG Chair: Bert Wijnen
<mailto:bertietf@bwijnen.net>
Editor: Andy Bierman
<mailto:andy@yumaworks.com> <mailto:andy@yumaworks.com>
Editor: Martin Bjorklund Author: Martin Bjorklund
<mailto:mbj@tail-f.com>"; <mailto:mbj@tail-f.com>";
description description
"NETCONF Access Control Model. "Network Configuration Access Control Model.
Copyright (c) 2012 IETF Trust and the persons identified as Copyright (c) 2012 - 2018 IETF Trust and the persons
authors of the code. All rights reserved. identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 6536; see This version of this YANG module is part of RFC 8341; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2018-02-14" {
description
"Added support for YANG 1.1 actions and notifications tied to
data nodes. Clarified how NACM extensions can be used by
other data models.";
reference
"RFC 8341: Network Configuration Access Control Model";
}
revision "2012-02-22" { revision "2012-02-22" {
description description
"Initial version"; "Initial version.";
reference reference
"RFC 6536: Network Configuration Protocol (NETCONF) "RFC 6536: Network Configuration Protocol (NETCONF)
Access Control Model"; Access Control Model";
@ -56,11 +63,13 @@ module ietf-netconf-acm {
"Used to indicate that the data model node "Used to indicate that the data model node
represents a sensitive security system parameter. represents a sensitive security system parameter.
If present, and the NACM module is enabled (i.e., If present, the NETCONF server will only allow the designated
/nacm/enable-nacm object equals 'true'), the NETCONF server 'recovery session' to have write access to the node. An
will only allow the designated 'recovery session' to have explicit access control rule is required for all other users.
write access to the node. An explicit access control rule is
required for all other users. If the NACM module is used, then it must be enabled (i.e.,
/nacm/enable-nacm object equals 'true'), or this extension
is ignored.
The 'default-deny-write' extension MAY appear within a data The 'default-deny-write' extension MAY appear within a data
definition statement. It is ignored otherwise."; definition statement. It is ignored otherwise.";
@ -71,11 +80,14 @@ module ietf-netconf-acm {
"Used to indicate that the data model node "Used to indicate that the data model node
controls a very sensitive security system parameter. controls a very sensitive security system parameter.
If present, and the NACM module is enabled (i.e., If present, the NETCONF server will only allow the designated
/nacm/enable-nacm object equals 'true'), the NETCONF server 'recovery session' to have read, write, or execute access to
will only allow the designated 'recovery session' to have the node. An explicit access control rule is required for all
read, write, or execute access to the node. An explicit other users.
access control rule is required for all other users.
If the NACM module is used, then it must be enabled (i.e.,
/nacm/enable-nacm object equals 'true'), or this extension
is ignored.
The 'default-deny-all' extension MAY appear within a data The 'default-deny-all' extension MAY appear within a data
definition statement, 'rpc' statement, or 'notification' definition statement, 'rpc' statement, or 'notification'
@ -91,12 +103,12 @@ module ietf-netconf-acm {
length "1..max"; length "1..max";
} }
description description
"General Purpose Username string."; "General-purpose username string.";
} }
typedef matchall-string-type { typedef matchall-string-type {
type string { type string {
pattern "\*"; pattern '\*';
} }
description description
"The string containing a single asterisk '*' is used "The string containing a single asterisk '*' is used
@ -121,6 +133,7 @@ module ietf-netconf-acm {
"Any protocol operation that alters an existing "Any protocol operation that alters an existing
data node."; data node.";
} }
bit delete { bit delete {
description description
"Any protocol operation that removes a data node."; "Any protocol operation that removes a data node.";
@ -131,13 +144,13 @@ module ietf-netconf-acm {
} }
} }
description description
"NETCONF Access Operation."; "Access operation.";
} }
typedef group-name-type { typedef group-name-type {
type string { type string {
length "1..max"; length "1..max";
pattern "[^\*].*"; pattern '[^\*].*';
} }
description description
"Name of administrative group to which "Name of administrative group to which
@ -164,29 +177,35 @@ module ietf-netconf-acm {
type yang:xpath1.0; type yang:xpath1.0;
description description
"Path expression used to represent a special "Path expression used to represent a special
data node instance identifier string. data node, action, or notification instance-identifier
string.
A node-instance-identifier value is an A node-instance-identifier value is an
unrestricted YANG instance-identifier expression. unrestricted YANG instance-identifier expression.
All the same rules as an instance-identifier apply
except predicates for keys are optional. If a key All the same rules as an instance-identifier apply,
except that predicates for keys are optional. If a key
predicate is missing, then the node-instance-identifier predicate is missing, then the node-instance-identifier
represents all possible server instances for that key. represents all possible server instances for that key.
This XPath expression is evaluated in the following context: This XML Path Language (XPath) expression is evaluated in the
following context:
o The set of namespace declarations are those in scope on o The set of namespace declarations are those in scope on
the leaf element where this type is used. the leaf element where this type is used.
o The set of variable bindings contains one variable, o The set of variable bindings contains one variable,
'USER', which contains the name of the user of the current 'USER', which contains the name of the user of the
session. current session.
o The function library is the core function library, but o The function library is the core function library, but
note that due to the syntax restrictions of an note that due to the syntax restrictions of an
instance-identifier, no functions are allowed. instance-identifier, no functions are allowed.
o The context node is the root node in the data tree."; o The context node is the root node in the data tree.
The accessible tree includes actions and notifications tied
to data nodes.";
} }
/* /*
@ -197,11 +216,11 @@ module ietf-netconf-acm {
nacm:default-deny-all; nacm:default-deny-all;
description description
"Parameters for NETCONF Access Control Model."; "Parameters for NETCONF access control model.";
leaf enable-nacm { leaf enable-nacm {
type boolean; type boolean;
default true; default "true";
description description
"Enables or disables all NETCONF access control "Enables or disables all NETCONF access control
enforcement. If 'true', then enforcement enforcement. If 'true', then enforcement
@ -237,7 +256,7 @@ module ietf-netconf-acm {
leaf enable-external-groups { leaf enable-external-groups {
type boolean; type boolean;
default true; default "true";
description description
"Controls whether the server uses the groups reported by the "Controls whether the server uses the groups reported by the
NETCONF transport layer when it assigns the user to a set of NETCONF transport layer when it assigns the user to a set of
@ -277,13 +296,13 @@ module ietf-netconf-acm {
container groups { container groups {
description description
"NETCONF Access Control Groups."; "NETCONF access control groups.";
list group { list group {
key name; key name;
description description
"One NACM Group Entry. This list will only contain "One NACM group entry. This list will only contain
configured entries, not any entries learned from configured entries, not any entries learned from
any transport protocols."; any transport protocols.";
@ -304,7 +323,7 @@ module ietf-netconf-acm {
} }
list rule-list { list rule-list {
key "name"; key name;
ordered-by user; ordered-by user;
description description
"An ordered collection of access control rules."; "An ordered collection of access control rules.";
@ -331,7 +350,7 @@ module ietf-netconf-acm {
} }
list rule { list rule {
key "name"; key name;
ordered-by user; ordered-by user;
description description
"One access control rule. "One access control rule.
@ -339,8 +358,8 @@ module ietf-netconf-acm {
Rules are processed in user-defined order until a match is Rules are processed in user-defined order until a match is
found. A rule matches if 'module-name', 'rule-type', and found. A rule matches if 'module-name', 'rule-type', and
'access-operations' match the request. If a rule 'access-operations' match the request. If a rule
matches, the 'action' leaf determines if access is granted matches, the 'action' leaf determines whether or not
or not."; access is granted.";
leaf name { leaf name {
type string { type string {
@ -391,18 +410,20 @@ module ietf-netconf-acm {
value equals the requested notification name."; value equals the requested notification name.";
} }
} }
case data-node { case data-node {
leaf path { leaf path {
type node-instance-identifier; type node-instance-identifier;
mandatory true; mandatory true;
description description
"Data Node Instance Identifier associated with the "Data node instance-identifier associated with the
data node controlled by this rule. data node, action, or notification controlled by
this rule.
Configuration data or state data instance Configuration data or state data
identifiers start with a top-level data node. A instance-identifiers start with a top-level
complete instance identifier is required for this data node. A complete instance-identifier is
type of path value. required for this type of path value.
The special value '/' refers to all possible The special value '/' refers to all possible
datastore contents."; datastore contents.";
@ -428,7 +449,7 @@ module ietf-netconf-acm {
mandatory true; mandatory true;
description description
"The access control action associated with the "The access control action associated with the
rule. If a rule is determined to match a rule. If a rule has been determined to match a
particular request, then this object is used particular request, then this object is used
to determine whether to permit or deny the to determine whether to permit or deny the
request."; request.";
@ -442,4 +463,4 @@ module ietf-netconf-acm {
} }
} }
} }
} }
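Review bot: The revised `path` description in the last-but-two hunk (and the node-instance-identifier typedef text "The accessible tree includes actions and notifications tied to data nodes") widens what a NACM rule path may name, but the diffstat shows only the YANG module, Makefile.in and CHANGELOG changing, so nothing visible extends the server's rule matching to actions or notifications. If Clixon's enforcement resolves `rule/path` only against data nodes, an administrator's rule targeting an action would be accepted by the 2018-02-14 schema yet never match, and the request would silently fall through to the `exec-default`/`read-default`/`write-default` defaults instead of the intended permit or deny; I cannot confirm the enforcement code from this commit, so this is a point to verify rather than a known gap. A CHANGELOG line such as `* Note: NACM rule paths naming actions/notifications (RFC 8341) are accepted by the schema but not yet enforced` would make the state explicit until a test covering such a rule exists. Also note the new `default-deny-write`/`default-deny-all` wording says these extensions are ignored when `/nacm/enable-nacm` is false, so any enforcement of those extensions must keep consulting that leaf first.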