module openconfig-aaa {
// Review notes in this file are "//" comments; the normative text for each
// node is its YANG "description" statement. The comments only point out
// cross-grouping interactions (config groupings reused under read-only
// state containers, relative "when" paths, unconstrained string unions)
// that are easy to miss when reading one grouping at a time.
yang-version "1";
// namespace
namespace "http://openconfig.net/yang/aaa";
prefix "oc-aaa";
// import some basic types
import openconfig-extensions { prefix oc-ext; }
import openconfig-inet-types { prefix oc-inet; }
import openconfig-yang-types { prefix oc-yang; }
import openconfig-aaa-types { prefix oc-aaa-types; }
// Submodules providing the per-protocol server nodes that aaa-server-top
// pulls in below (aaa-tacacs-server-top / aaa-radius-server-top).
include openconfig-aaa-tacacs;
include openconfig-aaa-radius;
// meta
organization "OpenConfig working group";
contact
"OpenConfig working group
www.openconfig.net";
description
"This module defines configuration and operational state data
related to authorization, authentication, and accounting (AAA)
management.
Portions of this model reuse data definitions or structure from
RFC 7317 - A YANG Data Model for System Management";
oc-ext:openconfig-version "0.4.0";
revision "2018-04-12" {
description
"Add when conditions, correct identities";
reference "0.4.0";
}
revision "2017-09-18" {
description
"Updated to use OpenConfig types modules";
reference "0.3.0";
}
revision "2017-07-06" {
description
"Move to oc-inet types, add IETF attribution, add RADIUS
counters, changed password leaf names to indicate hashed";
reference "0.2.0";
}
revision "2017-01-29" {
description
"Initial public release";
reference "0.1.0";
}
// identity statements
// (none defined in this module; the AAA identities referenced below come
// from openconfig-aaa-types)
// grouping statements
grouping aaa-servergroup-common-config {
description
"Configuration data for AAA server groups";
leaf name {
type string;
description
"Name for the server group";
}
leaf type {
// Restricts every server in the group to one protocol; the "when"
// conditions in aaa-server-top key off this leaf.
type identityref {
base oc-aaa-types:AAA_SERVER_TYPE;
}
description
"AAA server type -- all servers in the group must be of this
type";
}
}
grouping aaa-servergroup-common-state {
description
"Operational state data for AAA server groups";
//TODO: add list of group members as opstate
}
grouping aaa-servergroup-common-top {
description
"Top-level grouping for AAA server groups";
container server-groups {
description
"Enclosing container for AAA server groups";
list server-group {
key "name";
description
"List of AAA server groups. All servers in a group
must have the same type as indicated by the server
type.";
leaf name {
type leafref {
path "../config/name";
}
description
"Reference to configured name of the server group";
}
container config {
description
"Configuration data for each server group";
uses aaa-servergroup-common-config;
}
container state {
config false;
description
"Operational state data for each server group";
// The config grouping is reused here, so every config leaf is also
// exposed as a read-only state leaf. This config/state pattern
// repeats for every container in this module.
uses aaa-servergroup-common-config;
uses aaa-servergroup-common-state;
}
uses aaa-server-top;
}
}
}
grouping aaa-server-config {
description
"Common configuration data for AAA servers";
leaf name {
type string;
description
"Name assigned to the server";
}
leaf address {
// Also the list key in aaa-server-top, so one entry per address.
type oc-inet:ip-address;
description "Address of the authentication server";
}
leaf timeout {
// NOTE(review): no range statement; whether 0 is accepted, and what
// it means, is not defined by this module.
type uint16;
units seconds;
description
"Set the timeout in seconds on responses from the AAA
server";
}
}
grouping aaa-server-state {
description
"Common operational state data for AAA servers";
leaf connection-opens {
type oc-yang:counter64;
description
"Number of new connection requests sent to the server, e.g.
socket open";
}
leaf connection-closes {
type oc-yang:counter64;
description
"Number of connection close requests sent to the server, e.g.
socket close";
}
leaf connection-aborts {
type oc-yang:counter64;
description
"Number of aborted connections to the server. These do
not include connections that are close gracefully.";
}
leaf connection-failures {
type oc-yang:counter64;
description
"Number of connection failures to the server";
}
leaf connection-timeouts {
type oc-yang:counter64;
description
"Number of connection timeouts to the server";
}
leaf messages-sent {
type oc-yang:counter64;
description
"Number of messages sent to the server";
}
leaf messages-received {
// NOTE(review): this description says "received by the server" while
// errors-received below says "received from the server"; presumably
// both count messages arriving at this device from the server --
// confirm with the implementation before using it as a baseline.
type oc-yang:counter64;
description
"Number of messages received by the server";
}
leaf errors-received {
type oc-yang:counter64;
description
"Number of error messages received from the server";
}
}
grouping aaa-server-top {
description
"Top-level grouping for list of AAA servers";
container servers {
description
"Enclosing container the list of servers";
list server {
key "address";
description
"List of AAA servers";
leaf address {
type leafref {
path "../config/address";
}
description
"Reference to the configured address of the AAA server";
}
container config {
description
"Configuration data ";
uses aaa-server-config;
}
container state {
config false;
description
"Operational state data ";
uses aaa-server-config;
uses aaa-server-state;
}
// The protocol-specific server nodes are only present when the
// enclosing server-group's configured type matches. "../../" climbs
// from this list entry, through "servers", to the server-group entry
// (this grouping is used inside list server-group above).
uses aaa-tacacs-server-top {
when "../../config/type = 'oc-aaa-types:TACACS'";
}
uses aaa-radius-server-top {
when "../../config/type = 'oc-aaa-types:RADIUS'";
}
}
}
}
grouping aaa-admin-config {
description
"Configuration data for the system built-in
administrator / root user account";
leaf admin-password {
// NOTE(review): this grouping is also reused under the read-only
// state container in aaa-authentication-admin-top. Because the leaf
// carries openconfig-hashed-value, the value returned in state should
// be the stored hash, never the cleartext that was supplied.
type string;
oc-ext:openconfig-hashed-value;
description
"The admin/root password, supplied as a cleartext string.
The system should hash and only store the password as a
hashed value.";
}
leaf admin-password-hashed {
// The accepted hash notation is defined by crypt-password-type in
// openconfig-aaa-types, not here. admin-password and
// admin-password-hashed are independent leaves (no "choice"), so the
// module does not say which one wins if both are set.
type oc-aaa-types:crypt-password-type;
description
"The admin/root password, supplied as a hashed value
using the notation described in the definition of the
crypt-password-type.";
}
}
grouping aaa-admin-state {
description
"Operational state data for the root user";
leaf admin-username {
type string;
description
"Name of the administrator user account, e.g., admin, root,
etc.";
}
}
grouping aaa-authentication-admin-top {
description
"Top-level grouping for root user configuration and state
data";
container admin-user {
description
"Top-level container for the system root or admin user
configuration and operational state";
container config {
description
"Configuration data for the root user account";
uses aaa-admin-config;
}
container state {
config false;
description
"Operational state data for the root user account";
// Reuses the config grouping: admin-password appears under state as
// well; see the note on that leaf about returning only hashed values.
uses aaa-admin-config;
uses aaa-admin-state;
}
}
}
grouping aaa-authentication-user-config {
description
"Configuration data for local users";
leaf username {
type string;
description
"Assigned username for this user";
}
leaf password {
// Same hashed-value handling as admin-password: this grouping is
// reused under the read-only state container in
// aaa-authentication-user-top, so only the hashed form should be
// returned there.
type string;
oc-ext:openconfig-hashed-value;
description
"The user password, supplied as cleartext. The system
must hash the value and only store the hashed value.";
}
leaf password-hashed {
// Hash notation defined by crypt-password-type in openconfig-aaa-types.
// Independent of the password leaf above (no "choice"); precedence
// when both are set is not specified by this module.
type oc-aaa-types:crypt-password-type;
description
"The user password, supplied as a hashed value
using the notation described in the definition of the
crypt-password-type.";
}
leaf ssh-key {
// NOTE(review): plain string with no pattern or length constraint, so
// validation of the key encoding is left entirely to the
// implementation. DSA keys are widely disabled by default in current
// SSH implementations; treat that option as legacy.
type string;
description
"SSH public key for the user (RSA or DSA)";
}
leaf role {
// NOTE(review): the string branch of the union accepts any value; how
// an unknown role name is treated is not defined by this module.
type union {
type string;
type identityref {
base oc-aaa-types:SYSTEM_DEFINED_ROLES;
}
}
description
"Role assigned to the user. The role may be supplied
as a string or a role defined by the SYSTEM_DEFINED_ROLES
identity.";
}
}
grouping aaa-authentication-user-state {
description
"Operational state data for local users";
}
grouping aaa-authentication-user-top {
description
"Top-level grouping for local users";
container users {
description
"Enclosing container list of local users";
list user {
key "username";
description
"List of local users on the system";
leaf username {
type leafref {
path "../config/username";
}
description
"References the configured username for the user";
}
container config {
description
"Configuration data for local users";
uses aaa-authentication-user-config;
}
container state {
config false;
description
"Operational state data for local users";
uses aaa-authentication-user-config;
uses aaa-authentication-user-state;
}
}
}
}
grouping aaa-accounting-methods-common {
description
"Common definitions for accounting methods";
leaf-list accounting-method {
// NOTE(review): the string branch is meant to name a server group, but
// the schema cannot check that such a group exists (see the TODO
// below); that check has to happen in the implementation.
type union {
type identityref {
base oc-aaa-types:AAA_METHOD_TYPE;
}
type string;
//TODO: in YANG 1.1 this should be converted to a leafref to
//point to the server group name.
}
ordered-by user;
description
"An ordered list of methods used for AAA accounting for this
event type. The method is defined by the destination for
accounting data, which may be specified as the group of
all TACACS+/RADIUS servers, a defined server group, or
the local system.";
}
}
grouping aaa-accounting-events-config {
description
"Configuration data for AAA accounting events";
leaf event-type {
type identityref {
base oc-aaa-types:AAA_ACCOUNTING_EVENT_TYPE;
}
description
"The type of activity to record at the AAA accounting
server";
}
leaf record {
type enumeration {
enum START_STOP {
description
"Send START record to the accounting server at the
beginning of the activity, and STOP record at the
end of the activity.";
}
enum STOP {
description
"Send STOP record to the accounting server when the
user activity completes";
}
}
description
"Type of record to send to the accounting server for this
activity type";
}
}
grouping aaa-accounting-events-state {
description
"Operational state data for accounting events";
}
grouping aaa-accounting-events-top {
description
"Top-level grouping for accounting events";
container events {
description
"Enclosing container for defining handling of events
for accounting";
list event {
key "event-type";
description
"List of events subject to accounting";
leaf event-type {
type leafref {
path "../config/event-type";
}
description
"Reference to the event-type being logged at the
accounting server";
}
container config {
description
"Configuration data for accounting events";
uses aaa-accounting-events-config;
}
container state {
config false;
description
"Operational state data for accounting events";
uses aaa-accounting-events-config;
uses aaa-accounting-events-state;
}
}
}
}
grouping aaa-accounting-config {
description
"Configuration data for event accounting";
uses aaa-accounting-methods-common;
}
grouping aaa-accounting-state {
description
"Operational state data for event accounting services";
}
grouping aaa-accounting-top {
description
"Top-level grouping for user activity accounting";
container accounting {
description
"Top-level container for AAA accounting";
container config {
description
"Configuration data for user activity accounting.";
uses aaa-accounting-config;
}
container state {
config false;
description
"Operational state data for user accounting.";
uses aaa-accounting-config;
uses aaa-accounting-state;
}
uses aaa-accounting-events-top;
}
}
grouping aaa-authorization-methods-config {
description
"Common definitions for authorization methods for global
and per-event type";
leaf-list authorization-method {
// NOTE(review): as with accounting-method, the string branch cannot be
// validated by the schema; the description below makes the existence
// check of the named server group an implementation requirement.
type union {
type identityref {
base oc-aaa-types:AAA_METHOD_TYPE;
}
type string;
}
ordered-by user;
description
"Ordered list of methods for authorizing commands. The first
method that provides a response (positive or negative) should
be used. The list may contain a well-defined method such
as the set of all TACACS or RADIUS servers, or the name of
a defined AAA server group. The system must validate
that the named server group exists.";
}
}
grouping aaa-authorization-events-config {
description
"Configuration data for AAA authorization events";
leaf event-type {
type identityref {
base oc-aaa-types:AAA_AUTHORIZATION_EVENT_TYPE;
}
description
"The type of event to record at the AAA authorization
server";
}
}
grouping aaa-authorization-events-state {
description
"Operational state data for AAA authorization events";
}
grouping aaa-authorization-events-top {
description
"Top-level grouping for authorization events";
container events {
description
"Enclosing container for the set of events subject
to authorization";
list event {
key "event-type";
description
"List of events subject to AAA authorization";
leaf event-type {
type leafref {
path "../config/event-type";
}
description
"Reference to the event-type list key";
}
container config {
description
"Configuration data for each authorized event";
uses aaa-authorization-events-config;
}
container state {
config false;
description
"Operational state data for each authorized activity";
uses aaa-authorization-events-config;
uses aaa-authorization-events-state;
}
}
}
}
grouping aaa-authorization-config {
description
"Configuration data for AAA authorization";
uses aaa-authorization-methods-config;
}
grouping aaa-authorization-state {
description
"Operational state data for AAA authorization";
}
grouping aaa-authorization-top {
description
"Top-level grouping for AAA authorization";
container authorization {
description
"Top-level container for AAA authorization configuration
and operational state data";
container config {
description
"Configuration data for authorization based on AAA
methods";
uses aaa-authorization-config;
}
container state {
config false;
description
"Operational state data for authorization based on AAA";
uses aaa-authorization-config;
uses aaa-authorization-state;
}
uses aaa-authorization-events-top;
}
}
grouping aaa-authentication-config {
description
"Configuration data for global authentication";
leaf-list authentication-method {
// NOTE(review): the string branch is not validated by the schema (see
// the TODO below). Presumably the same "named server group must exist"
// requirement stated for authorization-method applies here -- confirm.
// Per the description, order matters: a method that does not answer
// falls through to the next one, and exhausting the list denies access.
type union {
type identityref {
base oc-aaa-types:AAA_METHOD_TYPE;
}
type string;
//TODO: string should be a leafref to a defined
//server group. this will be possible in YANG 1.1
//type leafref {
//path "/aaa/server-groups/server-group/config/name";
//}
}
ordered-by user;
description
"Ordered list of authentication methods for users. This
can be either a reference to a server group, or a well-
defined designation in the AAA_METHOD_TYPE identity. If
authentication fails with one method, the next defined
method is tried -- failure of all methods results in the
user being denied access.";
}
}
grouping aaa-authentication-state {
description
"Operational state data for global authentication";
}
grouping aaa-authentication-top {
description
"Top-level grouping for top-level authentication";
container authentication {
description
"Top-level container for global authentication data";
container config {
description
"Configuration data for global authentication services";
uses aaa-authentication-config;
}
container state {
config false;
description
"Operational state data for global authentication
services";
uses aaa-authentication-config;
uses aaa-authentication-state;
}
uses aaa-authentication-admin-top;
uses aaa-authentication-user-top;
}
}
grouping aaa-config {
description
"Configuration data for top level AAA";
}
grouping aaa-state {
description
"Operational state data for top level AAA";
}
grouping aaa-top {
description
"Top-level grouping for AAA services";
container aaa {
description
"Top-level container for AAA services";
container config {
description
"Configuration data for top level AAA services";
uses aaa-config;
}
container state {
config false;
description
"Operational state data for top level AAA services ";
uses aaa-config;
uses aaa-state;
}
uses aaa-authentication-top;
uses aaa-authorization-top;
uses aaa-accounting-top;
uses aaa-servergroup-common-top;
}
}
// data definition statements
// (none here: this module only defines groupings. The "aaa" container is
// instantiated by whichever module "uses aaa-top" -- presumably the
// OpenConfig system model; confirm in the consuming module.)
}