From 063f5a7a249f3f0566f695f220628556572d3156 Mon Sep 17 00:00:00 2001 From: Wen Bo Li <50884368+wenovus@users.noreply.github.com> Date: Mon, 4 Mar 2024 13:52:49 -0500 Subject: [PATCH] Add gNSI models (#1037) * Add gNSI models --------- Co-authored-by: Darren Loher --- release/models/gnsi/.spec.yml | 10 + .../models/gnsi/openconfig-gnsi-acctz.yang | 245 +++++++++++++ .../models/gnsi/openconfig-gnsi-authz.yang | 212 +++++++++++ .../models/gnsi/openconfig-gnsi-certz.yang | 209 +++++++++++ .../gnsi/openconfig-gnsi-credentialz.yang | 302 ++++++++++++++++ .../models/gnsi/openconfig-gnsi-pathz.yang | 331 ++++++++++++++++++ release/models/gnsi/openconfig-gnsi.yang | 40 +++ release/models/system/.spec.yml | 5 + 8 files changed, 1354 insertions(+) create mode 100644 release/models/gnsi/.spec.yml create mode 100644 release/models/gnsi/openconfig-gnsi-acctz.yang create mode 100644 release/models/gnsi/openconfig-gnsi-authz.yang create mode 100644 release/models/gnsi/openconfig-gnsi-certz.yang create mode 100644 release/models/gnsi/openconfig-gnsi-credentialz.yang create mode 100644 release/models/gnsi/openconfig-gnsi-pathz.yang create mode 100644 release/models/gnsi/openconfig-gnsi.yang diff --git a/release/models/gnsi/.spec.yml b/release/models/gnsi/.spec.yml new file mode 100644 index 000000000..d8c79b235 --- /dev/null +++ b/release/models/gnsi/.spec.yml @@ -0,0 +1,10 @@ +- name: openconfig-system-gnsi + build: + - yang/system/openconfig-system.yang + - yang/gnsi/openconfig-gnsi.yang + - yang/gnsi/openconfig-gnsi-acctz.yang + - yang/gnsi/openconfig-gnsi-authz.yang + - yang/gnsi/openconfig-gnsi-certz.yang + - yang/gnsi/openconfig-gnsi-credentialz.yang + - yang/gnsi/openconfig-gnsi-pathz.yang + run-ci: true diff --git a/release/models/gnsi/openconfig-gnsi-acctz.yang b/release/models/gnsi/openconfig-gnsi-acctz.yang new file mode 100644 index 000000000..d95ccccfb --- /dev/null +++ b/release/models/gnsi/openconfig-gnsi-acctz.yang @@ -0,0 +1,245 @@ +module openconfig-gnsi-acctz { + yang-version 1; + namespace "https://github.com/openconfig/yang/gnsi/acctz"; + prefix oc-gnsi-acctz; + + import openconfig-extensions { prefix oc-ext; } + import openconfig-system { + prefix oc-sys; + } + import openconfig-system-grpc { + prefix oc-sys-grpc; + } + import openconfig-types { + prefix oc-types; + } + import openconfig-yang-types { + prefix oc-yang; + } + import openconfig-gnsi { + prefix oc-gnsi; + } + organization + "OpenConfig Working Group"; + + contact + "OpenConfig working group + netopenconfig@googlegroups.com"; + + description + "This module provides counters of gNSI accountZ requests and responses and + the quantity of data transferred."; + + oc-ext:openconfig-version "0.2.0"; + + revision 2024-02-13 { + description + "Major style updates and move to openconfig/public from openconfig/gnsi. + Last commit at + https://github.com/openconfig/gnsi/commit/347935aac66135d5649dadb9583ed0914578aab0"; + reference "0.2.0"; + } + + revision 2023-12-01 { + description + "Initial revision."; + reference "0.1.0"; + } + + typedef cmd-service { + description "enum CommandService.CmdServiceType"; + type enumeration { + enum UNSPECIFIED { + value 0; + } + enum SHELL { + value 1; + } + enum CLI { + value 2; + } + enum WEBUI { + value 3; + } + enum RESTCONF { + value 4; + } + enum NETCONF { + value 5; + } + } + } + typedef grpc-service { + description "enum GrpcService.GrpcServiceType"; + type enumeration { + enum UNSPECIFIED { + value 0; + } + enum GNMI { + value 1; + } + enum GNOI { + value 2; + } + enum GNSI { + value 3; + } + enum GRIBI { + value 4; + } + enum P4RT { + value 5; + } + } + } + typedef service-request { + description "enum RecordResponse.service_request"; + type enumeration { + enum CMD_SERVICE { + value 4; + } + enum GRPC_SERVICE { + value 5; + } + } + } + typedef service-type { + description "enum cmd or grpc service type"; + type union { + type cmd-service; + type grpc-service; + } + } + + // gnsi.acctz client statistics + grouping client-counters { + description + "A collection of counters that were collected by the gNSI.acctz + module while servicing acctz clients."; + + container client-counters { + description + "A collection of counters that were collected by the gNSI.acctz + module while servicing acctz clients."; + leaf history-istruncated { + type oc-yang:counter64; + description + "The total number of times that a RecordRequest resulted in + a RecordResponse being marked history-istruncated. ie: a + request was made for a timestamp that did not exist in the + history."; + } + leaf idle-timeouts { + type oc-yang:counter64; + description + "The total number of times that a client was disconnected + due to missing keepalives (ie: RecordRequests)."; + } + leaf record-requests { + type oc-yang:counter64; + description + "The total number of RecordRequest RPCs that have been received."; + } + leaf record-responses { + type oc-yang:counter64; + description + "The total number of RecordResponse RPCs that have been sent."; + } + } + } + + // gnsi.acctz producer statistics + grouping source-counters { + description + "A collection of counters for gNSI.acctz record production per + service request type."; + + container source-counters { + description + "A collection of counters for gNSI.acctz record production per + service request type."; + list source-records { + key "service type"; + // unique "service type"; + description + "The total number of times the gNSI.authz module denied access + to a RPC."; + + leaf service { + type leafref { + path "../state/service"; + } + description + "service request type for the gNSI.acctz record."; + } + leaf type { + type leafref { + path "../state/type"; + } + description + "service request application enum for the gNSI.acctz record."; + } + + container state { + description + "Operational state for gNSI.acctz counters of record production per + service request type."; + leaf service { + type service-request; + description + "service request type for the gNSI.acctz record."; + } + leaf type { + type service-type; + description + "service request application enum for the gNSI.acctz record."; + } + leaf records { + type oc-yang:counter64; + description + "The total number of records produced for the service-request + type."; + } + } + } + } + } + + grouping grpc-server-acctz-counters { + description + "A collection of counters from the gNSI.acctz module."; + + container acctz-counters { + config false; + description + "A collection of counters from the gNSI.acctz module + for acctz clients and sources."; + + container state { + description + "Operational state relating to acctz-counters."; + + leaf counters-last-cleared { + type oc-types:timeticks64; + description + "The last time that the counters were cleared (reset to + zero). This value is reported as nanoseconds since epoch + (January 1st, 1970 00:00:00 GMT)."; + } + + uses client-counters; + } + + uses source-counters; + } + } + + // Augments section. + augment "/oc-sys:system/oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" { + when "config[contains(services, 'oc-gnsi:GNSI')]/enable = 'true'"; + description + "Counters collected by the gNSI.acctz module."; + + uses grpc-server-acctz-counters; + } +} diff --git a/release/models/gnsi/openconfig-gnsi-authz.yang b/release/models/gnsi/openconfig-gnsi-authz.yang new file mode 100644 index 000000000..870fcac2b --- /dev/null +++ b/release/models/gnsi/openconfig-gnsi-authz.yang @@ -0,0 +1,212 @@ +module openconfig-gnsi-authz { + yang-version 1; + namespace "https://github.com/openconfig/yang/gnsi/authz"; + prefix oc-gnsi-authz; + + import openconfig-extensions { prefix oc-ext; } + import openconfig-system { + prefix oc-sys; + } + import openconfig-system-grpc { + prefix oc-sys-grpc; + } + import openconfig-types { + prefix oc-types; + } + import openconfig-yang-types { + prefix oc-yang; + } + import openconfig-gnsi { + prefix oc-gnsi; + } + organization + "OpenConfig Working Group"; + + contact + "OpenConfig working group + netopenconfig@googlegroups.com"; + + description + "This module provides a data model for the metadata of the gRPC + authorization policies installed on a networking device."; + + oc-ext:openconfig-version "0.4.0"; + + revision 2024-02-13 { + description + "Major style updates and move to openconfig/public from openconfig/gnsi. + Last commit at + https://github.com/openconfig/gnsi/commit/347935aac66135d5649dadb9583ed0914578aab0"; + reference "0.4.0"; + } + + revision 2022-10-30 { + description + "Adds success/failure counters."; + reference "0.3.0"; + } + + revision 2022-08-01 { + description + "Single authz policy."; + reference "0.2.0"; + } + + revision 2022-01-17 { + description + "Initial revision."; + reference "0.1.0"; + } + + typedef version { + type string; + description + "The version ID of the gRPC authorization policy as provided by + the gRPC Authorization Policy Manager when the policy was pushed. + This leaf persists through a reboot."; + } + + typedef created-on { + type oc-types:timeticks64; + description + "The creation time of the gRPC authorization policy as reported by + the gRPC Authorization Policy manager when the policy was pushed + to the device. This value is reported as nanoseconds since epoch + (January 1st, 1970 00:00:00 GMT). This leaf persists through + a reboot."; + } + + // gRPC server authorization policy related definitions. + grouping counters { + description + "A collection of counters that were collected by the gNSI.authz + module while evaluating access to a RPC."; + + leaf access-rejects { + type oc-yang:counter64; + description + "The total number of times the gNSI.authz module denied access + to a RPC."; + } + leaf last-access-reject { + type oc-types:timeticks64; + description + "A timestamp of the last time the gNSI.authz denied access to + a RPC."; + } + leaf access-accepts { + type oc-yang:counter64; + description + "The total number of times the gNSI.authz module allowed access + to a RPC."; + } + leaf last-access-accept { + type oc-types:timeticks64; + description + "A timestamp of the last time the gNSI.authz allowed access to + a RPC."; + } + } + + grouping grpc-server-user-authz-policy-success-failure-counters { + description + "A collection of counters collected by the gNSI.authz module."; + + container rpcs { + description + "A collection of counters collected by the gNSI.authz module + for each RPC separately."; + + list rpc { + description + "A collection of counters collected by the gNSI.authz module + for a RPC identified by the `name`."; + + key "name"; + leaf name { + type leafref { + path "../state/name"; + } + description + "The name of the RPC the counters were collected for. + + The name MUST match the HTTP/2 Path header value in + https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md#requests + + For example, + /gnmi.gNMI/Subscribe + /gnoi.healthz.Healthz/Get + "; + } + container state { + description + "operational state for authz policy success/failure counters."; + leaf name { + type string; + description + "The name of the RPC the counters were collected for. + + The name MUST match the HTTP/2 Path header value in + https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md#requests + + For example, + /gnmi.gNMI/Subscribe + /gnoi.healthz.Healthz/Get + "; + } + uses counters; + } + } + } + } + + grouping grpc-server-authz-policy-success-failure-counters { + description + "A collection of counters collected by the gNSI.authz module."; + + container authz-policy-counters { + description + "A collection of counters collected by the gNSI.authz module."; + config false; + + uses grpc-server-user-authz-policy-success-failure-counters; + } + } + + grouping grpc-server-authz-policy-state { + description + "gNMI server's gRPC authorization policy freshness-related data."; + + leaf grpc-authz-policy-version { + type version; + description + "The version of the gRPC authorization policy that is used by + this system."; + } + leaf grpc-authz-policy-created-on { + type created-on; + description + "The timestamp of the moment when the gRPC authorization policy + that is currently used by this system was created."; + } + } + + // Augments section. + + augment "/oc-sys:system/oc-sys:aaa/oc-sys:authorization/" + + "oc-sys:state" { + description + "A system's gRPC authorization policy freshness information."; + + uses grpc-server-authz-policy-state; + } + + augment "/oc-sys:system/oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" { + when "config[contains(services, 'oc-gnsi:GNSI')]/enable = 'true'"; + description + "Counters collected while evaluating access to a gRPC server using + the gNSI.authz authorization policy."; + + uses grpc-server-authz-policy-success-failure-counters; + } +} diff --git a/release/models/gnsi/openconfig-gnsi-certz.yang b/release/models/gnsi/openconfig-gnsi-certz.yang new file mode 100644 index 000000000..9b5e9a1ca --- /dev/null +++ b/release/models/gnsi/openconfig-gnsi-certz.yang @@ -0,0 +1,209 @@ +module openconfig-gnsi-certz { + yang-version 1; + namespace "https://github.com/openconfig/yang/gnsi/certz"; + prefix oc-gnsi-certz; + + import openconfig-extensions { prefix oc-ext; } + import openconfig-system { + prefix oc-sys; + } + import openconfig-system-grpc { + prefix oc-sys-grpc; + } + import openconfig-types { + prefix oc-types; + } + import openconfig-yang-types { + prefix oc-yang; + } + import openconfig-gnsi { + prefix oc-gnsi; + } + organization + "OpenConfig Working Group"; + + contact + "OpenConfig working group + netopenconfig@googlegroups.com"; + + description + "This module provides a data model for the metadata of gRPC credentials + installed on a networking device."; + + oc-ext:openconfig-version "0.5.0"; + + revision 2024-02-13 { + description + "Major style updates and move to openconfig/public from openconfig/gnsi. + Last commit at + https://github.com/openconfig/gnsi/commit/347935aac66135d5649dadb9583ed0914578aab0"; + reference "0.5.0"; + } + + revision 2023-08-24 { + description + "Adds ssl-profile-id leaf"; + reference "0.4.0"; + } + + revision 2023-05-10 { + description + "Adds authentication policy freshness information."; + reference "0.3.0"; + } + + revision 2022-10-30 { + description + "Adds success/failure counters."; + reference "0.2.0"; + } + + revision 2022-09-20 { + description + "Initial revision."; + reference "0.1.0"; + } + + typedef version { + type string; + description + "The version ID of the credential as provided by the credential + manager when the credential was pushed. This leaf persists through + a reboot."; + } + + typedef created-on { + type oc-types:timeticks64; + description + "The creation time of the credential as reported by the credential + manager when the credential was pushed to the device. This value is + reported as nanoseconds since epoch (January 1st, 1970 00:00:00 GMT). + This leaf persists through a reboot."; + } + // gRPC server related definitions. + // Success/failure counters. + grouping grpc-server-certz-counters { + description + "A collection of counters that were collected while evaluating + access to the gRPC server."; + + container certz-counters { + config false; + description + "A collection of counters that were collected by the gRPC during + the authentication process."; + + leaf access-rejects { + type oc-yang:counter64; + description + "The total number of times a TLS handshake failure has occurred and + the gRPC server denied access a client."; + } + leaf last-access-reject { + type oc-types:timeticks64; + description + "A timestamp of the last time the gRPC denied access to + the server."; + } + leaf access-accepts { + type oc-yang:counter64; + description + "The total number of times a successful TLS handshake is completed + and the gPRC server allows access to a client."; + } + leaf last-access-accept { + type oc-types:timeticks64; + description + "A timestamp of the last time the gRPC allowed access to + the server."; + } + } + } + + // TODO(earies): move to a system-wide subtree: + // https://github.com/openconfig/public/issues/1049 + grouping grpc-server-credentials-state { + description + "gRPC server credentials freshness-related data."; + + leaf certificate-version { + type version; + description + "The version of the certificate (and associated + private key) that is used by this gRPC server."; + } + leaf certificate-created-on { + type created-on; + description + "The timestamp of the moment when the certificate + (and associated private key) that is currently used + by this gRPC server was created."; + } + leaf ca-trust-bundle-version { + type version; + description + "The version of the bundle of the Certificate + Authority certificates a.k.a. trust bundle used by + this gRPC server."; + } + leaf ca-trust-bundle-created-on { + type created-on; + description + "The timestamp of the moment when the bundle of + the Certificate Authority certificates (a.k.a. + trust bundle) was created."; + } + leaf certificate-revocation-list-bundle-version { + type version; + description + "The version of the Certificate Revocation List bundle used by + this gRPC server."; + } + leaf certificate-revocation-list-bundle-created-on { + type created-on; + description + "The timestamp of the moment when the Certificate Revocation + List bundle was created."; + } + leaf authentication-policy-version { + type version; + description + "The version of the authentication policy that is used by + this gRPC server."; + } + leaf authentication-policy-created-on { + type created-on; + description + "The timestamp of the moment when the authentication policy + that is currently used by this gRPC server was created."; + } + // TODO(earies): Consider aligning this with grpc-server key after moving + // to a system-wide subtree: + // https://github.com/openconfig/public/issues/1050 + leaf ssl-profile-id { + type string; + description + "The ID of this gRPC server's SSL profile + as used by the gNSI Certz service"; + } + } + + // Augments section. + + augment "/oc-sys:system/oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server/" + + "oc-sys-grpc:state" { + when "../config[contains(services, 'oc-gnsi:GNSI')]/enable = 'true'"; + description + "A gRPC server credentials freshness information."; + + uses grpc-server-credentials-state; + } + + augment "/oc-sys:system/oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server/" + + "oc-sys-grpc:state" { + when "../config[contains(services, 'oc-gnsi:GNSI')]/enable = 'true'"; + uses grpc-server-certz-counters; + description + "gNSI certz server access counters."; + } +} diff --git a/release/models/gnsi/openconfig-gnsi-credentialz.yang b/release/models/gnsi/openconfig-gnsi-credentialz.yang new file mode 100644 index 000000000..0e4392a7a --- /dev/null +++ b/release/models/gnsi/openconfig-gnsi-credentialz.yang @@ -0,0 +1,302 @@ +module openconfig-gnsi-credentialz { + yang-version 1; + namespace "https://github.com/openconfig/yang/gnsi/credentialz"; + prefix oc-gnsi-credz; + + import openconfig-extensions { prefix oc-ext; } + import openconfig-system { + prefix oc-sys; + } + import openconfig-types { + prefix oc-types; + } + import openconfig-yang-types { + prefix oc-yang; + } + import openconfig-system-grpc { + prefix oc-sys-grpc; + } + import openconfig-gnsi { + prefix oc-gnsi; + } + organization + "OpenConfig Working Group"; + + contact + "OpenConfig working group + netopenconfig@googlegroups.com"; + + description + "This module provides a data model for the metadata of SSH and console + credentials installed on a networking device. + + The following leaves MUST be treated as invalid when the gNSI server is + enabled and credentialz is supported by the implementation: + /system/aaa/authentication/users/user/config/ssh-key + /system/aaa/authentication/users/user/state/ssh-key + /system/aaa/authentication/users/user/config/password + /system/aaa/authentication/users/user/state/password + /system/aaa/authentication/users/user/config/password-hashed + /system/aaa/authentication/users/user/state/password-hashed"; + + oc-ext:openconfig-version "0.6.0"; + + revision 2024-02-13 { + description + "Major style updates and move to openconfig/public from openconfig/gnsi. + Last commit at + https://github.com/openconfig/gnsi/commit/347935aac66135d5649dadb9583ed0914578aab0"; + reference "0.6.0"; + } + + revision 2024-01-05 { + description + "Fix typo in YANG leaves"; + reference "0.5.0"; + } + + revision 2023-10-03 { + description + "Added state leaves for admin-user"; + reference "0.4.0"; + } + + revision 2023-08-18 { + description + "Fixed the canonical order of config field."; + reference "0.3.0"; + } + + revision 2022-10-30 { + description + "Adds success/failure counters."; + reference "0.2.0"; + } + + revision 2022-08-22 { + description + "Initial revision."; + reference "0.1.0"; + } + + typedef version { + type string; + description + "The version ID of the credential as provided by the credential + manager when the credential was pushed. This leaf persists through + a reboot."; + } + + typedef created-on { + type oc-types:timeticks64; + description + "The creation time of the credential as reported by the credential + manager when the credential was pushed to the device. This value is + reported as nanoseconds since epoch (January 1st, 1970 00:00:00 GMT). + This leaf persists through a reboot."; + } + + // SSH server related definitions. + + grouping ssh-server-credentials-version { + description + "SSH server credentials freshness-related data."; + + leaf active-trusted-user-ca-keys-version { + type version; + description + "The version of the Certificate Authority keys."; + } + + leaf active-trusted-user-ca-keys-created-on { + type created-on; + description + "The timestamp of the moment when the trusted user CA keys + were created."; + } + + leaf active-host-certificate-version { + type version; + description + "The version of the host certificate."; + } + + leaf active-host-certificate-created-on { + type created-on; + description + "The timestamp of the moment when the host certificate + was created."; + } + + leaf active-host-key-version { + type version; + description + "The version of the host public key."; + } + + leaf active-host-key-created-on { + type created-on; + description + "The timestamp of the moment when the host key was + created."; + } + } + + // Success/failure counters. + grouping counters { + description + "A collection of counters that were collected while evaluating + access to the target."; + + container counters { + config false; + description + "A collection of counters collected while authorizing users + accessing the target."; + leaf access-rejects { + type oc-yang:counter64; + description + "The total number of times access to the target has been + denied."; + } + leaf last-access-reject { + type oc-types:timeticks64; + description + "A timestamp of the last time access to the target has been + denied."; + } + leaf access-accepts { + type oc-yang:counter64; + description + "The total number of times access to the target has been + allowed."; + } + leaf last-access-accept { + type oc-types:timeticks64; + description + "A timestamp of the last time access to the target has been + allowed."; + } + } + } + // System role SSH related definitions. + + grouping user-ssh-credentials-version { + description + "System role credentials freshness-related data."; + + leaf authorized-principals-list-version { + type version; + description + "The version of the list of authorized principals currently + associated with this system role."; + } + + leaf authorized-principals-list-created-on { + type created-on; + description + "The timestamp of the moment the currently used list of + authorized principals has been created."; + } + + leaf authorized-keys-list-version { + type version; + description + "The version of the list of authorized keys that is currently + associated with this system role."; + } + + leaf authorized-keys-list-created-on { + type created-on; + description + "The timestamp of the moment the currently used list of + authorized keys has been created."; + } + } + + grouping console-config-state { + description + "Console-related configuration and state."; + container console { + description + "Console-related configuration and state."; + + container config { + description + "Console-related configuration."; + } + + container state { + config false; + description + "Console-related state."; + + uses counters; + } + } + } + // System role console related definitions. + + grouping user-console-credentials-version { + description + "System role credentials freshness-related data."; + + leaf password-version { + type version; + description + "The version of the password that is currently used to + authenticate this user account."; + } + + leaf password-created-on { + type created-on; + description + "The timestamp of the moment the currently used password has + been created."; + } + } + + // Augments section. + + augment "/oc-sys:system" { + when "oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" + + "/oc-sys-grpc:config[contains(oc-sys-grpc:services, 'oc-gnsi:GNSI')]" + + "/oc-sys-grpc:enable = 'true'"; + description + "Console credentials freshness data."; + + uses console-config-state; + } + augment "/oc-sys:system/oc-sys:ssh-server/oc-sys:state" { + when "../../oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" + + "/oc-sys-grpc:config[contains(oc-sys-grpc:services, 'oc-gnsi:GNSI')]" + + "/oc-sys-grpc:enable = 'true'"; + description + "SSH server credentials freshness data."; + + uses ssh-server-credentials-version; + uses counters; + } + augment "/oc-sys:system/oc-sys:aaa/oc-sys:authentication/oc-sys:users/" + + "oc-sys:user/oc-sys:state" { + when "../../../../../oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" + + "/oc-sys-grpc:config[contains(oc-sys-grpc:services, 'oc-gnsi:GNSI')]" + + "/oc-sys-grpc:enable = 'true'"; + description + "A system role credentials freshness information."; + + uses user-console-credentials-version; + uses user-ssh-credentials-version; + } + augment "/oc-sys:system/oc-sys:aaa/oc-sys:authentication/oc-sys:admin-user/" + + "oc-sys:state" { + when "../../../../oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" + + "/oc-sys-grpc:config[contains(oc-sys-grpc:services, 'oc-gnsi:GNSI')]" + + "/oc-sys-grpc:enable = 'true'"; + description + "A system role credentials freshness information."; + + uses user-console-credentials-version; + uses user-ssh-credentials-version; + } +} diff --git a/release/models/gnsi/openconfig-gnsi-pathz.yang b/release/models/gnsi/openconfig-gnsi-pathz.yang new file mode 100644 index 000000000..962ea79c4 --- /dev/null +++ b/release/models/gnsi/openconfig-gnsi-pathz.yang @@ -0,0 +1,331 @@ +module openconfig-gnsi-pathz { + yang-version 1; + namespace "https://github.com/openconfig/yang/gnsi/pathz"; + prefix oc-gnsi-pathz; + + import openconfig-extensions { prefix oc-ext; } + import openconfig-system { + prefix oc-sys; + } + import openconfig-system-grpc { + prefix oc-sys-grpc; + } + import openconfig-types { + prefix oc-types; + } + import openconfig-yang-types { + prefix oc-yang; + } + import openconfig-gnsi { + prefix oc-gnsi; + } + + organization + "OpenConfig Working Group"; + + contact + "OpenConfig working group + netopenconfig@googlegroups.com"; + + description + "This module provides a data model for the metadata of + OpenConfig-path-based authorization policies installed on a networking + device."; + + oc-ext:openconfig-version "0.3.0"; + + revision 2024-02-13 { + description + "Major style updates and move to openconfig/public from openconfig/gnsi. + Last commit at + https://github.com/openconfig/gnsi/commit/347935aac66135d5649dadb9583ed0914578aab0"; + reference "0.3.0"; + } + + revision 2022-10-30 { + description + "Adds success/failure counters."; + reference "0.2.0"; + } + + revision 2022-01-17 { + description + "Initial revision."; + reference "0.1.0"; + } + + typedef version { + type string; + description + "The version ID of the OpenConfig-path-based authorization policy + as provided by the OpenConfig-path-based Authorization Policy + Manager when the policy was pushed. This leaf persists through + a reboot."; + } + + typedef created-on { + type oc-types:timeticks64; + description + "The creation time of the OpenConfig-path-based authorization policy + as reported by the OpenConfig-path-based Authorization Policy + manager when the policy was pushed to the device. This value is + reported as nanoseconds since epoch (January 1st, 1970 00:00:00 GMT). + This leaf persists through a reboot."; + } + + // gRPC server related definitions. + grouping counters { + description + "A collection of counters that were collected by the gNSI.pathz + module while evaluating access to an OpenConfig path."; + + leaf access-rejects { + type oc-yang:counter64; + description + "The total number of times the gNSI.pathz module denied access + to an OpenConfig path."; + } + leaf last-access-reject { + type oc-types:timeticks64; + description + "A timestamp of the last time the gNSI.pathz denied access to + an OpenConfig path"; + } + leaf access-accepts { + type oc-yang:counter64; + description + "The total number of times the gNSI.pathz module allowed access + to an OpenConfig path."; + } + leaf last-access-accept { + type oc-types:timeticks64; + description + "A timestamp of the last time the gNSI.pathz allowed access to + an OpenConfig path"; + } + } + + grouping gnmi-pathz-policy-success-failure-counters { + description + "A collection of counters collected by the gNSI.pathz module."; + + container gnmi-pathz-policy-counters { + config false; + description + "A collection of per-OpenConfig path counters."; + + uses gnmi-pathz-policy-xpath-success-failure-counters; + } + } + + grouping gnmi-pathz-policy-xpath-success-failure-counters { + description + "A collection of per-OpenConfig path counters."; + + container paths { + description + "Container for a collection of per-OpenConfig path counters."; + + list path { + description + "List for a collection of per-OpenConfig path counters."; + key "name"; + leaf name { + type leafref { + path "../state/name"; + } + description + "A OpenConfig schema path the counter were + collected for. + + For documentation on the naming of paths, see + https://github.com/openconfig/reference/blob/master/rpc/gnmi/gnmi-path-conventions.md"; + } + container state { + description + "Operational state for per-OpenConfig path counters."; + leaf name { + type string; + description + "A OpenConfig schema path the counter were + collected for. + + For documentation on the naming of paths, see + https://github.com/openconfig/reference/blob/master/rpc/gnmi/gnmi-path-conventions.md"; + } + container reads { + description + "The counter were collected while + performing a read operation on the + schema path."; + uses counters; + } + container writes { + description + "The counter were collected while + performing a write operation on the + schema path."; + uses counters; + } + } + } + } + } + + grouping grpc-server-gnmi-pathz-policy-state { + description + "gNMI server OpenConfig-path-based authorization policy + freshness-related data."; + + leaf gnmi-pathz-policy-version { + type version; + description + "The version of the OpenConfig-path-based authorization policy + that is used by this gNMI server."; + } + leaf gnmi-pathz-policy-created-on { + type created-on; + description + "The timestamp of the moment when the OpenConfig-path-based + authorization policy that is currently used by this gNMI server + was created."; + } + } + + grouping gnmi-pathz-policy-state { + description + "Operational state data for a gNMI OpenConfig-path-based + authorization policy."; + leaf instance { + type enumeration { + enum ACTIVE { + value 1; + description + "The policy that is currently used by the gNMI service + to authorize access."; + } + enum SANDBOX { + value 2; + description + "The most recent policy that has been uploaded during + the Rotation() RPC. If there is no Rotate() RPC in + progress, then referring to this instance of the policy + will result in an error."; + } + } + description + "The instance identifier of the gNMI OpenConfig-path-based + authorization policy."; + } + leaf version { + type version; + description + "The version of the gNMI OpenConfig-path-based authorization + policy."; + } + leaf created-on { + type created-on; + description + "The timestamp of the moment when the policy was + created."; + } + } + + grouping gnmi-pathz-policies { + description + "Collection of OpenConfig-path-based authorization policies that + have been installed on the device using the gNSI OpenConfig-path- + based authorization policy management service. + Each OpenConfig-path-based authorization policy listed here is + identified by its status (either ACTIVE or SANDBOX) and has its + version and creation date/time listed."; + + container policies { + config false; + description + "Information about freshness of an OpenConfig-path-based + authorization policy that have been installed + on the device using the gNSI OpenConfig-path-based + authorization policy management service."; + + list policy { + key "instance"; + ordered-by system; + description + "Information about the OpenConfig-path-based authorization + policy that is identified by the `instance`."; + leaf instance { + type leafref { + path "../state/instance"; + } + description + "The ID of the OpenConfig-path-based authorization + policy."; + } + container state { + description + "Operational state data for an OpenConfig-path-based + authorization policies."; + + uses gnmi-pathz-policy-state; + } + } + } + } + + grouping system-gnmi-pathz-policies { + description + "Collection of OpenConfig-path-based authorization policies that + have been installed on the device using the gNSI OpenConfig-path- + based authorization policy management service. + Each policy listed here is identified by its status (either ACTIVE + or SANDBOX) and has its version and creation date/time listed."; + + container gnmi-pathz-policies { + config false; + description + "Collection of OpenConfig-path-based authorization policies that + have been installed on the device using the gNSI OpenConfig- + path-based authorization policy management service. + Each policy listed here is identified by its status (either + ACTIVE or SANDBOX) and has its version and creation date/time + listed."; + + uses gnmi-pathz-policies; + } + } + + // Augments section. + + augment "/oc-sys:system" { + when "oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" + + "/oc-sys-grpc:config[contains(oc-sys-grpc:services, 'oc-gnsi:GNSI')]" + + "/oc-sys-grpc:enable = 'true'"; + description + "Collection of OpenConfig-path-based authorization policies that + have been installed on the device using the gNSI OpenConfig-path- + based authorization policy management service. + Each policy listed here is identified by its status (either ACTIVE + or SANDBOX) and has its version and creation date/time listed."; + + uses system-gnmi-pathz-policies; + } + augment "/oc-sys:system/oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" + + "/oc-sys-grpc:state" { + when "../config[contains(services, 'oc-gnsi:GNSI')]/enable = 'true'"; + description + "A gNMI server OpenConfig-path-based authorization policy freshness + information."; + + uses grpc-server-gnmi-pathz-policy-state; + } + augment "/oc-sys:system/oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" { + when "oc-sys-grpc:config[contains(oc-sys-grpc:services, 'oc-gnsi:GNSI')]" + + "/oc-sys-grpc:enable = 'true'"; + description + "A gNMI server OpenConfig-path-based authorization policy + success/failure counters."; + + uses gnmi-pathz-policy-success-failure-counters; + } +} diff --git a/release/models/gnsi/openconfig-gnsi.yang b/release/models/gnsi/openconfig-gnsi.yang new file mode 100644 index 000000000..0c10a2a0b --- /dev/null +++ b/release/models/gnsi/openconfig-gnsi.yang @@ -0,0 +1,40 @@ +module openconfig-gnsi { + yang-version "1"; + + prefix "oc-gnsi"; + + namespace "http://openconfig.net/yang/gnsi"; + + import openconfig-extensions { prefix oc-ext; } + import openconfig-system-grpc { prefix oc-grpc; } + + organization + "OpenConfig Working Group"; + + contact + "OpenConfig working group + netopenconfig@googlegroups.com"; + + description + "This module defines a set of extensions that provide gNSI (the gRPC + Network Security Interface) specific extensions to the OpenConfig data models. + Specifically, the parameters for the configuration of the service, and + configuration and state are added. + + The gNSI protobufs and documentation are published at + https://github.com/openconfig/gnsi."; + + oc-ext:openconfig-version "0.1.0"; + + revision 2024-02-13 { + description + "Initial revision."; + reference "0.1.0"; + } + + identity GNSI { + base "oc-grpc:GRPC_SERVICE"; + description + "gNSI: gRPC Network Security Interface"; + } +} diff --git a/release/models/system/.spec.yml b/release/models/system/.spec.yml index de5ecc001..92061e9bf 100644 --- a/release/models/system/.spec.yml +++ b/release/models/system/.spec.yml @@ -17,6 +17,11 @@ - yang/system/openconfig-system-logging.yang - yang/system/openconfig-system-terminal.yang - yang/system/openconfig-system-utilization.yang + - yang/gnsi/openconfig-gnsi-acctz.yang + - yang/gnsi/openconfig-gnsi-authz.yang + - yang/gnsi/openconfig-gnsi-certz.yang + - yang/gnsi/openconfig-gnsi-credentialz.yang + - yang/gnsi/openconfig-gnsi-pathz.yang build: - yang/system/openconfig-system.yang - yang/system/openconfig-system-utilization.yang