aboutsummaryrefslogtreecommitdiffstats
path: root/odl-aaa-moon/aaa-authz/aaa-authz-model/src
diff options
context:
space:
mode:
Diffstat (limited to 'odl-aaa-moon/aaa-authz/aaa-authz-model/src')
-rw-r--r--odl-aaa-moon/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang190
1 files changed, 190 insertions, 0 deletions
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang b/odl-aaa-moon/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang
new file mode 100644
index 00000000..2e0cf9cb
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang
@@ -0,0 +1,190 @@
+module authorization-schema {
+ yang-version 1;
+ namespace "urn:aaa:yang:authz:ds";
+ prefix "authz";
+ organization "TBD";
+
+ contact "wdec@cisco.com";
+
+ revision 2014-07-22 {
+ description
+ "Initial revision.";
+ }
+
+ //Main module begins
+
+ //TODO: Refactor service type as URI
+
+ //Define the servicetype; Service is used to identify the requestors' name, which would correspond to an ODL component eg Restconf. Possibly
+ //the naming will derive from the OSGi bundle name of the AuthZ requesting party.
+
+ typedef service-type {
+ type string;
+ }
+
+ //Resource denotes the actual resource that is the subject of the AuthZ request.
+
+ typedef resource-type {
+ type string;
+ default "*";
+
+ //Examples of resources:
+ //Data : /operational/opendaylight-inventory:nodes/node/openflow:1/node-connector/openflow:1:1
+ //Wildcarded data: /operational/opendaylight-inventory:nodes/node/*/node-connector/*
+ //RPC: /operations/example-ops:reboot
+ //Wildcarded RPC: /operations/example-ops:*
+ //Notification: /notifications/example-ops:startup
+ }
+
+ //Role denotes the normalized role that is attributed to the AuthZ requestor, eg "admin"
+
+ typedef role-type {
+ type string;
+ }
+
+ //Domain denotes the customer domain that is the attributed of the AuthZ requestor, eg cisco.com
+
+ typedef domain-type {
+ type string;
+ }
+
+ //Action denotes the requested AuthZ action on the resource
+ //TODO: Refactor as identities to allow for augmentation.
+
+ typedef action-type {
+ type enumeration {
+ enum put;
+ enum commit;
+ enum exists;
+ enum getIdentifier;
+ enum read;
+ enum cancel;
+ enum submit;
+ enum delete;
+ enum merge;
+ enum any;
+ }
+ default "any";
+ }
+
+ typedef authorization-response-type {
+ type enumeration {
+ enum not-authorized { value 0; }
+ enum authorized { value 1; }
+ }
+ }
+
+ typedef authorization-duration-type {
+ type uint32;
+ }
+
+ // Following grouping is the core AuthZ policy permissions data-structure, dual keyed by service and action.
+ // Permissions will be set-up per application. NOTE: Group and role can be equivalent. do we need both?
+
+ grouping authorization-grp {
+ list policies {
+ key "service";
+ leaf service {
+ type service-type;
+ }
+ leaf action {
+ type action-type;
+ }
+ leaf resource {
+ type resource-type;
+ mandatory true;
+ }
+ leaf role {
+ type role-type;
+ mandatory true;
+ }
+ leaf authorization {
+ type authorization-response-type;
+ }
+ }
+ }
+
+ // Following container provides the simple, non-domain specific AuthZ policy data-structure, dual keyed by service and action.
+
+ container simple-authorization {
+ uses authorization-grp;
+ }
+
+ // Following container provides the domain AuthZ policy data-structure. Each Policy is extended with a authz-domain-chain,
+ // which contains a prioritized list of the leafrefs to additional domain policies that also apply to this domain.
+ // The construct allows the chaining of policies like foo.com -> customer.sp.com -> customer.carrier.com.
+
+
+ container domain-authorization {
+ list domains {
+ key "domain-name";
+ leaf domain-name {
+ type domain-type;
+ }
+ uses authorization-grp;
+ list authz-domain-chain {
+ key "priority";
+ leaf priority {
+ type uint32;
+ }
+ leaf domain-name {
+ type leafref {
+ path "/additional-domain-authz/domains/domain-name";
+ }
+ }
+ }
+ }
+}
+
+container additional-domain-authz {
+ list domains {
+ key "domain-name";
+ leaf domain-name {
+ type domain-type;
+ }
+ uses authorization-grp;
+ }
+ }
+
+
+
+ /* The following is the AuthZ RPC definition */
+
+ rpc req-authorization {
+ description
+ "Check Authorization for a given combination of action and role.
+ A not-authorized will be returned if unsuccessful.";
+
+ input {
+ leaf domain-name {
+ type domain-type;
+ }
+ leaf service {
+ type service-type;
+ }
+ leaf action {
+ type action-type;
+ mandatory true;
+ }
+
+ leaf resource {
+ type resource-type;
+ mandatory true;
+ }
+ leaf role {
+ type role-type;
+ mandatory true;
+ }
+
+ }
+
+ output {
+
+ leaf authorization-response {
+ type authorization-response-type;
+ mandatory true;
+ }
+
+ }
+ }
+}