Diffstat (limited to 'odl-aaa-moon/aaa-authz/aaa-authz-model')
-rw-r--r--odl-aaa-moon/aaa-authz/aaa-authz-model/pom.xml95
-rw-r--r--odl-aaa-moon/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang190
2 files changed, 285 insertions, 0 deletions
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-model/pom.xml b/odl-aaa-moon/aaa-authz/aaa-authz-model/pom.xml
new file mode 100644
index 00000000..a1d3a28f
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-model/pom.xml
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.opendaylight.aaa</groupId>
+ <artifactId>aaa-parent</artifactId>
+ <version>0.3.1-Beryllium-SR1</version>
+ <relativePath>../../parent</relativePath>
+ </parent>
+
+ <artifactId>aaa-authz-model</artifactId>
+ <name>${project.artifactId}</name>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.opendaylight.mdsal</groupId>
+ <artifactId>yang-binding</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.opendaylight.mdsal.model</groupId>
+ <artifactId>ietf-inet-types</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.opendaylight.mdsal.model</groupId>
+ <artifactId>ietf-yang-types</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.opendaylight.mdsal.model</groupId>
+ <artifactId>yang-ext</artifactId>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>maven-bundle-plugin</artifactId>
+ <extensions>true</extensions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-javadoc-plugin</artifactId>
+ <configuration>
+ <stylesheet>maven</stylesheet>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ <phase>site</phase>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.opendaylight.yangtools</groupId>
+ <artifactId>yang-maven-plugin</artifactId>
+ <version>${yangtools.version}</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>generate-sources</goal>
+ </goals>
+ <configuration>
+ <yangFilesRootDir>src/main/yang</yangFilesRootDir>
+ <codeGenerators>
+ <generator>
+ <codeGeneratorClass>
+ org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl
+ </codeGeneratorClass>
+ <outputBaseDir>${salGeneratorPath}</outputBaseDir>
+ </generator>
+ </codeGenerators>
+ <inspectDependencies>true</inspectDependencies>
+ </configuration>
+ </execution>
+ </executions>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.opendaylight.mdsal</groupId>
+ <artifactId>maven-sal-api-gen-plugin</artifactId>
+ <version>${yangtools.version}</version>
+ <type>jar</type>
+ </dependency>
+ </dependencies>
+ </plugin>
+ </plugins>
+ </build>
+ <packaging>bundle</packaging>
+
+</project>
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang b/odl-aaa-moon/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang
new file mode 100644
index 00000000..2e0cf9cb
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang
@@ -0,0 +1,190 @@
+module authorization-schema {
+ yang-version 1;
+ namespace "urn:aaa:yang:authz:ds";
+ prefix "authz";
+ organization "TBD";
+
+ contact "wdec@cisco.com";
+
+ revision 2014-07-22 {
+ description
+ "Initial revision.";
+ }
+
+ //Main module begins
+
+ //TODO: Refactor service type as URI
+
+ //Define the servicetype; Service is used to identify the requestors' name, which would correspond to an ODL component eg Restconf. Possibly
+ //the naming will derive from the OSGi bundle name of the AuthZ requesting party.
+
+ typedef service-type {
+ type string;
+ }
+
+ //Resource denotes the actual resource that is the subject of the AuthZ request.
+
+ typedef resource-type {
+ type string;
+ default "*";
+
+ //Examples of resources:
+ //Data : /operational/opendaylight-inventory:nodes/node/openflow:1/node-connector/openflow:1:1
+ //Wildcarded data: /operational/opendaylight-inventory:nodes/node/*/node-connector/*
+ //RPC: /operations/example-ops:reboot
+ //Wildcarded RPC: /operations/example-ops:*
+ //Notification: /notifications/example-ops:startup
+ }
+
+ //Role denotes the normalized role that is attributed to the AuthZ requestor, eg "admin"
+
+ typedef role-type {
+ type string;
+ }
+
+ //Domain denotes the customer domain that is the attributed of the AuthZ requestor, eg cisco.com
+
+ typedef domain-type {
+ type string;
+ }
+
+ //Action denotes the requested AuthZ action on the resource
+ //TODO: Refactor as identities to allow for augmentation.
+
+ typedef action-type {
+ type enumeration {
+ enum put;
+ enum commit;
+ enum exists;
+ enum getIdentifier;
+ enum read;
+ enum cancel;
+ enum submit;
+ enum delete;
+ enum merge;
+ enum any;
+ }
+ default "any";
+ }
+
+ typedef authorization-response-type {
+ type enumeration {
+ enum not-authorized { value 0; }
+ enum authorized { value 1; }
+ }
+ }
+
+ typedef authorization-duration-type {
+ type uint32;
+ }
+
+ // Following grouping is the core AuthZ policy permissions data-structure, dual keyed by service and action.
+ // Permissions will be set-up per application. NOTE: Group and role can be equivalent. do we need both?
+
+ grouping authorization-grp {
+ list policies {
+ key "service";
+ leaf service {
+ type service-type;
+ }
+ leaf action {
+ type action-type;
+ }
+ leaf resource {
+ type resource-type;
+ mandatory true;
+ }
+ leaf role {
+ type role-type;
+ mandatory true;
+ }
+ leaf authorization {
+ type authorization-response-type;
+ }
+ }
+ }
+
+ // Following container provides the simple, non-domain specific AuthZ policy data-structure, dual keyed by service and action.
+
+ container simple-authorization {
+ uses authorization-grp;
+ }
+
+ // Following container provides the domain AuthZ policy data-structure. Each Policy is extended with a authz-domain-chain,
+ // which contains a prioritized list of the leafrefs to additional domain policies that also apply to this domain.
+ // The construct allows the chaining of policies like foo.com -> customer.sp.com -> customer.carrier.com.
+
+
+ container domain-authorization {
+ list domains {
+ key "domain-name";
+ leaf domain-name {
+ type domain-type;
+ }
+ uses authorization-grp;
+ list authz-domain-chain {
+ key "priority";
+ leaf priority {
+ type uint32;
+ }
+ leaf domain-name {
+ type leafref {
+ path "/additional-domain-authz/domains/domain-name";
+ }
+ }
+ }
+ }
+}
+
+container additional-domain-authz {
+ list domains {
+ key "domain-name";
+ leaf domain-name {
+ type domain-type;
+ }
+ uses authorization-grp;
+ }
+ }
+
+
+
+ /* The following is the AuthZ RPC definition */
+
+ rpc req-authorization {
+ description
+ "Check Authorization for a given combination of action and role.
+ A not-authorized will be returned if unsuccessful.";
+
+ input {
+ leaf domain-name {
+ type domain-type;
+ }
+ leaf service {
+ type service-type;
+ }
+ leaf action {
+ type action-type;
+ mandatory true;
+ }
+
+ leaf resource {
+ type resource-type;
+ mandatory true;
+ }
+ leaf role {
+ type role-type;
+ mandatory true;
+ }
+
+ }
+
+ output {
+
+ leaf authorization-response {
+ type authorization-response-type;
+ mandatory true;
+ }
+
+ }
+ }
+}
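Review bot: The `policies` list in `authorization-grp` is keyed on `service` alone (`key "service";`), although the comments at the grouping and at `simple-authorization` describe it as dual keyed by service and action, so one service can hold only a single policy entry and cannot express distinct decisions per action, resource or role; widening the key, e.g. `key "service action resource role";`, matches the stated intent (note that `action-type` carries `default "any"`, which would need revisiting if `action` becomes a key leaf). Separately, the `authorization` leaf has neither `mandatory true` nor a default, and `action` inside a policy falls back to `any`, so an entry that omits either field is ambiguous to the enforcement point and, depending on how it is evaluated, may match more broadly than intended; adding `mandatory true;` under `leaf authorization` (or `default not-authorized;`) keeps the schema fail-closed. As a point of style, the closing brace of `domain-authorization` and the whole `additional-domain-authz` container sit at column 0 while the rest of the module body is indented one level.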