aboutsummaryrefslogtreecommitdiffstats
path: root/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang
diff options
context:
space:
mode:
Diffstat (limited to 'odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang')
-rw-r--r--odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang190
1 files changed, 0 insertions, 190 deletions
diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang
deleted file mode 100644
index 2e0cf9cb..00000000
--- a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang
+++ /dev/null
@@ -1,190 +0,0 @@
-module authorization-schema {
- yang-version 1;
- namespace "urn:aaa:yang:authz:ds";
- prefix "authz";
- organization "TBD";
-
- contact "wdec@cisco.com";
-
- revision 2014-07-22 {
- description
- "Initial revision.";
- }
-
- //Main module begins
-
- //TODO: Refactor service type as URI
-
- //Define the servicetype; Service is used to identify the requestors' name, which would correspond to an ODL component eg Restconf. Possibly
- //the naming will derive from the OSGi bundle name of the AuthZ requesting party.
-
- typedef service-type {
- type string;
- }
-
- //Resource denotes the actual resource that is the subject of the AuthZ request.
-
- typedef resource-type {
- type string;
- default "*";
-
- //Examples of resources:
- //Data : /operational/opendaylight-inventory:nodes/node/openflow:1/node-connector/openflow:1:1
- //Wildcarded data: /operational/opendaylight-inventory:nodes/node/*/node-connector/*
- //RPC: /operations/example-ops:reboot
- //Wildcarded RPC: /operations/example-ops:*
- //Notification: /notifications/example-ops:startup
- }
-
- //Role denotes the normalized role that is attributed to the AuthZ requestor, eg "admin"
-
- typedef role-type {
- type string;
- }
-
- //Domain denotes the customer domain that is the attributed of the AuthZ requestor, eg cisco.com
-
- typedef domain-type {
- type string;
- }
-
- //Action denotes the requested AuthZ action on the resource
- //TODO: Refactor as identities to allow for augmentation.
-
- typedef action-type {
- type enumeration {
- enum put;
- enum commit;
- enum exists;
- enum getIdentifier;
- enum read;
- enum cancel;
- enum submit;
- enum delete;
- enum merge;
- enum any;
- }
- default "any";
- }
-
- typedef authorization-response-type {
- type enumeration {
- enum not-authorized { value 0; }
- enum authorized { value 1; }
- }
- }
-
- typedef authorization-duration-type {
- type uint32;
- }
-
- // Following grouping is the core AuthZ policy permissions data-structure, dual keyed by service and action.
- // Permissions will be set-up per application. NOTE: Group and role can be equivalent. do we need both?
-
- grouping authorization-grp {
- list policies {
- key "service";
- leaf service {
- type service-type;
- }
- leaf action {
- type action-type;
- }
- leaf resource {
- type resource-type;
- mandatory true;
- }
- leaf role {
- type role-type;
- mandatory true;
- }
- leaf authorization {
- type authorization-response-type;
- }
- }
- }
-
- // Following container provides the simple, non-domain specific AuthZ policy data-structure, dual keyed by service and action.
-
- container simple-authorization {
- uses authorization-grp;
- }
-
- // Following container provides the domain AuthZ policy data-structure. Each Policy is extended with a authz-domain-chain,
- // which contains a prioritized list of the leafrefs to additional domain policies that also apply to this domain.
- // The construct allows the chaining of policies like foo.com -> customer.sp.com -> customer.carrier.com.
-
-
- container domain-authorization {
- list domains {
- key "domain-name";
- leaf domain-name {
- type domain-type;
- }
- uses authorization-grp;
- list authz-domain-chain {
- key "priority";
- leaf priority {
- type uint32;
- }
- leaf domain-name {
- type leafref {
- path "/additional-domain-authz/domains/domain-name";
- }
- }
- }
- }
-}
-
-container additional-domain-authz {
- list domains {
- key "domain-name";
- leaf domain-name {
- type domain-type;
- }
- uses authorization-grp;
- }
- }
-
-
-
- /* The following is the AuthZ RPC definition */
-
- rpc req-authorization {
- description
- "Check Authorization for a given combination of action and role.
- A not-authorized will be returned if unsuccessful.";
-
- input {
- leaf domain-name {
- type domain-type;
- }
- leaf service {
- type service-type;
- }
- leaf action {
- type action-type;
- mandatory true;
- }
-
- leaf resource {
- type resource-type;
- mandatory true;
- }
- leaf role {
- type role-type;
- mandatory true;
- }
-
- }
-
- output {
-
- leaf authorization-response {
- type authorization-response-type;
- mandatory true;
- }
-
- }
- }
-}