diff options
Diffstat (limited to 'odl-aaa-moon/aaa/aaa-authz/aaa-authz-model')
-rw-r--r-- | odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml | 95 | ||||
-rw-r--r-- | odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang | 190 |
2 files changed, 285 insertions, 0 deletions
diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml new file mode 100644 index 00000000..ee6108bd --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml @@ -0,0 +1,95 @@ +<?xml version="1.0" encoding="UTF-8"?> +<project xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> + <modelVersion>4.0.0</modelVersion> + + <parent> + <groupId>org.opendaylight.aaa</groupId> + <artifactId>aaa-parent</artifactId> + <version>0.3.2-Beryllium-SR2</version> + <relativePath>../../parent</relativePath> + </parent> + + <artifactId>aaa-authz-model</artifactId> + <name>${project.artifactId}</name> + + <dependencies> + <dependency> + <groupId>org.opendaylight.mdsal</groupId> + <artifactId>yang-binding</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.mdsal.model</groupId> + <artifactId>ietf-inet-types</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.mdsal.model</groupId> + <artifactId>ietf-yang-types</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.mdsal.model</groupId> + <artifactId>yang-ext</artifactId> + </dependency> + </dependencies> + + <build> + <plugins> + <plugin> + <groupId>org.apache.felix</groupId> + <artifactId>maven-bundle-plugin</artifactId> + <extensions>true</extensions> + </plugin> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-javadoc-plugin</artifactId> + <configuration> + <stylesheet>maven</stylesheet> + </configuration> + <executions> + <execution> + <goals> + <goal>aggregate</goal> + </goals> + <phase>site</phase> + </execution> + </executions> + </plugin> + <plugin> + <groupId>org.opendaylight.yangtools</groupId> + <artifactId>yang-maven-plugin</artifactId> + <version>${yangtools.version}</version> + <executions> + <execution> + <goals> + <goal>generate-sources</goal> + </goals> + <configuration> + <yangFilesRootDir>src/main/yang</yangFilesRootDir> + <codeGenerators> + <generator> + <codeGeneratorClass> + org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl + </codeGeneratorClass> + <outputBaseDir>${salGeneratorPath}</outputBaseDir> + </generator> + </codeGenerators> + <inspectDependencies>true</inspectDependencies> + </configuration> + </execution> + </executions> + + <dependencies> + <dependency> + <groupId>org.opendaylight.mdsal</groupId> + <artifactId>maven-sal-api-gen-plugin</artifactId> + <version>${yangtools.version}</version> + <type>jar</type> + </dependency> + </dependencies> + </plugin> + </plugins> + </build> + <packaging>bundle</packaging> + +</project> diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang new file mode 100644 index 00000000..2e0cf9cb --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang @@ -0,0 +1,190 @@ +module authorization-schema { + yang-version 1; + namespace "urn:aaa:yang:authz:ds"; + prefix "authz"; + organization "TBD"; + + contact "wdec@cisco.com"; + + revision 2014-07-22 { + description + "Initial revision."; + } + + //Main module begins + + //TODO: Refactor service type as URI + + //Define the servicetype; Service is used to identify the requestors' name, which would correspond to an ODL component eg Restconf. Possibly + //the naming will derive from the OSGi bundle name of the AuthZ requesting party. + + typedef service-type { + type string; + } + + //Resource denotes the actual resource that is the subject of the AuthZ request. + + typedef resource-type { + type string; + default "*"; + + //Examples of resources: + //Data : /operational/opendaylight-inventory:nodes/node/openflow:1/node-connector/openflow:1:1 + //Wildcarded data: /operational/opendaylight-inventory:nodes/node/*/node-connector/* + //RPC: /operations/example-ops:reboot + //Wildcarded RPC: /operations/example-ops:* + //Notification: /notifications/example-ops:startup + } + + //Role denotes the normalized role that is attributed to the AuthZ requestor, eg "admin" + + typedef role-type { + type string; + } + + //Domain denotes the customer domain that is the attributed of the AuthZ requestor, eg cisco.com + + typedef domain-type { + type string; + } + + //Action denotes the requested AuthZ action on the resource + //TODO: Refactor as identities to allow for augmentation. + + typedef action-type { + type enumeration { + enum put; + enum commit; + enum exists; + enum getIdentifier; + enum read; + enum cancel; + enum submit; + enum delete; + enum merge; + enum any; + } + default "any"; + } + + typedef authorization-response-type { + type enumeration { + enum not-authorized { value 0; } + enum authorized { value 1; } + } + } + + typedef authorization-duration-type { + type uint32; + } + + // Following grouping is the core AuthZ policy permissions data-structure, dual keyed by service and action. + // Permissions will be set-up per application. NOTE: Group and role can be equivalent. do we need both? + + grouping authorization-grp { + list policies { + key "service"; + leaf service { + type service-type; + } + leaf action { + type action-type; + } + leaf resource { + type resource-type; + mandatory true; + } + leaf role { + type role-type; + mandatory true; + } + leaf authorization { + type authorization-response-type; + } + } + } + + // Following container provides the simple, non-domain specific AuthZ policy data-structure, dual keyed by service and action. + + container simple-authorization { + uses authorization-grp; + } + + // Following container provides the domain AuthZ policy data-structure. Each Policy is extended with a authz-domain-chain, + // which contains a prioritized list of the leafrefs to additional domain policies that also apply to this domain. + // The construct allows the chaining of policies like foo.com -> customer.sp.com -> customer.carrier.com. + + + container domain-authorization { + list domains { + key "domain-name"; + leaf domain-name { + type domain-type; + } + uses authorization-grp; + list authz-domain-chain { + key "priority"; + leaf priority { + type uint32; + } + leaf domain-name { + type leafref { + path "/additional-domain-authz/domains/domain-name"; + } + } + } + } +} + +container additional-domain-authz { + list domains { + key "domain-name"; + leaf domain-name { + type domain-type; + } + uses authorization-grp; + } + } + + + + /* The following is the AuthZ RPC definition */ + + rpc req-authorization { + description + "Check Authorization for a given combination of action and role. + A not-authorized will be returned if unsuccessful."; + + input { + leaf domain-name { + type domain-type; + } + leaf service { + type service-type; + } + leaf action { + type action-type; + mandatory true; + } + + leaf resource { + type resource-type; + mandatory true; + } + leaf role { + type role-type; + mandatory true; + } + + } + + output { + + leaf authorization-response { + type authorization-response-type; + mandatory true; + } + + } + } +} |