1 files changed, 190 insertions, 0 deletions
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang
new file mode 100644
index 00000000..2e0cf9cb
--- /dev/null
+++ b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang
@@ -0,0 +1,190 @@
+module authorization-schema {
+  yang-version 1;
+  namespace "urn:aaa:yang:authz:ds";
+  prefix "authz";
+  organization "TBD";
+
+  contact "wdec@cisco.com";
+
+  revision 2014-07-22 {
+    description
+      "Initial revision.";
+  }
+
+  //Main module begins
+
+  //TODO: Refactor service type as URI
+
+  //Define the servicetype; Service is used to identify the requestors' name, which would correspond to an ODL component eg Restconf. Possibly
+  //the naming will derive from the OSGi bundle name of the AuthZ requesting party.
+
+  typedef service-type {
+    type string;
+  }
+
+  //Resource denotes the actual resource that is the subject of the AuthZ request.
+
+  typedef resource-type {
+    type string;
+    default "*";
+
+    //Examples of resources:
+    //Data : /operational/opendaylight-inventory:nodes/node/openflow:1/node-connector/openflow:1:1
+    //Wildcarded data: /operational/opendaylight-inventory:nodes/node/*/node-connector/*
+    //RPC: /operations/example-ops:reboot
+    //Wildcarded RPC: /operations/example-ops:*
+    //Notification: /notifications/example-ops:startup
+  }
+
+  //Role denotes the normalized role that is attributed to the AuthZ requestor, eg "admin"
+
+  typedef role-type {
+    type string;
+  }
+
+  //Domain denotes the customer domain that is the attributed of the AuthZ requestor, eg cisco.com
+
+  typedef domain-type {
+    type string;
+  }
+
+  //Action denotes the requested AuthZ action on the resource
+  //TODO: Refactor as identities to allow for augmentation.
+
+  typedef action-type {
+    type enumeration {
+      enum put;
+      enum commit;
+      enum exists;
+      enum getIdentifier;
+      enum read;
+      enum cancel;
+      enum submit;
+      enum delete;
+      enum merge;
+      enum any;
+    }
+    default "any";
+  }
+
+  typedef authorization-response-type {
+    type enumeration {
+        enum not-authorized { value 0; }
+        enum authorized { value 1; }
+    }
+  }
+
+  typedef authorization-duration-type {
+    type uint32;
+  }
+
+  // Following grouping is the core AuthZ policy permissions data-structure, dual keyed by service and action.
+  // Permissions will be set-up per application. NOTE: Group and role can be equivalent. do we need both?
+
+  grouping authorization-grp {
+    list policies {
+      key "service";
+      leaf service {
+        type service-type;
+      }
+      leaf action {
+        type action-type;
+      }
+      leaf resource {
+        type resource-type;
+        mandatory true;
+      }
+      leaf role {
+        type role-type;
+        mandatory true;
+      }
+      leaf authorization {
+        type authorization-response-type;
+      }
+    }
+  }
+
+  // Following container provides the simple, non-domain specific AuthZ policy data-structure, dual keyed by service and action.
+
+  container simple-authorization {
+    uses authorization-grp;
+  }
+
+  // Following container provides the domain AuthZ policy data-structure. Each Policy is extended with a authz-domain-chain,
+  // which contains a prioritized list of the leafrefs to additional domain policies that also apply to this domain.
+  // The construct allows the chaining of policies like foo.com -> customer.sp.com -> customer.carrier.com.
+
+
+  container domain-authorization {
+    list domains {
+      key "domain-name";
+      leaf domain-name {
+        type domain-type;
+      }
+      uses authorization-grp;
+      list authz-domain-chain {
+        key "priority";
+        leaf priority {
+        type uint32;
+      }
+      leaf domain-name {
+        type leafref  {
+          path "/additional-domain-authz/domains/domain-name";
+        }
+      }
+    }
+  }
+}
+
+container additional-domain-authz {
+  list domains {
+    key "domain-name";
+    leaf domain-name {
+      type domain-type;
+       }
+      uses authorization-grp;
+     }
+  }
+
+
+
+  /* The following is the AuthZ RPC definition */
+
+  rpc req-authorization {
+    description
+      "Check Authorization for a given combination of action and role.
+      A not-authorized  will be returned if unsuccessful.";
+
+    input {
+      leaf domain-name {
+        type domain-type;
+      }
+      leaf service {
+        type service-type;
+      }
+      leaf action {
+        type action-type;
+        mandatory true;
+      }
+
+      leaf resource {
+        type resource-type;
+        mandatory true;
+      }
+      leaf role {
+        type role-type;
+        mandatory true;
+      }
+
+    }
+
+    output {
+
+      leaf authorization-response {
+        type authorization-response-type;
+        mandatory true;
+      }
+
+    }
+  }
+}