module authorization-schema { yang-version 1; namespace "urn:aaa:yang:authz:ds"; prefix "authz"; organization "TBD"; contact "wdec@cisco.com"; revision 2014-07-22 { description "Initial revision."; } //Main module begins //TODO: Refactor service type as URI //Define the servicetype; Service is used to identify the requestors' name, which would correspond to an ODL component eg Restconf. Possibly //the naming will derive from the OSGi bundle name of the AuthZ requesting party. typedef service-type { type string; } //Resource denotes the actual resource that is the subject of the AuthZ request. typedef resource-type { type string; default "*"; //Examples of resources: //Data : /operational/opendaylight-inventory:nodes/node/openflow:1/node-connector/openflow:1:1 //Wildcarded data: /operational/opendaylight-inventory:nodes/node/*/node-connector/* //RPC: /operations/example-ops:reboot //Wildcarded RPC: /operations/example-ops:* //Notification: /notifications/example-ops:startup } //Role denotes the normalized role that is attributed to the AuthZ requestor, eg "admin" typedef role-type { type string; } //Domain denotes the customer domain that is the attributed of the AuthZ requestor, eg cisco.com typedef domain-type { type string; } //Action denotes the requested AuthZ action on the resource //TODO: Refactor as identities to allow for augmentation. typedef action-type { type enumeration { enum put; enum commit; enum exists; enum getIdentifier; enum read; enum cancel; enum submit; enum delete; enum merge; enum any; } default "any"; } typedef authorization-response-type { type enumeration { enum not-authorized { value 0; } enum authorized { value 1; } } } typedef authorization-duration-type { type uint32; } // Following grouping is the core AuthZ policy permissions data-structure, dual keyed by service and action. // Permissions will be set-up per application. NOTE: Group and role can be equivalent. do we need both? grouping authorization-grp { list policies { key "service"; leaf service { type service-type; } leaf action { type action-type; } leaf resource { type resource-type; mandatory true; } leaf role { type role-type; mandatory true; } leaf authorization { type authorization-response-type; } } } // Following container provides the simple, non-domain specific AuthZ policy data-structure, dual keyed by service and action. container simple-authorization { uses authorization-grp; } // Following container provides the domain AuthZ policy data-structure. Each Policy is extended with a authz-domain-chain, // which contains a prioritized list of the leafrefs to additional domain policies that also apply to this domain. // The construct allows the chaining of policies like foo.com -> customer.sp.com -> customer.carrier.com. container domain-authorization { list domains { key "domain-name"; leaf domain-name { type domain-type; } uses authorization-grp; list authz-domain-chain { key "priority"; leaf priority { type uint32; } leaf domain-name { type leafref { path "/additional-domain-authz/domains/domain-name"; } } } } } container additional-domain-authz { list domains { key "domain-name"; leaf domain-name { type domain-type; } uses authorization-grp; } } /* The following is the AuthZ RPC definition */ rpc req-authorization { description "Check Authorization for a given combination of action and role. A not-authorized will be returned if unsuccessful."; input { leaf domain-name { type domain-type; } leaf service { type service-type; } leaf action { type action-type; mandatory true; } leaf resource { type resource-type; mandatory true; } leaf role { type role-type; mandatory true; } } output { leaf authorization-response { type authorization-response-type; mandatory true; } } } }