aboutsummaryrefslogtreecommitdiffstats
path: root/odl-aaa-moon/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang
blob: 2e0cf9cb1bfe7e5325554bcf9e58a9cab5b8be49 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
module authorization-schema {
  yang-version 1;
  namespace "urn:aaa:yang:authz:ds";
  prefix "authz";
  organization "TBD";

  contact "wdec@cisco.com";

  revision 2014-07-22 {
    description
      "Initial revision.";
  }

  //Main module begins

  //TODO: Refactor service type as URI

  //Define the servicetype; Service is used to identify the requestors' name, which would correspond to an ODL component eg Restconf. Possibly
  //the naming will derive from the OSGi bundle name of the AuthZ requesting party.

  typedef service-type {
    type string;
  }

  //Resource denotes the actual resource that is the subject of the AuthZ request.

  typedef resource-type {
    type string;
    default "*";

    //Examples of resources:
    //Data : /operational/opendaylight-inventory:nodes/node/openflow:1/node-connector/openflow:1:1
    //Wildcarded data: /operational/opendaylight-inventory:nodes/node/*/node-connector/*
    //RPC: /operations/example-ops:reboot
    //Wildcarded RPC: /operations/example-ops:*
    //Notification: /notifications/example-ops:startup
  }

  //Role denotes the normalized role that is attributed to the AuthZ requestor, eg "admin"

  typedef role-type {
    type string;
  }

  //Domain denotes the customer domain that is the attributed of the AuthZ requestor, eg cisco.com

  typedef domain-type {
    type string;
  }

  //Action denotes the requested AuthZ action on the resource
  //TODO: Refactor as identities to allow for augmentation.

  typedef action-type {
    type enumeration {
      enum put;
      enum commit;
      enum exists;
      enum getIdentifier;
      enum read;
      enum cancel;
      enum submit;
      enum delete;
      enum merge;
      enum any;
    }
    default "any";
  }

  typedef authorization-response-type {
    type enumeration {
        enum not-authorized { value 0; }
        enum authorized { value 1; }
    }
  }

  typedef authorization-duration-type {
    type uint32;
  }

  // Following grouping is the core AuthZ policy permissions data-structure, dual keyed by service and action.
  // Permissions will be set-up per application. NOTE: Group and role can be equivalent. do we need both?

  grouping authorization-grp {
    list policies {
      key "service";
      leaf service {
        type service-type;
      }
      leaf action {
        type action-type;
      }
      leaf resource {
        type resource-type;
        mandatory true;
      }
      leaf role {
        type role-type;
        mandatory true;
      }
      leaf authorization {
        type authorization-response-type;
      }
    }
  }

  // Following container provides the simple, non-domain specific AuthZ policy data-structure, dual keyed by service and action.

  container simple-authorization {
    uses authorization-grp;
  }

  // Following container provides the domain AuthZ policy data-structure. Each Policy is extended with a authz-domain-chain,
  // which contains a prioritized list of the leafrefs to additional domain policies that also apply to this domain.
  // The construct allows the chaining of policies like foo.com -> customer.sp.com -> customer.carrier.com.


  container domain-authorization {
    list domains {
      key "domain-name";
      leaf domain-name {
        type domain-type;
      }
      uses authorization-grp;
      list authz-domain-chain {
        key "priority";
        leaf priority {
        type uint32;
      }
      leaf domain-name {
        type leafref  {
          path "/additional-domain-authz/domains/domain-name";
        }
      }
    }
  }
}

container additional-domain-authz {
  list domains {
    key "domain-name";
    leaf domain-name {
      type domain-type;
       }
      uses authorization-grp;
     }
  }



  /* The following is the AuthZ RPC definition */

  rpc req-authorization {
    description
      "Check Authorization for a given combination of action and role.
      A not-authorized  will be returned if unsuccessful.";

    input {
      leaf domain-name {
        type domain-type;
      }
      leaf service {
        type service-type;
      }
      leaf action {
        type action-type;
        mandatory true;
      }

      leaf resource {
        type resource-type;
        mandatory true;
      }
      leaf role {
        type role-type;
        mandatory true;
      }

    }

    output {

      leaf authorization-response {
        type authorization-response-type;
        mandatory true;
      }

    }
  }
}