Using YANG Module Tags in YumaPro SDK : YumaWorks

What are Module Tags?

Module tags are strings that are used to select a set of YANG modules.
They allow administrators to simplify access to YANG-based content by mapping module names to module tags.
This work is being standardized in the NETMOD WG in the IETF as YANG Module Tags.

How Does netconfd-pro Support Module Tags?

The server allows module tags to be configured statically with CLI or configuration file parameters.
(Dynamic configuration via a YANG module is pending a stable IETF draft).
The set of module name to module tag mappings can be retrieved with an RPC operation.
A "module tag filter" can be specified for the <get> and <get-config> operations
A "module tag rule" can be configured in NACM access control rules
The server does not enforce the strict syntax for module tags found in the IETF YANG module

Configuring Module Tags

The --with-modtags parameter is used to enable or disable the module tags feature:

with-modtags true

The YANG definition for the with-modtags parameter:

      leaf with-modtags {
        description
          "If set to 'true', then the module tags feature will be
           enabled. Otherwise, this feature will be disabled.
           If disabled, the module-tagmap parameter will be ignored
           and the ietf-module-tags module will not be loaded.";
        type boolean;
        default true;
      }

The --module-tagmap parameter is used to configure a module name to module tag mapping.

The following example configured 3 module-tags:

netconf (contains ietf-netconf-monitoring)
restconf (contains ietf-restconf-monitoring)
test (contains test, test1, and test2)

module-tagmap ietf-netconf-monitoring@netconf
module-tagmap ietf-restconf-monitoring@restconf
module-tagmap test@test
module-tagmap test1@test
module-tagmap test2@test

The YANG definition for the module-tagmap parameter:

      leaf-list module-tagmap {
        description
          "Specifies a module tag mapping for use in module tags registry.
           The format is <modname>@<tag-string>.
           Examples:
              ietf-system@ietf:system-management
              openconfig-system@vendor:openconfig:system-management
              example-system@vendor:example.com:system-management
          ";
        type string;
      }

Retrieving the Module Tag Mappings

The <get-module-tags> operation provides the list of module tag mappings configured on the server.

This operation is defined in the module yumaworks-system.

Request:

<rpc message-id="2"
 xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
 <get-module-tags xmlns="http://yumaworks.com/ns/yumaworks-system"/>
</rpc>


Response:

<rpc-reply message-id="2"
 xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
 <module-tag xmlns="http://yumaworks.com/ns/yumaworks-system">
  <tag>netconf</tag>
  <module>ietf-netconf-monitoring</module>
 </module-tag>
 <module-tag xmlns="http://yumaworks.com/ns/yumaworks-system">
  <tag>restconf</tag>
  <module>ietf-restconf-monitoring</module>
 </module-tag>
 <module-tag xmlns="http://yumaworks.com/ns/yumaworks-system">
  <tag>test</tag>
  <module>test</module>
  <module>test1</module>
  <module>test2</module>
 </module-tag>
</rpc-reply>

Retrieving YANG Content Filtered by Module Tags

A --module-tag parameter has been added to the <get> and <get-config> operations.
This parameter allows YANG data to be retrieved only if it matches the YANG module(s) that are mapped to the specified module tag.
It is not an error to provide an unknown module tag. The server will skip unknown module tags.

In this example, the "restconf" module tag is used as a filter:

Request:

<rpc message-id="4"
 xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
 <get>
  <module-tag xmlns="http://yumaworks.com/ns/yumaworks-system">restconf</module-tag>
 </get>
</rpc>

Response:

<rpc-reply message-id="4"
 xmlns:ncx="http://netconfcentral.org/ns/yuma-ncx"
 ncx:last-modified="2018-05-25T00:21:39Z" ncx:etag="3843"
 xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
 <data>
  <restconf-state xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf-monitoring">
   <capabilities>
    <capability>urn:ietf:params:restconf:capability:depth:1.0</capability>
    <capability>urn:ietf:params:restconf:capability:with-defaults:1.0</capability>
    <capability>urn:ietf:params:restconf:capability:defaults:1.0?basic-mode=explicit</capability>
    <capability>urn:ietf:params:restconf:capability:fields:1.0</capability>
    <capability>urn:ietf:params:restconf:capability:replay:1.0</capability>
    <capability>urn:ietf:params:restconf:capability:filter:1.0</capability>
    <capability>urn:ietf:params:restconf:capability:yang-patch:1.0</capability>
   </capabilities>
   <streams>
    <stream>
     <name>RESTCONF</name>
     <description>default RESTCONF event stream</description>
     <replay-support>true</replay-support>
     <replay-log-creation-time>2018-05-25T00:21:39Z</replay-log-creation-time>
     <access>
      <encoding>xml</encoding>
      <location>http://localhost/restconf/stream</location>
     </access>
    </stream>
   </streams>
  </restconf-state>
 </data>
</rpc-reply>

The YANG definition for the module-tag parameter:

      leaf-list module-tag {
        type string {
          length "1 .. 1023";
        }
        description
          "Include only data nodes that match the module-tag.

           Multiple module-tag parameters are combined as a
           logical OR expression. Matching any tag value will
           cause the data node to be included.

           It is not an error to include an unknown module-tag.
           Such tag values will simply be treated as a 'false'
           match result, when evaluating the filter.

           If any module-tag parameters are provided at all,
           and there are no matches found, then no data will be
           returned in the response.";
      }

Configuring NACM Access Control Rules with Module Tags

The module-tag parameter can be used within the NACM "rule" list
The "module-tags" case is added to the "rule-type" choice
The module tags select all content from the mapped modules, and can apply to all types of NACM rules

In this example, a rule is configured to allow the "test" group all access to the module tag "test":

This will allow all access to the modules named "test", "test1", and "test2".

 <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
   <groups>
    <group>
     <name>admin</name>
     <user-name>admin</user-name>
    </group>
    <group>
     <name>test</name>
     <user-name>andy</user-name>
     <user-name>diag</user-name>
    </group>
   </groups>
   <rule-list>
    <name>test-write-ok</name>
    <group>test</group>
    <rule>
     <name>r1</name>
     <module-name>*</module-name>
     <access-operations>*</access-operations>
     <action>permit</action>
     <comment>allow full access to test modules</comment>
     <module-tag xmlns="http://yumaworks.com/ns/yumaworks-system">test</module-tag>
    </rule>
   </rule-list>
  </nacm>

YumaWorks

Please try our Online Documentation first.

How can we help you today?

Using Module Tags Print

Please try our Online Documentation first.

How can we help you today?

Using Module Tags Print

Related Articles