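--- a/config/transformer/models_list
+++ b/config/transformer/models_list
@@ -11,3 +11,8 @@ openconfig-if-aggregate.yang
 openconfig-mclag.yang
 openconfig-mclag-annot.yang
 openconfig-vlan.yang
+gnsi-authz.yang
+gnsi-pathz.yang
+gnsi-certz.yang
+gnsi-credentialz.yang
+openconfig-system-annot.yang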
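--- a/models/yang/annotations/openconfig-system-annot.yang
+++ b/models/yang/annotations/openconfig-system-annot.yang
@@ -0,0 +1,25 @@
+module openconfig-system-annot {
+
+   yang-version "1";
+
+   namespace "http://openconfig.net/yang/openconfig-system-annot";
+   prefix "oc-sys-annot";
+
+   import openconfig-system { prefix oc-sys; }
+   import sonic-extensions {prefix sonic-ext; }
+import openconfig-system-grpc { prefix oc-sys-grpc; }
+
+   deviation /oc-sys:system/oc-sys:aaa/oc-sys:authorization/oc-sys:state {
+     deviate add {
+       sonic-ext:db-name "STATE_DB";
+       sonic-ext:subtree-transformer "authz_policy_xfmr";
+     }
+   }
+
+deviation /oc-sys:system/oc-sys-grpc:grpc-servers {
+deviate add {
+sonic-ext:key-transformer "grpc_server_key_xfmr";
+sonic-ext:subtree-transformer "grpc_server_xfmr";
+}
+}
+}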
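Review bot: The first deviation binds `/system/aaa/authorization/state` to `STATE_DB`, but the gnsi-authz leaves that land there (`grpc-authz-policy-version`, `grpc-authz-policy-created-on`) are described in that model as persisting through a reboot; in SONiC, STATE_DB is ordinarily not preserved across reboots, so either `authz_policy_xfmr` must repopulate it from persistent storage at startup or the persistence promise should be qualified in a comment here — confirm which is intended. The `grpc-servers` deviation carries no `sonic-ext:db-name`, unlike the first one; if `grpc_server_xfmr` resolves its own table that is fine, but a one-line comment such as `// table selection is done inside grpc_server_xfmr` would make the asymmetry deliberate rather than accidental. The second deviation and the `openconfig-system-grpc` import are also at column 0 while the rest of the module is indented; match the surrounding indentation.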
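--- a/models/yang/gnsi-authz.yang
+++ b/models/yang/gnsi-authz.yang
@@ -0,0 +1,155 @@
+module gnsi-authz {
+yang-version 1.1;
+namespace "https://github.com/openconfig/gnsi/authz/yang";
+prefix gnsi-authz;
+import openconfig-system {
+prefix oc-sys;
+}
+import openconfig-system-grpc {
+prefix oc-sys-grpc;
+}
+import openconfig-types {
+prefix oc-types;
+}
+import openconfig-yang-types {
+prefix oc-yang;
+}
+organization
+"Google LLC";
+contact
+"Google LLC";
+description
+"This module provides a data model for the metadata of the gRPC
+authorization policies installed on a networking device.";
+revision 2022-10-30 {
+description
+"Adds success/failure counters.";
+reference "0.3.0";
+}
+revision 2022-08-01 {
+description
+"Single authz policy.";
+reference "0.2.0";
+}
+revision 2022-01-17 {
+description
+"Initial revision.";
+reference "0.1.0";
+}
+typedef version {
+type string;
+description
+"The version ID of the gRPC authorization policy as provided by
+the gRPC Authorization Policy Manager when the policy was pushed.
+This leaf persists through a reboot.";
+}
+typedef created-on {
+type oc-types:timeticks64;
+description
+"The creation time of the gRPC authorization policy as reported by
+the gRPC Authorization Policy manager when the policy was pushed
+to the device. This value is reported as nanoseconds since epoch
+(January 1st, 1970 00:00:00 GMT). This leaf persists through
+a reboot.";
+}
+// gRPC server authorization policy related definitions.
+grouping counters {
+description
+"A collection of counters that were collected by the gNSI.authz
+module while evaluating access to a RPC.";
+leaf access-rejects {
+type oc-yang:counter64;
+description
+"The total number of times the gNSI.authz module denied access
+to a RPC.";
+}
+leaf last-access-reject {
+type oc-types:timeticks64;
+description
+"A timestamp of the last time the gNSI.authz denied access to
+a RPC.";
+}
+leaf access-accepts {
+type oc-yang:counter64;
+description
+"The total number of times the gNSI.authz module allowed access
+to a RPC.";
+}
+leaf last-access-accept {
+type oc-types:timeticks64;
+description
+"A timestamp of the last time the gNSI.authz allowed access to
+a RPC.";
+}
+}
+grouping grpc-server-user-authz-policy-success-failure-counters {
+description
+"A collection of counters collected by the gNSI.authz module.";
+container rpcs {
+description
+"A collection of counters collected by the gNSI.authz module
+for each RPC separately.";
+list rpc {
+description
+"A collection of counters collected by the gNSI.authz module
+for a RPC identified by the `name`.";
+key name;
+leaf name {
+type leafref {
+path "../state/name";
+}
+description
+"The name of the RPC the counters were collected for.";
+}
+container state {
+leaf name {
+type string;
+description
+"The name of the RPC the counters were collected
+for.";
+}
+uses counters;
+}
+}
+}
+}
+grouping grpc-server-authz-policy-success-failure-counters {
+description
+"A collection of counters collected by the gNSI.authz module.";
+container authz-policy-counters {
+description
+"A collection of counters collected by the gNSI.authz module.";
+config false;
+uses grpc-server-user-authz-policy-success-failure-counters;
+}
+}
+grouping grpc-server-authz-policy-state {
+description
+"gNMI server's gRPC authorization policy freshness-related data.";
+leaf grpc-authz-policy-version {
+type version;
+description
+"The version of the gRPC authorization policy that is used by
+this system.";
+}
+leaf grpc-authz-policy-created-on {
+type created-on;
+description
+"The timestamp of the moment when the gRPC authorization policy
+that is currently used by this system was created.";
+}
+}
+// Augments section.
+augment "/oc-sys:system/oc-sys:aaa/oc-sys:authorization/" +
+"oc-sys:state" {
+description
+"A system's gRPC authorization policy freshness information.";
+uses grpc-server-authz-policy-state;
+}
+augment "/oc-sys:system/oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" {
+description
+"Counters collected while evaluating access to a gRPC server using
+the gNSI.authz authorization policy.";
+uses grpc-server-authz-policy-success-failure-counters;
+}
+}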
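Review bot: This model is copied from openconfig/gnsi but nothing in the file records which upstream revision it was taken from, which matters for a model that exposes the authorization-policy version and per-RPC accept/reject counters consumed by operators; a header comment such as `// Vendored from https://github.com/openconfig/gnsi (authz 0.3.0, revision 2022-10-30); keep in sync with upstream.` would make later drift detectable. The `grpc-server-authz-policy-state` grouping describes itself as "gNMI server's" freshness data, but it is applied to the system-wide `/system/aaa/authorization/state` node, so the description is narrower than the usage; if this is kept as-is to match upstream, say so in a comment rather than editing upstream text. As printed, the whole file has lost its indentation; presumably that is page rendering rather than the committed content, but worth confirming before merge.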
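--- a/models/yang/gnsi-certz.yang
+++ b/models/yang/gnsi-certz.yang
@@ -0,0 +1,187 @@
+module gnsi-certz {
+yang-version 1.1;
+namespace "https://github.com/openconfig/gnsi/certz/yang";
+prefix gnsi-certz;
+
+import openconfig-system {
+prefix oc-sys;
+}
+import openconfig-system-grpc {
+prefix oc-sys-grpc;
+}
+import openconfig-types {
+prefix oc-types;
+}
+import openconfig-yang-types {
+prefix oc-yang;
+}
+organization
+"Google LLC";
+
+contact
+"Google LLC";
+
+description
+"This module provides a data model for the metadata of gRPC credentials
+installed on a networking device.";
+
+revision 2023-02-13 {
+description
+"rename access/reject counters";
+reference "0.5.0";
+}
+
+revision 2023-08-24 {
+description
+"Adds ssl-profile-id leaf";
+reference "0.4.0";
+}
+
+revision 2023-05-10 {
+description
+"Adds authentication policy freshness information.";
+reference "0.3.0";
+}
+
+revision 2022-10-30 {
+description
+"Adds success/failure counters.";
+reference "0.2.0";
+}
+
+revision 2022-09-20 {
+description
+"Initial revision.";
+reference "0.1.0";
+}
+
+typedef version {
+type string;
+description
+"The version ID of the credential as provided by the credential
+manager when the credential was pushed. This leaf persists through
+a reboot.";
+}
+
+typedef created-on {
+type oc-types:timeticks64;
+description
+"The creation time of the credential as reported by the credential
+manager when the credential was pushed to the device. This value is
+reported as nanoseconds since epoch (January 1st, 1970 00:00:00 GMT).
+This leaf persists through a reboot.";
+}
+// gRPC server related definitions.
+// Success/failure counters.
+grouping counters {
+description
+"A collection of counters that were collected while attempting
+to establish connections to the gRPC server.";
+
+container counters {
+config false;
+description
+"A collection of counters that were collected by the gRPC during
+the authentication process.";
+
+leaf connection-rejects {
+type oc-yang:counter64;
+description
+"The total number of times that gRPC clients have failed
+in establishing a connection to the server.";
+}
+leaf last-connection-reject {
+type oc-types:timeticks64;
+description
+"A timestamp of the last time a gRPC client failed
+in establishing a connection to the server.";
+}
+leaf connection-accepts {
+type oc-yang:counter64;
+description
+"The total number of times that gRPC clients have succeeded
+in establishing a connection to the server.";
+}
+leaf last-connection-accept {
+type oc-types:timeticks64;
+description
+"A timestamp of the last time a gRPC client succeeded
+in establishing a connection to the server.";
+}
+}
+}
+
+grouping grpc-server-credentials-state {
+description
+"gRPC server credentials freshness-related data.";
+
+leaf certificate-version {
+type version;
+description
+"The version of the certificate (and associated
+private key) that is used by this gRPC server.";
+}
+leaf certificate-created-on {
+type created-on;
+description
+"The timestamp of the moment when the certificate
+(and associated private key) that is currently used
+by this gRPC server was created.";
+}
+leaf ca-trust-bundle-version {
+type version;
+description
+"The version of the bundle of the Certificate
+Authority certificates a.k.a. trust bundle used by
+this gRPC server.";
+}
+leaf ca-trust-bundle-created-on {
+type created-on;
+description
+"The timestamp of the moment when the bundle of
+the Certificate Authority certificates (a.k.a.
+trust bundle) was created.";
+}
+leaf certificate-revocation-list-bundle-version {
+type version;
+description
+"The version of the Certificate Revocation List bundle used by
+this gRPC server.";
+}
+leaf certificate-revocation-list-bundle-created-on {
+type created-on;
+description
+"The timestamp of the moment when the Certificate Revocation
+List bundle was created.";
+}
+leaf authentication-policy-version {
+type version;
+description
+"The version of the authentication policy that is used by
+this gRPC server.";
+}
+leaf authentication-policy-created-on {
+type created-on;
+description
+"The timestamp of the moment when the authentication policy
+that is currently used by this gRPC server was created.";
+}
+leaf ssl-profile-id {
+type string;
+description
+"The ID of this gRPC server's SSL profile
+as used by the gNSI Certz service";
+}
+}
+
+// Augments section.
+
+augment "/oc-sys:system/oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server/" +
+"oc-sys-grpc:state" {
+description
+"A gRPC server credentials freshness information.";
+
+uses grpc-server-credentials-state;
+uses counters;
+}
+}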
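Review bot: The revision history is out of order: `revision 2023-02-13` (reference "0.5.0") is listed first but is dated earlier than `revision 2023-08-24` ("0.4.0") that follows it, whereas RFC 7950 requires revisions in reverse chronological order, and yang tooling such as pyang reports this as a warning or error depending on strictness. The version numbers suggest the 0.5.0 date is the wrong one (it should post-date 2023-08-24); since this file is vendored from openconfig/gnsi, either check it against the upstream copy and pin that commit in a header comment, or correct the date here with a comment such as `// NOTE: date corrected locally; upstream revision history lists 0.5.0 out of order` so the local divergence is visible. Separately, `grouping counters` wraps a `config false` container that is only ever used under `oc-sys-grpc:state`, which is already operational state; harmless, but a short comment noting the redundancy would save the next reader from wondering whether the container is used elsewhere.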