module aaa {
    yang-version 1;
    namespace "urn:opendaylight:params:xml:ns:yang:aaa";
    prefix "aaa";

    revision "2016-12-14" {
        description "Initial revision of aaa model";
    }

    grouping user {
        leaf userid {
            type string;
            description "An internal wiring detail in the form 'name@domain'.";
        }
        leaf name {
            type string;
            description "The name of the user.";
        }
        leaf description {
            type string;
            default "";
            description "A description for the user;  defaults to the empty string.";
        }
        leaf enabled {
            type boolean;
            default true;
            description "Whether or not the user is enabled;  defaults to true.";
        }
        leaf email {
            type string;
            default "";
            description "An email address for the user;  defaults to the empty string.";
        }
        leaf password {
            type string;
            description "A one-way hashed and salted version of the users password.";
        }
        leaf salt {
            type string;
            description "A user-specific salt used for password hashing.";
        }
        leaf domainid {
            type string;
            description "The domain to which the user belongs.";
        }
    }

    grouping domain {
        leaf domainid {
            type string;
            description "An internal wiring detail in the form 'name'.";
        }
        leaf name {
            type string;
            description "The name of the domain.";
        }
        leaf description {
            type string;
            default "";
            description "A description for the domain;  defaults to the empty string.";
        }
    }

    grouping role {
        leaf roleid {
            type string;
            description "An internal wiring detail in the form 'name'.";
        }
        leaf name {
            type string;
            description "The name for the role.";
        }
        leaf description {
            type string;
            default "";
            description "A description of the role;  defaults to the empty string.";
        }
        leaf domainid {
            type string;
            description "The domain associated with the role.";
        }
    }

    grouping grant {
        leaf grantid {
            type string;
            description "An internal wiring detail in the form 'userid@roleid@domainid'.";
        }
        leaf domainid {
            type string;
            description "A reference to the domain.";
        }
        leaf userid {
            type string;
            description "A reference to the user.";
        }
        leaf roleid {
            type string;
            description "A reference to the role.";
        }
    }

    container authentication {

        container domains {
            list domains {
                key domainid;
                uses domain;
            }
        }

        container users {
            list users {
                key userid;
                uses user;
            }
        }

        container roles {
            list roles {
                key roleid;
                uses role;
            }
        }

        container grants {
            list grants {
                key grantid;
                uses grant;
            }
        }
    }

    grouping http-permission {
        leaf resource {
            type string;
            default "*";
        }
        leaf index {
            type uint32;
            mandatory true;
        }
        list permissions {
            leaf-list actions {
                type enumeration {
                    enum get;
                    enum put;
                    enum post;
                    enum patch;
                    enum delete;
                }
            }
            leaf role {
                type string;
            }
        }
        leaf description {
            type string;
            default "";
        }
    }

    container http-authorization {

        container policies {
            list policies {
                key "resource";
                unique "index";
                uses http-permission;
                ordered-by user;
            }
        }
    }
}