module openconfig-aaa-types {
  yang-version 1;
  namespace "http://openconfig.net/yang/aaa/types";
  prefix oc-aaa-types;

  import openconfig-extensions {
    prefix oc-ext;
  }

  organization
    "OpenConfig working group";
  contact
    "OpenConfig working group
     www.openconfig.net";
  description
    "This module defines shared types for data related to AAA
     (authentication, authorization, accounting).";

  revision 2018-11-21 {
    description
      "Add OpenConfig module metadata extensions.";
    reference
      "0.4.1";
  }
  revision 2018-04-12 {
    description
      "Add when conditions, correct identities";
    reference
      "0.4.0";
  }
  revision 2017-09-18 {
    description
      "Updated to use OpenConfig types modules";
    reference
      "0.3.0";
  }
  revision 2017-07-06 {
    description
      "Move to oc-inet types, add IETF attribution, add RADIUS
       counters, changed password leaf names to indicate hashed";
    reference
      "0.2.0";
  }
  revision 2017-01-29 {
    description
      "Initial public release";
    reference
      "0.1.0";
  }

  oc-ext:openconfig-version "0.4.1";
  oc-ext:regexp-posix;
  oc-ext:catalog-organization "openconfig";
  oc-ext:origin "openconfig";

  // Root of the AAA server-type identity tree.  No identity in this
  // module derives from it.
  // NOTE(review): presumably protocol-specific modules that import
  // oc-aaa-types supply the derived identities; confirm against them.
  identity AAA_SERVER_TYPE {
    description
      "Base identity for types of AAA servers";
  }

  identity SYSTEM_DEFINED_ROLES {
    description
      "Base identity for system-defined roles that can be assigned
       to users.";
  }

  // The only role derived from SYSTEM_DEFINED_ROLES in this module.
  // It is described as superuser-equivalent for both configuration and
  // operational commands, so assignments of this role are worth
  // restricting and auditing (least privilege).
  identity SYSTEM_ROLE_ADMIN {
    base SYSTEM_DEFINED_ROLES;
    description
      "Built-in role that allows the equivalent of superuser
       permission for all configuration and operational commands
       on the device.";
  }

  identity AAA_ACCOUNTING_EVENT_TYPE {
    description
      "Base identity for specifying event types that should be
       sent to AAA server for accounting";
  }

  // Accounting events declared in this module: interactive commands
  // and logins.  No other identity here derives from
  // AAA_ACCOUNTING_EVENT_TYPE.
  // NOTE(review): any further event class wanted in the audit trail
  // would need an identity from another module; confirm what the
  // target device actually reports.
  identity AAA_ACCOUNTING_EVENT_COMMAND {
    base AAA_ACCOUNTING_EVENT_TYPE;
    description
      "Specifies interactive command events for AAA accounting";
  }

  identity AAA_ACCOUNTING_EVENT_LOGIN {
    base AAA_ACCOUNTING_EVENT_TYPE;
    description
      "Specifies login events for AAA accounting";
  }

  // Authorization event family: one base identity plus the two derived
  // identities declared in this module (COMMAND and CONFIG).  They name
  // the activities that are sent to the AAA server for authorization.
  identity AAA_AUTHORIZATION_EVENT_TYPE {
    description
      "Base identity for specifying activities that should be
       sent to AAA server for authorization";
  }

  identity AAA_AUTHORIZATION_EVENT_COMMAND {
    base AAA_AUTHORIZATION_EVENT_TYPE;
    description
      "Specifies interactive command events for AAA authorization";
  }

  identity AAA_AUTHORIZATION_EVENT_CONFIG {
    base AAA_AUTHORIZATION_EVENT_TYPE;
    description
      "Specifies configuration (e.g., EXEC) events for AAA
       authorization";
  }

  // Well-known AAA methods.  TACACS_ALL and RADIUS_ALL each name the
  // whole group of servers of that protocol; LOCAL names the locally
  // configured method.
  // NOTE(review): the order in which methods are tried, and whether
  // LOCAL acts as a fallback when remote servers are unreachable, is
  // not specified in this module; confirm in the model that consumes
  // these identities.
  identity AAA_METHOD_TYPE {
    description
      "Base identity to define well-known methods for AAA
       operations";
  }

  identity TACACS_ALL {
    base AAA_METHOD_TYPE;
    description
      "The group of all TACACS+ servers.";
  }

  identity RADIUS_ALL {
    base AAA_METHOD_TYPE;
    description
      "The group of all RADIUS servers.";
  }

  identity LOCAL {
    base AAA_METHOD_TYPE;
    description
      "Locally configured method for AAA operations.";
  }

  // Carries a password hash in Unix crypt "$id$..." notation, not a
  // cleartext password.  The underlying type is an unrestricted string:
  // no pattern or length statement is attached here, so this typedef
  // does not itself reject malformed values or weak hash ids.
  // NOTE(review): id 1 (MD5-crypt) is widely regarded as too weak for
  // new deployments; where the target device supports them, prefer
  // ids 5/6 (SHA-crypt) or 2a/2y (listed below as Blowfish, i.e. bcrypt).
  // NOTE(review): hashed values remain open to offline guessing, so
  // leaves of this type should be access-controlled and kept out of
  // logs and telemetry; confirm how consuming modules expose them.
  typedef crypt-password-type {
    type string; // no pattern/length restriction in this revision
    description
      "A password that is hashed based on the hash algorithm
       indicated by the prefix in the string.  The string
       takes the following form, based on the Unix crypt function:

       $<id>[$<param>=<value>(,<param>=<value>)*][$<salt>[$<hash>]]

       Common hash functions include:

       id  | hash function
       ---+---------------
        1 | MD5
        2a| Blowfish
        2y| Blowfish (correct handling of 8-bit chars)
        5 | SHA-256
        6 | SHA-512

       These may not all be supported by a target device.";
  }
}