Add gNSI Authz, Certz, and Pathz YANG models

kanchanavelusamy · kanchanavelusamy · commit 4934e7120f3e · 2025-11-05T18:04:45.000Z
This PR introduces the new YANG models for gNSI Authz, Certz, and Pathz.
And, updates the list to include the new models.
diff --git a/config/transformer/models_list b/config/transformer/models_list
@@ -11,3 +11,7 @@ openconfig-if-aggregate.yang
 openconfig-mclag.yang
 openconfig-mclag-annot.yang
 openconfig-vlan.yang
+gnsi-authz.yang
+gnsi-pathz.yang
+gnsi-certz.yang
+openconfig-system-annot.yang
diff --git a/models/yang/annotations/openconfig-system-annot.yang b/models/yang/annotations/openconfig-system-annot.yang
@@ -0,0 +1,26 @@
+module openconfig-system-annot {
+
+    yang-version "1";
+
+    namespace "http://openconfig.net/yang/openconfig-system-annot";
+    prefix "oc-sys-annot";
+
+    import openconfig-system { prefix oc-sys; }
+    import sonic-extensions {prefix sonic-ext; }
+    import openconfig-system-grpc { prefix oc-sys-grpc; }
+
+    deviation /oc-sys:system/oc-sys:aaa/oc-sys:authorization/oc-sys:state {
+      deviate add {
+        sonic-ext:db-name "STATE_DB";
+        sonic-ext:subtree-transformer "authz_policy_xfmr";
+      }
+    }
+ 
+    deviation /oc-sys:system/oc-sys-grpc:grpc-servers {
+        deviate add {
+            sonic-ext:key-transformer "grpc_server_key_xfmr";
+            sonic-ext:subtree-transformer "grpc_server_xfmr";
+        }
+    }
+}
+
diff --git a/models/yang/gnsi-authz.yang b/models/yang/gnsi-authz.yang
@@ -0,0 +1,155 @@
+module gnsi-authz {
+    yang-version 1.1;
+    namespace "https://github.com/openconfig/gnsi/authz/yang";
+    prefix gnsi-authz;
+    import openconfig-system {
+        prefix oc-sys;
+    }
+    import openconfig-system-grpc {
+        prefix oc-sys-grpc;
+    }
+    import openconfig-types {
+        prefix oc-types;
+    }
+    import openconfig-yang-types {
+        prefix oc-yang;
+    }
+    organization
+        "Google LLC";
+    contact
+        "Google LLC";
+    description
+        "This module provides a data model for the metadata of the gRPC
+         authorization policies installed on a networking device.";
+    revision 2022-10-30 {
+        description
+            "Adds success/failure counters.";
+        reference "0.3.0";
+    }
+    revision 2022-08-01 {
+        description
+            "Single authz policy.";
+        reference "0.2.0";
+    }
+    revision 2022-01-17 {
+        description
+            "Initial revision.";
+        reference "0.1.0";
+    }
+    typedef version {
+        type string;
+        description
+            "The version ID of the gRPC authorization policy as provided by
+             the gRPC Authorization Policy Manager when the policy was pushed.
+             This leaf persists through a reboot.";
+    }
+    typedef created-on {
+        type oc-types:timeticks64;
+        description
+            "The creation time of the gRPC authorization policy as reported by
+             the gRPC Authorization Policy manager when the policy was pushed
+             to the device. This value is reported as nanoseconds since epoch
+             (January 1st, 1970 00:00:00 GMT). This leaf persists through
+             a reboot.";
+    }
+    // gRPC server authorization policy related definitions.
+    grouping counters {
+        description
+          "A collection of counters that were collected by the gNSI.authz
+           module while evaluating access to a RPC.";
+        leaf access-rejects {
+            type oc-yang:counter64;
+            description
+              "The total number of times the gNSI.authz module denied access
+               to a RPC.";
+        }
+        leaf last-access-reject {
+            type oc-types:timeticks64;
+            description
+              "A timestamp of the last time the gNSI.authz denied access to
+               a RPC.";
+        }
+        leaf access-accepts {
+            type oc-yang:counter64;
+            description
+              "The total number of times the gNSI.authz module allowed access
+               to a RPC.";
+        }
+        leaf last-access-accept {
+            type oc-types:timeticks64;
+            description
+              "A timestamp of the last time the gNSI.authz allowed access to
+               a RPC.";
+        }
+    }
+    grouping grpc-server-user-authz-policy-success-failure-counters {
+        description
+          "A collection of counters collected by the gNSI.authz module.";
+        container rpcs {
+            description
+              "A collection of counters collected by the gNSI.authz module
+               for each RPC separately.";
+            list rpc {
+                description
+                  "A collection of counters collected by the gNSI.authz module
+                   for a RPC identified by the `name`.";
+                key name;
+                leaf name {
+                    type leafref {
+                        path "../state/name";
+                    }
+                    description
+                      "The name of the RPC the counters were collected for.";
+                }
+                container state {
+                    leaf name {
+                        type string;
+                        description
+                            "The name of the RPC the counters were collected
+                             for.";
+                    }
+                    uses counters;
+                }
+            }
+        }
+    }
+    grouping grpc-server-authz-policy-success-failure-counters {
+        description
+          "A collection of counters collected by the gNSI.authz module.";
+        container authz-policy-counters {
+            description
+              "A collection of counters collected by the gNSI.authz module.";
+            config false;
+            uses grpc-server-user-authz-policy-success-failure-counters;
+        }
+    }
+    grouping grpc-server-authz-policy-state {
+        description
+            "gNMI server's gRPC authorization policy freshness-related data.";
+        leaf grpc-authz-policy-version {
+            type version;
+            description
+                "The version of the gRPC authorization policy that is used by
+                 this system.";
+        }
+        leaf grpc-authz-policy-created-on {
+            type created-on;
+            description
+                "The timestamp of the moment when the gRPC authorization policy
+                that is currently used by this system was created.";
+        }
+    }
+    // Augments section.
+    augment "/oc-sys:system/oc-sys:aaa/oc-sys:authorization/" +
+            "oc-sys:state" {
+        description
+            "A system's gRPC authorization policy freshness information.";
+        uses grpc-server-authz-policy-state;
+    }
+    augment "/oc-sys:system/oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" {
+        description
+            "Counters collected while evaluating access to a gRPC server using
+             the gNSI.authz authorization policy.";
+        uses grpc-server-authz-policy-success-failure-counters;
+    }
+}
diff --git a/models/yang/gnsi-certz.yang b/models/yang/gnsi-certz.yang
@@ -0,0 +1,187 @@
+module gnsi-certz {
+    yang-version 1.1;
+    namespace "https://github.com/openconfig/gnsi/certz/yang";
+    prefix gnsi-certz;
+
+    import openconfig-system {
+        prefix oc-sys;
+    }
+    import openconfig-system-grpc {
+        prefix oc-sys-grpc;
+    }
+    import openconfig-types {
+        prefix oc-types;
+    }
+    import openconfig-yang-types {
+        prefix oc-yang;
+    }
+    organization
+        "Google LLC";
+
+    contact
+        "Google LLC";
+
+    description
+        "This module provides a data model for the metadata of gRPC credentials
+        installed on a networking device.";
+
+    revision 2023-02-13 {
+        description
+            "rename access/reject counters";
+        reference "0.5.0";
+    }
+
+    revision 2023-08-24 {
+        description
+            "Adds ssl-profile-id leaf";
+        reference "0.4.0";
+    }
+
+    revision 2023-05-10 {
+        description
+            "Adds authentication policy freshness information.";
+        reference "0.3.0";
+    }
+
+    revision 2022-10-30 {
+        description
+            "Adds success/failure counters.";
+        reference "0.2.0";
+    }
+
+    revision 2022-09-20 {
+        description
+            "Initial revision.";
+        reference "0.1.0";
+    }
+
+    typedef version {
+        type string;
+        description
+            "The version ID of the credential as provided by the credential
+            manager when the credential was pushed. This leaf persists through
+            a reboot.";
+    }
+
+    typedef created-on {
+        type oc-types:timeticks64;
+        description
+            "The creation time of the credential as reported by the credential
+            manager when the credential was pushed to the device. This value is
+            reported as nanoseconds since epoch (January 1st, 1970 00:00:00 GMT).
+            This leaf persists through a reboot.";
+    }
+    // gRPC server related definitions.
+    // Success/failure counters.
+    grouping counters {
+        description
+            "A collection of counters that were collected while attempting
+            to establish connections to the gRPC server.";
+
+        container counters {
+            config false;
+            description
+            "A collection of counters that were collected by the gRPC during
+            the authentication process.";
+
+            leaf connection-rejects {
+                type oc-yang:counter64;
+                description
+               "The total number of times that gRPC clients have failed
+               in establishing a connection to the server.";
+            }
+            leaf last-connection-reject {
+                type oc-types:timeticks64;
+                description
+                "A timestamp of the last time a gRPC client failed
+                in establishing a connection to the server.";
+            }
+            leaf connection-accepts {
+                type oc-yang:counter64;
+                description
+                "The total number of times that gRPC clients have succeeded
+                in establishing a connection to the server.";
+            }
+            leaf last-connection-accept {
+                type oc-types:timeticks64;
+                description
+                "A timestamp of the last time a gRPC client succeeded
+                in establishing a connection to the server.";
+            }
+        }
+    }
+
+    grouping grpc-server-credentials-state {
+        description
+            "gRPC server credentials freshness-related data.";
+
+        leaf certificate-version {
+            type version;
+            description
+                "The version of the certificate (and associated
+                private key) that is used by this gRPC server.";
+        }
+        leaf certificate-created-on {
+            type created-on;
+            description
+                "The timestamp of the moment when the certificate
+                (and associated private key) that is currently used
+                by this gRPC server was created.";
+        }
+        leaf ca-trust-bundle-version {
+            type version;
+            description
+                "The version of the bundle of the Certificate
+                Authority certificates a.k.a. trust bundle used by
+                this gRPC server.";
+        }
+        leaf ca-trust-bundle-created-on {
+            type created-on;
+            description
+                "The timestamp of the moment when the bundle of
+                the Certificate Authority certificates (a.k.a.
+                trust bundle) was created.";
+        }
+        leaf certificate-revocation-list-bundle-version {
+            type version;
+            description
+                "The version of the Certificate Revocation List bundle used by
+                this gRPC server.";
+        }
+        leaf certificate-revocation-list-bundle-created-on {
+            type created-on;
+            description
+                "The timestamp of the moment when the Certificate Revocation
+                List bundle was created.";
+        }
+        leaf authentication-policy-version {
+            type version;
+            description
+                "The version of the authentication policy that is used by
+                this gRPC server.";
+        }
+        leaf authentication-policy-created-on {
+            type created-on;
+            description
+                "The timestamp of the moment when the authentication policy
+                that is currently used by this gRPC server was created.";
+        }
+        leaf ssl-profile-id {
+            type string;
+            description
+                "The ID of this gRPC server's SSL profile
+                as used by the gNSI Certz service";
+        }
+    }
+
+    // Augments section.
+
+    augment "/oc-sys:system/oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server/" +
+            "oc-sys-grpc:state" {
+        description
+            "A gRPC server credentials freshness information.";
+
+        uses grpc-server-credentials-state;
+        uses counters;
+    }
+}
diff --git a/models/yang/gnsi-pathz.yang b/models/yang/gnsi-pathz.yang
