getschema on acm yang module results in invalid version of the model #71

Closed
joanlandry opened this issue Nov 30, 2016 · 5 comments

joanlandry commented Nov 30, 2016

When I do a get-schema on ietf-netconf-acm@2012-02-22.yang I get a bad version of the YANG model. It is much different from the one I installed and that exists in the /etc/sysrepo/yang directory.
I have no idea where it is coming from.

You can see that the one that is correct and was loaded has prefix "nacm"; the one that gets sent has prefix nacm. However, this is not the only difference, as there are missing extension statements and other things.

I have searched everywhere and have not been able to determine where this invalid version of the ACM YANG model is. I tried uninstalling and installing the module, and nothing works.

The /etc/sysrepo/yang directory contains the following YANG model:

[root@Florida yang]# ls -l ietf-netconf-acm*
-rw-r--r--. 1 root root 12711 Nov 30 12:45 ietf-netconf-acm@2012-02-22.yang

root@156-23 yang]# more ietf-netconf-acm\@2012-02-22.yang 
module ietf-netconf-acm {
  namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";
  prefix "nacm";
  import ietf-yang-types {
    prefix yang;
  }
  organization
    "IETF NETCONF (Network Configuration) Working Group";
  contact
    "WG Web:   <http://tools.ietf.org/wg/netconf/>
     WG List:  <mailto:netconf@ietf.org>
     WG Chair: Mehmet Ersue
               <mailto:mehmet.ersue@nsn.com>
     WG Chair: Bert Wijnen
               <mailto:bertietf@bwijnen.net>
     Editor:   Andy Bierman
               <mailto:andy@yumaworks.com>
     Editor:   Martin Bjorklund
               <mailto:mbj@tail-f.com>";
  description
    "NETCONF Access Control Model.
     Copyright (c) 2012 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.
     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (http://trustee.ietf.org/license-info).
     This version of this YANG module is part of RFC 6536; see
     the RFC itself for full legal notices.";
  revision "2012-02-22" {
    description
      "Initial version";
    reference
      "RFC 6536: Network Configuration Protocol (NETCONF)
                 Access Control Model";
  }
  /*
   * Extension statements
   */
  extension default-deny-write {
    description
      "Used to indicate that the data model node
       represents a sensitive security system parameter.
       If present, and the NACM module is enabled (i.e.,
       /nacm/enable-nacm object equals 'true'), the NETCONF server
       will only allow the designated 'recovery session' to have
--More--(14%)

which is not what gets sent via get-schema.

netopeer2

netopeer2-server[25067]: Session 1: received message:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="6">
    <get-schema xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">
  <identifier>ietf-netconf-acm</identifier>
  <version>2012-02-22</version>
  <format>yang</format>
</get-schema>
</rpc>

netopeer2-server[25067]: DICT: inserting "rpc" with collision 
netopeer2-server[25067]: DICT: inserting (refcount) "urn:ietf:params:xml:ns:netconf:base:1.0"
netopeer2-server[25067]: DICT: inserting "message-id" with collision 
netopeer2-server[25067]: DICT: inserting "6" with collision 
netopeer2-server[25067]: DICT: inserting (refcount) "get-schema"
netopeer2-server[25067]: DICT: inserting (refcount) "urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring"
netopeer2-server[25067]: DICT: inserting (refcount) "identifier"
netopeer2-server[25067]: DICT: inserting (refcount) "ietf-netconf-acm"
netopeer2-server[25067]: DICT: inserting (refcount) "version"
netopeer2-server[25067]: DICT: inserting "2012-02-22" with collision 
netopeer2-server[25067]: DICT: inserting (refcount) "format"
netopeer2-server[25067]: DICT: inserting (refcount) "yang"
netopeer2-server[25067]: DICT: inserting (refcount) ""
netopeer2-server[25067]: DICT: inserting (refcount) ""
netopeer2-server[25067]: DICT: inserting (refcount) "yang"
netopeer2-server[25067]: Resolving unresolved data nodes and their constraints...
netopeer2-server[25067]: All data nodes and constraints resolved.
netopeer2-server[25067]: DICT: inserting "module ietf-netconf-acm {
  namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";
  prefix nacm;

  import ietf-yang-types {
    prefix yang;
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group";
  contact
    "WG Web:   <http://tools.ietf.org/wg/netconf/>
     WG List:  <mailto:netconf@ietf.org>
     WG Chair: Mehmet Ersue
               <mailto:mehmet.ersue@nsn.com>
     WG Chair: Bert Wijnen
               <mailto:bertietf@bwijnen.net>
     Editor:   Andy Bierman
               <mailto:andy@yumaworks.com>
     Editor:   Martin Bjorklund
               <mailto:mbj@tail-f.com>";
  description
    "NETCONF Access Control Model.
     Copyright (c) 2012 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.
     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of
netopeer2-server[25067]: Session 1: sending message:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="6"><data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">module ietf-netconf-acm {
  namespace &quot;urn:ietf:params:xml:ns:yang:ietf-netconf-acm&quot;;
  prefix nacm;

  import ietf-yang-types {
    prefix yang;
  }

  organization
    &quot;IETF NETCONF (Network Configuration) Working Group&quot;;
  contact
    &quot;WG Web:   &lt;http://tools.ietf.org/wg/netconf/&gt;
     WG List:  &lt;mailto:netconf@ietf.org&gt;
     WG Chair: Mehmet Ersue
               &lt;mailto:mehmet.ersue@nsn.com&gt;
     WG Chair: Bert Wijnen
               &lt;mailto:bertietf@bwijnen.net&gt;
     Editor:   Andy Bierman
               &lt;mailto:andy@yumaworks.com&gt;
     Editor:   Martin Bjorklund
               &lt;mailto:mbj@tail-f.com&gt;&quot;;
  description
    &quot;NETCONF Access Control Model.
     Copyright (c) 2012 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.
     Redistribution and use in sourc
[2016/11/30 13:28:34.392473, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2016/11/30 13:28:34.392588, 3] packet_send2:  packet: wrote [len=1052,padding=18,comp=1033,payload=1033]
[2016/11/30 13:28:34.392680, 3] channel_write_common:  channel_write wrote 1024 bytes
netopeer2-server[25067]: Session 1: sending message:
e and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (http://trustee.ietf.org/license-info).
     This version of this YANG module is part of RFC 6536; see
     the RFC itself for full legal notices.&quot;;

  revision &quot;2012-02-22&quot; {
    description
      &quot;Initial version&quot;;
    reference
      &quot;RFC 6536: Network Configuration Protocol (NETCONF)
                 Access Control Model&quot;;
  }

  typedef user-name-type {
    description
      &quot;General Purpose Username string.&quot;;
    type string {
      length &quot;1..max&quot;;
    }
  }

  typedef matchall-string-type {
    description
      &quot;The string containing a single asterisk '*' is used
       to conceptually represent all possible values
       for the particular leaf using this data type.&quot;;
    type
[2016/11/30 13:28:34.394399, 3] packet_send2:  packet: wrote [len=1052,padding=18,comp=1033,payload=1033]
[2016/11/30 13:28:34.394498, 3] channel_write_common:  channel_write wrote 1024 bytes
[2016/11/30 13:28:34.394608, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
netopeer2-server[25067]: Session 1: sending message:
 string {
      pattern &quot;\\*&quot;;
    }
  }

  typedef access-operations-type {
    description
      &quot;NETCONF Access Operation.&quot;;
    type bits {
      bit create {
        description
          &quot;Any protocol operation that creates a
           new data node.&quot;;
      }
      bit read {
        description
          &quot;Any protocol operation or notification that
           returns the value of a data node.&quot;;
      }
      bit update {
        description
          &quot;Any protocol operation that alters an existing
           data node.&quot;;
      }
      bit delete {
        description
          &quot;Any protocol operation that removes a data node.&quot;;
      }
      bit exec {
        description
          &quot;Execution access to the specified protocol operation.&quot;;
      }
    }
  }

  typedef group-name-type {
    description
      &quot;Name of administrative group to which
       users can be assigned.&quot;;
    type string {
      length &quot;1..max
[2016/11/30 13:28:34.397058, 3] packet_send2:  packet: wrote [len=1036,padding=6,comp=1029,payload=1029]
[2016/11/30 13:28:34.397176, 3] channel_write_common:  channel_write wrote 1020 bytes
[2016/11/30 13:28:34.397303, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
netopeer2-server[25067]: Session 1: sending message:
&quot;;
      pattern &quot;[^\\*].*&quot;;
    }
  }

  typedef action-type {
    description
      &quot;Action taken by the server when a particular
       rule matches.&quot;;
    type enumeration {
      enum &quot;permit&quot; {
        description
          &quot;Requested action is permitted.&quot;;
      }
      enum &quot;deny&quot; {
        description
          &quot;Requested action is denied.&quot;;
      }
    }
  }

  typedef node-instance-identifier {
    description
      &quot;Path expression used to represent a special
       data node instance identifier string.
       A node-instance-identifier value is an
       unrestricted YANG instance-identifier expression.
       All the same rules as an instance-identifier apply
       except predicates for keys are optional.  If a key
       predicate is missing, then the node-instance-identifier
       represents all possible server instances for that key.
       This XPath expression is evaluated in the following context:
        o  The set of
[2016/11/30 13:28:34.399457, 3] packet_send2:  packet: wrote [len=1052,padding=18,comp=1033,payload=1033]
[2016/11/30 13:28:34.399686, 3] channel_write_common:  channel_write wrote 1024 bytes
[2016/11/30 13:28:34.399791, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
netopeer2-server[25067]: Session 1: sending message:
 namespace declarations are those in scope on
           the leaf element where this type is used.
        o  The set of variable bindings contains one variable,
           'USER', which contains the name of the user of the current
            session.
        o  The function library is the core function library, but
           note that due to the syntax restrictions of an
           instance-identifier, no functions are allowed.
        o  The context node is the root node in the data tree.&quot;;
    type yang:xpath1.0;
  }

  container nacm {
    nacm:default-deny-all;
    description
      &quot;Parameters for NETCONF Access Control Model.&quot;;
    leaf enable-nacm {
      description
        &quot;Enables or disables all NETCONF access control
         enforcement.  If 'true', then enforcement
         is enabled.  If 'false', then enforcement
         is disabled.&quot;;
      type boolean;
      default &quot;true&quot;;
    }
    leaf read-default {
      description
        &quot;Controls whether 
[2016/11/30 13:28:34.401762, 3] packet_send2:  packet: wrote [len=1052,padding=18,comp=1033,payload=1033]
[2016/11/30 13:28:34.401905, 3] channel_write_common:  channel_write wrote 1024 bytes
[2016/11/30 13:28:34.402020, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
netopeer2-server[25067]: Session 1: sending message:
read access is granted if
         no appropriate rule is found for a
         particular read request.&quot;;
      type action-type;
      default &quot;permit&quot;;
    }
    leaf write-default {
      description
        &quot;Controls whether create, update, or delete access
         is granted if no appropriate rule is found for a
         particular write request.&quot;;
      type action-type;
      default &quot;deny&quot;;
    }
    leaf exec-default {
      description
        &quot;Controls whether exec access is granted if no appropriate
         rule is found for a particular protocol operation request.&quot;;
      type action-type;
      default &quot;permit&quot;;
    }
    leaf enable-external-groups {
      description
        &quot;Controls whether the server uses the groups reported by the
         NETCONF transport layer when it assigns the user to a set of
         NACM groups.  If this leaf has the value 'false', any group
         names reported by the transport layer are ignored by 
[2016/11/30 13:28:34.403562, 3] packet_send2:  packet: wrote [len=1052,padding=18,comp=1033,payload=1033]
[2016/11/30 13:28:34.403683, 3] channel_write_common:  channel_write wrote 1024 bytes
[2016/11/30 13:28:34.403782, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
netopeer2-server[25067]: Session 1: sending message:
the
         server.&quot;;
      type boolean;
      default &quot;true&quot;;
    }
    leaf denied-operations {
      config false;
      mandatory true;
      description
        &quot;Number of times since the server last restarted that a
         protocol operation request was denied.&quot;;
      type yang:zero-based-counter32;
    }
    leaf denied-data-writes {
      config false;
      mandatory true;
      description
        &quot;Number of times since the server last restarted that a
         protocol operation request to alter
         a configuration datastore was denied.&quot;;
      type yang:zero-based-counter32;
    }
    leaf denied-notifications {
      config false;
      mandatory true;
      description
        &quot;Number of times since the server last restarted that
         a notification was dropped for a subscription because
         access to the event type was denied.&quot;;
      type yang:zero-based-counter32;
    }
    container groups {
      description
        &quot;NETCO
[2016/11/30 13:28:34.404862, 3] packet_send2:  packet: wrote [len=1052,padding=18,comp=1033,payload=1033]
[2016/11/30 13:28:34.405011, 3] channel_write_common:  channel_write wrote 1024 bytes
[2016/11/30 13:28:34.405158, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
netopeer2-server[25067]: Session 1: sending message:
NF Access Control Groups.&quot;;
      list group {
        key &quot;name&quot;;
        description
          &quot;One NACM Group Entry.  This list will only contain
           configured entries, not any entries learned from
           any transport protocols.&quot;;
        leaf name {
          description
            &quot;Group name associated with this entry.&quot;;
          type group-name-type;
        }
        leaf-list user-name {
          description
            &quot;Each entry identifies the username of
             a member of the group associated with
             this entry.&quot;;
          type user-name-type;
        }
      }
    }
    list rule-list {
      key &quot;name&quot;;
      description
        &quot;An ordered collection of access control rules.&quot;;
      ordered-by user;
      leaf name {
        description
          &quot;Arbitrary name assigned to the rule-list.&quot;;
        type string {
          length &quot;1..max&quot;;
        }
      }
      leaf-list grou
[2016/11/30 13:28:34.406871, 3] packet_send2:  packet: wrote [len=1052,padding=18,comp=1033,payload=1033]
[2016/11/30 13:28:34.406990, 3] channel_write_common:  channel_write wrote 1024 bytes
[2016/11/30 13:28:34.407093, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
netopeer2-server[25067]: Session 1: sending message:
p {
        description
          &quot;List of administrative groups that will be
           assigned the associated access rights
           defined by the 'rule' list.
           The string '*' indicates that all groups apply to the
           entry.&quot;;
        type union {
          type matchall-string-type;
          type group-name-type;
        }
      }
      list rule {
        key &quot;name&quot;;
        description
          &quot;One access control rule.
           Rules are processed in user-defined order until a match is
           found.  A rule matches if 'module-name', 'rule-type', and
           'access-operations' match the request.  If a rule
           matches, the 'action' leaf determines if access is granted
           or not.&quot;;
        ordered-by user;
        leaf name {
          description
            &quot;Arbitrary name assigned to the rule.&quot;;
          type string {
            length &quot;1..max&quot;;
          }
        }
        leaf module-name {
         
[2016/11/30 13:28:34.408217, 3] packet_send2:  packet: wrote [len=1052,padding=18,comp=1033,payload=1033]
[2016/11/30 13:28:34.408329, 3] channel_write_common:  channel_write wrote 1024 bytes
[2016/11/30 13:28:34.408485, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
netopeer2-server[25067]: Session 1: sending message:
 description
            &quot;Name of the module associated with this rule.
             This leaf matches if it has the value '*' or if the
             object being accessed is defined in the module with the
             specified module name.&quot;;
          type union {
            type matchall-string-type;
            type string;
          }
          default &quot;*&quot;;
        }
        choice rule-type {
          description
            &quot;This choice matches if all leafs present in the rule
             match the request.  If no leafs are present, the
             choice matches all requests.&quot;;
          case protocol-operation {
            leaf rpc-name {
              description
                &quot;This leaf matches if it has the value '*' or if
                 its value equals the requested protocol operation
                 name.&quot;;
              type union {
                type matchall-string-type;
                type string;
              }
            }
          }
[2016/11/30 13:28:34.409575, 3] packet_send2:  packet: wrote [len=1052,padding=18,comp=1033,payload=1033]
[2016/11/30 13:28:34.409730, 3] channel_write_common:  channel_write wrote 1024 bytes
[2016/11/30 13:28:34.409830, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
netopeer2-server[25067]: Session 1: sending message:

          case notification {
            leaf notification-name {
              description
                &quot;This leaf matches if it has the value '*' or if its
                 value equals the requested notification name.&quot;;
              type union {
                type matchall-string-type;
                type string;
              }
            }
          }
          case data-node {
            leaf path {
              mandatory true;
              description
                &quot;Data Node Instance Identifier associated with the
                 data node controlled by this rule.
                 Configuration data or state data instance
                 identifiers start with a top-level data node.  A
                 complete instance identifier is required for this
                 type of path value.
                 The special value '/' refers to all possible
                 datastore contents.&quot;;
              type node-instance-identifier;
            }
          }
        
[2016/11/30 13:28:34.410884, 3] packet_send2:  packet: wrote [len=1052,padding=18,comp=1033,payload=1033]
[2016/11/30 13:28:34.411006, 3] channel_write_common:  channel_write wrote 1024 bytes
[2016/11/30 13:28:34.411128, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
netopeer2-server[25067]: Session 1: sending message:
}
        leaf access-operations {
          description
            &quot;Access operations associated with this rule.
             This leaf matches if it has the value '*' or if the
             bit corresponding to the requested operation is set.&quot;;
          type union {
            type matchall-string-type;
            type access-operations-type;
          }
          default &quot;*&quot;;
        }
        leaf action {
          mandatory true;
          description
            &quot;The access control action associated with the
             rule.  If a rule is determined to match a
             particular request, then this object is used
             to determine whether to permit or deny the
             request.&quot;;
          type action-type;
        }
        leaf comment {
          description
            &quot;A textual description of the access rule.&quot;;
          type string;
        }
      }
    }
  }
}
</data></rpc-reply>
[2016/11/30 13:28:34.412314, 3] packet_send2:  packet: wrote [len=988,padding=8,comp=979,payload=979]
[2016/11/30 13:28:34.412441, 3] channel_write_common:  channel_write wrote 970 bytes
[2016/11/30 13:28:34.412540, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
netopeer2-server[25067]: Session 1: sending message:
]]>]]>
[2016/11/30 13:28:34.412911, 3] packet_send2:  packet: wrote [len=28,padding=12,comp=15,payload=15]
[2016/11/30 13:28:34.413008, 3] channel_write_common:  channel_write wrote 6 bytes
[2016/11/30 13:28:34.413131, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2016/11/30 13:28:34.613718, 3] ssh_packet_socket_callback:  packet: read type 93 [len=28,padding=18,comp=9,payload=9]
[2016/11/30 13:28:34.613772, 3] ssh_packet_process:  Dispatching handler for packet type 93
[2016/11/30 13:28:34.613900, 2] channel_rcv_change_window:  Adding 15260 bytes to channel (43:100) (from 14740 bytes)


@joanlandry (Author)

I see the exact same issue with ietf-network-monitoring.yang

rkrejci (Collaborator) commented Dec 1, 2016

Hi, this is actually the expected result. What you see is how libyang prints the module. YANG extensions are not currently supported, but we are already working on it. But all other things should be correct. Remember that YANG allows you to write a statement (especially strings) in several ways, e.g. the following 3 statements (and there are more) are equivalent:

namespace urn:yang:company:xxx;
namespace "urn:yang:company:xxx";
namespace "urn:" + "yang:" + "company:xxx";

In which exact part, except the extensions, do the modules differ? Also remember that because of XML encoding, you may see some characters differently in the sent messages than in the resulting (received and processed by the client) data.

@joanlandry (Author)

The file I get back is missing sections and results in errors, which makes ietf-system not usable.

So get-schema results in errors in this module as well as in the ietf-system module, which uses it.

pyang -f yang ietf-netconf-acm@2012-02-22.yang > tmp.yang
ietf-netconf-acm@2012-02-22.yang:141: error: extension "default-deny-all" is not defined in module ietf-netconf-acm
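As an added example (not part of this thread, and not netopeer2 or libyang code), a small Python checker for the two points raised above: it normalises the equivalent YANG spellings of a string argument so that quoting differences between the installed file and the served copy do not count as differences, and it reports extensions a served module still uses without defining, which is the error pyang prints above. The module excerpts and the `_STMT`/`_QUOTED` helpers are constructed for this example; only one statement per line is handled.

```python
"""Checks on a YANG module text served by NETCONF <get-schema>.
Added example, not netopeer2/libyang code.  Handles one statement per
line only; the module excerpts are constructed, condensed from the issue."""
import re

# a double-quoted piece (with backslash escapes) or a single-quoted piece
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"' + r"|'([^']*)'")
# keyword (or prefix:keyword), optional argument, then '{' or ';' on one line
_STMT = re.compile(r'^[ \t]*([A-Za-z_][\w.-]*(?::[A-Za-z_][\w.-]*)?)'
                   r'(?:[ \t]+([^{;\n]*?))?[ \t]*[{;]', re.M)


def normalize_arg(arg: str) -> str:
    """Value a YANG argument denotes, whatever its spelling: 'urn:x;',
    '"urn:x";' and '"urn:" + "x";' are the same (RFC 6020 section 6.1.3)."""
    arg = arg.strip().rstrip(";").strip()
    if not arg.startswith(('"', "'")):
        return arg                       # an unquoted token is its own value
    pieces = []
    for dq, sq in _QUOTED.findall(arg):  # '+' between quoted pieces joins them
        pieces.append(dq.replace('\\"', '"').replace("\\\\", "\\") if dq else sq)
    return "".join(pieces)


def normalized_header(text: str) -> dict:
    """Module namespace and own prefix with quoting removed.  The first
    'prefix' is the module's own: the header precedes every 'import'."""
    out = {}
    for kw, arg in _STMT.findall(text):
        if kw in ("namespace", "prefix") and kw not in out:
            out[kw] = normalize_arg(arg)
    return out


def undefined_extensions(text: str) -> list:
    """Names used as '<own-prefix>:<name>' statements but never declared
    with 'extension <name>' in the same text (the defect pyang reports)."""
    own = normalized_header(text).get("prefix", "")
    defined, used = set(), set()
    for kw, arg in _STMT.findall(text):
        if kw == "extension":
            defined.add(normalize_arg(arg))
        elif own and kw.startswith(own + ":"):
            used.add(kw.split(":", 1)[1])
    return sorted(used - defined)


# Constructed excerpt of the installed file: quoted prefix, extensions defined.
INSTALLED = '''module ietf-netconf-acm {
  namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";
  prefix "nacm";
  extension default-deny-write {
    description "Marks a sensitive security parameter (RFC 6536).";
  }
  extension default-deny-all {
    description "Marks a sensitive security parameter (RFC 6536).";
  }
  container nacm {
    nacm:default-deny-all;
    leaf enable-nacm { type boolean; default "true"; }
  }
}
'''
# Constructed excerpt of the served copy: extension definitions dropped, the
# namespace deliberately spelled in the concatenated form to show equivalence.
SERVED = '''module ietf-netconf-acm {
  namespace "urn:" + "ietf:params:xml:ns:yang:ietf-netconf-acm";
  prefix nacm;
  container nacm {
    nacm:default-deny-all;
    leaf enable-nacm { type boolean; default "true"; }
  }
}
'''
```

Run against the real pair of files, `normalized_header` shows the prefix quoting is not a semantic difference, while `undefined_extensions` flags the dropped `default-deny-all` definition that makes the served module fail to load.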

@joanlandry (Author)

Is there a way to send you the two files?

rkrejci (Collaborator) commented Dec 1, 2016

GitHub allows you to attach files.

I've already answered regarding the extensions. They will be supported within a few weeks.
