The RESTCONF API - Network Services Orchestrator (NSO) v6.2

Introduction

RESTCONF is an HTTP based protocol as defined in RFC 8040. RESTCONF standardizes a mechanism to allow Web applications to access the configuration data, state data, data-model-specific Remote Procedure Call (RPC) operations, and event notifications within a networking device.

RESTCONF uses HTTP methods to provide Create, Read, Update, Delete (CRUD) operations on a conceptual datastore containing YANG-defined data, which is compatible with a server that implements NETCONF datastores as defined in RFC 6241

Configuration data and state data are exposed as resources that can be retrieved with the GET method. Resources representing configuration data can be modified with the DELETE, PATCH, POST, and PUT methods. Data is encoded with either XML (W3C.REC-xml-20081126) or JSON (RFC 7159)

This chapter describes the NSO implementation and extension to or deviation from RFC 8040 respectively.

As of this writing, the server supports the following specifications:

RFC 6020 - YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)
RFC 6021 - Common YANG Data Types
RFC 6470 - NETCONF Base Notifications
RFC 6536 - NETCONF Access Control Model
RFC 6991 - Common YANG Data Types
RFC 7950 - The YANG 1.1 Data Modeling Language
RFC 7951 - JSON Encoding of Data Modeled with YANG
RFC 7952 - Defining and Using metadata with YANG
RFC 8040 - RESTCONF Protocol
RFC 8072 - YANG Patch Media Type
RFC 8341 - Network Configuration Access Control Model
RFC 8525 - YANG Library
RFC 8528 - YANG Schema Mount

Getting started

In order to enable RESTCONF in NSO, RESTCONF must be enabled in the ncs.conf configuration file. The web server configuration for RESTCONF is shared with the WebUI's config, but you may define a separate RESTCONF transport section. The WebUI does not have to be enabled for RESTCONF to work.

Here is a minimal example of what is needed in the ncs.conf.

Example 1. NSO configuration for RESTCONF

<restconf>
  <enabled>true</enabled>
</restconf>

<webui>
  <transport>
    <tcp>
      <enabled>true</enabled>
      <ip>0.0.0.0</ip>
      <port>8080</port>
    </tcp>
  </transport>
</webui>

If you want to run RESTCONF with a different transport configuration than what the WebUI is using, you can specify a separate RESTCONF transport section.

Example 2. NSO separate transport configuration for RESTCONF

<restconf>
  <enabled>true</enabled>
  <transport>
    <tcp>
      <enabled>true</enabled>
      <ip>0.0.0.0</ip>
      <port>8090</port>
    </tcp>
  </transport>
</restconf>

<webui>
  <enabled>false</enabled>
  <transport>
    <tcp>
      <enabled>true</enabled>
      <ip>0.0.0.0</ip>
      <port>8080</port>
    </tcp>
  </transport>
</webui>

It is now possible to do a RESTCONF requests towards NSO. Any HTTP client can be used, in the following examples curl will be used. The example below will show how a typical RESTCONF request could look like.

Example 3. A RESTCONF request using 'curl'

# Note that the command is wrapped in several lines in order to fit.
#
# The switch '-i' will include any HTTP reply headers in the output
# and the '-s' will suppress some superflous output.
#
# The '-u' switch specify the User:Password for login authentication.
#
# The '-H' switch will add a HTTP header to the request; in this case
# an 'Accept' header is added, requesting the preferred reply format.
#
# Finally, the complete URL to the wanted resource is specified,
# in this case the top of the configuration tree.
#
curl -is -u admin:admin \
-H "Accept: application/yang-data+xml" \
http://localhost:8080/restconf/data

In the rest of the document, in order to simplify the presentation, the example above will be expressed as:

Example 4. A RESTCONF request, simplified

GET /restconf/data
Accept: application/yang-data+xml

# Any reply with relevant headers will be displayed here!
HTTP/1.1 200 OK

Note the HTTP return code (200 OK) in the example, which will be displayed together with any relevant HTTP headers returned and a possible body of content.

Top-level GET request

Send a RESTCONF query to get a representation of the top-level resource, which is accessible through the path: /restconf.

Example 5. A top-level RESTCONF request

GET /restconf
Accept: application/yang-data+xml

HTTP/1.1 200 OK
<restconf xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf">
  <data/>
  <operations/>
  <yang-library-version>2019-01-04</yang-library-version>
</restconf>

As can be seen from the result, the server exposes three additional resources:

data : this mandatory resource represents the combined configuration and state data resources that can be accessed by a client.
operations : this optional resource is a container that provides access to the data-model-specific RPC operations supported by the server.
yang-library-version : this mandatory leaf identifies the revision date of the "ietf-yang-library" YANG module that is implemented by this server. This resource exposes which YANG modules are in use by NSO system.

Get resources under the data resource

To fetch configuration, operational data, or both, from the server, a request to the data resource is made. In order to restrict the amount of returned data, the following example will prune the amount of output to only consist of the top most nodes. This is achieved by using the depth query argument as shown in the example below:

Example 6. Get the top most resources under the data

GET /restconf/data?depth=1
Accept: application/yang-data+xml

<data xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf">
  <yang-library xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-library"/>
  <modules-state xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-library"/>
  <dhcp xmlns="http://yang-central.org/ns/example/dhcp"/>
  <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"/>
  <netconf-state xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring"/>
  <restconf-state xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf-monitoring"/>
  <aaa xmlns="http://tail-f.com/ns/aaa/1.1"/>
  <confd-state xmls="http://tail-f.com/yang/confd-monitoring"/>
  <last-logins xmlns="http://tail-f.com/yang/last-login"/>
</data>

Manipulating config data with RESTCONF

Let's assume we are interested in the dhcp/subnet resource in our configuration. In the following examples, assume it is defined by a corresponding Yang module that we have named dhcp.yang, looking like this:

Example 7. The dhcp.yang resource

> yanger -f tree examples.confd/restconf/basic/dhcp.yang
module: dhcp
  +--rw dhcp
  +--rw max-lease-time?       uint32
  +--rw default-lease-time?   uint32
  +--rw subnet* [net]
  |  +--rw net               inet:ip-prefix
  |  +--rw range!
  |  |  +--rw dynamic-bootp?   empty
  |  |  +--rw low              inet:ip-address
  |  |  +--rw high             inet:ip-address
  |  +--rw dhcp-options
  |  |  +--rw router*        inet:host
  |  |  +--rw domain-name?   inet:domain-name
  |  +--rw max-lease-time?   uint32

We can issue a HTTP GET request to retrieve the value content of the resource. In this case we find that there is no such data, which is indicated by the HTTP return code 204 No Content.

Note also how we have prefixed the dhcp:dhcp resource. This is how RESTCONF handle namespaces, where the prefix is the YANG module name and the namespace is as defined by the namespace statement in the YANG module.

Example 8. Get the dhcp/subnet resource

GET /restconf/data/dhcp:dhcp/subnet

HTTP/1.1 204 No Content

We can now create the dhcp/subnet resource by sending a HTTP POST request + the data that we want to store. Note the Content-Type HTTP header, which indicates the format of the provided body. Two formats is supported: XML or JSON. In this example we are using XML, which is indicated by the Content-Type value: application/yang-data+xml.

Example 9. Create a new dhcp/subnet resource

POST /restconf/data/dhcp:dhcp
Content-Type: application/yang-data+xml

<subnet xmlns="http://yang-central.org/ns/example/dhcp"
          xmlns:dhcp="http://yang-central.org/ns/example/dhcp">
  <net>10.254.239.0/27</net>
  <range>
    <dynamic-bootp/>
    <low>10.254.239.10</low>
    <high>10.254.239.20</high>
  </range>
  <dhcp-options>
    <router>rtr-239-0-1.example.org</router>
    <router>rtr-239-0-2.example.org</router>
  </dhcp-options>
  <max-lease-time>1200</max-lease-time>
</subnet>

# If the resource is created, the server might respond as follows:

HTTP/1.1 201 Created
Location: http://localhost:8080/restconf/data/dhcp:dhcp/subnet=10.254.239.0%2F27

Note the HTTP return code (201 Created) indicating that the resource was successfully created. We also got a Location header, which always is returned in a reply to a successful creation of a resource, stating the resulting URI leading to the created resource.

If we now want to modify a part of our dhcp/subnet config, we can use the HTTP PATCH method, as shown below. Note that the URI used in the request need to be URL-encoded, such that the key value: 10.254.239.0/27 is URL-encoded as: 10.254.239.0%2F27.

Also, note the difference of the PATCH URI compared to the earlier POST request. With the latter, since the resource does not yet exist, we POST to the parent resource (dhcp:dhcp), while with the PATCH request we address the (existing) resource (10.254.239.0%2F27).

Example 10. Modify a part of the dhcp/subnet resource

PATCH /restconf/data/dhcp:dhcp/subnet=10.254.239.0%2F27

<subnet>
  <max-lease-time>3333</max-lease-time>
</subnet>

# If our modification is successful, the server might respond as follows:

HTTP/1.1 204 No Content

We can also replace the subnet with some new configuration. To do this we make use of the PUT HTTP method as shown below. Since the operation was successful and no body was returned, we will get a 204 No Content return code.

Example 11. Replace a dhcp/subnet resource

PUT /restconf/data/dhcp:dhcp/subnet=10.254.239.0%2F27
Content-Type: application/yang-data+xml

<subnet xmlns="http://yang-central.org/ns/example/dhcp"
          xmlns:dhcp="http://yang-central.org/ns/example/dhcp">
  <net>10.254.239.0/27</net>

  <!-- ...config left out here... -->

</subnet>

# At success, the server will respond as follows:

HTTP/1.1 204 No Content

To delete the subnet we make use of the DELETE HTTP method as shown below. Since the operation was successful and no body was returned, we will get a 204 No Content return code.

Example 12. Delete a dhcp/subnet resource

DELETE /restconf/data/dhcp:dhcp/subnet=10.254.239.0%2F27

HTTP/1.1 204 No Content

Root resource discovery

RESTCONF makes it possible to specify where the RESTCONF API is located, as described in the RESTCONF RFC 8040.

As per default, the RESTCONF API root is /restconf. Typically there is no need to change the default value although it is possible to change this by configuring the RESTCONF API root in the ncs.conf file as:

Example 13. NSO configuration for RESTCONF

<restconf>
  <enabled>true</enabled>
  <root-resource>my_own_restconf_root</root-resource>
</restconf>

The RESTCONF API root will now be /my_own_restconf_root.

A client may discover the root resource by getting the /.well-known/host-meta resource as shown in the example below:

Example 14. Example returning /restconf

   The client might send the following:

      GET /.well-known/host-meta
      Accept: application/xrd+xml

   The server might respond as follows:

      HTTP/1.1 200 OK

      <XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
          <Link rel='restconf' href='/restconf'/>
      </XRD>

Note

In this document, all examples will assume the RESTCONF API root to be /restconf.

Capabilities

A RESTCONF capability is a set of functionality that supplements the base RESTCONF specification. The capability is identified by a uniform resource identifier (URI). The RESTCONF server includes a capability URI leaf-list entry identifying each supported protocol feature. This include the basic-mode default-handling mode, optional query parameters and may also include other, NSO specific, capability URIs.

How to view the capabilities of the RESTCONF server

To view currently enabled capabilities, use the ietf-restconf-monitoring YANG model, which is available as: /restconf/data/ietf-restconf-monitoring:restconf-state .

Example 15. NSO RESTCONF capabilities

GET /restconf/data/ietf-restconf-monitoring:restconf-state
Host: example.com
Accept: application/yang-data+xml

<restconf-state xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf-monitoring"
  xmlns:rcmon="urn:ietf:params:xml:ns:yang:ietf-restconf-monitoring">
<capabilities>
  <capability>
    urn:ietf:params:restconf:capability:defaults:1.0?basic-mode=explicit
  </capability>
  <capability>urn:ietf:params:restconf:capability:depth:1.0</capability>
  <capability>urn:ietf:params:restconf:capability:fields:1.0</capability>
  <capability>urn:ietf:params:restconf:capability:with-defaults:1.0</capability>
  <capability>urn:ietf:params:restconf:capability:filter:1.0</capability>
  <capability>urn:ietf:params:restconf:capability:replay:1.0</capability>
  <capability>http://tail-f.com/ns/restconf/collection/1.0</capability>
  <capability>http://tail-f.com/ns/restconf/query-api/1.0</capability>
  <capability>http://tail-f.com/ns/restconf/partial-response/1.0</capability>
  <capability>http://tail-f.com/ns/restconf/unhide/1.0</capability>
</capabilities>
</restconf-state>

The defaults capability

This Capability identifies the basic-mode default-handling mode that is used by the server for processing default leafs in requests for data resources.

Example 16. The default capability URI

          urn:ietf:params:restconf:capability:defaults:1.0

The capability URL will contain a query parameter named basic-mode which value tells us what the default behaviour of the RESTCONF server is when it returns a leaf. The possible values are shown in the table below:

Table 1. basic-mode values

Value	Description
report-all	Values set to the YANG default value are reported.
trim	Values set to the YANG default value are not reported.
explicit	Values that has been set by a client to the YANG default value will be reported.

The values presented in the table above can also be used by the Client together with the with-defaults query parameter in order to override the default RESTCONF server behaviour. Added to these values, the Client can also use the report-all-tagged value.

Table 2. Additional with-defaults value

Value	Description
report-all-tagged	Works as the report-all but a default value will include a XML/JSON attribute to indicate that the value is in fact a default value.

Refering back to the example: Example 15, “NSO RESTCONF capabilities”, where the RESTCONF server returned the default capability:

urn:ietf:params:restconf:capability:defaults:1.0?basic-mode=explicit

It tells us that values that has been set by a client to the YANG default value will be reported but default values that has not been set by the Client will not be returned. Again, note that this is the default RESTCONF server behaviour which can be overridden by the Client by using the with-defaults query argument.

Query parameter capabilities

A set of optional RESTCONF Capability URIs are defined to identify the specific query parameters that are supported by the server. They are defined as:

Table 3. Query parameter capabilities

Name	URI
depth	urn:ietf:params:restconf:capability:depth:1.0
fields	urn:ietf:params:restconf:capability:fields:1.0
filter	urn:ietf:params:restconf:capability:filter:1.0
replay	urn:ietf:params:restconf:capability:replay:1.0
with.defaults	urn:ietf:params:restconf:capability:with.defaults:1.0

For a description of the query parameter functionality see the chapter the section called “Query Parameters” .

Query Parameters

Each RESTCONF operation allows zero or more query parameters to be present in the request URI. Query parameters can be given in any order, but can appear at most once. Supplying query parameters when invoking RPCs and actions is not supported, if supplied the response will be 400 (Bad Request) and the error-app-tag will be set to invalid-value. However, the query parameters trace-id and unhide are exempted from this rule and supported for RPC and action invocation. The defined query parameters and in what type of HTTP request they can be used are shown in the table below:

Table 4. Query parameters

Name	Method	Description
content	GET,HEAD	Select config and/or non-config data resources.
depth	GET,HEAD	Request limited subtree depth in the reply content.
fields	GET,HEAD	Request a subset of the target resource contents.
exclude	GET,HEAD	Exclude a subset of the target resource contents.
filter	GET,HEAD	Boolean notification filter for event stream resources.
insert	POST,PUT	Insertion mode for ordered-by user data resources
point	POST,PUT	Insertion point for ordered-by user data resources
start-time	GET,HEAD	Replay buffer start time for event stream resources.
stop-time	GET,HEAD	Replay buffer stop time for event stream resources.
with-defaults	GET,HEAD	Control the retrieval of default values.
with-origin	GET	Include the "origin" metadata annotations, as detailed in the NMDA.

The content Query Parameter

The content query parameter controls if configuration, non-configuration or both types of data should be returned.

The allowed values are:

Table 5. The content query parameter values

Value	Description
config	Return only configuration descendant data nodes.
nonconfig	Return only non-configuration descendant data nodes.
all	Return all descendant data nodes.

The depth Query Parameter

The depth query parameter is used to limit the depth of subtrees returned by the server. Data nodes with a value greater than the depth parameter are not returned in a response for a GET request.

The value of the depth parameter is either an integer between 1 and 65535 or the string "unbounded". The default value is: "unbounded".

The fields Query Parameter

The fields query parameter is used to optionally identify data nodes within the target resource to be retrieved in a GET method. The client can use this parameter to retrieve a subset of all nodes in a resource.

For a full definition of the fields value can be constructed, refer to the RFC 8040, Section 4.8.3.

NOTE: The fields query parameter cannot be used together with the exclude query parameter. This will result in an error.

Example 17. Example of how to use the fields query parameter

GET /restconf/data/dhcp:dhcp?fields=subnet/range(low;high)
Accept: application/yang-data+xml

HTTP/1.1 200 OK
<dhcp xmlns="http://yang-central.org/ns/example/dhcp" \
      xmlns:dhcp="http://yang-central.org/ns/example/dhcp">
  <subnet>
    <range>
      <low>10.254.239.10</low>
      <high>10.254.239.20</high>
    </range>
  </subnet>
  <subnet>
    <range>
      <low>10.254.244.10</low>
      <high>10.254.244.20</high>
    </range>
  </subnet>
</dhcp>

The exclude Query Parameter

The exclude query parameter is used to optionally exclude data nodes within the target resource from being retrieved with a GET request. The client can use this parameter to exclude a subset of all nodes in a resource. Only nodes below the target resource can be excluded, not the target resource itself.

NOTE: The exclude query parameter cannot be used together with the fields query parameter. This will result in an error.

The exclude query parameter uses the same syntax and have the same restrictions as the fields query parameter, as defined in RFC 8040, Section 4.8.3.

Selecting multiple nodes to exclude can be done the same way as for the fields query parameter, as described in RFC 8040, Section 4.8.3.

exclude using wildcards (*) will exclude all child nodes of the node. For lists and presence containers the parent node will be visible in the output but not it's children, i.e. it will be displayed as an empty node. For non-presence containers the parent node will be excluded from the output as well.

exclude can be used together with the depth query parameter to limit the depth of the output. In contrast to fields, where depth is counted from the node selected by fields, for exclude the depth is counted from the target resource, and the nodes are excluded if depth is deep enough to encounter an excluded node.

Example 18. Example of how to use the exclude query parameter

When exclude is not used:

GET /restconf/data/dhcp:dhcp/subnet
Accept: application/yang-data+xml

HTTP/1.1 200 OK
<subnet xmlns="http://yang-central.org/ns/example/dhcp"
          xmlns:dhcp="http://yang-central.org/ns/example/dhcp">
  <net>10.254.239.0/27</net>
  <range>
    <dynamic-bootp/>
    <low>10.254.239.10</low>
    <high>10.254.239.20</high>
  </range>
  <dhcp-options>
    <router>rtr-239-0-1.example.org</router>
    <router>rtr-239-0-2.example.org</router>
  </dhcp-options>
  <max-lease-time>1200</max-lease-time>
</subnet>

Using exclude to exclude "low" and "high" from "range", note that these are absent in the output:

GET /restconf/data/dhcp:dhcp/subnet?exclude=range(low;high)
Accept: application/yang-data+xml

HTTP/1.1 200 OK
<subnet xmlns="http://yang-central.org/ns/example/dhcp"
          xmlns:dhcp="http://yang-central.org/ns/example/dhcp">
  <net>10.254.239.0/27</net>
  <range>
    <dynamic-bootp/>
  </range>
  <dhcp-options>
    <router>rtr-239-0-1.example.org</router>
    <router>rtr-239-0-2.example.org</router>
  </dhcp-options>
  <max-lease-time>1200</max-lease-time>
</subnet>

The filter, start-time and stop-time Query Parameters

These query parameters are only allowed on an event stream resource and is further described in the chapter: the section called “Streams” .

The insert Query Parameter

The insert query parameters is used to specify how a resource should be inserted within an ordered-by user list. The allowed values are as shown in the table below.

Table 6. The content query parameter values

Value	Description
first	Insert the new data as the new first entry.
last	Insert the new data as the new last entry. This is the default value.
before	Insert the new data before the insertion point, as specified by the value of the point parameter.
after	Insert the new data after the insertion point, as specified by the value of the point parameter.

This parameter is only valid if the target data represents a YANG list or leaf-list that is ordered-by user. In the example below we will insert a new router value, first, in the ordered-by user leaf-list of dhcp-options/router values. Remember that the default behaviour is for new entries to be inserted last in an ordered-by user leaf-list.

Example 19. Insert first into a ordered-by user leaf-list

# Note: we have to split the POST line in order to fit the page
POST /restconf/data/dhcp:dhcp/subnet=10.254.239.0%2F27/dhcp-options?\
     insert=first
Content-Type: application/yang-data+xml

<router>one.acme.org</router>

# If the resource is created, the server might respond as follows:

HTTP/1.1 201 Created
Location /restconf/data/dhcp:dhcp/subnet=10.254.239.0%2F27/dhcp-options/\
         router=one.acme.org

To verify that the router value really ended up first:

GET /restconf/data/dhcp:dhcp/subnet=10.254.239.0%2F27/dhcp-options
Accept: application/yang-data+xml

HTTP/1.1 200 OK
<dhcp-options xmlns="http://yang-central.org/ns/example/dhcp"
              xmlns:dhcp="http://yang-central.org/ns/example/dhcp">
  <router>one.acme.org</router>
  <router>rtr-239-0-1.example.org</router>
  <router>rtr-239-0-2.example.org</router>
</dhcp-options>

The point Query Parameter

The point query parameters is used to specify the insertion point for a data resource that is being created or moved within an ordered-by user list or leaf-list. In the example below we will insert the new router value: two.acme.org, after the first value: one.acme.org in the ordered-by user leaf-list of dhcp-options/router values.

Example 20. Insert first into a ordered-by user leaf-list

# Note: we have to split the POST line in order to fit the page
POST /restconf/data/dhcp:dhcp/subnet=10.254.239.0%2F27/dhcp-options?\
     insert=after&\
     point=/dhcp:dhcp/subnet=10.254.239.0%2F27/dhcp-options/router=one.acme.org
Content-Type: application/yang-data+xml

<router>two.acme.org</router>

# If the resource is created, the server might respond as follows:

HTTP/1.1 201 Created
Location /restconf/data/dhcp:dhcp/subnet=10.254.239.0%2F27/dhcp-options/\
         router=one.acme.org

To verify that the router value really ended up after our insertion point:

GET /restconf/data/dhcp:dhcp/subnet=10.254.239.0%2F27/dhcp-options
Accept: application/yang-data+xml

HTTP/1.1 200 OK
<dhcp-options xmlns="http://yang-central.org/ns/example/dhcp"
              xmlns:dhcp="http://yang-central.org/ns/example/dhcp">
  <router>one.acme.org</router>
  <router>two.acme.org</router>
  <router>rtr-239-0-1.example.org</router>
  <router>rtr-239-0-2.example.org</router>
</dhcp-options>

Additional query parameters

There are additional NSO query parameters available for the RESTCONF API. These additional query parameters are described below.

Table 7. Additional Query Parameters

Name	Methods	Description
dry-run	POST, PUT, PATCH, DELETE	Validate and display the configuration changes but do not perform the actual commit. Neither CDB nor the devices are affected. Instead the effects that would have taken place is showed in the returned output. Possible values are: xml, cli and native. The value used specify in what format we want the returned diff to be.
dry-run-reverse	POST, PUT, PATCH, DELETE	Used together with the dry-run=native parameter to display the device commands for getting back to the current running state in the network if the commit is successfully executed. Beware that if any changes are done later on the same data the reverse device commands returned are invalid.
no-networking	POST, PUT, PATCH, DELETE	Do not send any data to the devices. This is a way to manipulate CDB in NSO without generating any southbound traffic.
no-out-of-sync-check	POST, PUT, PATCH, DELETE	Continue with the transaction even if NSO detects that a device's configuration is out of sync. Can't be used together with no-overwrite.
no-overwrite	POST, PUT, PATCH, DELETE	NSO will check that the data that should be modified has not changed on the device compared to NSO's view of the data. Can't be used together with no-out-of-sync-check.
no-revision-drop	POST, PUT, PATCH, DELETE	NSO will not run its data model revision algorithm, which requires all participating managed devices to have all parts of the data models for all data contained in this transaction. Thus, this flag forces NSO to never silently drop any data set operations towards a device.
no-deploy	POST, PUT, PATCH, DELETE	Commit without invoking the service create method, i.e, write the service instance data without activating the service(s). The service(s) can later be re-deployed to write the changes of the service(s) to the network.
reconcile	POST, PUT, PATCH, DELETE	Reconcile the service data. All data which existed before the service was created will now be owned by the service. When the service is removed that data will also be removed. In technical terms the reference count will be decreased by one for everything which existed prior to the service. If manually configured data exists below in the configuration tree that data is kept unless the option discard-non-service-config is used.
use-lsa	POST, PUT, PATCH, DELETE	Force handling of the LSA nodes as such. This flag tells NSO to propagate applicable commit flags and actions to the LSA nodes without applying them on the upper NSO node itself. The commit flags affected are `dry-run`, `no-networking`, `no-out-of-sync-check`, `no-overwrite` and `no-revision-drop`.
no-lsa	POST, PUT, PATCH, DELETE	Do not handle any of the LSA nodes as such. These nodes will be handled as any other device.
commit-queue	POST, PUT, PATCH, DELETE	Commit the transaction data to the commit queue. Possible values are: async, sync and bypass. If the async value is set the operation returns successfully if the transaction data has been successfully placed in the queue. The sync value will cause the operation to not return until the transaction data has been sent to all devices, or a timeout occurs. The bypass value means that if `/devices/global-settings/commit-queue/enabled-by-default` is true the data in this transaction will bypass the commit queue. The data will be written directly to the devices.
commit-queue-atomic	POST, PUT, PATCH, DELETE	Sets the atomic behaviour of the resulting queue item. Possible values are: true and false. If this is set to false, the devices contained in the resulting queue item can start executing if the same devices in other non-atomic queue items ahead of it in the queue are completed. If set to true, the atomic integrity of the queue item is preserved.
commit-queue-block-others	POST, PUT, PATCH, DELETE	The resulting queue item will block subsequent queue items, which use any of the devices in this queue item, from being queued.
commit-queue-lock	POST, PUT, PATCH, DELETE	Place a lock on the resulting queue item. The queue item will not be processed until it has been unlocked, see the actions unlock and lock in `/devices/commit-queue/queue-item`. No following queue items, using the same devices, will be allowed to execute as long as the lock is in place.
commit-queue-tag	POST, PUT, PATCH, DELETE	The value is a user defined opaque tag. The tag is present in all notifications and events sent referencing the specific queue item.
commit-queue-timeout	POST, PUT, PATCH, DELETE	Specifies a maximum number of seconds to wait for completion. Possible values are infinity or a positive integer. If the timer expires, the transaction is kept in the commit-queue, and the operation returns successfully. If the timeout is not set, the operation waits until completion indefinitely.
commit-queue-error-option	POST, PUT, PATCH, DELETE	The error option to use. Depending on the selected error option NSO will store the reverse of the original transaction to be able to undo the transaction changes and get back to the previous state. This data is stored in the `/devices/commit-queue/completed` tree from where it can be viewed and invoked with the rollback action. When invoked the data will be removed. Possible values are: continue-on-error, rollback-on-error and stop-on-error. The continue-on-error value means that the commit queue will continue on errors. No rollback data will be created. The rollback-on-error value means that the commit queue item will roll back on errors. The commit queue will place a lock with `block-others` on the devices and services in the failed queue item. The rollback action will then automatically be invoked when the queue item has finished its execution. The lock will be removed as part of the rollback. The stop-on-error means that the commit queue will place a lock with `block-others` on the devices and services in the failed queue item. The lock must then either manually be released when the error is fixed or the rollback action under `/devices/commit-queue/completed` be invoked. Read about error recovery in the section called “Commit Queue” in User Guide for a more detailed explanation.
trace-id	POST, PUT, PATCH, DELETE	Use the provided trace id as part of the log messages emitted while processing. If no trace id is given, NSO is going to generate and assign a trace id to the processing. The trace-id query parameter can also be used with RPCs and actions to relay a trace-id from northbound requests. The trace-id will be included in the X-Cisco-NSO-Trace-ID header in the response.
limit	GET	Used by the client to specify a limited set of list entries to retrieve. See The value of the limit parameter is either an integer greater than or equal to 1, or the string unbounded. The string unbounded is the default value. the section called “Partial Responses” for an example.
offset	GET	Used by the client to specify the number of list elements to skip before returning the requested set of list entries. See The value of the "offset" parameter is an integer greater than or equal to 0. The default value is 0. the section called “Partial Responses” for an example.
rollback-comment	POST, PUT, PATCH, DELETE	Used to specify a comment to be attached to the Rollback File that will be created as a result of the POST operation. This assume that Rollback File handling is enabled.
rollback-label	POST, PUT, PATCH, DELETE	Used to specify a label to be attached to the Rollback File that will be created as a result of the POST operation. This assume that Rollback File handling is enabled.
rollback-id	POST, PUT, PATCH, DELETE	Return the rollback id in the response if a rollback file was created during this operation. This requires rollbacks to be enabled in the NSO to take effect.
with-service-meta-data	GET	Include FASTMAP attributes such as backpointers and reference counters in the reply. These are typically internal to NSO and thus not shown by default.

Edit Collision Prevention

Two edit collision detection and prevention mechanisms are provided in RESTCONF for the datastore resource: a timestamp and an entity-tag. Any change to configuration data resources will update the timestamp and entity-tag of the datastore resource. This makes it possible for a client to apply precondition HTTP headers to a request.

The NSO RESTCONF API honor the following HTTP response headers: Etag and Last-Modified, and the following request headers: If-Match, If-None-Match, If-Modified-Since and If-Unmodified-Since.

Response headers

Etag: This header will contain an entity-tag which is an opaque string representing the latest transaction identifier in the NSO database. This header is only available for the running datastore and hence, only relates to configuration data (non-operational).
Last-Modified: This header contains the timestamp for the last modification made to the NSO database. This timestamp can be used by a RESTCONF client in subsequent requests, within the If-Modified-Since and If-Unmodified-Since header fields. This header is only available for the running datastore and hence, only relates to configuration data (non-operational).

Request headers

If-None-Match: This header evaluates to true if the supplied value does not match the latest Etag entity-tag value. If evaluated to false an error response with status 304 (Not Modified) will be sent with no body. This header carry only meaning if the entity-tag of the Etag response header has previously been acquired.

The usage of this could for example be a HEAD operation to get information if the data has changed since last retrieval.
If-Modified-Since: This request-header field is used with a HTTP method to make it conditional, i.e if the requested resource has not been modified since the time specified in this field, the request will not be processed by the RESTCONF server; instead, a 304 (Not Modified) response will be returned without any message-body.

Usage of this is for instance for a GET operation to retrieve the information if (and only if) the data has changed since last retrieval. Thus, this header should use the value of a Last-Modified response header that has previously been acquired.
If-Match: This header evaluates to true if the supplied value matches the latest Etag value. If evaluated to false an error response with status 412 (Precondition Failed) will be sent with no body. This header carry only meaning if the entity-tag of the Etag response header has previously been acquired.

The usage of this can be in case of a PUT, where If-Match can be used to prevent the lost update problem. It can check if the modification of a resource that the user wants to upload will not override another change that has been done since the original resource was fetched.
If-Unmodified-Since: This header evaluates to true if the supplied value has not been last modified after the given date. If the resource has been modified after the given date, the response will be a 412 (Precondition Failed) error with no body. This header carry only meaning if the Last-Modified response header has previously been acquired.

The usage of this can be the case of a POST, where editions are rejected if the stored resource has been modified since the original value was retrieved.

Using Rollbacks

Rolling back configuration changes

If rollbacks have been enabled in the configuration using the rollback-id query parameter, the fixed id of the rollback file creating during an operation is returned in the results. The below examples shows creation of a new resource and removal of that resource using the rollback created in the first step.

Example 21. Create a new dhcp/subnet resource

POST /restconf/data/dhcp:dhcp?rollback-id=true
Content-Type: application/yang-data+xml

<subnet xmlns="http://yang-central.org/ns/example/dhcp">
  <net>10.254.239.0/27</net>
</subnet>

HTTP/1.1 201 Created
Location: http://localhost:8008/restconf/data/dhcp:dhcp/subnet=10.254.239.0%2F27

<result xmlns="http://tail-f.com/ns/tailf-restconf">
<rollback>
  <id>10002</id>
</rollback>
</result>

Then using the fixed id returned above as input to the apply-rollback-file action:

POST /restconf/data/tailf-rollback:rollback-files/apply-rollback-file
Content-Type: application/yang-data+xml

<input xmlns="http://tail-f.com/ns/rollback">
  <fixed-number>10002</fixed-number>
</input>

HTTP/1.1 204 No Content

Streams

Introduction

The RESTCONF protocol supports YANG-defined event notifications. The solution preserves aspects of NETCONF event notifications [RFC5277] while utilizing the Server-Sent Events, W3C.REC-eventsource-20150203, transport strategy.

RESTCONF event notification streams are described in Sections 6 and 9.2 of RFC 8040, where also notification examples can be found.

RESTCONF event notification is a way for RESTCONF clients to retrieve notifications for different event streams. Event streams configured in NSO can be subscribed to using different channels such as the RESTCONF or the NETCONF channel.

More information on how to define a new notification event using Yang is described in RFC 6020.

How to add and configure notifications support in NSO is described in the ncs.conf(3) man page.

The design of RESTCONF event notification is inspired by how NETCONF event notification is designed. More information on NETCONF event notification can be found in RFC 5277.

Configuration

For this example we will define a notification stream, named interface in the ncs.conf configuration file as shown below.

We also enable the builtin replay store which means that NSO automatically stores all notifications on disk, ready to be replayed should a RESTCONF event notification subscriber ask for logged notifications. The replay store uses a set of wrapping log files on disk (of a certain number and size) to store the notifications.

Example 22. Configure an example notification

<notifications>
  <eventStreams>
    <stream>
      <name>interface</name>
      <description>Example notifications</description>
      <replaySupport>true</replaySupport>
      <builtinReplayStore>
        <dir>./</dir>
        <maxSize>S1M</maxSize>
        <maxFiles>5</maxFiles>
      </builtinReplayStore>
    </stream>
  </eventStreams>
</notifications>

To view the currently enabled event streams, use the ietf-restconf-monitoring YANG model. The streams are available under the /restconf/data/ietf-restconf-monitoring:restconf-state/streams container.

Example 23. View the example RESTCONF stream

GET /restconf/data/ietf-restconf-monitoring:restconf-state/streams
Accept: application/yang-data+xml

HTTP/1.1 200 OK

<streams xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf-monitoring"
         xmlns:rcmon="urn:ietf:params:xml:ns:yang:ietf-restconf-monitoring">

  ...other streams info removed here for brewity reason...

  <stream>
    <name>interface</name>
    <description>Example notifications</description>
    <replay-support>true</replay-support>
    <replay-log-creation-time>
      2020-05-04T13:45:31.033817+00:00
    </replay-log-creation-time>
    <access>
      <encoding>xml</encoding>
      <location>https://localhost:8888/restconf/streams/interface/xml</location>
    </access>
    <access>
      <encoding>json</encoding>
      <location>https://localhost:8888/restconf/streams/interface/json</location>
    </access>
  </stream>
</streams>

Note the URL value we get in the location element in the example above. This URL should be used when subscribing to the notification events as is shown in the next example.

Subscribe to notification events

RESTCONF clients can determine the URL for the subscription resource (to receive notifications) by sending an HTTP GET request for the location leaf with the stream list entry. The value returned by the server can be used for the actual notification subscription.

The client will send an HTTP GET request for the (location) URL returned by the server with the Accept type text/event-stream as shown in the example below. Note that this request works like a long polling request which means that the request will not return. Instead, server side notifications will be sent to the client where each line of the notification will be prepended with data: .

Example 24. View the example RESTCONF stream

GET /restconf/streams/interface/xml
Accept: text/event-stream

   ...NOTE: we will be waiting here until a notification is generated...

HTTP/1.1 200 OK
Content-Type: text/event-stream

data: <notification xmlns='urn:ietf:params:xml:ns:netconf:notification:1.0'>
data:     <eventTime>2020-05-04T13:48:02.291816+00:00</eventTime>
data:     <link-up xmlns='http://tail-f.com/ns/test/notif'>
data:       <if-index>2</if-index>
data:       <link-property>
data:         <newly-added/>
data:         <flags>42</flags>
data:         <extensions>
data:           <name>1</name>
data:           <value>3</value>
data:         </extensions>
data:         <extensions>
data:           <name>2</name>
data:           <value>4668</value>
data:         </extensions>
data:       </link-property>
data:     </link-up>
data: </notification>

   ...NOTE: we will still be waiting here for more notifications to come...

Since we have enabled the replay store, we can ask the server to replay any notifications generated since the specific date we specify. After those notifications have been delivered we will continue waiting for new notifications to be generated.

Example 25. View the example RESTCONF stream

GET /restconf/streams/interface/xml?start-time=2007-07-28T15%3A23%3A36Z
Accept: text/event-stream

HTTP/1.1 200 OK
Content-Type: text/event-stream

data: ...any existing notification since given date will be delivered here...

   ...NOTE: when all notifications are delivered, we will be waiting here for more...

Errors

Errors occurring during streaming of events will be reported as Server-Sent Events (SSE) comments as described in W3C.REC-eventsource-20150203 as shown in the example below.

Example 26. NSO RESTCONF errors during streaming

: error: notification stream NETCONF temporarily unavailable

Schema resource

RFC 8040, Section 3.7 describes retrieval of YANG modules used by the server via the RPC operation get-schema. The YANG source is made available by NSO in two ways: compiled into the fxs file or put in the loadPath. See the section called “Monitoring of the NETCONF Server”.

The example below show how to list the available Yang modules. Since we are interested by the dhcp module we only show that part of the output:

Example 27. List the available Yang modules

GET /restconf/data/ietf-yang-library:modules-state
Accept: application/yang-data+xml

HTTP/1.1 200 OK
<modules-state xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-library"
               xmlns:yanglib="urn:ietf:params:xml:ns:yang:ietf-yang-library">
  <module-set-id>f4709e88d3250bd84f2378185c2833c2</module-set-id>
  <module>
    <name>dhcp</name>
    <revision>2019-02-14</revision>
    <schema>http://localhost:8080/restconf/tailf/modules/dhcp/2019-02-14</schema>
    <namespace>http://yang-central.org/ns/example/dhcp</namespace>
    <conformance-type>implement</conformance-type>
  </module>

  ...rest of the output removed here...

</modules-state>

We can now retrieve the dhcp Yang module via the URL we got in the schema leaf of the reply. Note that the actual URL may point anywhere. The URL is configured by the schemaServerUrl setting in the ncs.conf file.

GET /restconf/tailf/modules/dhcp/2019-02-14

HTTP/1.1 200 OK
module dhcp {
  namespace "http://yang-central.org/ns/example/dhcp";
  prefix dhcp;

  import ietf-yang-types {

  ...the rest of the Yang module removed here...

YANG Patch Media Type

The NSO RESTCONF API also support the YANG Patch Media Type, as defined in RFC 8072.

A YANG Patch is an ordered list of edits that are applied to the target datastore by the RESTCONF server. A YANG Patch request is sent as a HTTP PATCH request containing a body describing the edit operations to be performed. The format of the body is defined in the RFC 8072.

Refering to the dhcp Yang model in our Getting Started chapter; we will show how to use YANG Patch to achieve the same result but with fewer amount of requests.

Create two new resources with YANG Patch

In order to create the resources, we send a HTTP PATCH request where the Content-Type indicates that the body in the request consists of a Yang-Patch message. Our Yang-Patch request will initiate two edit operations where each operation will create a new subnet. In contrast, compare this with using "plain" RESTCONF where we would have needed two POST requests to achieve the same result.

Example 28. Create a two new dhcp/subnet resources

PATCH /restconf/data/dhcp:dhcp
Accept: application/yang-data+xml
Content-Type: application/yang-patch+xml

<yang-patch xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-patch">
  <patch-id>add-subnets</patch-id>
  <edit>
    <edit-id>add-subnet-239</edit-id>
    <operation>create</operation>
    <target>/subnet=10.254.239.0%2F27</target>
    <value>
      <subnet xmlns="http://yang-central.org/ns/example/dhcp" \
              xmlns:dhcp="http://yang-central.org/ns/example/dhcp">
        <net>10.254.239.0/27</net>
          ...content removed here for brevity...
        <max-lease-time>1200</max-lease-time>
      </subnet>
    </value>
  </edit>
  <edit>
    <edit-id>add-subnet-244</edit-id>
    <operation>create</operation>
    <target>/subnet=10.254.244.0%2F27</target>
    <value>
      <subnet xmlns="http://yang-central.org/ns/example/dhcp" \
              xmlns:dhcp="http://yang-central.org/ns/example/dhcp">
        <net>10.254.244.0/27</net>
          ...content removed here for brevity...
        <max-lease-time>1200</max-lease-time>
      </subnet>
    </value>
  </edit>
</yang-patch>

# If the YANG Patch request was successful,
# the server might respond as follows:

HTTP/1.1 200 OK
<yang-patch-status xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-patch">
  <patch-id>add-subnets</patch-id>
  <ok/>
</yang-patch-status>

Modify and Delete in the same Yang-Patch request

Let us modify the 'max-lease-time' of one 'subnet' and delete the 'max-lease-time' value of the second 'subnet'. Note that the delete will cause the default value of 'max-lease-time' to take effect, which we will verify using a RESTCONF GET request.

Example 29. Modify and Delete in the same Yang-Patch request

PATCH /restconf/data/dhcp:dhcp
Accept: application/yang-data+xml
Content-Type: application/yang-patch+xml

<yang-patch xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-patch">
  <patch-id>modify-and-delete</patch-id>
  <edit>
    <edit-id>modify-max-lease-time-239</edit-id>
    <operation>merge</operation>
    <target>/dhcp:subnet=10.254.239.0%2F27</target>
    <value>
      <subnet xmlns="http://yang-central.org/ns/example/dhcp" \
              xmlns:dhcp="http://yang-central.org/ns/example/dhcp">
        <net>10.254.239.0/27</net>
        <max-lease-time>1234</max-lease-time>
      </subnet>
    </value>
  </edit>
  <edit>
    <edit-id>delete-max-lease-time-244</edit-id>
    <operation>delete</operation>
    <target>/dhcp:subnet=10.254.244.0%2F27/max-lease-time</target>
  </edit>
</yang-patch>

# If the YANG Patch request was successful,
# the server might respond as follows:

HTTP/1.1 200 OK
<yang-patch-status xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-patch">
  <patch-id>modify-and-delete</patch-id>
  <ok/>
</yang-patch-status>

To verify that our modify and delete operations took place we make use of two RESTCONF GET request as shown below.

Example 30. Verify the modified max-release-time value

GET /restconf/data/dhcp:dhcp/subnet=10.254.239.0%2F27/max-lease-time
Accept: application/yang-data+xml

HTTP/1.1 200 OK
<max-lease-time xmlns="http://yang-central.org/ns/example/dhcp"
                xmlns:dhcp="http://yang-central.org/ns/example/dhcp">
                1234
</max-lease-time>

Example 31. Verify the default values after delete of the max-release-time value

GET /restconf/data/dhcp:dhcp/subnet=10.254.244.0%2F27/max-lease-time?\
      with-defaults=report-all-tagged
Accept: application/yang-data+xml

HTTP/1.1 200 OK
<max-lease-time wd:default="true"
                xmlns:wd="urn:ietf:params:restconf:capability:defaults:1.0"
                xmlns="http://yang-central.org/ns/example/dhcp"
                xmlns:dhcp="http://yang-central.org/ns/example/dhcp">
                7200
</max-lease-time>

Note how we in the last GET request make use of the with-defaults query parameter to request that a default value should be returned and also be tagged as such.

NMDA

Network Management Datastore Architecture (NMDA), as defined in RFC 8527, extends the RESTCONF protocol. This enable RESTCONF clients to discover which datastores are supported by the RESTCONF server, determine which modules are supported in each datastore, and interact with all the datastores supported by the NMDA.

A RESTCONF client can test if a server supports the NMDA by using either the HEAD or GET methods on /restconf/ds/ietf- datastores:operational, as shown below:

Example 32. Check if the RESTCONF server support NMDA

HEAD /restconf/ds/ietf-datastores:operational

HTTP/1.1 200 OK

A RESTCONF client can discover which datastores and YANG modules the server supports by reading the YANG library information from the operational state datastore. Note in the example below that, since the result consists of three top-nodes, it can't be represented in XML; hence we request the returned content to be in JSON format. See also: the section called “Collections”.

Example 33. Check what datastores the RESTCONF server support

GET /restconf/ds/ietf-datastores:operational/datastore
Accept: application/yang-data+json

HTTP/1.1 200 OK
{
  "ietf-yang-library:datastore": [
    {
      "name": "ietf-datastores:running",
      "schema": "common"
    },
    {
      "name": "ietf-datastores:intended",
      "schema": "common"
    },
    {
      "name": "ietf-datastores:operational",
      "schema": "common"
    }
  ]
}

Extensions

To avoid any potential future conflict with the RESTCONF standard, any extensions made to the NSO implementation of RESTCONF is located under the URL path: /restconf/tailf, or is controlled by means of a vendor specific media type.

Note

There is no index of extensions under /restconf/tailf. To list extensions, access /restconf/data/ietf-yang-library:modules-state and follow published links for schemas.

Collections

The RESTCONF specification states that a result containing multiple instances (e.g a number of list entries) is not allowed if XML encoding is used. The reason for this is that an XML document can only have one root node.

This functionality is supported if the http://tail-f.com/ns/restconf/collection/1.0 capability is presented. See also: the section called “How to view the capabilities of the RESTCONF server”.

To remedy this, a HTTP GET request can make use of the Accept: media type: application/vnd.yang.collection+xml as shown in the following example. The result will then be wrapped within a collection element.

Example 34. Use of collections

GET /restconf/ds/ietf-datastores:operational/\
    ietf-yang-library:yang-library/datastore
Accept: application/vnd.yang.collection+xml

<collection xmlns="http://tail-f.com/ns/restconf/collection/1.0">
  <datastore xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-library"
            xmlns:yanglib="urn:ietf:params:xml:ns:yang:ietf-yang-library">
    <name xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
       ds:running
    </name>
    <schema>common</schema>
  </datastore>
  <datastore xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-library"
             xmlns:yanglib="urn:ietf:params:xml:ns:yang:ietf-yang-library">
    <name xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
      ds:intended
    </name>
    <schema>common</schema>
  </datastore>
  <datastore xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-library
             xmlns:yanglib="urn:ietf:params:xml:ns:yang:ietf-yang-library">
    <name xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
      ds:operational
    </name>
    <schema>common</schema>
  </datastore>
</collection>

The RESTCONF Query API

The NSO RESTCONF Query API consists of a number of operation to start a query which may live over several RESTCONF request, where data can be fetch in suitable chunks. The data to be returned is produced by applying an XPath expression where the data also may be sorted.

The RESTCONF client can check if the NSO RESTCONF server support this functionality by looking for the http://tail-f.com/ns/restconf/query-api/1.0 capability. See also: the section called “How to view the capabilities of the RESTCONF server”.

The tailf-rest-query.yang and the tailf-common-query.yang YANG models describe the structure of the RESTCONF Query API messages. By using the Schema Resource functionality, as described in the section called “Schema resource” , you can get hold of them.

Request and Replies

The API consists of the following Requests:

start-query : Start a query and return a query handle.
fetch-query-result : Use a query handle to repeatedly fetch chunks of the result.
immediate-query : Start a query and return the entire result immediately.
reset-query : (Re)set where the next fetched result will begin from.
stop-query : Stop (and close) the query.

The API consists of the following Replies:

start-query-result : Reply to the start-query request.
query-result : Reply to the fetch-query-result and immediate-query requests.

In the following examples, we'll use this data model:

Example 35. example.yang : model for the Query API example

container x {
  list host {
    key number;
    leaf number {
      type int32;
    }
    leaf enabled {
      type boolean;
    }
    leaf name {
      type string;
    }
    leaf address {
      type inet:ip-address;
    }
  }
}]

The actual format of the payload should be represented either in XML or JSON. Note how we indicate the type of content using the Content-Type HTTP header. For XML it could look like this:

Example 36. Example of a start-query request

POST /restconf/tailf/query
Content-Type: application/yang-data+xml

<start-query xmlns="http://tail-f.com/ns/tailf-rest-query">
  <foreach>
    /x/host[enabled = 'true']
  </foreach>
  <select>
    <label>Host name</label>
    <expression>name</expression>
    <result-type>string</result-type>
  </select>
  <select>
    <expression>address</expression>
    <result-type>string</result-type>
  </select>
  <sort-by>name</sort-by>
  <limit>100</limit>
  <offset>1</offset>
  <timeout>600</timeout>
</start-query>]

The same request in JSON format would look like:

Example 37. JSON example of a start-query request

POST /restconf/tailf/query
Content-Type: application/yang-data+json

{
 "start-query": {
   "foreach": "/x/host[enabled = 'true']",
   "select": [
     {
       "label": "Host name",
       "expression": "name",
       "result-type": ["string"]
     },
     {
       "expression": "address",
       "result-type": ["string"]
     }
   ],
   "sort-by": ["name"],
   "limit": 100,
   "offset": 1,
   "timeout": 600
 }
}]

An informal interpretation of this query is:

For each /x/host where enabled is true, select its name, and address, and return the result sorted by name, in chunks of 100 result items at a time.

Let us discuss the various pieces of this request. To start with, when using XML, we need to specify the name space as shown:

<start-query xmlns="http://tail-f.com/ns/tailf-rest-query">

The actual XPath query to run is specified by the foreach element. In the example below will search for all /x/host nodes that has the enabled node set to true:

<foreach>
  /x/host[enabled = 'true']
</foreach>

Now we need to define what we want to have returned from the node set by using one or more select sections. What to actually return is defined by the XPath expression.

Choose how the result should be represented. Basically, it can be the actual value or the path leading to the value. This is specified per select chunk. The possible result-types are: string , path , leaf-value and inline.

The difference between string and leaf-value is somewhat subtle. In the case of string the result will be processed by the XPath function: string() (which if the result is a node-set will concatenate all the values). The leaf-value will return the value of the first node in the result. As long as the result is a leaf node, string and leaf-value will return the same result. In the example above, the string is used as shown below. Note that at least one result-type must be specified.

The result-type inline makes it possible to return the full sub-tree of data, either in XML or in JSON format. The data will be enclosed with a tag: data.

It is possible to specify an optional label for a convenient way of labeling the returned data:

<select>
  <label>Host name</label>
  <expression>name</expression>
  <result-type>string</result-type>
</select>
<select>
  <expression>address</expression>
  <result-type>string</result-type>
</select>

The returned result can be sorted. This is expressed as an XPath expression, which in most cases is very simple and refers to the found node set. In this example we sort the result by the content of the name node:

<sort-by>name</sort-by>

With the offset element we can specify at which node we should start to receive the result. The default is 1, i.e., the first node in the resulting node-set.

<offset>1</offset>

It is possible to set a custom timeout when starting or resetting a query. Each time a function is called, the timeout timer resets. The default is 600 seconds, i.e. 10 minutes.

<timeout>600</timeout>

The reply to this request would look something like this:

<start-query-result>
  <query-handle>12345</query-handle>
</start-query-result>

The query handle (in this example '12345') must be used in all subsequent calls. To retrieve the result, we can now send:

<fetch-query-result xmlns="http://tail-f.com/ns/tailf-rest-query">
  <query-handle>12345</query-handle>
</fetch-query-result>

Which will result in something like the following:

<query-result xmlns="http://tail-f.com/ns/tailf-rest-query">
  <result>
    <select>
      <label>Host name</label>
      <value>One</value>
    </select>
    <select>
      <value>10.0.0.1</value>
    </select>
  </result>
  <result>
    <select>
      <label>Host name</label>
      <value>Three</value>
    </select>
    <select>
      <value>10.0.0.3</value>
    </select>
  </result>
</query-result>

If we try to get more data with the fetch-query-result we might get more result entries in return until no more data exists and we get an empty query result back:

<query-result xmlns="http://tail-f.com/ns/tailf-rest-query">
</query-result>

Finally, when we are done we stop the query:

<stop-query xmlns="http://tail-f.com/ns/tailf-rest-query">
  <query-handle>12345</query-handle>
</stop-query>

Reset a Query

If we want to go back in the "stream" of received data chunks and have them repeated, we can do that with the 'reset-query' request. In the example below we ask to get results from the 42:nd result entry:

<reset-query xmlns="http://tail-f.com/ns/tailf-rest-query">
  <query-handle>12345</query-handle>
  <offset>42</offset>
</reset-query>

Immediate Query

If we want to get the entire result sent back to us, using only one request, we can do this by using the immediate-query. This function takes similar arguments as start-query and returns the entire result analogous with the result from a fetch-query-result request. Note that it is not possible to paginate or set an offset start node for the result list; i.e. the options limit and offset are ignored.

Partial Responses

This functionality is supported if the http://tail-f.com/ns/restconf/partial-response/1.0 capability is presented. See also: the section called “How to view the capabilities of the RESTCONF server”.

By default, the server sends back the full representation of a resource after processing a request. For better performance, the server can be instructed to send only the nodes the client really needs in a partial response.

To request a partial response for a set of list entries, use the offset and limit query parameters to specify a limited set of entries to be returned.

In the following example we retrieve only 2 entries, skipping the first entry and then returning the next two entries:

Example 38. Partial Response

GET /restconf/data/example-jukebox:jukebox/library/artist?offset=1&limit=2
Accept: application/yang-data+json

...in return we will get the second and third elements of the list...

Hidden Nodes

This functionality is supported if the http://tail-f.com/ns/restconf/unhide/1.0 capability is presented. See also: the section called “How to view the capabilities of the RESTCONF server”.

By default, hidden nodes are not visible in the RESTCONF interface. In order to unhide hidden nodes for retrieval or editing, clients can use the query parameter unhide or set parameter showHidden to true under /confdConfig/restconf in confd.conf file. The query parameter unhide is supported for RPC and action invocation.

The format of the unhide parameter is a comma separated list of

<groupname>[;<password>]

As an example:

unhide=extra,debug;secret

This example unhides the unprotected group extra and the password protected group debug with the password secret;.

Configuration Meta-Data

It is possible to associate meta-data with the configuration data. For RESTCONF, resources such as containers, lists as well as leafs and leaf-lists can have such meta-data. For XML, this meta-data is represented as attributes attached to the XML element in question. For JSON, there does not exist a natural way to represent this info. Hence a special special notation has been introduced, based on the RFC 7952, see the example below.

Example 39. XML representation of meta-data

<x xmlns="urn:x" xmlns:x="urn:x">
  <id tags=" important ethernet " annotation="hello world">42</id>
  <person annotation="This is a person">
    <name>Bill</name>
    <person annotation="This is another person">grandma</person>
  </person>
</x>

Example 40. JSON representation of meta-data

{
  "x": {
    "id": 42,
    "@id": {"tags": ["important","ethernet"],"annotation": "hello world"},
    "person": {
      // NB: the below refers to the parent object
      "@@person": {"annotation": "This is a person"},
      "name": "Bill",
      "person": "grandma",
      // NB: the below refers to the sibling object
      "@person": {"annotation": "This is another person"}
    }
  }
}

For JSON, note how we represent the meta data for a certain object "x" by another object constructed of the object name prefixed with either one or two "@" signs. The meta-data object "@x" refers to the sibling object "x" and the "@@x" object refers to the parent object.

Note

This differs from the RFC 7952!

The Authentication Cache

The RESTCONF server maintains an authentication cache. When authenticating an incoming request for a particular User:Password, it is first checked if the User exists in the cache and if so, the request is processed. This makes it possible to avoid the, potentially time consuming, login procedure that will take place in case of a cache miss.

Cache entries has a maximum Time-To-Live (TTL) and upon expiry a cache entry is removed which will cause the next request for that User to perform the normal login procedure. The TTL value is configurable via the auth-cache-ttl parameter, as shown in the example. Note that, by setting the TTL value to PT0S (zero), the cache is effectively turned off.

It is also possible to combine the Clients IP address with the User name as a key into the cache. This behaviour is disabled by default. It can be enabled by setting the enable-auth-cache-client-ip parameter to true. With this enabled, only a Client coming from the same IP address may get a hit in the authentication cache.

Example 41. NSO configuration of the authentication cache TTL

  ...
  <aaa>
     ...
     <restconf>
        <!-- Set the TTL to 10 seconds! -->
        <auth-cache-ttl>PT10S</auth-cache-ttl>
        <!-- Use both "User" and "ClientIP" as key into the AuthCache -->
        <enable-auth-cache-client-ip>false</enable-auth-cache-client-ip>
     </restconf>
     ...
  </aaa>
  ...

Client IP via Proxy

It is possible to configure the NSO RESTCONF server to pick up the client IP address via a HTTP header in the request. A list of HTTP headers to look for is configurable via the proxy-headers parameter as shown in the example.

To avoid misuse of this feature, only requests from trusted sources will be searched for such a HTTP header. The list of trusted sources is configured via the allowed-proxy-ip-prefix as shown in the example.

Example 42. NSO configuration of Client IP via Proxy

  ...
  <webui>
     ...
    <use-forwarded-client-ip>
      <proxy-headers>X-Forwarded-For</proxy-headers>
      <proxy-headers>X-REAL-IP</proxy-headers>
      <allowed-proxy-ip-prefix>10.12.34.0/24</allowed-proxy-ip-prefix>
      <allowed-proxy-ip-prefix>2001:db8:1234::/48</allowed-proxy-ip-prefix>
    </use-forwarded-client-ip>
     ...
  </webui>
  ...

External token authentication/validation

The NSO RESTCONF server can be setup to pass a long a token used for authentication and/or validation of the client. Note that this require external authentication/validation to be setup properly. See the section called “External token validation” in Administration Guide and the section called “External authentication” in Administration Guide for details.

With token authentication we mean that the client sends a User:Password to the RESTCONF server, which will invoke an external executable that perform the authentication and upon success produces a token that the RESTCONF server will return in the X-Auth-Token HTTP header of the reply.

With token validation we mean that the RESTCONF server will pass along any token, provided in the X-Auth-Token HTTP header, to an external executable that performs the validation. This external program may produce a new token that the RESTCONF server will return in the X-Auth-Token HTTP header of the reply.

To make this work, the following need to be configured in the ncs.conf file:

Example 43. Configure RESTCONF external token authentication/validation

  ...
  <restconf>
     ...
    <token-response>
      <x-auth-token>true</x-auth-token>
    </token-response>
     ...
  </restconf>
  ...

It is also possible to have the RESTCONF server to return a HTTP cookie containing the token.

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. This can be convenient in certain solutions, where typically, it is used to tell if two requests came from the same browser, keeping a user logged-in, for example.

To make this happen, the name of the cookie need to be configured as well as a directives string which will be sent as part of the cookie.

Example 44. Configure the RESTCONF token cookie

  ...
  <restconf>
     ...
     <token-cookie>
       <name>X-JWT-ACCESS-TOKEN</name>
       <directives>path=/; Expires=Tue, 19 Jan 2038 03:14:07 GMT;</directives>
     </token-cookie>
     ...
  </restconf>
  ...

Custom Response HTTP Headers

The RESTCONF server can be configured to reply with particular HTTP headers in the HTTP response. For example, to support Cross-Origin Resource Sharing (CORS, https://www.w3.org/TR/cors/) there is a need to add a couple of headers to the HTTP Response.

We add the extra configuration parameter in ncs.conf.

Example 45. NSO RESTCONF custom header configuration

    <restconf>
      <enabled>true</enabled>
      <custom-headers>
        <header>
          <name>Access-Control-Allow-Origin</name>
          <value>*</value>
        </header>
      </custom-headers>
    </restconf>

A number of HTTP header has been deemed so important by security reasons that they, with sensible default values, per default will be included in the RESTCONF reply. The values can be changed by configuration in the ncs.conf file. Note that a configured empty value will effectively turn off that particular header from being included in the RESTCONF reply. The headers and their default values are:

xFrameOptions : DENY

The default value indicate that the page cannot be displayed in a frame/iframe/embed/object regardless of the site attempting to do so.
xContentTypeOptions : nosniff

The default value indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. In particular should requests for CSS or Javascript be blocked in case a proper MIME type is not used.
xXssProtection : 1; mode=block

This header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. It enables XSS filtering and tell the browser to prevent rendering of the page if an attack is detected.
strictTransportSecurity : max-age=15552000; includeSubDomains

The default value tell browsers that the RESTCONF server should only be accessed using HTTPS, instead of using HTTP. It set the time that the browser should remember this and state that this rule applies to all of the servers subdomains as well.
contentSecurityPolicy : default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none';

The default value means that: Resources like fonts, scripts, connections, images, and styles will all only load from the same origin as the protected resource. All mixed contents will be blocked and frame-ancestors like iframes and applets is prohibited.

Generating Swagger for RESTCONF

Swagger is a documentation language used to describe RESTful APIs. The resulting specifications are used to both document APIs as well as generating clients in a variety of languages. For more information about the Swagger specification itself and the ecosystem of tools available for it, see swagger.io.

The RESTCONF API in NSO provides an HTTP-based interface for accessing data. The YANG modules loaded into the system define the schema for the data structures that can be manipulated using the RESTCONF protocol. The yanger tool provides options to generate Swagger specifications from YANG files. The tool currently supports generating specifications according to OpenAPI/Swagger 2.0 using JSON encoding. The tool supports validation of JSON bodies in body parameters and response bodies, and XML content validation is not supported.

YANG and Swagger are two different languages serving slightly different purposes. YANG is a data modeling language used to model configuration data, state data, Remote Procedure Calls, and notifications for network management protocols such as NETCONF and RESTCONF. Swagger is an API definition language that documents API resource structure as well as HTTP body content validation for applicable HTTP request methods. Translation from YANG to Swagger is not perfect in the sense that there are certain constructs and features in YANG that is not possible to capture completely in Swagger. The design of the translation is designed such that the resulting Swagger definitions are more restrictive than what is expressed in the YANG definitions. This means that there are certain cases where a client can do more in the RESTCONF API than what the Swagger definition expresses. There is also a set of well-known resources defined in the RESTCONF RFC 8040 that are not part of the generated Swagger specification, notably resources related to event streams.

Using yanger to generate Swagger

The yanger tool is a YANG parser and validator that provides options to convert YANG modules to a multitude of formats including Swagger. You use the -f swagger option to generate a Swagger definition from one or more YANG files. The following command generates a Swagger file named example.json from the example.yang YANG file:


yanger -t expand -f swagger example.yang -o example.json

It is only supported to generate Swagger from one YANG module at a time. It is possible however to augment this module by supplying additional modules. The following command generates a Swagger document from base.yang which is augmented by base-ext-1.yang and base-ext-2.yang:


yanger -t expand -f swagger base.yang base-ext-1.yang base-ext-2.yang -o base.json

Only supplying augmenting modules is not supported.

Use the --help option to the yanger command to see all available options:


yanger --help

The complete list of options related to Swagger generation is:

Swagger output specific options:
  --swagger-host                    Add host to the Swagger output
  --swagger-basepath                Add basePath to the Swagger output
  --swagger-version                 Add version url to the Swagger output.
                                    NOTE: this will override any revision
                                    in the yang file
  --swagger-tag-mode                Set tag mode to group resources. Valid
                                    values are: methods, resources, all
                                    [default: all]
  --swagger-terms                   Add termsOfService to the Swagger
                                    output
  --swagger-contact-name            Add contact name to the Swagger output
  --swagger-contact-url             Add contact url to the Swagger output
  --swagger-contact-email           Add contact email to the Swagger output
  --swagger-license-name            Add license name to the Swagger output
  --swagger-license-url             Add license url to the Swagger output
  --swagger-top-resource            Generate only swagger resources from
                                    this top resource. Valid values are:
                                    root, data, operations, all [default:
                                    all]
  --swagger-omit-query-params       Omit RESTCONF query parameters
                                    [default: false]
  --swagger-omit-body-params        Omit RESTCONF body parameters
                                    [default: false]
  --swagger-omit-form-params        Omit RESTCONF form parameters
                                    [default: false]
  --swagger-omit-header-params      Omit RESTCONF header parameters
                                    [default: false]
  --swagger-omit-path-params        Omit RESTCONF path parameters
                                    [default: false]
  --swagger-omit-standard-statuses  Omit standard HTTP response statuses.
                                    NOTE: at least one successful HTTP
                                    status will still be included
                                    [default: false]
  --swagger-methods                 HTTP methods to include. Example:
                                    --swagger-methods "get, post"
                                    [default: "get, post, put, patch,
                                    delete"]
  --swagger-path-filter             Filter out paths matching a path filter.
                                    Example: --swagger-path-filter
                                    "/data/example-jukebox/jukebox"

Using the example-jukebox.yang from the RESTCONF RFC 8040, the following example generates a comprehensive Swagger definition using a variety of the Swagger-related options:

Example 46. Comprehensive Swagger generation example


yanger -p . -t expand -f swagger example-jukebox.yang \
       --swagger-host 127.0.0.1:8080 \
       --swagger-basepath /restconf \
       --swagger-version "My swagger version 1.0.0.1" \
       --swagger-tag-mode all \
       --swagger-terms "http://my-terms.example.com" \
       --swagger-contact-name "my contact name" \
       --swagger-contact-url "http://my-contact-url.example.com" \
       --swagger-contact-email "my-contact-email@example.com" \
       --swagger-license-name "my license name" \
       --swagger-license-url "http://my-license-url.example.com" \
       --swagger-top-resource all \
       --swagger-omit-query-params false \
       --swagger-omit-body-params false \
       --swagger-omit-form-params false \
       --swagger-omit-header-params false \
       --swagger-omit-path-params false \
       --swagger-omit-standard-statuses false \
       --swagger-methods "post, get, patch, put, delete, head, options"