RESTCONF ProtocolYumaWorksandy@yumaworks.comTail-f Systemsmbj@tail-f.comJuniper Networkskwatsen@juniper.net
This document describes an HTTP-based protocol that provides
a programmatic interface for accessing data defined in YANG,
using the datastores defined in NETCONF.
There is a need for standard mechanisms to allow WEB applications
to access the configuration data, operational data,
data-model specific protocol operations, and notification events
within a networking device, in a modular and extensible manner.
This document describes an HTTP based protocol called
RESTCONF, for accessing data defined in YANG , using
datastores defined in NETCONF .
The NETCONF protocol defines configuration datastores and
a set of Create, Retrieve, Update, Delete (CRUD) operations
that can be used to access these datastores. The YANG language
defines the syntax and semantics of datastore content,
operational data, protocol operations, and notification events.
RESTCONF uses HTTP operations to provide CRUD operations on a
NETCONF datastore containing YANG-defined data. Since NETCONF
protocol operations are not relevant, the user should
not need any prior knowledge of NETCONF in order to use RESTCONF.
Configuration data and state data are exposed as resources that
can be retrieved with the GET method.
Resources representing configuration data
can be modified with the DELETE, PATCH, POST, and PUT methods.
Data is encoded with either XML
or JSON .
Data-model specific protocol operations defined with
the YANG "rpc" statement can be invoked with the POST method.
Data-model specific notification events defined with
the YANG "notification" statement can be accessed.
RESTCONF relies on TLS to provide privacy and data
integrity for its HTTP operations. More specifically,
RESTCONF requires HTTP over TLS (HTTPS) . To ensure
security, RESTCONF clients MUST verify the RESTCONF server's
X.509 certificate using the path validation algorithm defined in
section 6 of . Devices that do not support TLS will
be unable to implement RESTCONF.
The framework and meta-model used for an HTTP-based API does not need to
mirror those used by the NETCONF protocol, but it needs to
be compatible with NETCONF. A simplified framework and protocol
is needed that utilizes the three NETCONF datastores (candidate,
running, startup), but hides the complexity of multiple datastores
from the client.
A simplified transaction model is needed that allows basic
CRUD operations on a hierarchy of conceptual resources.
This represents a limited subset of the transaction capabilities
of the NETCONF protocol.
Applications that require more complex transaction capabilities
might consider NETCONF instead of RESTCONF. The following
transaction features are not directly provided in RESTCONF:
datastore locking (full or partial)
candidate datastore
startup datastore
validate operation
confirmed-commit procedure
RESTCONF is not intended to replace NETCONF, but rather provide
an additional simplified interface that follows REST principles and
is compatible with a resource-oriented device abstraction.
The following figure shows the system components:
RESTCONF combines the simplicity of the HTTP protocol with the
predictability and automation potential of a schema-driven API.
Using YANG, a client can predict all resource endpoints, much
like using URI Templates , but in a more holistic
manner. This strategy obviates the need for responses provided
by the server to contain HATEOAS links, originally described in
Roy Fielding's doctoral dissertation .
A REST client using HATEOAS principles would not use
any data modeling language to define the application-specific content
of the API. The client would discover each new child
resource as it traverses the URIs returned as Location IDs
to discover the server capabilities. This approach has 3 significant
weaknesses with regards to control of complex networking devices:
inefficient performance: configuration APIs will be quite
complex and may require thousands of protocol messages to
discover all the schema information. Typically the
data type information has to be passed in the protocol messages,
which is also wasteful overhead.
no data model richness: without a data model, the schema-level
semantics and validation constraints are not available to the
application.
no tool automation: API automation tools need some sort of
content schema to function. Such tools can automate
various programming and documentation tasks related
to specific data models.
Data model modules such as YANG modules serve as an "API contract"
that will be honored by the server. An application designer
can code to the data model, knowing in advance important details
about the exact protocol operations and datastore content
a conforming server implementation will support.
RESTCONF provides the YANG module capability information
supported by the server, in case the client wants to use it.
The URIs for custom protocol operations and datastore content
are predictable, based on the YANG module definitions.
Operational experience with CLI and SNMP indicates that
operators learn the 'location' of specific service
or device related data and do not expect such information
to be arbitrary and discovered each time the
client opens a management session to a server.
The RESTCONF protocol operates on a conceptual datastore defined with
the YANG data modeling language. The server lists each YANG
module it supports under "/modules" defined in the "ietf‑yang‑library"
YANG module.
The conceptual datastore contents, data-model-specific
operations and notification events are identified by this set of
YANG module resources. All RESTCONF content identified
as either a data resource, operation resource, or event stream resource
is defined with the YANG language.
The classification of data as configuration or
non-configuration is derived from the YANG "config" statement.
Data ordering behavior is derived from the YANG "ordered‑by"
statement.
The RESTCONF datastore editing model is simple and direct,
similar to the behavior of the ":writable‑running"
capability in NETCONF. Each RESTCONF edit of a datastore
resource is activated upon successful completion of the transaction.
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14, .
The following terms are defined in :
candidate configuration datastore
client
configuration data
datastore
configuration datastore
protocol operation
running configuration datastore
server
startup configuration datastore
state data
user
The following terms are defined in :
entity tag
fragment
header line
message body
method
path
query
request
request URI
response body
resource
The following terms are defined in :
container
data node
key leaf
leaf
leaf-list
list
presence container (or P-container)
RPC operation (now called protocol operation)
non-presence container (or NP-container)
ordered-by system
ordered-by user
The following terms are used within this document:
API resource: a resource with the media type
"application/yang.api+xml" or "application/yang.api+json".
API resources can only be edited by the server.
collection resource: a resource with the media type
"application/yang.collection+xml" or
"application/yang.collection+json". Contains a set of
data resources.
data resource: a resource with the media type
"application/yang.data+xml" or "application/yang.data+json".
Containers, leafs, list entries and anyxml nodes can be data
resources.
datastore resource: a resource with the media type
"application/yang.datastore+xml" or
"application/yang.datastore+json". Represents a configuration
datastore.
edit operation: a RESTCONF operation on a data resource
using the POST, PUT, PATCH, or DELETE method.
event stream resource: This resource represents
an SSE (Server-Sent Events) event stream. The content consists of text
using the media type "text/event‑stream", as defined by the HTML5
specification. Each event represents
one <notification> message generated by the server.
It contains a conceptual system or data-model specific event
that is delivered within a notification event stream.
Also called a "stream resource".
operation: the conceptual RESTCONF operation for a message,
derived from the HTTP method, request URI, headers, and message body.
operation resource: a resource with the media type
"application/yang.operation+xml" or
"application/yang.operation+json".
patch: a generic PATCH request on the target datastore
or data resource.
The media type of the message body content will identify
the patch type in use.
plain patch: a PATCH request where the media type
is "application/yang.data+xml" or "application/yang.data+json".
query parameter: a parameter (and its value if any),
encoded within the query component of the request URI.
retrieval request: a request using the GET or HEAD methods.
target resource: the resource that is associated with
a particular message, identified by the "path" component
of the request URI.
unified datastore: A conceptual representation of the device
running configuration. The server will hide all NETCONF datastore
details for edit operations, such as the ":candidate" and ":startup"
capabilities.
schema resource: a resource with the media type
"application/yang". The YANG representation of the schema
can be retrieved by the client with the GET method.
stream list: the set of data resource instances that describe
the event stream resources available from the server.
This information is defined in the "ietf‑restconf‑monitoring"
module as the "stream" list. It can be retrieved using the
target resource "{+restconf}/data/ietf‑restconf‑monitoring:restconf‑state/streams/stream".
The stream list contains information about each stream,
such as the URL to retrieve the event stream data.
Throughout this document, the URI template syntax
"{+restconf}" is used to refer to the RESTCONF API entry point outside
of an example. See @path-resolution@ for details.
All of the examples in this document assume "/restconf" as the
discovered RESTCONF API root path.
A simplified graphical representation of the data model is used in
this document. The meaning of the symbols in these
diagrams is as follows:
Brackets "[" and "]" enclose list keys.
Abbreviations before data node names: "rw" means configuration
data (read-write) and "ro" state data (read-only).
Symbols after data node names: "?" means an optional node, "!" means
a presence container, and "*" denotes a list and leaf-list.
Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":").
Ellipsis ("...") stands for contents of subtrees that are not shown.
The RESTCONF protocol operates on a hierarchy of resources,
starting with the top-level API resource itself. Each resource
represents a manageable component within the device.
A resource can be considered a collection of conceptual data and the
set of allowed methods on that data. It can contain nested child
resources. The child resource types and methods allowed on them are
data-model specific.
A resource has its own media type identifier, represented
by the "Content‑Type" header in the HTTP response message.
A resource can contain zero or more nested resources.
A resource can be created and deleted independently of its
parent resource, as long as the parent resource exists.
All RESTCONF resources are defined in this document except
datastore contents, protocol operations, and notification events.
The syntax and semantics for these resource types are
defined in YANG modules.
The RESTCONF resources are accessed via a set of
URIs defined in this document.
The set of YANG modules supported by the server
will determine the data model specific operations,
top-level data node resources, and notification event messages
supported by the server.
The resources used in the RESTCONF protocol are identified
by the "path" component in the request URI. Each operation
is performed on a target resource.
The RESTCONF protocol defines a set of application specific media
types to identify each of the available resource types. The following
resource types are defined in RESTCONF:
ResourceMedia TypeAPIapplication/yang.apiCollectionapplication/yang.collectionDatastoreapplication/yang.datastoreDataapplication/yang.dataErrorsapplication/yang.errorsOperationapplication/yang.operationSchemaapplication/yang
A client SHOULD start by retrieving the top-level API resource,
using the entry point URI defined in .
The RESTCONF protocol does not include a
resource discovery mechanism. Instead, the definitions
within the YANG modules advertised by the server
are used to construct a predictable operation or data
resource identifier.
The "depth" query parameter (see ) can be used to control how
many descendant levels should be included when retrieving child
resources. This parameter can be used with the GET method to discover
child resources within a particular resource.
The API resource contains the state and access points for
the RESTCONF features.
It is the top-level resource and has the media type
"application/yang.api+xml" or "application/yang.api+json".
YANG Tree Diagram for "application/yang.api" Resource Type:
The "restconf" grouping definition in the "ietf‑restconf" module
defined in is used to specify the structure and syntax
of the conceptual child resources within the API resource.
This resource has the following child resources:
Child ResourceDescriptiondataContains all data resourcesoperationsData-model specific operations
This mandatory resource represents the combined configuration
and operational data resources that can be accessed by a client.
It cannot be created or deleted by the client.
The datastore resource type is defined in .
Example:
This example request by the client
would retrieve only the non-configuration data nodes
that exist within the "library" resource, using the "content"
query parameter (see ).
The server might respond:
This optional resource is a container that provides access to the
data-model specific protocol operations supported by the server.
The server MAY omit this resource if no data-model specific
operations are advertised.
Any data-model specific operations defined in the YANG
modules advertised by the server MAY be available
as child nodes of this resource.
Operation resources are defined in .
The "{+restconf}/data" subtree represents the datastore resource type,
which is a collection of configuration and operational data nodes.
A "unified datastore" interface is used to simplify resource
editing for the client. The RESTCONF unified datastore is a
conceptual interface to the native configuration datastores
that are present on the device.
The underlying NETCONF datastores (i.e., candidate, running, startup)
can be used to implement the unified datastore, but the server design
is not limited to the exact datastore procedures defined
in NETCONF.
The "candidate" and "startup" datastores are not visible
in the RESTCONF protocol. Transaction management and
configuration persistence are handled by the server
and not controlled by the client.
A datastore resource can only be written directly with
the PATCH method. Only the configuration data resources
within the datastore resource can be edited directly with
all methods.
Each RESTCONF edit of a datastore resource is
saved to non-volatile storage in an
implementation-specific matter by the server.
There is no guarantee that configuration changes
are saved immediately, or that the saved configuration
is always a mirror of the running configuration.
Two "edit collision detection" mechanisms are provided
in RESTCONF, for datastore and data resources.
The last change time is maintained and
the "Last‑Modified" and "Date" headers are returned in the
response for a retrieval request.
The "If‑Unmodified‑Since" header can be used
in edit operation requests to cause the server
to reject the request if the resource has been modified
since the specified timestamp.
The server MUST maintain a last-modified timestamp for this
resource, and return the "Last‑Modified" header when this
resource is retrieved with the GET or HEAD methods.
Only changes to configuration data resources within
the datastore affect this timestamp.
A unique opaque string is maintained and
the "ETag" header is returned in the
response for a retrieval request.
The "If‑Match" header can be used
in edit operation requests to cause the server
to reject the request if the resource entity tag
does not match the specified value.
The server MUST maintain a resource entity tag for this
resource, and return the "ETag" header when this
resource is retrieved with the GET or HEAD methods.
The resource entity tag MUST be changed to a new
previously unused value if changes to any configuration
data resources within the datastore are made.
A data resource represents a YANG data node that is a descendant
node of a datastore resource. Containers, leafs, list entries and
anyxml nodes are data resources.
For configuration data resources,
the server MAY maintain a last-modified timestamp for the
resource, and return the "Last‑Modified" header when it
is retrieved with the GET or HEAD methods.
If maintained, the resource timestamp MUST be set to the current
time whenever the resource
or any configuration resource within the resource is altered.
For configuration data resources,
the server MAY maintain a resource entity tag for the
resource, and return the "ETag" header when it
is retrieved as the target resource with the GET or HEAD methods.
If maintained, the resource entity tag MUST be updated
whenever the resource
or any configuration resource within the resource is altered.
A data resource can be retrieved with the GET method.
Data resources are accessed via the "{+restconf}/data" entry point.
This sub-tree is used to retrieve and edit data resources.
A configuration data resource can be altered by the client
with some or all of the edit operations, depending on the
target resource and the specific operation. Refer to
for more details on edit operations.
The resource definition version for a data resource
is identified by the revision date of the YANG module
containing the YANG definition for the data resource,
specified in the "{+restconf}/modules" sub-tree.
In YANG, data nodes are named with an absolute
XPath expression, defined in , starting
from the document root to the target resource.
In RESTCONF, URL encoded Location header expressions are used instead.
The YANG "instance‑identifier" (i-i) data type is represented
in RESTCONF with the path expression format defined
in this section.
NameCommentspointInsertion point is always a full i-ipathRequest URI path is a full or partial i-i
The "path" component of the request URI contains the
absolute path expression that identifies the
target resource.
A predictable location for a data resource
is important, since applications will code to the YANG
data model module, which uses static naming and defines an
absolute path location for all data nodes.
A RESTCONF data resource identifier is not an XPath expression.
It is encoded from left to right, starting with the top-level
data node, according to the "api‑path" rule in .
The node name of each ancestor of the target resource node
is encoded in order, ending with the node name for the
target resource.
If a data node in the path expression is a YANG list node,
then the key values for the list (if any) MUST be encoded
according to the following rules.
The key leaf values for a data resource representing a YANG
list MUST be encoded using one path segment .
If there is only one key leaf value, the path segment is constructed
by having the list name followed by an "=" followed by the single key
leaf value.
If there are multiple key leaf values, the value of each leaf
identified in the "key" statement is encoded
in the order specified in the YANG "key" statement, with a
comma separating them.
All the components in the "key" statement MUST be encoded.
Partial instance identifiers are not supported.
Quoted strings are supported in the key leaf values. Quoted
strings MUST be used to express empty strings.
(example: list=foo,'',baz).
The "list‑instance" ABNF rule defined in
represents the syntax of a list instance identifier.
Resource URI values returned in Location headers
for data resources MUST identify the module name, even
if there are no conflicting local names when the resource
is created. This ensures the correct resource will be identified
even if the server loads a new module that the old client
does not know about.
Examples:
For the above YANG definition, URI with key leaf values will be
encoded as follows (line wrapped for display purposes only):
The "api‑path" ABNF syntax is used to construct RESTCONF
path identifiers:
NETCONF has a rather complex model for handling default values for
leafs. RESTCONF attempts to avoid this complexity by
restricting the operations that can be applied to
a resource. Applications that require full control of defaults
might consider NETCONF instead of RESTCONF.
If the target of a GET method is a data node
that represents a leaf that has a default value,
and the leaf has not been given a value yet, the server MUST
return the default value that is in use by the server.
If the target of a GET method is a data node
that represents a container or list that has any child resources
with default values, for the child resources that have not been given
value yet, the server MAY
return the default values that are in use by the server.
A collection resource contains a set of data resources. It is used to
represent a all instances or a subset of all instances in a YANG list
or leaf-list.
A collection resource can be retrieved with the GET method, optionally
with the query parameters "limit" () and "offset" ().
The "ietf‑restconf" YANG module contains the "collection" grouping
which specifies the syntax of a collection resource.
An operation resource represents an protocol operation
defined with the YANG "rpc" statement.
All operation resources share the same module namespace
as any top-level data resources, so the name of an operation
resource cannot conflict with the name of a top-level
data resource defined within the same module.
If 2 different YANG modules define the same "rpc" identifier,
then the module name MUST be used in the request URI.
For example, if "module‑A" and "module‑B" both defined
a "reset" operation, then invoking the operation from "module‑A"
would be requested as follows:
Any usage of an operation resource from the same module,
with the same name, refers to the same "rpc" statement
definition. This behavior can be used to design protocol operations
that perform the same general function on different
resource types.
If the "rpc" statement has an "input" section, then a message body
MAY be sent by the client in the request, otherwise the request
message MUST NOT include a message body.
If the "rpc" statement has an "output" section, then a message body
MAY be sent by the server in the response. Otherwise the
server MUST NOT include a message body in the response message,
and MUST send a "204 No Content" Status-Line instead.
If the "rpc" statement has an "input" section, then
the "input" node is provided in the message body,
corresponding to the YANG data definition statements
within the "input" section.
Example:
The following YANG definition is used for the examples in this
section.
The client might send the following POST request message:
The server might respond:
If the "rpc" statement has an "output" section, then
the "output" node is provided in the message body,
corresponding to the YANG data definition statements
within the "output" section.
Example:
The following YANG definition is used for the examples in this
section.
The client might send the following POST request message:
The server might respond:
If the server supports the "schema" leaf within the API then
the client can retrieve the YANG schema text for the associated
YANG module or submodule, using the GET method.
First the client needs to retrieve the URL for retrieving the schema.
The client might send the following GET request message:
The server might respond:
Next the client needs to retrieve the actual YANG schema.
The client might send the following GET request message:
The server might respond:
A "stream" resource represents a source for system generated
event notifications. Each stream is created and modified
by the server only. A client can retrieve a stream resource
or initiate a long-poll server sent event stream,
using the procedure specified in .
A notification stream functions according to the NETCONF
Notifications specification . The available streams
can be retrieved from the stream list,
which specifies the syntax and semantics of a stream resource.
An "errors" resource is a collection of error information that
is sent as the message body in a server response message,
if an error occurs while processing a request message.
The "ietf‑restconf" YANG module contains the "errors" grouping
which specifies the syntax and semantics of an errors resource.
RESTCONF error handling behavior is defined in .
The RESTCONF protocol uses HTTP methods to identify
the CRUD operation requested for a particular resource.
The following table shows how the RESTCONF operations relate to
NETCONF protocol operations:
RESTCONFNETCONFOPTIONSnoneHEADnoneGET<get-config>, <get>POST<edit-config> (operation="create")PUT<edit-config> (operation="replace")PATCH<edit-config> (operation="merge")DELETE<edit-config> (operation="delete")
The NETCONF "remove" operation attribute is not supported
by the HTTP DELETE method. The resource must exist or
the DELETE method will fail. The PATCH method is equivalent to
a "merge" operation for a plain patch.
Access control mechanisms may be used to limit what operations
can be used. In particular, RESTCONF is compatible with the
NETCONF Access Control Model (NACM) , as there is a
specific mapping between RESTCONF and NETCONF operations,
defined in . The resource path needs
to be converted internally by the server to the corresponding
YANG instance-identifier. Using this information,
the server can apply the NACM access control rules to RESTCONF
messages.
The server MUST NOT allow any operation to any resources that
the client is not authorized to access.
Implementation of all methods (except PATCH) are defined in .
This section defines the RESTCONF protocol usage for
each HTTP method.
The OPTIONS method is sent by the client to
discover which methods are supported by the server
for a specific resource.
If supported, it SHOULD be implemented for all media types.
The server SHOULD implement this method, however the same information
could be extracted from the YANG modules and the RESTCONF
protocol specification.
If the PATCH method is supported, then the "Accept‑Patch" header
MUST be supported, as defined in .
The HEAD method is sent by the client to
retrieve just the headers that would be returned
for the comparable GET method, without the response body.
It is supported for all resource types, except operation resources.
The request MUST contain a request URI
that contains at least the entry point component.
The same query parameters supported by the GET method
are supported by the HEAD method.
The access control behavior is enforced
as if the method was GET instead of HEAD.
The server MUST respond the same as if the method
was GET instead of HEAD, except that no
response body is included.
The GET method is sent by the client to
retrieve data and meta-data for a resource.
It is supported for all resource types, except operation resources.
The request MUST contain a request URI
that contains at least the entry point component.
The server MUST NOT return any data resources for which the user
does not have read privileges.
If the user is not authorized to read
the target resource, an error response containing
a "403 Forbidden" or "404 Not Found" Status-Line is returned to
the client.
If the user is authorized to read some but not all of
the target resource, the unauthorized content is omitted
from the response message body, and the authorized content
is returned to the client.
Example:
The client might request the response headers for a
JSON representation of the "library" resource:
The server might respond:
The POST method is sent by the client to create a data resource
or invoke an operation resource.
The server uses the target resource media type
to determine how to process the request.
TypeDescriptionDatastoreCreate a top-level configuration data resourceDataCreate a configuration data child resourceOperationInvoke a protocol operation
If the target resource type is a datastore or data resource,
then the POST is treated as a request to create a resource or
child resource. The message body is expected to contain the
content of a child resource to create within the parent (target resource).
The "insert" and "point" query parameters are supported
by the POST method for datastore and data resource types,
as specified in the YANG definition in .
If the POST method succeeds,
a "201 Created" Status-Line is returned and there is
no response message body. A "Location" header identifying
the child resource that was created MUST be present
in the response in this case.
If the user is not authorized to create the target resource,
an error response containing
a "403 Forbidden" or "404 Not Found" Status-Line is returned to
the client. All other error responses are handled according to
the procedures defined in .
Example:
To create a new "jukebox" resource, the client might send:
If the resource is created, the server might respond as follows:
Refer to for more resource creation examples.
If the target resource type is an operation resource,
then the POST method is treated as a request to invoke that operation.
The message body (if any) is processed as the operation input
parameters. Refer to for details
on operation resources.
If the POST request succeeds, a "200 OK" Status-Line
is returned if there is a response message body, and
a "204 No Content" Status-Line is returned if there is
no response message body.
If the user is not authorized to invoke the target operation,
an error response containing
a "403 Forbidden" or "404 Not Found" Status-Line is returned to
the client. All other error responses are handled according to
the procedures defined in .
Example:
In this example, the client is invoking the "play" operation
defined in the "example‑jukebox" YANG module.
A client might send a "play" request as follows:
The server might respond:
The PUT method is sent by the client to create or replace
the target resource.
The only target resource media type that supports PUT is the data
resource. The message body is expected to contain the
content used to create or replace the target resource.
The "insert" () and "point" () query parameters are
supported by the PUT method for data resources.
Consistent with , if the PUT request creates a new resource,
a "201 Created" Status-Line is returned. If an existing resource
is modified, either "200 OK" or "204 No Content" are returned.
If the user is not authorized to create or replace the target resource
an error response containing
a "403 Forbidden" or "404 Not Found" Status-Line is returned to
the client. All other error responses are handled according to
the procedures defined in .
Example:
An "album" child resource defined in the "example‑jukebox" YANG module
is replaced or created if it does not already exist.
To replace the "album" resource contents,
the client might send as follows.
Note that the request URI header line is wrapped
for display purposes only:
If the resource is updated, the server might respond:
RESTCONF uses the HTTP PATCH method defined
in to provide an extensible framework for
resource patching mechanisms. It is optional to implement
by the server. Each patch type needs a unique
media type. Zero or more PATCH media types MAY be supported
by the server.
A plain patch is used to create or update
a child resource within the target resource.
If the target resource instance does not exist, the server MUST
NOT create it.
If the PATCH request succeeds, a "200 OK" Status-Line
is returned if there is a message body, and "204 No Content"
is returned if no response message body is sent.
If the user is not authorized to alter the target resource
an error response containing
a "403 Forbidden" or "404 Not Found" Status-Line is returned to
the client. All other error responses are handled according to
the procedures defined in .
Example:
To replace just the "year" field in the "album" resource
(instead of replacing the entire resource with the PUT method),
the client might send a plain patch as follows.
Note that the request URI header line is wrapped
for display purposes only:
If the field is updated, the server might respond:
The XML encoding for the same request might be:
The DELETE method is used to delete the target resource.
If the DELETE request succeeds, a "204 No Content" Status-Line
is returned, and there is no response message body.
If the user is not authorized to delete the target resource then
an error response containing
a "403 Forbidden" or "404 Not Found" Status-Line is returned to
the client. All other error responses are handled according to
the procedures defined in .
Example:
To delete a resource such as the "album" resource,
the client might send:
If the resource is deleted, the server might respond:
Each RESTCONF operation allows zero or more query
parameters to be present in the request URI.
The specific parameters that are allowed depends
on the resource type, and sometimes the specific target
resource used, in the request.
NameMethodsDescriptioncontentGETSelect config and/or non-config data resourcesdepthGETRequest limited sub-tree depth in the reply contentfilterGETBoolean notification filter for event-stream resourcesinsertPOST, PUTInsertion mode for user-ordered data resourceslimitGETNumber of entries to return for collection resourcesoffsetGETStarting point for collection resourcespointPOST, PUTInsertion point for user-ordered data resourcesselectGETRequest a subset of the target resource contentsstart-timeGETReplay buffer start time for event-stream resourcesstop-timeGETReplay buffer stop time for event-stream resources
Query parameters can be given in any order.
Each parameter can appear at most once in a request URI.
A default value may apply if the parameter is missing.
Refer to for examples of query parameter usage.
If vendors define additional query parameters, they SHOULD use a
prefix (such as the enterprise or organization name) for query
parameter names in order to avoid collisions with other parameters.
A new set of NETCONF Capability URNs are defined to identify the specific
query parameters supported by the server.
NameURIcontenturn:ietf:params:restconf:capability:content:1.0depthurn:ietf:params:restconf:capability:depth:1.0filterurn:ietf:params:restconf:capability:filter:1.0inserturn:ietf:params:restconf:capability:insert:1.0pageurn:ietf:params:restconf:capability:page:1.0selecturn:ietf:params:restconf:capability:select:1.0replayurn:ietf:params:restconf:capability:replay:1.0
The "content" parameter controls how descendant nodes of
the requested data nodes will be processed in the reply.
The allowed values are:
ValueDescriptionconfigReturn only configuration descendant data nodesnonconfigReturn only non-configuration descendant data nodesallReturn all descendant data nodes
This parameter is only allowed for GET methods on datastore and data
resources. A 400 Bad Request error is returned if used for other
methods or resource types.
The default value is determined by the "config" statement value of the
requested data nodes. If the "config" value is "false", then the
default for the "content" parameter is "nonconfig". If "config" is
"true" then the default for the "content" parameter is "config".
If this query parameter is supported by the server, then the
"content" query parameter URI MUST be listed in the "capability" leaf-list
in .
The "depth" parameter is used to specify the number of nest levels
returned in a response for a GET method. The first nest-level
consists of the requested data node itself. Any child nodes which are
contained within a parent node have a depth value that is 1 greater
than its parent.
The value of the "depth" parameter is either an integer between 1 and
65535, or the string "unbounded". "unbounded" is the default.
This parameter is only allowed for GET methods on API, datastore, and
data resources. A 400 Bad Request error is returned if it used for
other methods or resource types.
By default, the server will include all sub-resources within a
retrieved resource, which have the same resource type as the requested
resource. Only one level of sub-resources with a different media type
than the target resource will be returned.
If this query parameter is supported by the server, then the
"depth" query parameter URI MUST be listed in the "capability" leaf-list
in .
The "select" query parameter is used to optionally identify
data nodes within the target resource to be retrieved in a
GET method. The client can use this parameter to retrieve
a subset of all nodes in a resource.
A value of the "select" query parameter matches the
following rule:
"api‑identifier" is defined in .
";" is used to select multiple nodes. For example, to
retrieve only the "genre" and "year" of an album, use:
"select=genre;year".
Parentheses are used to specify sub-selectors of a node.
For example, to retrieve only the "label" and
"catalogue‑number" of an album, use:
"select=admin(label;catalogue‑number)".
"/" is used in a path to retrieve a child node of a node.
For example, to retrieve only the "label" of an album, use:
"select=admin/label".
This parameter is only allowed for GET methods on api,
datastore, and data resources. A 400 Bad Request error
is returned if used for other methods or resource types.
If this query parameter is supported by the server, then the
"select" query parameter URI MUST be listed in the "capability" leaf-list
in .
The "insert" parameter is used to specify how a
resource should be inserted within a user-ordered list.
The allowed values are:
ValueDescriptionfirstInsert the new data as the new first entry.lastInsert the new data as the new last entry.beforeInsert the new data before the insertion point, as specified by the value of the "point" parameter.afterInsert the new data after the insertion point, as specified by the value of the "point" parameter.
The default value is "last".
This parameter is only supported for the POST and PUT
methods. It is also only supported if the target
resource is a data resource, and that data represents
a YANG list or leaf-list that is ordered by the user.
If the values "before" or "after" are used,
then a "point" query parameter for the insertion
parameter MUST also be present, or a 400 Bad Request
error is returned.
If this query parameter is supported by the server, then the
"insert" query parameter URI MUST be listed in the "capability" leaf-list
in . The "point" query parameter MUST also be supported
by the server.
The "point" parameter is used to specify the
insertion point for a data resource that is being
created or moved within a user ordered list or leaf-list.
The value of the "point" parameter is of type
"data‑resource‑identifier", defined in the "ietf‑restconf" YANG module
.
This parameter is only supported for the POST and PUT
methods. It is also only supported if the target
resource is a data resource, and that data represents
a YANG list or leaf-list that is ordered by the user.
If the "insert" query parameter is not present, or has
a value other than "before" or "after", then a 400
Bad Request error is returned.
This parameter contains the instance identifier of the
resource to be used as the insertion point for a
POST or PUT method.
If the server includes the "insert" query parameter URI in
the "capability" leaf-list in , then the "point"
query parameter MUST be supported.
The "limit" parameter is used to restrict the number of data resources
to return in response to GET requests on collection resources.
The value of the "limit" parameter is either an integer greater than
or equal to 1, or the string "unbounded". The string "unbounded" is the
default value.
If the server includes the "page" query parameter URI in
the "capability" leaf-list in , then the "limit"
query parameter MUST be supported.
The "offset" parameter is used to specify the first data resource to
return in response to GET requests on collection resources.
Resources instances are numbered with consecutive integers
from 1 to the number of resource instances.
The value of the "offset" parameter is an integer greater than
or equal to 1. The default value is 1.
If the server includes the "page" query parameter URI in
the "capability" leaf-list in , then the "offset"
query parameter MUST be supported.
The "filter" parameter is used to indicate which subset of
all possible events are of interest. If not present, all
events not precluded by other parameters will be sent.
This parameter is only allowed for GET methods on a
text/event-stream data resource. A 400 Bad Request error
is returned if used for other methods or resource types.
The format of this parameter is an XPath 1.0 expression, and is
evaluated in the following context:
The set of namespace declarations is the set of
prefix and namespace pairs for all supported YANG
modules, where the prefix is the YANG module name, and
the namespace is as defined by the "namespace" statement
in the YANG module.
The function library is the core function library defined
in XPath 1.0.
The set of variable bindings is empty.
The context node is the root node.
The filter is used as defined in , section 3.6.
If the boolean result of the expression is true when applied
to the conceptual "notification" document root, then the
notification event is delivered to the client.
If this query parameter is supported by the server, then the
"filter" query parameter URI MUST be listed in the "capability" leaf-list
in .
The "start‑time" parameter is used to trigger
the notification replay feature and indicate
that the replay should start at the time specified.
If the stream does not support replay, per the
"replay‑support" attribute returned by stream list
entry for the stream resource, then the server MUST
return the HTTP error code 400 Bad Request.
The value of the "start‑time" parameter is of type
"date‑and‑time", defined in the "ietf‑yang" YANG module
.
This parameter is only allowed for GET methods on a
text/event-stream data resource. A 400 Bad Request error
is returned if used for other methods or resource types.
If this parameter is not present, then a replay subscription
is not being requested. It is not valid to specify start
times that are later than the current time. If the value
specified is earlier than the log can support, the replay
will begin with the earliest available notification.
If this query parameter is supported by the server, then the
"replay" query parameter URI MUST be listed in the "capability" leaf-list
in . The "stop‑time" query parameter MUST also be supported
by the server.
If the "replay‑support" leaf is present in the "stream"
entry (defined in ) then the server MUST support
the "start‑time" and "stop‑time" query parameters for that stream.
The "stop‑time" parameter is used with the
replay feature to indicate the newest notifications of
interest. This parameter MUST be used with and have a
value later than the "start‑time" parameter.
The value of the "stop‑time" parameter is of type
"date‑and‑time", defined in the "ietf‑yang" YANG module
.
This parameter is only allowed for GET methods on a
text/event-stream data resource. A 400 Bad Request error
is returned if used for other methods or resource types.
If this parameter is not present, the notifications will
continue until the subscription is terminated.
Values in the future are valid.
If this query parameter is supported by the server, then the
"replay" query parameter URI MUST be listed in the "capability" leaf-list
in . The "start‑time" query parameter MUST also be supported
by the server.
If the "replay‑support" leaf is present in the "stream"
entry (defined in ) then the server MUST support
the "start‑time" and "stop‑time" query parameters for that stream.
The RESTCONF protocol uses HTTP entities for messages.
A single HTTP message corresponds to a single protocol method.
Most messages can perform a single task on a single resource,
such as retrieving a resource or editing a resource.
The exception is the PATCH method, which allows multiple datastore
edits within a single message.
Resources are represented with URIs following the structure
for generic URIs in .
A RESTCONF operation is derived from the HTTP method
and the request URI, using the following conceptual fields:
method: the HTTP method identifying the RESTCONF operation
requested by the client, to act upon the target resource
specified in the request URI. RESTCONF operation details are
described in .
entry: the root of the RESTCONF API configured on this HTTP
server, discovered by getting the ".well‑known/host‑meta"
resource, as described in .
resource: the path expression identifying the resource
that is being accessed by the operation.
If this field is not present, then the target resource
is the API itself, represented by the media type "application/yang.api".
query: the set of parameters associated with the RESTCONF
message. These have the familiar form of "name=value" pairs.
All query parameters are optional to implement by the server
and optional to use by the client. Each query parameter is
identified by a URI. The server MUST list the
query parameter URIs it supports in the "capabilities"
list defined in .
There is a specific set of parameters defined,
although the server MAY choose to support query
parameters not defined in this document.
The contents of the any query parameter value MUST be encoded
according to , section 3.4. Any reserved characters
MUST be encoded with escape sequences, according to ,
section 2.4.
fragment: This field is not used by the RESTCONF protocol.
When new resources are created by the client, a "Location" header
is returned, which identifies the path of the newly created resource.
The client MUST use this exact path identifier to access
the resource once it has been created.
The "target" of an operation is a resource.
The "path" field in the request URI represents
the target resource for the operation.
In line the best practices defined by , RESTCONF
enables deployments to specify where the RESTCONF API is located.
When first connecting to a RESTCONF server, a RESTCONF client MUST
determine the root of the RESTCONF API. The client discovers this
by getting the "/.well‑known/host‑meta" resource () and
using the <Link> element containing the "restconf" attribute :
Once discovering the RESTCONF API root, the client MUST prepend it to
any subsequent request to a RESTCONF resource. For instance, using
the "/restconf" path discovered above, the client can now determine
the operations supported by the the server:
There are several HTTP header lines utilized in RESTCONF messages.
Messages are not limited to the HTTP headers listed in this section.
HTTP defines which header lines are required for particular
circumstances. Refer to each operation definition section
in for examples on how particular headers are used.
There are some request headers that are used within RESTCONF,
usually applied to data resources.
The following tables summarize the headers most relevant
in RESTCONF message requests:
NameDescriptionAcceptResponse Content-Types that are acceptableContent-TypeThe media type of the request bodyHostThe host address of the serverIf-MatchOnly perform the action if the entity matches ETagIf-Modified-SinceOnly perform the action if modified since timeIf-Unmodified-SinceOnly perform the action if un-modified since time
The following tables summarize the headers most relevant
in RESTCONF message responses:
NameDescriptionAllowValid actions when 405 error returnedCache-ControlThe cache control parameters for the responseContent-TypeThe media type of the response bodyDateThe date and time the message was sentETagAn identifier for a specific version of a resourceLast-ModifiedThe last modified date and time of a resourceLocationThe resource identifier for a newly created resource
RESTCONF messages are encoded in HTTP according to RFC 2616.
The "utf‑8" character set is used for all messages.
RESTCONF message content is sent in the HTTP message body.
Content is encoded in either JSON or XML format.
A server MUST support XML encoding and MAY support JSON encoding.
XML encoding rules for data nodes are defined in .
The same encoding rules are used for all XML content.
JSON encoding rules are defined in .
This encoding is valid JSON, but also has
special encoding rules to identify module namespaces
and provide consistent type processing of YANG data.
Request input content encoding format is identified with the Content-Type
header. This field MUST be present if a message body is sent
by the client.
Response output content encoding format is identified with the Accept
header in the request, or if is not specified, the request
input encoding format is used.
If there was no request input, then the default output encoding is XML.
File extensions encoded in the request are not used to identify
format encoding.
The RESTCONF protocol needs to retrieve the same meta-data that is
used in the NETCONF protocol. Information about default leafs,
last-modified timestamps, etc. are commonly used to annotate
representations of the datastore contents. This meta-data
is not defined in the YANG schema because it applies to the
datastore, and is common across all data nodes.
This information is encoded as attributes in XML.
JSON encoding of meta-data is defined in .
Each message represents some sort of resource access.
An HTTP "Status‑Line" header line is returned for each request.
If a 4xx or 5xx range status code is returned in the Status-Line,
then the error information will be returned in the response,
according to the format defined in .
Since the datastore contents change at unpredictable times,
responses from a RESTCONF server generally SHOULD NOT be cached.
The server SHOULD include a "Cache‑Control" header in every response
that specifies whether the response should be cached. A "Pragma"
header specifying "no‑cache" MAY also be sent in case the
"Cache‑Control" header is not supported.
Instead of using HTTP caching, the client SHOULD track the "ETag"
and/or "Last‑Modified" headers returned by the server for the
datastore resource (or data resource if the server supports it).
A retrieval request for a resource can include
the "If‑None‑Match" and/or "If‑Modified‑Since" headers, which
will cause the server to return a "304 Not Modified" Status-Line
if the resource has not changed.
The client MAY use the HEAD method to retrieve just
the message headers, which SHOULD include the "ETag"
and "Last‑Modified" headers, if this meta-data is maintained
for the target resource.
The RESTCONF protocol supports YANG-defined event notifications. The
solution preserves aspects of NETCONF Event Notifications
while utilizing the Server-Sent Events
transport strategy.
A RESTCONF server is not required to support RESTCONF notifications.
Clients may determine if a server supports RESTCONF notifications by
using the HTTP operation OPTIONS, HEAD, or GET on the stream list.
The server does not support RESTCONF notifications if an HTTP error
code is returned (e.g., 404 Not Found).
A RESTCONF server that supports notifications will populate a
stream resource for each notification delivery service access point.
A RESTCONF client can retrieve the list of supported event streams from
a RESTCONF server using the GET operation on the stream list.
The "restconf‑state/streams" container definition in
the "ietf‑restconf‑monitoring" module
(defined in ) is used to specify the structure and syntax
of the conceptual child resources within the "streams" resource.
For example:
The client might send the following request:
The server might send the following response:
RESTCONF clients can determine the URL for the subscription resource
(to receive notifications) by sending an
HTTP GET request for the "events" leaf with the stream list
entry. The value returned by the server can be used for the actual
notification subscription.
The client will send an HTTP GET request for the URL returned
by the server with the "Accept" type "text/event‑stream".
The server will treat the connection as an event stream, using the
Server Sent Events transport strategy.
The server MAY support query parameters for a GET method on this
resource. These parameters are specific to each notification stream.
For example:
The client might send the following request:
The server might send the following response:
The RESTCONF client can then use this URL value to start
monitoring the event stream:
A RESTCONF client MAY request the server compress the events using
the HTTP header field "Accept‑Encoding". For instance:
The server SHOULD support the "NETCONF" notification stream
defined in . For this stream,
RESTCONF notification subscription requests MAY specify parameters
indicating the events it wishes to receive. These query parameters
are optional to implement, and only available if the server supports
them.
NameSectionDescriptionstart-timereplay event start timestop-timereplay event stop timefilterboolean content filter
The semantics and syntax for these query parameters are
defined in the sections listed above.
The YANG encoding MUST be converted to URL-encoded string
for use in the request URI.
Refer to for filter parameter examples.
RESTCONF notifications are encoded according to the
definition of the event stream. The NETCONF stream
defined in is encoded in XML format.
The structure of the event data is based on the "notification"
element definition in section 4 of . It MUST
conform to the "notification" YANG container definition in .
An example SSE notification encoded using XML:
An example SSE notification encoded using JSON:
Alternatively, since neither XML nor JSON are whitespace sensitive,
the above messages can be encoded onto a single line. For example:
For example: ('\' line wrapping added for formatting only)
The SSE specifications supports the following additional fields:
event, id and retry. A RESTCONF server MAY send the "retry" field
and, if it does, RESTCONF clients SHOULD use it.
A RESTCONF server SHOULD NOT send the "event" or "id" fields,
as there are no meaningful values that could be used for them
that would not be redundant to the contents of the notification itself.
RESTCONF servers that do not send the "id" field also do not need
to support the HTTP header "Last‑Event‑Id". RESTCONF servers that
do send the "id" field MUST still support the "startTime" query
parameter as the preferred means for a client to specify where to
restart the event stream.
HTTP Status-Lines are used to report success or failure
for RESTCONF operations.
The <rpc‑error> element returned in NETCONF error responses
contains some useful information. This error information
is adapted for use in RESTCONF, and error information
is returned for "4xx" class of status codes.
The following table summarizes the return status codes
used specifically by RESTCONF operations:
Status-LineDescription100 ContinuePOST accepted, 201 should follow200 OKSuccess with response body201 CreatedPOST to create a resource success202 AcceptedPOST to create a resource accepted204 No ContentSuccess without response body304 Not ModifiedConditional operation not done400 Bad RequestInvalid request message403 ForbiddenAccess to resource denied404 Not FoundResource target or resource node not found405 Method Not AllowedMethod not allowed for target resource409 ConflictResource or lock in use412 Precondition FailedConditional method is false413 Request Entity Too Largetoo-big error414 Request-URI Too Largetoo-big error415 Unsupported Media Typenon RESTCONF media type500 Internal Server Erroroperation-failed501 Not Implementedunknown-operation503 Service UnavailableRecoverable server error
Since an operation resource is defined with a YANG "rpc"
statement, a mapping between the NETCONF <error‑tag> value
and the HTTP status code is needed. The specific error
condition and response code to use are data-model specific
and might be contained in the YANG "description" statement
for the "rpc" statement.
<error‑tag>status codein-use409invalid-value400too-big413missing-attribute400bad-attribute400unknown-attribute400bad-element400unknown-element400unknown-namespace400access-denied403lock-denied409resource-denied409rollback-failed500data-exists409data-missing409operation-not-supported501operation-failed500partial-operation500malformed-message400
When an error occurs for a request message on a data resource
or an operation resource, and a "4xx" class of status codes
(except for status code "403 Forbidden"),
then the server SHOULD send a response body containing
the information described by the "errors" container definition
within the YANG module . The Content-Type of this
response message MUST be application/yang.errors.
YANG Tree Diagram for <errors> Data:
The semantics and syntax for RESTCONF error messages are
defined in the "errors" YANG grouping in .
Examples:
The following example shows an error returned for
an "lock‑denied" error on a datastore resource.
The server might respond:
The following example shows an error returned for
a "data‑exists" error on a data resource.
The "jukebox" resource already exists so it cannot be created.
The client might send:
The server might respond:
The "ietf‑restconf" module defines conceptual definitions
within groupings, which are not meant to be implemented
as datastore contents by a server. The "restconf" container
is not intended to be implemented as a top-level data node
(under the "/restconf/data" entry point).
The "ietf‑yang‑types" module from
is used by this module for some type definitions.
RFC Ed.: update the date below with the date of RFC publication and
remove this note.
<CODE BEGINS> file "ietf-restconf@2014-10-25.yang"<CODE ENDS>
The "ietf‑restconf‑monitoring" module provides information about
the RESTCONF protocol capabilities and notification event streams
available from the server. Implementation is
mandatory for RESTCONF servers, if any protocol capabilities
or notification event streams are supported.
YANG Tree Diagram for "ietf‑restconf‑monitoring" module:
This mandatory container holds the RESTCONF
protocol capability URIs supported by the server.
The server MUST maintain a last-modified timestamp for this
container, and return the "Last‑Modified" header when this
data node is retrieved with the GET or HEAD methods.
The server SHOULD maintain an entity-tag for this
container, and return the "ETag" header when this
data node is retrieved with the GET or HEAD methods.
This optional container provides access to the
notification event streams supported by the server.
The server MAY omit this container if no
notification event streams are supported.
The server will populate this container with a stream list entry for
each stream type it supports. Each stream contains a leaf
called "events" which contains a URI that
represents an event stream resource.
Stream resources are defined in .
Notifications are defined in .
The "ietf‑restconf‑monitoring" module defines monitoring
information for the RESTCONF protocol.
The "ietf‑yang‑types" and "ietf‑inet‑types" modules from
are used by this module for some type definitions.
RFC Ed.: update the date below with the date of RFC publication and
remove this note.
<CODE BEGINS> file "ietf-restconf-monitoring@2014-10-25.yang"<CODE ENDS>
The "ietf‑yang‑library" module provides information about
the YANG modules and submodules used by the RESTCONF server.
Implementation is mandatory for RESTCONF servers.
All YANG modules and submodules used by the server MUST
be identified in the YANG module library.
YANG Tree Diagram for "ietf‑yang‑library" module:
This mandatory container holds the identifiers
for the YANG data model modules supported by the server.
The server MUST maintain a last-modified timestamp for this
container, and return the "Last‑Modified" header when this
data node is retrieved with the GET or HEAD methods.
The server SHOULD maintain an entity-tag for this
container, and return the "ETag" header when this
data node is retrieved with the GET or HEAD methods.
This mandatory list contains one entry
for each YANG data model module supported by the server.
There MUST be an instance of this list for every
YANG module that is used by the server.
The contents of the "module" list are defined in
the "module" YANG list statement in .
The server MAY maintain a last-modified timestamp for
each instance of this list entry, and return the
"Last‑Modified" header when this data node is retrieved
with the GET or HEAD methods. If not supported
then the timestamp for the parent "modules" container
MAY be used instead.
The server MAY maintain an entity-tag for each instance
of this list entry, and return the "ETag" header when this
data node is retrieved with the GET or HEAD methods.
If not supported then the timestamp for the
parent "modules" container MAY be used instead.
The "ietf‑yang‑library" module defines monitoring
information for the YANG modules used by a RESTCONF server.
The "ietf‑yang‑types" and "ietf‑inet‑types" modules from
are used by this module for some type definitions.
RFC Ed.: update the date below with the date of RFC publication and
remove this note.
<CODE BEGINS> file "ietf-yang-library@2014-10-25.yang"<CODE ENDS>
This specification registers the "restconf" relation type in the Link
Relation Type Registry defined by :
`
This document registers three URIs in the IETF XML registry
. Following the format in RFC 3688, the following
registration is requested to be made.
This document registers three YANG modules in the YANG Module Names
registry .
The parent MIME media type for RESTCONF resources is application/yang,
which is defined in . This document defines the following
sub-types for this media type.
This document registers several capability identifiers in
"Network Configuration Protocol (NETCONF) Capability URNs"
registry
This section provides security considerations for the resources
defined by the RESTCONF protocol. Security considerations for
HTTPS are defined in . Security considerations for the
content manipulated by RESTCONF can be found in the documents
defining data models.
This document does not specify an authentication scheme, but
it does require that an authenticated NETCONF username be
associated with each HTTP request. The authentication scheme
MAY be implemented in the underlying transport layer (e.g.,
client certificates) or within the HTTP layer (e.g., Basic
Auth, OAuth, etc.). RESTCONF does not itself define an
authentication mechanism, authentication MUST occur in a
lower layer. Implementors SHOULD provide a comprehensive
authorization scheme with RESTCONF and ensure that the resulting
NETCONF username is made available to the RESTCONF server.
Authorization of individual user access to operations and data
MAY be configured via NETCONF Access Control Model (NACM)
, as specified in . Other authorization
models MAY be used, but are outside of the scope of this
document.
Configuration information is by its very nature sensitive. Its
transmission in the clear and without integrity checking leaves
devices open to classic eavesdropping and false data injection
attacks. Configuration information often contains passwords, user
names, service descriptions, and topological information, all of
which are sensitive. Because of this, this protocol SHOULD be
implemented carefully with adequate attention to all manner of attack
one might expect to experience with other management interfaces.
Different environments may well allow different rights prior to and
then after authentication. When an operation is not properly authorized,
the RESTCONF server MUST return HTTP error status code 401 Unauthorized.
Note that authorization information can be exchanged in the form of
configuration information, which is all the more reason to ensure the
security of the connection.
The authors would like to thank for following for lively discussions
on list and in the halls (ordered by last name): Rex Fernando
Key words for use in RFCs to Indicate Requirement LevelsHarvard UniversityIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.The TLS Protocol, Version 1.0CerticomCerticomThis document specifies Version 1.0 of the Transport Layer Security
(TLS) protocol. The TLS protocol provides communications privacy over
the Internet. The protocol allows client/server applications to
communicate in a way that is designed to prevent eavesdropping,
tampering, or message forgery.Uniform Resource Identifiers (URI): Generic SyntaxWorld Wide Web ConsortiumMIT Laboratory for Computer Science, NE43-356545 Technology SquareCambridgeMA02139+1(617)258-8682timbl@w3.orgDepartment of Information and Computer ScienceUniversity of California, IrvineIrvineCA92697-3425+1(949)824-1715fielding@ics.uci.eduXerox PARC3333 Coyote Hill RoadPalo AltoCA94034+1(415)812-4333masinter@parc.xerox.com
Applications
uniform resourceURI
A Uniform Resource Identifier (URI) is a compact string of characters
for identifying an abstract or physical resource. This document
defines the generic syntax of URI, including both absolute and
relative forms, and guidelines for their use; it revises and replaces
the generic definitions in RFC 1738 and RFC 1808.
This document defines a grammar that is a superset of all valid URI,
such that an implementation can parse the common components of a URI
reference without knowing the scheme-specific requirements of every
possible identifier type. This document does not define a generative
grammar for URI; that task will be performed by the individual
specifications of each URI scheme.
This paper describes a "superset" of operations that can be applied
to URI. It consists of both a grammar and a description of basic
functionality for URI. To understand what is a valid URI, both the
grammar and the associated description have to be studied. Some of
the functionality described is not applicable to all URI schemes, and
some operations are only possible when certain media types are
retrieved using the URI, regardless of the scheme used.
Hypertext Transfer Protocol -- HTTP/1.1Department of Information and Computer ScienceUniversity of California, IrvineIrvineCA92697-3425+1(949)824-1715fielding@ics.uci.eduWorld Wide Web ConsortiumMIT Laboratory for Computer Science, NE43-356545 Technology SquareCambridgeMA02139+1(617)258-8682jg@w3.orgCompaq Computer CorporationWestern Research Laboratory250 University AvenuePalo AltoCA94305mogul@wrl.dec.comWorld Wide Web ConsortiumMIT Laboratory for Computer Science, NE43-356545 Technology SquareCambridgeMA02139+1(617)258-8682frystyk@w3.orgXerox CorporationMIT Laboratory for Computer Science, NE43-3563333 Coyote Hill RoadPalo AltoCA94034masinter@parc.xerox.comMicrosoft Corporation1 Microsoft WayRedmondWA98052paulle@microsoft.comWorld Wide Web ConsortiumMIT Laboratory for Computer Science, NE43-356545 Technology SquareCambridgeMA02139+1(617)258-8682timbl@w3.org
The Hypertext Transfer Protocol (HTTP) is an application-level
protocol for distributed, collaborative, hypermedia information
systems. It is a generic, stateless, protocol which can be used for
many tasks beyond its use for hypertext, such as name servers and
distributed object management systems, through extension of its
request methods, error codes and headers . A feature of HTTP is
the typing and negotiation of data representation, allowing systems
to be built independently of the data being transferred.
HTTP has been in use by the World-Wide Web global information
initiative since 1990. This specification defines the protocol
referred to as "HTTP/1.1", and is an update to RFC 2068 .
The IETF XML RegistryRTFM, Inc.This memo describes how to use TLS to secure HTTP connections over
the Internet. Current practice is to layer HTTP over SSL (the
predecessor to TLS), distinguishing secured traffic from insecure
traffic by the use of a different server port. This document
documents that practice using TLS. A companion document describes a
method for using HTTP/TLS over the same port as normal HTTP
[RFC2817].The IETF XML RegistryThis document describes an IANA maintained registry for IETF standards which use Extensible Markup Language (XML) related items such as Namespaces, Document Type Declarations (DTDs), Schemas, and Resource Description Framework (RDF) Schemas.Uniform Resource Identifier (URI): Generic SyntaxWorld Wide Web ConsortiumMassachusetts Institute of Technology77 Massachusetts AvenueCambridgeMA02139USA+1-617-253-5702+1-617-258-5999timbl@w3.orghttp://www.w3.org/People/Berners-Lee/Day Software5251 California Ave., Suite 110IrvineCA92617USA+1-949-679-2960+1-949-679-2972fielding@gbiv.comhttp://roy.gbiv.com/Adobe Systems Incorporated345 Park AveSan JoseCA95110USA+1-408-536-3024LMM@acm.orghttp://larry.masinter.net/
Applications
uniform resource identifierURIURLURNWWWresource
A Uniform Resource Identifier (URI) is a compact sequence of characters
that identifies an abstract or physical resource. This specification
defines the generic URI syntax and a process for resolving URI references
that might be in relative form, along with guidelines and security
considerations for the use of URIs on the Internet.
The URI syntax defines a grammar that is a superset of all valid URIs,
allowing an implementation to parse the common components of a URI
reference without knowing the scheme-specific requirements of every
possible identifier. This specification does not define a generative
grammar for URIs; that task is performed by the individual
specifications of each URI scheme.
NETCONF Event NotificationsNortelCiscoYANG is a data modeling language used to model configuration and state data manipulated by the Network Configuration Protocol (NETCONF), NETCONF remote procedure calls, and NETCONF notifications. [STANDARDS TRACK]Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) ProfileNISTMicrosoftTrinity College DublinEntrustVigil SecurityNISTThis memo profiles the X.509 v3 certificate and X.509 v2 certificate
revocation list (CRL) for use in the Internet. An overview of this
approach and model is provided as an introduction. The X.509 v3
certificate format is described in detail, with additional
information regarding the format and semantics of Internet name
forms. Standard certificate extensions are described and two
Internet-specific extensions are defined. A set of required
certificate extensions is specified. The X.509 v2 CRL format is
described in detail along with standard and Internet-specific
extensions. An algorithm for X.509 certification path validation is
described. An ASN.1 module and examples are provided in the
appendices.PATCH Method for HTTPSeveral applications extending the Hypertext Transfer Protocol (HTTP) require a feature to do partial resource modification. The existing HTTP PUT method only allows a complete replacement of a document. This proposal adds a new HTTP method, PATCH, to modify an existing HTTP resource. [STANDARDS-TRACK]Web LinkingYANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)YANG is a data modeling language used to model configuration and state data manipulated by the Network Configuration Protocol (NETCONF), NETCONF remote procedure calls, and NETCONF notifications. [STANDARDS TRACK]Network Configuration Protocol (NETCONF)Network Configuration Protocol (NETCONF) Access Control ModelThe standardization of network configuration interfaces for use with the Network Configuration Protocol (NETCONF) requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability. There is a need for standard mechanisms to restrict NETCONF protocol access for particular users to a pre-configured subset of all available NETCONF protocol operations and content. This document defines such an access control model. [STANDARDS-TRACK]URI TemplateGoogleAdobeMITRERackspaceSalesforce.comArchitectural Styles and
the Design of Network-based Software ArchitecturesUniversity of California, IrvineModeling JSON Text with YANGCZ.NICDefining and Using Metadata with YANGCZ.NICWeb Host MetadataCommon YANG Data TypesThis document introduces a collection of common data types to be used with the YANG data modeling language. This document obsoletes RFC 6021.Server-Sent EventsExtensible Markup Language (XML) 1.0 (Fifth Edition)The JSON Data Interchange FormatURI Design and OwnershipXML Path Language (XPath) Version 1.0
added collection resource
added "page" query parameter capability
added "limit" and "offset" query parameters, which are available if
the "page" capability is supported
added "stream list" term
fixed bugs in some examples
added "encoding" list within the "stream" list to allow
different <events> URLs for XML and JSON encoding.
made XML MUST implement and JSON MAY implement for servers
re-add JSON notification examples (previously removed)
updated JSON references
moved query parameter definitions from the YANG module
back to the plain text sections
made all query parameters optional to implement
defined query parameter capability URI
moved 'streams' to new YANG module (ietf-restconf-monitoring)
added 'capabilities' container to new YANG module (ietf-restconf-monitoring)
moved 'modules' container to new YANG module (ietf-yang-library)
added new leaf 'module‑set‑id' (ietf-yang-library)
added new leaf 'conformance' (ietf-yang-library)
changed 'schema' leaf to type inet:uri that returns the location
of the YANG schema (instead of returning the schema directly)
changed 'events' leaf to type inet:uri that returns the location
of the event stream resource (instead of returning events directly)
changed examples for yang.api resource since the monitoring information
is no longer in this resource
closed issue #1 'select parameter' since no objections to the proposed
syntax
closed "encoding of list keys" issue since no objection to new encoding
of list keys in a target resource URI.
moved open issues list to the issue tracker on github
fixed content=nonconfig example (non-config was incorrect)
closed open issue 'message‑id'. There is no need for a message-id
field, and RFC 2392 does not apply.
closed open issue 'server support verification'. The headers used
by RESTCONF are widely supported.
removed encoding rules from section on RESTCONF Meta-Data. This is now
defined in "I‑D.lhotka‑netmod‑json".
added media type application/yang.errors to map to errors YANG grouping.
Updated error examples to use new media type.
closed open issue 'additional datastores'. Support may be added in the
future to identify new datastores.
closed open issue 'PATCH media type discovery'. The section
on PATCH has an added sentence on the Accept-Patch header.
closed open issue 'YANG to resource mapping'. Current mapping
of all data nodes to resources will be used in order to allow
mandatory DELETE support. The PATCH operation is optional,
as well as the YANG Patch media type.
closed open issue '_self links for HATEOAS support'. It was decided
that they are redundant because they can be derived from the YANG module
for the specific data.
added explanatory text for the 'select' parameter.
added RESTCONF Path Resolution section for discovering the
root of the RESTCONF API using the /.well-known/host-meta.
added an "error" media type to for structured error messages
added Secure Transport section requiring TLS
added Security Considerations section
removed all references to "REST‑like"
updated open issues section
The RESTCONF issues are tracked on github.com:
The example YANG module used in this document represents
a simple media jukebox interface.
YANG Tree Diagram for "example‑jukebox" Module
The examples within this document use the normative
YANG module defined in and the non-normative
example YANG module defined in .
This section shows some typical RESTCONF message exchanges.
The client may start by retrieving the top-level
API resource, using the entry point URI "{+restconf}".
The server might respond as follows:
To request that the response content to be encoded in XML,
the "Accept" header can be used, as in this example request:
The server will return the same response either way,
which might be as follows :
In this example the client is retrieving the modules information
from the server in JSON format:
The server might respond as follows.
In this example the client is retrieving the capability information
from the server in JSON format, and the server supports all
the RESTCONF query parameters, plus one vendor parameter:
The server might respond as follows.
To create a new "artist" resource within the "library"
resource, the client might send the following request.
If the resource is created, the server might respond as follows.
Note that the "Location" header line is wrapped
for display purposes only:
To create a new "album" resource for this artist within the "jukebox"
resource, the client might send the following request.
Note that the request URI header line is wrapped
for display purposes only:
If the resource is created, the server might respond
as follows. Note that the "Location" header line is wrapped
for display purposes only:
In this example, the server just supports the
mandatory datastore last-changed timestamp.
The client has previously retrieved the "Last‑Modified"
header and has some value cached to provide in
the following request to patch an "album" list entry
with key value "Wasting Light". Only the "year" field is being
updated.
In this example the datastore resource has changed
since the time specified in the "If‑Unmodified‑Since"
header. The server might respond:
The "content" parameter is used to select the type of
data child resources (configuration and/or not configuration)
that are returned by the server for a GET method request.
In this example, a simple YANG list that has configuration
and non-configuration child resources.
Example 1: content=all
To retrieve all the child resources, the "content" parameter
is set to "all". The client might send:
The server might respond:
Example 2: content=config
To retrieve only the configuration child resources,
the "content" parameter is set to "config" or omitted
since this is the default value. Note that the "ETag"
and "Last‑Modified" headers are only returned if
the content parameter value is "config".
The server might respond:
Example 3: content=nonconfig
To retrieve only the non-configuration child resources,
the "content" parameter is set to "nonconfig". Note
that configuration ancestors (if any) and list key leafs
(if any) are also returned. The client might send:
The server might respond:
The "depth" parameter is used to limit the number of levels
of child resources that are returned by the server for
a GET method request.
This example shows how different values of the "depth"
parameter would affect the reply content for
retrieval of the top-level "jukebox" data resource.
Example 1: depth=unbounded
To retrieve all the child resources, the "depth" parameter
is not present or set to the default value "unbounded".
Note that some strings are wrapped for display purposes only.
The server might respond:
Example 2: depth=1
To determine if 1 or more resource instances exist for
a given target resource, the value "1" is used.
The server might respond:
Example 3: depth=3
To limit the depth level to the target resource plus 2 child resource layers
the value "3" is used.
The server might respond:
In this example the client is retrieving the API resource, but
selecting only the "name" and "revision" nodes
from each module, in JSON format:
The server might respond as follows.
In this example, a new first entry in the "Foo‑One" playlist
is being created.
Request from client:
Response from server:
In this example, the client is inserting a new "song"
resource within an "album" resource after another song.
The request URI is split for display purposes only.
Request from client:
Response from server:
In this example, the client requests the first two "album" resources
for a given artist:
Request from client:
Response from server:
In this example, the client requests the next two albums, i.e., two
albums starting from two.
Request from client:
Response from server:
The following URIs show some examples of notification filter
specifications (lines wrapped for display purposes only):