How to use wildcard to specify nodes (in config) when using annotation

I am trying to hide the password field in tailf-aaa.yang through annotation as given in the example below.

//---- main.yang file ----

module xyz-main {
  namespace "";
  prefix xyz;

  include tailf-aaa-annotation;

  // Other code


//---- tailf-aaa-annotation.yang file

submodule tailf-aaa-annotation {
    belongs-to xyz-main {
        prefix clp;

    import tailf-common {
        prefix tailf;

    import tailf-aaa {
       prefix aaa;

    tailf:annotate "/aaa:aaa/aaa:authentication/aaa:users/(*)/aaa:password" {
        tailf:hidden "hide-aaa-password";

//    tailf:annotate "/aaa:aaa/aaa:authentication/aaa:users/aaa:user/(*)/aaa:password" {
//        tailf:hidden "hide-aaa-password";
//    }


I am encountering problem with specifying wildcard as given in the above example.
I tried ‘()’ as used above, '’, etc. but it fails with the following message.
I also tried the code that is commented-out above, which also resulted in the same failure.

tailf-aaa-annotation.yang:14: error: bad argument value "/aaa:aaa/aaa:authentication/aaa:users/aaa:user/*/aaa:password", should be of type schema-nodeid-or-wildcard

Please le me know if any suggestion on how to specify the password for all users.


You’re making things too hard for yourself:-) - from the documentation of tailf:annotate in the tailf_yang_extensions(5) manual page:

       The argument is a 'schema-nodeid', i.e. the same as for 'augment', or a
       '*'. It identifies a target node in the schema tree to annotate with
       new statements.

Since it is a path in the schema, you can’t specify keys at all, and your annotations will always take effect for all entries in a list. You just need to leave out your “key wildcard”:

tailf:annotate "/aaa:aaa/aaa:authentication/aaa:users/aaa:user/aaa:password" {

As an aside, your placement of the tailf:annotate statement in a submodule of a “normal” module should work, but is really “unusual”. Typically you use “dedicated” modules (without submodules) for annotations, with each “annotation module” holding all the annotations for a single “normal” module (with submodules, if any). This makes the build process and general management simpler and more efficient when you have many modules.

I thought I tried leaving out “key wildcard” - may be, I missed something there. I will try again.