Thomas Anders wrote:
> Wes Hardaker wrote:
> > The VACM MIBs need extending to allow on the fly VACM
> > management as well.
> Eight months later we don't seem to be any closer to this.
> Without having looked into whether/how it could be done (yet), what
> about something along the lines of
>     authuser * log,execute,net authNoPriv
That feels like snmp*.conf syntax, which should already be covered by the
current code. I think that what you're talking about is the MIB interface
to this (existing) behaviour.
I'd suggest that there are two (OK - three) basic approaches that could
be used:
  - A simple augmentation of the standard vacmAccessTable
    (with one column for each new Net-SNMP-specific behaviour)
  - A new table-within-this-table, indexed by the same four vacm* index
    objects, together with a fifth to indicate the NS-specific behaviour
    concerned.
I'm appending suitable first-draft MIB definitions for the two approaches.
The advantage of AUGMENTing the vAT is that it's relatively simple to
implement - most of the code is there already, and we'd just need to add
extra cases to the basic switch for the new behaviour. The disadvantage is
that it's then harder to extend to cover new behaviour in the future - we'd
need to update the MIB definitions accordingly.
The advantage of a table-in-a-table is that such future extensions would
be much smoother - no MIB changes should be needed (given properly crafted
initial definitions). The disadvantage is that more new code would be
needed (if only just to parse the incoming requests).
The third option, of course, is to write something completely unrelated to
the vacmAccessTable.
Dave
-- Approach 1: AUGMENT the standard vacmAccessTable with one extra
-- view-name column per Net-SNMP-specific behaviour (log/execute/net).

netsnmpVacmAccessTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NetsnmpVacmAccessEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "Augmenting the standard vacmAccessTable with
                 extra columns for the Net-SNMP-specific access
                 control behaviour"
    ::= { xxxx 1 }

netsnmpVacmAccessEntry OBJECT-TYPE
    SYNTAX      NetsnmpVacmAccessEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "A (conceptual) entry containing information
                 about Net-SNMP-specific access control behaviour"
    AUGMENTS    { vacmAccessEntry }
    ::= { netsnmpVacmAccessTable 1 }

NetsnmpVacmAccessEntry ::= SEQUENCE {
    netsnmpVacmAccessLogViewName    SnmpAdminString,
    netsnmpVacmAccessExecViewName   SnmpAdminString,
    netsnmpVacmAccessNetViewName    SnmpAdminString
}

netsnmpVacmAccessLogViewName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes logging of trap requests.

                 The identified MIB view is that one for which the
                 vacmViewTreeFamilyViewName has the same value as the
                 instance of this object; if the value is the empty
                 string or if there is no active MIB view having this
                 value of vacmViewTreeFamilyViewName, then no access
                 is granted.
                "
    DEFVAL      { ''H }   -- the empty string
    ::= { netsnmpVacmAccessEntry 1 }

netsnmpVacmAccessExecViewName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes the invocation of a trap
                 handler script.

                 The identified MIB view is that one for which the
                 vacmViewTreeFamilyViewName has the same value as the
                 instance of this object; if the value is the empty
                 string or if there is no active MIB view having this
                 value of vacmViewTreeFamilyViewName, then no access
                 is granted.
                "
    DEFVAL      { ''H }   -- the empty string
    ::= { netsnmpVacmAccessEntry 2 }

netsnmpVacmAccessNetViewName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes the forwarding of trap
                 requests to another trap receiver.

                 The identified MIB view is that one for which the
                 vacmViewTreeFamilyViewName has the same value as the
                 instance of this object; if the value is the empty
                 string or if there is no active MIB view having this
                 value of vacmViewTreeFamilyViewName, then no access
                 is granted.
                "
    DEFVAL      { ''H }   -- the empty string
    ::= { netsnmpVacmAccessEntry 3 }
-- Approach 2: a table-within-a-table, indexed by the four standard
-- vacmAccessTable index objects plus a tag naming the behaviour.
-- (First draft: there is no RowStatus column yet, so rows could not
-- be created through SNMP; one would be needed for that.)

netsnmpVacmAccessTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NetsnmpVacmAccessEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "Extending the standard vacmAccessTable model to
                 handle Net-SNMP-specific access control behaviour."
    ::= { xxxx 1 }

netsnmpVacmAccessEntry OBJECT-TYPE
    SYNTAX      NetsnmpVacmAccessEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "A (conceptual) entry containing information
                 about Net-SNMP-specific access control behaviour.
                 This effectively results in a table-within-a-table
                 within the standard vacmAccessTable."
    INDEX       { vacmGroupName,
                  vacmAccessContextPrefix,
                  vacmAccessSecurityModel,
                  vacmAccessSecurityLevel,
                  netsnmpVacmAccessTag }
    ::= { netsnmpVacmAccessTable 1 }

NetsnmpVacmAccessEntry ::= SEQUENCE {
    netsnmpVacmAccessTag        SnmpAdminString,
    netsnmpVacmAccessViewName   SnmpAdminString
}

netsnmpVacmAccessTag OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "Indicates the aspect of Net-SNMP-specific behaviour
                 that this access control entry should be applied to.
                 Acceptable values will match those valid for the
                 'authuser' configuration file token."
    ::= { netsnmpVacmAccessEntry 1 }

netsnmpVacmAccessViewName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes the given Net-SNMP-specific
                 processing. The specific behaviour concerned is
                 indicated by the netsnmpVacmAccessTag index value.

                 The identified MIB view is that one for which the
                 vacmViewTreeFamilyViewName has the same value as the
                 instance of this object; if the value is the empty
                 string or if there is no active MIB view having this
                 value of vacmViewTreeFamilyViewName, then no access
                 is granted.
                "
    DEFVAL      { ''H }   -- the empty string
    ::= { netsnmpVacmAccessEntry 2 }
_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
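As an added illustration (not code from the thread or from Net-SNMP), the following Python models how the table-within-a-table draft would be evaluated: the four vacmAccessTable index values plus netsnmpVacmAccessTag select a view name, which is then resolved with RFC 3415 vacmViewTreeFamilyTable semantics (longest matching subtree wins, honouring the family mask), and an empty or missing view name denies. The group name, the sample rows and the exact-match lookup (no vacmAccessContextMatch or security-model fallback) are constructed assumptions.

```python
# Added model (not Net-SNMP code) of the table-within-a-table draft: the four
# vacmAccessTable index values plus netsnmpVacmAccessTag select a view name,
# which is then resolved with vacmViewTreeFamilyTable semantics (RFC 3415).
from typing import Dict, List, Tuple

# Constructed vacmViewTreeFamilyTable rows: (viewName, subtree, mask, type).
# A short or empty mask means "all remaining bits set".
VIEW_TREES: List[Tuple[str, Tuple[int, ...], bytes, str]] = [
    ("trapview", (1, 3, 6, 1, 6, 3, 1, 1, 5), b"", "included"),     # snmpTraps
    ("trapview", (1, 3, 6, 1, 6, 3, 1, 1, 5, 1), b"", "excluded"),  # ...but not coldStart
    # ifTable row 7, any column: mask 0xffa0 clears bit 9 (the column sub-id)
    ("ifview", (1, 3, 6, 1, 2, 1, 2, 2, 1, 1, 7), b"\xff\xa0", "included"),
]

USM, AUTH_NO_PRIV = 3, 2  # vacmAccessSecurityModel / vacmAccessSecurityLevel

# Constructed netsnmpVacmAccessTable rows keyed by the five index objects
# (group, contextPrefix, securityModel, securityLevel, tag) -> view name.
# Assumption: exact-match lookup, no contextMatch/security-model fallback.
ACCESS: Dict[Tuple[str, str, int, int, str], str] = {
    ("traphandlers", "", USM, AUTH_NO_PRIV, "log"): "trapview",
    ("traphandlers", "", USM, AUTH_NO_PRIV, "execute"): "trapview",
    ("traphandlers", "", USM, AUTH_NO_PRIV, "net"): "",  # empty view name: denied
}

def mask_bit(mask: bytes, i: int) -> int:
    """Bit i of a family mask; bits beyond the end of the mask count as 1."""
    if i // 8 >= len(mask):
        return 1
    return (mask[i // 8] >> (7 - i % 8)) & 1

def oid_in_view(view: str, oid: Tuple[int, ...]) -> bool:
    """RFC 3415 view check: longest matching subtree wins (ties: greatest subtree)."""
    best = None
    for name, subtree, mask, vtype in VIEW_TREES:
        if name != view or len(subtree) > len(oid):
            continue
        if all(mask_bit(mask, i) == 0 or subtree[i] == oid[i] for i in range(len(subtree))):
            key = (len(subtree), subtree)
            if best is None or key > best[0]:
                best = (key, vtype)
    return best is not None and best[1] == "included"

def is_authorized(group: str, ctx: str, model: int, level: int, tag: str,
                  oid: Tuple[int, ...]) -> bool:
    """Resolve the per-tag view and test the trap OID against it; '' or no row denies."""
    view = ACCESS.get((group, ctx, model, level, tag), "")
    return view != "" and oid_in_view(view, oid)
```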