This is a discussion on Re: state of the trapd auth speech within the SNMP Coders forums, part of the Networking and Network Related category.
Thomas Anders wrote:
> Wes Hardaker wrote:
>
>> The VACM MIBs need extending to allow on the fly VACM
>> management as well.
>
> Eight months later we don't seem to be any closer to this.
>
> Without having looked into whether/how it could be done (yet), what
> about something along the lines of
>
>     authuser * log,execute,net authNoPriv

That feels like snmp*.conf syntax, which should already be covered by
the current code. I think that what you're talking about is the MIB
interface to this (existing) behaviour.

I'd suggest that there are two (OK - three) basic approaches that could
be used:

- A simple augmentation of the standard vacmAccessTable (with one
  column for each new Net-SNMP-specific behaviour)

- A new table-within-this-table, indexed by the same four vacm* index
  objects, together with a fifth to indicate the NS-specific behaviour
  concerned.

I'm appending suitable first-draft MIB definitions for the two
approaches.

The advantage of AUGMENTing the vAT is that it's relatively simple to
implement - most of the code is there already, and we'd just need to add
extra cases to the basic switch for the new behaviour. The disadvantage
is that it's then harder to extend to cover new behaviour in the future -
we'd need to update the MIB definitions accordingly.

The advantage of a table-in-a-table is that such future extensions would
be much smoother - no MIB changes should be needed (given properly
crafted initial definitions). The disadvantage is that more new code
would be needed (if only just to parse the incoming requests).

The third option, of course, is to write something completely unrelated
to the vacmAccessTable.
Dave

Attachment: NS-VACM1-MIB.txt

    netsnmpVacmAccessTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF NetsnmpVacmAccessEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "Augmenting the standard vacmAccessTable with extra columns
             for the Net-SNMP-specific access control behaviour"
        ::= { xxxx 1 }

    netsnmpVacmAccessEntry OBJECT-TYPE
        SYNTAX      NetsnmpVacmAccessEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A (conceptual) entry containing information about
             Net-SNMP-specific access control behaviour"
        AUGMENTS { vacmAccessEntry }
        ::= { netsnmpVacmAccessTable 1 }

    NetsnmpVacmAccessEntry ::= SEQUENCE {
        netsnmpVacmAccessLogViewName   SnmpAdminString,
        netsnmpVacmAccessExecViewName  SnmpAdminString,
        netsnmpVacmAccessNetViewName   SnmpAdminString
    }

    netsnmpVacmAccessLogViewName OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE(0..32))
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The value of an instance of this object identifies the MIB
             view of the SNMP context to which this conceptual row
             authorizes logging of trap requests.

             The identified MIB view is that one for which the
             vacmViewTreeFamilyViewName has the same value as the
             instance of this object; if the value is the empty string
             or if there is no active MIB view having this value of
             vacmViewTreeFamilyViewName, then no access is granted."
        DEFVAL { ''H }    -- the empty string
        ::= { netsnmpVacmAccessEntry 1 }

    netsnmpVacmAccessExecViewName OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE(0..32))
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The value of an instance of this object identifies the MIB
             view of the SNMP context to which this conceptual row
             authorizes the invocation of a trap handler script.

             The identified MIB view is that one for which the
             vacmViewTreeFamilyViewName has the same value as the
             instance of this object; if the value is the empty string
             or if there is no active MIB view having this value of
             vacmViewTreeFamilyViewName, then no access is granted."
        DEFVAL { ''H }    -- the empty string
        ::= { netsnmpVacmAccessEntry 2 }

    netsnmpVacmAccessNetViewName OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE(0..32))
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The value of an instance of this object identifies the MIB
             view of the SNMP context to which this conceptual row
             authorizes the forwarding of trap requests to another
             trap receiver.

             The identified MIB view is that one for which the
             vacmViewTreeFamilyViewName has the same value as the
             instance of this object; if the value is the empty string
             or if there is no active MIB view having this value of
             vacmViewTreeFamilyViewName, then no access is granted."
        DEFVAL { ''H }    -- the empty string
        ::= { netsnmpVacmAccessEntry 3 }

Attachment: NS-VACM2-MIB.txt

    netsnmpVacmAccessTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF NetsnmpVacmAccessEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "Extending the standard vacmAccessTable model to handle
             Net-SNMP-specific access control behaviour."
        ::= { xxxx 1 }

    netsnmpVacmAccessEntry OBJECT-TYPE
        SYNTAX      NetsnmpVacmAccessEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A (conceptual) entry containing information about
             Net-SNMP-specific access control behaviour. This
             effectively results in a table-within-a-table within the
             standard vacmAccessTable."
        INDEX { vacmGroupName,
                vacmAccessContextPrefix,
                vacmAccessSecurityModel,
                vacmAccessSecurityLevel,
                netsnmpVacmAccessTag }
        ::= { netsnmpVacmAccessTable 1 }

    NetsnmpVacmAccessEntry ::= SEQUENCE {
        netsnmpVacmAccessTag       SnmpAdminString,
        netsnmpVacmAccessViewName  SnmpAdminString
    }

    netsnmpVacmAccessTag OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE(0..32))
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "Indicates the aspect of Net-SNMP-specific behaviour that
             this access control entry should be applied to.
             Acceptable values will match those valid for the
             'authuser' configuration file token."
        ::= { netsnmpVacmAccessEntry 1 }

    netsnmpVacmAccessViewName OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE(0..32))
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The value of an instance of this object identifies the MIB
             view of the SNMP context to which this conceptual row
             authorizes the given Net-SNMP-specific processing. The
             specific behaviour concerned is indicated by the
             netsnmpVacmAccessTag index value.

             The identified MIB view is that one for which the
             vacmViewTreeFamilyViewName has the same value as the
             instance of this object; if the value is the empty string
             or if there is no active MIB view having this value of
             vacmViewTreeFamilyViewName, then no access is granted."
        DEFVAL { ''H }    -- the empty string
        ::= { netsnmpVacmAccessEntry 2 }

_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/...et-snmp-coders
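The access decision that the table-within-a-table draft (NS-VACM2) implies, modelled as an added example. This is not code from the post above or from Net-SNMP: it walks the four vacmAccessTable index objects plus the netsnmpVacmAccessTag to pick a row, then applies the RFC 3415 view-family match (subtree, mask, included/excluded, longest match wins) to the trap's OID. The group name "ops", the view names "all" and "notifs", the enterprise 99999 and all rows are constructed sample data; the log/execute/net tags are the ones the post names.

```python
"""Added example, not Net-SNMP code: the access check sketched by the draft
NS-VACM2-MIB (vacmAccessTable's four indices plus netsnmpVacmAccessTag),
combined with the standard VACM view-family match.  All rows, views and
OIDs below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional, Tuple

OID = Tuple[int, ...]

# SnmpSecurityLevel values from SNMP-FRAMEWORK-MIB; USM is security model 3.
NOAUTH_NOPRIV, AUTH_NOPRIV, AUTH_PRIV = 1, 2, 3
USM_MODEL = 3
ANY_MODEL = 0   # vacmAccessSecurityModel value meaning "any model"


@dataclass(frozen=True)
class ViewFamily:
    """One vacmViewTreeFamilyTable row."""
    view_name: str
    subtree: OID
    mask: Tuple[int, ...]   # one bit per sub-identifier; a short mask is padded with 1s
    included: bool          # vacmViewTreeFamilyType: included(1) / excluded(2)


@dataclass(frozen=True)
class NsAccessRow:
    """One conceptual row of the proposed netsnmpVacmAccessTable."""
    group: str
    context_prefix: str
    security_model: int
    security_level: int
    tag: str                # netsnmpVacmAccessTag: 'log', 'execute' or 'net'
    view_name: str          # netsnmpVacmAccessViewName; '' grants nothing
    exact_context: bool = True   # vacmAccessContextMatch exact(1) vs prefix(2)


def family_matches(fam: ViewFamily, oid: OID) -> bool:
    """RFC 3415 subtree match: each sub-identifier of the family's subtree
    must equal the candidate's, except where the mask bit is 0."""
    if len(oid) < len(fam.subtree):
        return False
    for i, sub in enumerate(fam.subtree):
        bit = fam.mask[i] if i < len(fam.mask) else 1
        if bit and oid[i] != sub:
            return False
    return True


def oid_in_view(view_name: str, oid: OID, families) -> bool:
    """An empty view name, or one with no matching family, grants nothing;
    otherwise the longest (then lexicographically greatest) match decides."""
    if not view_name:
        return False
    cands = [f for f in families if f.view_name == view_name and family_matches(f, oid)]
    if not cands:
        return False
    return max(cands, key=lambda f: (len(f.subtree), f.subtree)).included


def select_row(rows, group, context, model, level, tag) -> Optional[NsAccessRow]:
    """vacmAccessTable row selection, with the tag as a fifth exact-match index."""
    matches = []
    for r in rows:
        if r.group != group or r.tag != tag or r.security_level > level:
            continue
        if r.security_model not in (ANY_MODEL, model):
            continue
        ctx_ok = (r.context_prefix == context if r.exact_context
                  else context.startswith(r.context_prefix))
        if ctx_ok:
            matches.append(r)
    if not matches:
        return None
    # RFC 3415 tie-break: exact model, exact context, longer prefix, higher level.
    return max(matches, key=lambda r: (r.security_model != ANY_MODEL, r.exact_context,
                                       len(r.context_prefix), r.security_level))


def trap_action_allowed(rows, families, group, context, model, level, tag, trap_oid) -> bool:
    """May snmptrapd apply action `tag` (log/execute/net) to a trap with this OID?"""
    row = select_row(rows, group, context, model, level, tag)
    return row is not None and oid_in_view(row.view_name, trap_oid, families)


# Constructed sample configuration (hypothetical group, view and enterprise).
COLD_START = (1, 3, 6, 1, 6, 3, 1, 1, 5, 1)
LINK_DOWN = (1, 3, 6, 1, 6, 3, 1, 1, 5, 3)
FAMILIES = [
    ViewFamily("all", (1, 3, 6, 1), (), True),
    ViewFamily("notifs", (1, 3, 6, 1, 6, 3, 1, 1, 5), (), True),   # generic traps...
    ViewFamily("notifs", LINK_DOWN, (), False),                     # ...but not linkDown
    # Mask bit 0 at position 8 wildcards that sub-identifier (hypothetical enterprise 99999).
    ViewFamily("notifs", (1, 3, 6, 1, 4, 1, 99999, 5, 1), (1, 1, 1, 1, 1, 1, 1, 0, 1), True),
]
ROWS = [
    NsAccessRow("ops", "", USM_MODEL, AUTH_NOPRIV, "log", "all"),
    NsAccessRow("ops", "", USM_MODEL, AUTH_NOPRIV, "execute", "notifs"),
    NsAccessRow("ops", "", USM_MODEL, AUTH_NOPRIV, "net", ""),      # never forward
]


def check(tag: str, trap_oid: OID, level: int = AUTH_NOPRIV) -> bool:
    return trap_action_allowed(ROWS, FAMILIES, "ops", "", USM_MODEL, level, tag, trap_oid)


if __name__ == "__main__":
    for tag in ("log", "execute", "net"):
        print(tag, "coldStart:", check(tag, COLD_START), "linkDown:", check(tag, LINK_DOWN))
```

Two points the post's wording leaves implicit show up in the sample data: a row whose view name is the empty string (the "net" row) is a deliberate deny, not an absence of configuration, and a request at noAuthNoPriv finds no row at all when every row demands authNoPriv, which is also a deny. The masked family shows why the MIB interface matters: a mask is awkward to express in an snmptrapd.conf line but is a plain column in the view table.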