Enhance the ACL options to include AND and negation

Squashed commit of the following: commit 7673f3ee1e Author: Oliver Gorwits <oliver@cpan.org> Date: Sat May 6 14:19:19 2017 +0100 allow check_acl to accept Device or NetAddr::IP instance commit c31059bc01 Author: Oliver Gorwits <oliver@cpan.org> Date: Sat May 6 14:19:00 2017 +0100 update docs commit deaeab2670 Author: Oliver Gorwits <oliver@cpan.org> Date: Sat May 6 14:18:27 2017 +0100 SNMP only stanza has access to full check_acl features commit 4a44fa5863 Author: Oliver Gorwits <oliver@cpan.org> Date: Mon May 1 18:49:38 2017 +0100 add AND operator and negation support to ACLs
2017-05-06 15:00:17 +01:00
parent 3654468913
commit 03f41f1177
6 changed files with 252 additions and 147 deletions
--- a/lib/App/Netdisco/Manual/Configuration.pod
+++ b/lib/App/Netdisco/Manual/Configuration.pod
@@ -7,11 +7,7 @@ App::Netdisco::Manual::Configuration - How to Configure Netdisco
 The configuration files for Netdisco come with all options set to sensible
 default values, and just a few that you must initially set yourself.

-However as you use the system over time, there are many situations where you
-might want to tune the behaviour of Netdisco, and for that we have a lot of
-configuration settings available.
-
-=head2 GUIDANCE
+=head2 YAML GUIDANCE

 There are two configuration files: C<config.yml> (which lives inside Netdisco)
 and C<deployment.yml> (which usually lives in C<${HOME}/environments>).
@@ -22,7 +18,7 @@ file. The two are merged when Netdisco starts, with your settings in
 C<deployment.yml> overriding the defaults from C<config.yml>.

 The configuration file format for Netdisco is YAML. This is easy for humans to
-edit, but you should take care over whitespace and avoid TAB characters. YAML
+edit, but you should take care with whitespace and avoid TAB characters. YAML
 supports several data types:

 =over 4
@@ -30,24 +26,80 @@ supports several data types:
 =item *

 Boolean - True/False value, using C<1> and C<0> or C<true> and C<false>
-respectively
+respectively, e.g.:
+
+ check_userlog: true

 =item *

-List - Set of things using C<[a, b, c]> on one line or C<-> on separate lines
+List - Set of things using C<[a, b, c]> on one line or C<-> on separate lines,
+e.g.:
+
+ community: ['public', 'another']
+ 
+ discover_no:
+   - '192.0.2.0/24'
+   - '2001:db8::/32'

 =item *

-Dictionary - Key/Value pairs (like Perl Hash) using C<{key1: val1, key2:
-val2}> on one line or C<key: value> on separate lines
+Dictionary - Key/Value pairs (like Perl Hash) using C<< {key1: val1, key2:
+val2} >> on one line or C<key: value> on separate lines, e.g.:
+
+ port_control_reasons:
+   address:   'Address Allocation Abuse'
+   copyright: 'Copyright Violation'

 =item *

 String - Quoted, just like in Perl (and essential if the item contains the
-colon character)
+colon character).

 =back

+=head2 ACCESS CONTROL LISTS
+
+Access Control Lists (ACLs) appear in many places in the configuration file,
+used to select or exclude devices or hosts for certain settings. ACLs are a
+YAML list of items, which can contain:
+
+=over 4
+
+=item *
+
+Hostname, IP address, IP prefix (i.e. subnet)
+
+=item *
+
+IP address range, using a hyphen on the last octet/hextet, and no whitespace
+
+=item *
+
+Regular expression in YAML format (no enforced anchors) which will match the
+device DNS name (using a fresh DNS lookup, so works on new discovery), e.g.:
+
+ - !!perl/regexp ^sep0.*$
+
+=item *
+
+"C<property:regexp>" - matched against a device property, such as C<model> or
+C<vendor> (with enforced begin/end regexp anchors).
+
+=item *
+
+"C<op:and>" to require all items to match (or not match) the provided IP or
+device. Note that this includes IP address version mismatches (v4-v6).
+
+=back
+
+To negate any item in an ACL, prefix it with "C<!>", for example
+"C<!192.0.2.0/29>". In that case, the item must I<not> match the device. This
+does not apply to regular expressions (which you can achieve with nonmatching
+lookahead).
+
+To match any device, use "C<any>". To match no devices we suggest using
+"C<broadcast>" in the list (or "C<!any>" may work).
+
 =head1 SUPPORTED SETTINGS

 =head2 Essential Settings
@@ -647,13 +699,8 @@ devices. For more fine-grained control see the C<bulkwalk_no> setting.

 Value: List of Network Identifiers or Device Properties. Default: Empty List.

-IP addresses in the list will use C<GETNEXT> (and not C<BULKWALK>). You can
-include hostnames, IP addresses, subnets (IPv4 or IPv6), YAML Regexp to match
-the DNS name, and address ranges (using a hyphen and no whitespace) in the
-list.
-
-Alternatively include a "C<property:regex>" entry to match the named property
-of the device. The regex must match the complete value.
+IP addresses in the list will use C<GETNEXT> (and not C<BULKWALK>).  See
+L</"ACCESS CONTROL LISTS"> for what you can use here.

 =head3 C<bulkwalk_repeaters>

@@ -714,25 +761,16 @@ Number of times to retry connecting to a device before giving up.

 Value: List of Network Identifiers or Device Properties. Default: Empty List.

-IP addresses in the list will not be visited during device discovery. You can
-include hostnames, IP addresses, subnets (IPv4 or IPv6), YAML Regexp to match
-the DNS name, and address ranges (using a hyphen and no whitespace) in the
-list.
+IP addresses in the list will not be visited during device discovery.  See
+L</"ACCESS CONTROL LISTS"> for what you can use here.

-Alternatively include a "C<property:regex>" entry to match the named property
-of the device. The regex must match the complete value.

 =head3 C<discover_only>

 Value: List of Network Identifiers or Device Properties. Default: Empty List.

 If present, device discovery will be limited to IP addresses matching entries
-in this list. You can include hostnames, IP addresses, subnets (IPv4 and
-IPv6), YAML Regexp to match the DNS name, and address ranges (using a hyphen
-and no whitespace).
-
-Alternatively include a "C<property:regex>" entry to match the named property
-of the device. The regex must match the complete value.
+in this list. See L</"ACCESS CONTROL LISTS"> for what you can use here.

 =head3 C<discover_no_type>

@@ -758,24 +796,15 @@ discover jobs for a device.

 Value: List of Network Identifiers or Device Properties. Default: Empty List.

-IP addresses in the list will not be visited for macsuck. You can include
-hostnames, IP addresses, subnets (IPv4 or IPv6), YAML Regexp to match the DNS
-name, and address ranges (using a hyphen and no whitespace) in the list.
-
-Alternatively include a "C<property:regex>" entry to match the named property
-of the device. The regex must match the complete value.
+IP addresses in the list will not be visited for macsuck. See L</"ACCESS
+CONTROL LISTS"> for what you can use here.

 =head3 C<macsuck_only>

 Value: List of Network Identifiers or Device Properties. Default: Empty List.

 If present, macsuck will be limited to IP addresses matching entries in this
-list. You can include hostnames, IP addresses, subnets (IPv4 and IPv6), YAML
-Regexp to match the DNS name, and address ranges (using a hyphen and no
-whitespace).
-
-Alternatively include a "C<property:regex>" entry to match the named property
-of the device. The regex must match the complete value.
+list.  See L</"ACCESS CONTROL LISTS"> for what you can use here.

 =head3 C<macsuck_all_vlans>

@@ -815,6 +844,7 @@ Value: List of Network Identifiers or Device Properties. Default: Empty List.
 Similar to C<macsuck_no>, but instead of skipping nodes on this device, they
 are allowed to gather on the upstream device port. Useful for devices which
 can be discovered by Netdisco but do not provide a MAC address table via SNMP.
+See L</"ACCESS CONTROL LISTS"> for what you can use here.

 =head3 C<macsuck_unsupported_type>

@@ -848,24 +878,15 @@ macsuck jobs for a device.

 Value: List of Network Identifiers or Device Properties. Default: Empty List.

-IP addresses in the list will not be visited for arpnip. You can include
-hostnames, IP addresses, subnets (IPv4 or IPv6), YAML Regexp to match the DNS
-name, and address ranges (using a hyphen and no whitespace) in the list.
-
-Alternatively include a "C<property:regex>" entry to match the named property
-of the device. The regex must match the complete value.
+IP addresses in the list will not be visited for arpnip.  See L</"ACCESS
+CONTROL LISTS"> for what you can use here.

 =head3 C<arpnip_only>

 Value: List of Network Identifiers or Device Properties. Default: Empty List.

 If present, arpnip will be limited to IP addresses matching entries in this
-list. You can include hostnames, IP addresses, subnets (IPv4 and IPv6), YAML
-Regexp to match the DNS name, and address ranges (using a hyphen and no
-whitespace).
-
-Alternatively include a "C<property:regex>" entry to match the named property
-of the device. The regex must match the complete value.
+list.  See L</"ACCESS CONTROL LISTS"> for what you can use here.

 =head3 C<arpnip_min_age>

@@ -878,19 +899,15 @@ arpnip jobs for a device.

 Value: List of Network Identifiers. Default: Empty List.

-IP addresses in the list will not be visited for nbtstat. You can include
-hostnames, IP addresses, subnets (nbtstat only supports IPv4), YAML Regexp
-to match the DNS name, and address ranges (using a hyphen and no whitespace)
-in the list.
+IP addresses in the list will not be visited for nbtstat.  See L</"ACCESS
+CONTROL LISTS"> for what you can use here.

 =head3 C<nbtstat_only>

 Value: List of Network Identifiers. Default: Empty List.

 If present, nbtstat will be limited to IP addresses matching entries in this
-list. You can include hostnames, IP addresses, subnets
-(nbtstat only supports IPv4), YAML Regexp to match the DNS name, and address
-ranges (using a hyphen and no whitespace).
+list.  See L</"ACCESS CONTROL LISTS"> for what you can use here.

 =head3 C<nbtstat_max_age>