#286 support only/no ACLs for snmp_auth stanza, update docs
@@ -5,6 +5,7 @@
|
|||||||
* #319 better fix for acceping ACL names or values in check_acl_*
|
* #319 better fix for acceping ACL names or values in check_acl_*
|
||||||
* #311 added duplicate devices report with option to delete
|
* #311 added duplicate devices report with option to delete
|
||||||
* #263 discover neighbors advertising ipv6 management addresses
|
* #263 discover neighbors advertising ipv6 management addresses
|
||||||
|
* #286 support only/no ACLs for snmp_auth stanza, update docs
|
||||||
|
|
||||||
[BUG FIXES]
|
[BUG FIXES]
|
||||||
|
|
||||||
|
|||||||
@@ -762,6 +762,7 @@ simply a friendly name used by Netdisco when referring to the configuration.
|
|||||||
only:
|
only:
|
||||||
- 192.0.2.0/30
|
- 192.0.2.0/30
|
||||||
- 172.20.10.0/24
|
- 172.20.10.0/24
|
||||||
|
no: '172.20.10.1'
|
||||||
- tag: v2aclexample
|
- tag: v2aclexample
|
||||||
community: s3kr1t
|
community: s3kr1t
|
||||||
read: false
|
read: false
|
||||||
@@ -773,14 +774,16 @@ global C<community>/C<community_rw> setting, this is not a list but a single
|
|||||||
item. That is, to configure multiple community strings, have one stanza per
|
item. That is, to configure multiple community strings, have one stanza per
|
||||||
community, as in the examples above and below.
|
community, as in the examples above and below.
|
||||||
|
|
||||||
You can add C<read> and/or C<write> restrictions, and an IP restriction using
|
For any version of SNMP you can add C<read> and/or C<write> booleans to
|
||||||
C<only> (see L</"ACCESS CONTROL LISTS">. Giving the stanza a C<tag> name is
|
control operations for that stanza, and IP restrictions using C<only> and
|
||||||
optional, but recommended.
|
C<no> (see L</"ACCESS CONTROL LISTS"> for what you can use here).
|
||||||
|
|
||||||
For SNMPv3 the C<tag> and C<user> keys are required. You can add C<read>
|
For SNMPv3 the C<tag> and C<user> keys are required. Providing an C<auth>
|
||||||
and/or C<write> restrictions, and an IP restriction using C<only>. Providing
|
section enables the authentication security level, providing a C<priv> section
|
||||||
an C<auth> section enables the authentication security level. Providing a
|
enables the message encryption security level. When configuring multiple
|
||||||
C<priv> section enables the message encryption security level.
|
SNMPv3 stanza please use C<only> and/or C<no> ACLs for each, otherwise only
|
||||||
|
the first stanza is ever used (this is a limitation in the underlying L<SNMP>
|
||||||
|
library).
|
||||||
|
|
||||||
The default SNMPv3 authentication security method is MD5, and the default
|
The default SNMPv3 authentication security method is MD5, and the default
|
||||||
encryption protocol is DES, with AES or AES256 being common alternatives. Note
|
encryption protocol is DES, with AES or AES256 being common alternatives. Note
|
||||||
@@ -793,7 +796,7 @@ key to a stanza to override this default.
|
|||||||
|
|
||||||
Netdisco caches both the successful SNMPv2 read and write community strings,
|
Netdisco caches both the successful SNMPv2 read and write community strings,
|
||||||
as well as the C<tag> names if available. This allows for faster operations
|
as well as the C<tag> names if available. This allows for faster operations
|
||||||
once a connection has previously been made to a device.
|
once a connection has previously been made to a device. Tags are recommended.
|
||||||
|
|
||||||
If you have SNMP connect failures, or notice that devices are not appearing in
|
If you have SNMP connect failures, or notice that devices are not appearing in
|
||||||
Netdisco, take a look at the "SNMP Connect Failures" Admin Report, and also
|
Netdisco, take a look at the "SNMP Connect Failures" Admin Report, and also
|
||||||
|
|||||||
@@ -117,9 +117,9 @@ example:
|
|||||||
|
|
||||||
~netdisco/bin/netdisco-do discover -d 192.0.2.1 -DIQ
|
~netdisco/bin/netdisco-do discover -d 192.0.2.1 -DIQ
|
||||||
|
|
||||||
You will see that SNMPv2 community strings are hidden by default, to make the
|
You will see that SNMP community strings and users are hidden by default, to
|
||||||
output safe for sending to Netdisco developers. To show the community string,
|
make the output safe for sending to Netdisco developers. To show the community
|
||||||
set the C<SHOW_COMMUNITY> environment variable:
|
string and SNMPv3 protocols, set the C<SHOW_COMMUNITY> environment variable:
|
||||||
|
|
||||||
SHOW_COMMUNITY=1 ~netdisco/bin/netdisco-do discover -d 192.0.2.1 -DIQ
|
SHOW_COMMUNITY=1 ~netdisco/bin/netdisco-do discover -d 192.0.2.1 -DIQ
|
||||||
|
|
||||||
|
|||||||
@@ -136,9 +136,13 @@ sub _snmp_connect_generic {
|
|||||||
sub _try_connect {
|
sub _try_connect {
|
||||||
my ($device, $class, $comm, $mode, $snmp_args, $reclass) = @_;
|
my ($device, $class, $comm, $mode, $snmp_args, $reclass) = @_;
|
||||||
my %comm_args = _mk_info_commargs($comm);
|
my %comm_args = _mk_info_commargs($comm);
|
||||||
my $debug_comm = ( $comm->{community}
|
my $debug_comm = '<hidden>';
|
||||||
? $ENV{SHOW_COMMUNITY} ? $comm->{community} : '<hidden>'
|
if ($ENV{SHOW_COMMUNITY}) {
|
||||||
: "v3user:$comm->{user}" );
|
$debug_comm = ($comm->{community} ||
|
||||||
|
(sprintf 'v3:%s:%s/%s', ($comm->{user},
|
||||||
|
($comm->{auth}->{proto} || 'noAuth'),
|
||||||
|
($comm->{priv}->{proto} || 'noPriv'))) );
|
||||||
|
}
|
||||||
my $info = undef;
|
my $info = undef;
|
||||||
|
|
||||||
try {
|
try {
|
||||||
@@ -293,14 +297,17 @@ sub _build_communities {
|
|||||||
$stanza->{tag} ||= $tag;
|
$stanza->{tag} ||= $tag;
|
||||||
++$seen_tags->{ $stanza->{tag} };
|
++$seen_tags->{ $stanza->{tag} };
|
||||||
$stanza->{read} = 1 if !exists $stanza->{read};
|
$stanza->{read} = 1 if !exists $stanza->{read};
|
||||||
|
$stanza->{no} ||= [];
|
||||||
$stanza->{only} ||= ['any'];
|
$stanza->{only} ||= ['any'];
|
||||||
|
$stanza->{no} = [$stanza->{no}] if ref '' eq ref $stanza->{no};
|
||||||
$stanza->{only} = [$stanza->{only}] if ref '' eq ref $stanza->{only};
|
$stanza->{only} = [$stanza->{only}] if ref '' eq ref $stanza->{only};
|
||||||
|
|
||||||
die "error: config: snmpv3 stanza in snmp_auth must have a tag\n"
|
die "error: config: snmpv3 stanza in snmp_auth must have a tag\n"
|
||||||
if not $stanza->{tag}
|
if not $stanza->{tag}
|
||||||
and !exists $stanza->{community};
|
and !exists $stanza->{community};
|
||||||
|
|
||||||
if ($stanza->{$mode} and check_acl_only($device, $stanza->{only})) {
|
if ($stanza->{$mode} and check_acl_only($device, $stanza->{only})
|
||||||
|
and not check_acl_no($device, $stanza->{no})) {
|
||||||
if ($device->in_storage and
|
if ($device->in_storage and
|
||||||
$stored_tag and $stored_tag eq $stanza->{tag}) {
|
$stored_tag and $stored_tag eq $stanza->{tag}) {
|
||||||
# last known-good by tag
|
# last known-good by tag
|
||||||
|
|||||||
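Review bot: In _try_connect, `$comm->{auth}->{proto}` and `$comm->{priv}->{proto}` autovivify `$comm->{auth}` and `$comm->{priv}` as empty hashrefs when those sections are absent, which happens whenever SHOW_COMMUNITY is set for an SNMPv3 stanza that has no auth or priv section. The stanza hashes look like shared config mutated in place (the `||=` defaults in the _build_communities hunk below), so if any later code selects the security level by testing for the presence of `auth`/`priv`, a single debug run could leave a stanza looking as though both were configured; that check is not visible here, so it is worth confirming. Guarding the lookup avoids the side effect: `(($comm->{auth} && $comm->{auth}->{proto}) || 'noAuth'),` and `(($comm->{priv} && $comm->{priv}->{proto}) || 'noPriv'))) );`. The body of _try_connect continues past the end of the hunk.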