#286 support only/no ACLs for snmp_auth stanza, update docs
This commit is contained in:
Oliver Gorwits
1
Changes
1
Changes
@@ -5,6 +5,7 @@
|
||||
* #319 better fix for acceping ACL names or values in check_acl_*
|
||||
* #311 added duplicate devices report with option to delete
|
||||
* #263 discover neighbors advertising ipv6 management addresses
|
||||
* #286 support only/no ACLs for snmp_auth stanza, update docs
|
||||
|
||||
[BUG FIXES]
|
||||
|
||||
|
||||
@@ -762,6 +762,7 @@ simply a friendly name used by Netdisco when referring to the configuration.
|
||||
only:
|
||||
- 192.0.2.0/30
|
||||
- 172.20.10.0/24
|
||||
no: '172.20.10.1'
|
||||
- tag: v2aclexample
|
||||
community: s3kr1t
|
||||
read: false
|
||||
@@ -773,14 +774,16 @@ global C<community>/C<community_rw> setting, this is not a list but a single
|
||||
item. That is, to configure multiple community strings, have one stanza per
|
||||
community, as in the examples above and below.
|
||||
|
||||
You can add C<read> and/or C<write> restrictions, and an IP restriction using
|
||||
C<only> (see L</"ACCESS CONTROL LISTS">. Giving the stanza a C<tag> name is
|
||||
optional, but recommended.
|
||||
For any version of SNMP you can add C<read> and/or C<write> booleans to
|
||||
control operations for that stanza, and IP restrictions using C<only> and
|
||||
C<no> (see L</"ACCESS CONTROL LISTS"> for what you can use here).
|
||||
|
||||
For SNMPv3 the C<tag> and C<user> keys are required. You can add C<read>
|
||||
and/or C<write> restrictions, and an IP restriction using C<only>. Providing
|
||||
an C<auth> section enables the authentication security level. Providing a
|
||||
C<priv> section enables the message encryption security level.
|
||||
For SNMPv3 the C<tag> and C<user> keys are required. Providing an C<auth>
|
||||
section enables the authentication security level, providing a C<priv> section
|
||||
enables the message encryption security level. When configuring multiple
|
||||
SNMPv3 stanza please use C<only> and/or C<no> ACLs for each, otherwise only
|
||||
the first stanza is ever used (this is a limitation in the underlying L<SNMP>
|
||||
library).
|
||||
|
||||
The default SNMPv3 authentication security method is MD5, and the default
|
||||
encryption protocol is DES, with AES or AES256 being common alternatives. Note
|
||||
@@ -793,7 +796,7 @@ key to a stanza to override this default.
|
||||
|
||||
Netdisco caches both the successful SNMPv2 read and write community strings,
|
||||
as well as the C<tag> names if available. This allows for faster operations
|
||||
once a connection has previously been made to a device.
|
||||
once a connection has previously been made to a device. Tags are recommended.
|
||||
|
||||
If you have SNMP connect failures, or notice that devices are not appearing in
|
||||
Netdisco, take a look at the "SNMP Connect Failures" Admin Report, and also
|
||||
|
||||
@@ -117,9 +117,9 @@ example:
|
||||
|
||||
~netdisco/bin/netdisco-do discover -d 192.0.2.1 -DIQ
|
||||
|
||||
You will see that SNMPv2 community strings are hidden by default, to make the
|
||||
output safe for sending to Netdisco developers. To show the community string,
|
||||
set the C<SHOW_COMMUNITY> environment variable:
|
||||
You will see that SNMP community strings and users are hidden by default, to
|
||||
make the output safe for sending to Netdisco developers. To show the community
|
||||
string and SNMPv3 protocols, set the C<SHOW_COMMUNITY> environment variable:
|
||||
|
||||
SHOW_COMMUNITY=1 ~netdisco/bin/netdisco-do discover -d 192.0.2.1 -DIQ
|
||||
|
||||
|
||||
@@ -136,9 +136,13 @@ sub _snmp_connect_generic {
|
||||
sub _try_connect {
|
||||
my ($device, $class, $comm, $mode, $snmp_args, $reclass) = @_;
|
||||
my %comm_args = _mk_info_commargs($comm);
|
||||
my $debug_comm = ( $comm->{community}
|
||||
? $ENV{SHOW_COMMUNITY} ? $comm->{community} : '<hidden>'
|
||||
: "v3user:$comm->{user}" );
|
||||
my $debug_comm = '<hidden>';
|
||||
if ($ENV{SHOW_COMMUNITY}) {
|
||||
$debug_comm = ($comm->{community} ||
|
||||
(sprintf 'v3:%s:%s/%s', ($comm->{user},
|
||||
($comm->{auth}->{proto} || 'noAuth'),
|
||||
($comm->{priv}->{proto} || 'noPriv'))) );
|
||||
}
|
||||
my $info = undef;
|
||||
|
||||
try {
|
||||
@@ -293,14 +297,17 @@ sub _build_communities {
|
||||
$stanza->{tag} ||= $tag;
|
||||
++$seen_tags->{ $stanza->{tag} };
|
||||
$stanza->{read} = 1 if !exists $stanza->{read};
|
||||
$stanza->{no} ||= [];
|
||||
$stanza->{only} ||= ['any'];
|
||||
$stanza->{no} = [$stanza->{no}] if ref '' eq ref $stanza->{no};
|
||||
$stanza->{only} = [$stanza->{only}] if ref '' eq ref $stanza->{only};
|
||||
|
||||
die "error: config: snmpv3 stanza in snmp_auth must have a tag\n"
|
||||
if not $stanza->{tag}
|
||||
and !exists $stanza->{community};
|
||||
|
||||
if ($stanza->{$mode} and check_acl_only($device, $stanza->{only})) {
|
||||
if ($stanza->{$mode} and check_acl_only($device, $stanza->{only})
|
||||
and not check_acl_no($device, $stanza->{no})) {
|
||||
if ($device->in_storage and
|
||||
$stored_tag and $stored_tag eq $stanza->{tag}) {
|
||||
# last known-good by tag
|
||||
|
||||
Reference in New Issue
Block a user