From f65ef90b861db3d736f59f2d01921135e7e555d5 Mon Sep 17 00:00:00 2001 From: Oliver Gorwits Date: Sat, 22 Jul 2017 08:11:36 +0100 Subject: [PATCH] rename snmp_auth to device_auth and include a little doc on transports --- lib/App/Netdisco/Manual/Configuration.pod | 57 +++++++++++++++-------- lib/App/Netdisco/Util/SNMP.pm | 6 +-- share/config.yml | 2 +- share/environments/deployment.yml | 2 +- 4 files changed, 42 insertions(+), 25 deletions(-) diff --git a/lib/App/Netdisco/Manual/Configuration.pod b/lib/App/Netdisco/Manual/Configuration.pod index a563780a..82298662 100644 --- a/lib/App/Netdisco/Manual/Configuration.pod +++ b/lib/App/Netdisco/Manual/Configuration.pod @@ -581,7 +581,7 @@ Value: Dictionary of Access Control Lists. Default: None. Several configuration settings in Netdisco make use of L to identify lists of devices or hosts. Examples are the C<*_no> settings such as C, the C<*_only> settings such as C, -and some "C" settings which appear in C and C +and some "C" settings which appear in C and C configuration. The C setting allows for naming of groups which are then @@ -711,7 +711,7 @@ Each is tried in turn when polling the device, and then the working community string will be cached in the database. For fine-grained control over which communities are tried for which devices, -or to set SNMPv3 authentication, see C, below. +or to set SNMPv3 authentication, see C, below. =head3 C 
@@ -725,13 +725,13 @@ is tried in turn when writing to the device, and then the working community string will be cached in the database. For fine-grained control over which communities are tried for which devices, -or to set SNMPv3 authentication, see C, below. +or to set SNMPv3 authentication, see C, below. -=head3 C +=head3 C Value: List of Settings Trees. Default: Empty List. -This setting configures authenticaiton for all SNMP versions, and provides an +This setting configures authenticaiton for all polling, and provides an alternative fine-grained control for SNMPv1 and SNMPv2 community strings. You provide a list of authentication "I", and Netdisco will try each in turn, then cache the one which works for a device. @@ -741,7 +741,7 @@ limited to read (get) and/or write (set) operations. By default, a stanza is enabled for all device IPs, for read access only. The "tag" of a stanza is simply a friendly name used by Netdisco when referring to the configuration. - snmp_auth: + device_auth: - community: public - community: publictwo - community: mycommunity 
@@ -757,26 +757,23 @@ simply a friendly name used by Netdisco when referring to the configuration. priv: pass: netdiscokey2 proto: DES - - tag: v3aclexample - user: netdisco2 + - tag: aclexample + community: s3kr1t + read: false + write: true only: - 192.0.2.0/30 - 172.20.10.0/24 no: '172.20.10.1' - - tag: v2aclexample - community: s3kr1t - read: false - write: true - only: '2001:db8::/32' For SNMPv1 and SNMPv2, only the C key is required. Unlike the global C/C setting, this is not a list but a single -item. That is, to configure multiple community strings, have one stanza per +item. Therefore, to configure multiple community strings, have one stanza per community, as in the examples above and below. -For any version of SNMP you can add C and/or C booleans to -control operations for that stanza, and IP restrictions using C and -C (see L for what you can use here). +For any sanza you can add C and/or C booleans to control whether +it is used for get and/or set operations, and IP restrictions using C +and C (see L for what you can use here). For SNMPv3 the C and C keys are required. Providing an C section enables the authentication security level, providing a C section 
@@ -794,6 +791,26 @@ this you usually configure a common context "prefix", with Netdisco's default being "C" (i.e. C, C, etc). Add the C key to a stanza to override this default. +For other authentication mechanisms (HTTP, SSH, etc), C is also required. +Each transport will have different settings, but usually a C and +C are required, and optionally some other settings. See the +transport or driver documentation pages for further details. For example: + + device_auth: + - tag: ye_olde_snmp + community: public + - tag: sshcollector + only: 'group:sshcollectordevices' + driver: cli + method: arpnip_nodes + username: foo + password: bar + - tag: netconf_devices + only: 'vendor:juniper' + driver: netconf + username: oliver + password: letmein + Netdisco caches both the successful SNMPv2 read and write community strings, as well as the C names if available. This allows for faster operations once a connection has previously been made to a device. Tags are recommended. @@ -806,7 +823,7 @@ Finally, a reminder that multiple SNMPv2 community strings need to be in separate named stanza, as below. However for simple v2 configurations you can revert to the "C" setting, instead: - snmp_auth: + device_auth: - tag: 'default_v2_readonly1' community: 'read1' - tag: 'default_v2_readonly2' @@ -822,7 +839,7 @@ Value: String. Default none. An external program to run to get the community string for a given device. This is useful if, for example, you have you devices already configured in another NMS and you want to use that information instead of configuring -C. +C. The strings "C<%IP%>" and "C<%HOST%>" are replaced by the IP address and the hostname (or IP address if no hostname is known) of the system being 
@@ -836,7 +853,7 @@ The command must return output in the following form: setCommunity= If the community string is not known for the given system, the command should -return no output and the community strings configured in C, +return no output and the community strings configured in C, C, and C will be used instead. =head3 C diff --git a/lib/App/Netdisco/Util/SNMP.pm b/lib/App/Netdisco/Util/SNMP.pm index 791c11d8..d5806df2 100644 --- a/lib/App/Netdisco/Util/SNMP.pm +++ b/lib/App/Netdisco/Util/SNMP.pm @@ -264,7 +264,7 @@ sub _build_communities { $mode ||= 'read'; my $seen_tags = {}; # for cleaning community table - my $config = (setting('snmp_auth') || []); + my $config = (setting('device_auth') || []); my $tag_name = 'snmp_auth_tag_'. $mode; my $stored_tag = eval { $device->community->$tag_name }; my $snmp_comm_rw = eval { $device->community->snmp_comm_rw }; @@ -302,10 +302,10 @@ sub _build_communities { $stanza->{no} = [$stanza->{no}] if ref '' eq ref $stanza->{no}; $stanza->{only} = [$stanza->{only}] if ref '' eq ref $stanza->{only}; - die "error: config: snmpv2 community in snmp_auth must be single item, not list\n" + die "error: config: snmpv2 community in device_auth must be single item, not list\n" if ref $stanza->{community}; - die "error: config: snmpv3 stanza in snmp_auth must have a tag\n" + die "error: config: snmpv3 stanza in device_auth must have a tag\n" if not $stanza->{tag} and !exists $stanza->{community}; diff --git a/share/config.yml b/share/config.yml index dc7afbde..66bf76ed 100644 --- a/share/config.yml +++ b/share/config.yml @@ -126,7 +126,7 @@ host_groups: device_identity: [] community: ['public'] community_rw: ['private'] -snmp_auth: [] +device_auth: [] get_community: "" bulkwalk_off: false bulkwalk_no: [] diff --git a/share/environments/deployment.yml b/share/environments/deployment.yml index fa41ac7e..aa126c3d 100644 --- a/share/environments/deployment.yml +++ b/share/environments/deployment.yml 
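Review bot: Reading only `setting('device_auth')` here drops all recognition of the old `snmp_auth` key, so an upgraded deployment whose config still says `snmp_auth:` gets an empty list and polling silently falls back to the global `community`/`community_rw` defaults (`public`/`private` in share/config.yml), with any SNMPv3 credentials no longer used. A transitional read such as `my $config = (setting('device_auth') || setting('snmp_auth') || []);`, paired with a warning when the old key is the one found, would make the rename fail loudly instead of quietly downgrading authentication. Separately, the new POD in this patch documents non-SNMP `device_auth` stanzas (`driver: cli`, `driver: netconf`) that carry `username`/`password` but no `community`; the stanza loop after this hunk is outside the diff, but if it still treats "no `community`" as SNMPv3 it will now try those stanzas as SNMP, so consider filtering with `grep { not exists $_->{driver} } @{ setting('device_auth') || [] }` before the loop. _build_communities starts and ends outside the hunk.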
@@ -30,7 +30,7 @@ safe_password_store: true # SNMP community string(s) # ```````````````````````` -snmp_auth: +device_auth: - tag: 'default_v2_readonly' community: 'public' read: true