Comments (7)
First off, I am definitely not an SNMP expert. I only wrote this module in order to have something for the HP hardware monitoring tools (Support Pack for Proliant) to work with. I have a bad habit of being thorough. With that said...
With traditional access control, you can give a simple password and (optional) network restriction:
```puppet
class { 'snmp':
  ro_community => 'myPassword',
  ro_network   => '10.0.0.0/8',
}
```
and it becomes this in snmpd.conf:
```
rocommunity myPassword 10.0.0.0/8
```
This says that any host on network 10.0.0.0/8 can read any SNMP value via SNMP versions 1 and 2c as long as they provide the password 'myPassword'.
With VACM, you can do this (more complex thing) instead:
```puppet
class { 'snmp':
  com2sec  => ['myUserName 10.0.0.0/8 myPassword'],
  groups   => ['myGroupName v1 myUserName',
               'myGroupName v2c myUserName'],
  views    => ['everyThing included .'],
  accesses => ['myGroupName "" any noauth exact everyThing none none'],
}
```
and it becomes this in snmpd.conf:
```
com2sec myUserName 10.0.0.0/8 myPassword
group myGroupName v1 myUserName
group myGroupName v2c myUserName
view everyThing included .
access myGroupName "" any noauth exact everyThing none none
```
This also says that any host on network 10.0.0.0/8 can read any SNMP value via SNMP versions 1 and 2c as long as they provide the password 'myPassword'. But it also gives you the ability to change any of those variables.
Reference: Manpage of snmpd.conf - Access Control
from puppet-snmp.
That goes a long way to clarify things. Would you please integrate that into the docs?
Another thought I had was rather than eliminating ro_community, rw_community, ro_network, and rw_network, why not permit them but have them generate the appropriate com2sec/group/view/access statements instead? It seems like it would be less error prone to have Puppet do the transformation than to let humans do it.
from puppet-snmp.
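The transformation proposed in the comment above, sketched in Ruby as an added example; this is not puppet-snmp's code. The function name, parameter names and defaults are assumptions, with the default names borrowed from the VACM example earlier in the thread.

```ruby
# Added illustration; not code from puppet-snmp. Function and parameter
# names are hypothetical.

# snmpd.conf is whitespace-delimited, so each value must be one token.
# Rejecting whitespace, quotes and '#' keeps a community string from
# splitting the line or starting a comment.
SINGLE_TOKEN = /\A[^\s"#]+\z/

def token!(label, value)
  value = value.to_s
  raise ArgumentError, "#{label} must be a single token" unless value.match?(SINGLE_TOKEN)
  value
end

# Expand one traditional community setting into VACM directives.
# write: false mirrors rocommunity (write view "none");
# write: true mirrors rwcommunity (write view = read view).
# network 'default' is the com2sec source that matches any host.
def vacm_lines(community:, network: 'default', write: false,
               sec_name: 'myUserName', group: 'myGroupName',
               view: 'everyThing', subtree: '.')
  community = token!('community', community)
  network   = token!('network', network)
  sec_name  = token!('sec_name', sec_name)
  group     = token!('group', group)
  view      = token!('view', view)
  subtree   = token!('subtree', subtree)
  write_view = write ? view : 'none'
  [
    "com2sec #{sec_name} #{network} #{community}",
    "group #{group} v1 #{sec_name}",
    "group #{group} v2c #{sec_name}",
    "view #{view} included #{subtree}",
    %(access #{group} "" any noauth exact #{view} #{write_view} none),
  ]
end

if __FILE__ == $PROGRAM_NAME
  # Same inputs as the ro_community / ro_network example in the thread.
  puts vacm_lines(community: 'myPassword', network: '10.0.0.0/8')
end
```

Passing a narrower `subtree` than `.` limits what the community can read, which the single-line `rocommunity` form in the thread does not express.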
I will integrate this into the docs.
I am trying to remember why I decided to eliminate ro_community, rw_community, ro_network, and rw_network. For the life of me, I have no idea. Although you can always use the safety valve, I think I will keep them around.
from puppet-snmp.
I have been working on updated documentation. https://github.com/razorsedge/puppet-snmp/blob/feature/README.markdown/README.markdown
Let me know what you think.
from puppet-snmp.
This is a big improvement. The one aspect I would change is that it is
difficult to tell which are config file reserved keywords and which are
things a user can change. I would simply add:
- myUserName: A username you've selected.
- myGroupName: A group name you assign users to.
- everyThing: A "view" i.e. a list of MIBs that will be ACLed as a unit.
On Sun, Jul 5, 2015 at 3:02 AM, Mike Arnold [email protected] wrote:
> I have been working on updated documentation.
> https://github.com/razorsedge/puppet-snmp/blob/feature/README.markdown/README.markdown
> Let me know what you think.
Email: [email protected] Work: [email protected]
Skype: YesThatTom
Blog: http://EverythingSysadmin.com
from puppet-snmp.
README.markdown has been updated with your suggestion.
from puppet-snmp.
Thanks!
from puppet-snmp.