[SNMP4J] vacm.addAccess not adding entry properly causing Access denied by VACM for traps (view not found)
Frank Fock
fock at agentpp.com
Wed Dec 8 23:53:38 CET 2010
Hi,
Which version of SNMP4J-Agent are you using?
Best regards,
Frank
On 08.12.2010 15:29, Alex Punnen wrote:
> Hi ,
>
> I am getting the error
> "WARN org.snmp4j.agent.mo.snmp.NotificationOriginatorImpl - Access denied
> by VACM for 1.3.6.1.6.3.1.1.5.1" (coldStartTrap) when I use the test agent
> But I am able to get this trap while using SampleAgent.
>
> I debugged a bit and was trying to compare the output of *TestAgent*
> and *SampleAgent*.
>
> In TestAgent, though I create the VACM with exact context match, in the trace I
> am getting
>
> vacm.addAccess(new OctetString("v1v2cgroup"), new OctetString("public"),
> SecurityModel.SECURITY_MODEL_SNMPv2c,
> SecurityLevel.NOAUTH_NOPRIV,
> * MutableVACM.VACM_MATCH_EXACT*,
> new OctetString("fullReadView"),
> new OctetString("fullWriteView"),
> new OctetString("fullNotifyView"),
> StorageType.permanent);
>
> Because of this I guess the method *getViewNameByGroup* in *VacmMIB* is
> failing to find a match
>
> System.out.println("Matching against access entry "+row+
> " with exactContextMatch="+exactContextMatch+
> ", prefixMatch="+prefixMatch+
> ", matchSecModel="+matchSecModel+
> " and matchSecLevel="+matchSecLevel);
>
> Basically it does not go into the if loop of the method (if(false& true)=
> if(false))
>
> if ((exactContextMatch || prefixMatch)&&
> (matchSecModel)&&
> matchSecLevel) {
>
> Hence it does not go into
>
> if (possibleMatch != null) {
> case VACM.VIEW_NOTIFY: {
> viewName = (OctetString)
> possibleMatch.getValue(idxVacmAccessNotifyViewName);
> break;
>
> Just to test, I put this as true and I am seeing the trap
>
> System.out.println("Matching against access entry "+row+
> " with exactContextMatch="+exactContextMatch+
> ", prefixMatch="+prefixMatch+
> ", matchSecModel="+matchSecModel+
> " and matchSecLevel="+matchSecLevel);
> * //ToDO: ACP *
> * exactContextMatch = true; //just a test*
>
>
> *1*. So the question is why setting
> MutableVACM.VACM_MATCH_EXACT in vacm.addAccess is not giving the desired result
>
> *2*. Also I was wondering how the SampleAgent created this properly using
> the property file; is it not also calling the same VacmMIB methods as
> TestAgent?
>
> *3*. We need to write an SNMP agent; which approach is suggested, the
> SampleAgent way via the config file or extending from the BaseAgent?
>
> Thanks in advance for the response; else I continue to grope and post :)
>
>
> *Test Agent*
>
> *Original flow*
>
> A;'';';CM access requested for context=, securityName=public,
> securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
> Gropuname=v1v2cgroup
> Got views
> [DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
> fullReadView, fullWriteView, fullNotifyView, 4, 1]] for group name
> 'v1v2cgroup'
>
> Matching against access entry
> DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
> fullReadView, fullWriteView, fullNotifyView, 4, 1] with
> exactContextMatch=false, prefixMatch=false, matchSecModel=true and
> matchSecLevel=true
> 297 [main] WARN org.snmp4j.agent.mo.snmp.NotificationOriginatorImpl -
> Access denied by VACM for 1.3.6.1.6.3.1.1.5.1
>
>
> *Test flow with exactContextMatch= true*
>
> VA;'';';CM access requested for context=, securityName=public,
> securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
> Gropuname=v1v2cgroup
> Got views
> [DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
> fullReadView, fullWriteView, fullNotifyView, 4, 1]] for group name
> 'v1v2cgroup'
> Matching against access entry
> DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1,values=[1,
> fullReadView, fullWriteView, fullNotifyView, 4, 1] with
> exactContextMatch=false, prefixMatch=false, matchSecModel=true and
> matchSecLevel=true
> 234 [main] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching view found for
> group name 'v1v2cgroup' is 'fullNotifyView'
> 234 [main] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Access allowed for view
> 'fullNotifyView' by subtree 1.3 for OID 1.3.6.1.6.3.1.1.5.1
> 234 [main] INFO org.snmp4j.agent.mo.snmp.NotificationOriginatorImpl - Test
> -Trap Sending to address 7f:00:00:01:00:a2
> 234 [main] DEBUG org.snmp4j.Snmp - Running pending sync request with handle
> PduHandle[1360809839] and retry count left 1
>
> *Sample Agent*
>
> Original Flow
>
> VA;'';';CM access requested for context=, securityName=public,
> securityModel=2, securityLevel=1, viewType=0, OID=1.3.6.1.6.3.1.1.5.1
> Gropuname=v1v2cgroup
> Got views
> [DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.1.1,
> values=[1, unrestrictedReadView, unrestrictedWriteView,
> unrestrictedNotifyView, 4, 1],
> DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.2.1,
> values=[1, unrestrictedReadView, unrestrictedWriteView,
> unrestrictedNotifyView, 4, 1]] for group name 'v1v2cgroup'
>
>
> Matching against access entry
> DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.1.1,values=[1,
> unrestrictedReadView, unrestrictedWriteView, unrestrictedNotifyView, 4, 1]
> with exactContextMatch=true, prefixMatch=false, matchSecModel=false and
> matchSecLevel=true
>
> Matching against access entry
> DefaultMOMutableRow2PC[index=10.118.49.118.50.99.103.114.111.117.112.0.2.1,values=[1,
> unrestrictedReadView, unrestrictedWriteView, unrestrictedNotifyView, 4, 1]
> with exactContextMatch=true, prefixMatch=false, matchSecModel=true and
> matchSecLevel=true
>
>
>
> ------------
>
>
>
> Best Regards,
> Alex.C.P
> -----------------------------------------
> Nokia Siemens Network India Pvt Ltd,
> -----------------------------------------
--
AGENT++
http://www.agentpp.com
http://www.snmp4j.com
http://www.mibexplorer.com
http://www.mibdesigner.com
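
The row indexes printed in the quoted trace can be decoded with the vacmAccessTable INDEX clause from RFC 3415 (group name, context prefix, security model, security level). The following is an added example, not part of the original thread and not SNMP4J code: it decodes the TestAgent and SampleAgent indexes from the trace and applies the RFC 3415 exact/prefix context rule to the empty request context. The TestAgent row carries "public" in the context-prefix position and fails the exact match, while the SampleAgent row carries an empty prefix and passes. Class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added illustration; names are hypothetical, not SNMP4J API. Requires Java 16+ (records).
public class VacmAccessIndexCheck {
    // vacmAccessTable INDEX (RFC 3415): group name, context prefix, model, level.
    record AccessIndex(String group, String contextPrefix, int secModel, int secLevel) {}

    // The two string sub-indexes are length-prefixed: <len>.<byte>.<byte>...
    static AccessIndex decode(String dotted) {
        int[] sub = Arrays.stream(dotted.split("\\.")).mapToInt(Integer::parseInt).toArray();
        String[] parts = new String[2];
        int pos = 0;
        for (int i = 0; i < 2; i++) {
            int len = sub[pos++];
            // Leave room for the two trailing integer sub-indexes.
            if (len < 0 || pos + len > sub.length - 2) {
                throw new IllegalArgumentException("bad length prefix at sub-index " + (pos - 1));
            }
            byte[] raw = new byte[len];
            for (int j = 0; j < len; j++) raw[j] = (byte) sub[pos++];
            parts[i] = new String(raw, StandardCharsets.UTF_8);
        }
        if (pos + 2 != sub.length) {
            throw new IllegalArgumentException("unexpected trailing sub-indexes");
        }
        return new AccessIndex(parts[0], parts[1], sub[pos], sub[pos + 1]);
    }

    // vacmAccessContextMatch: 1 = exact (contexts equal), 2 = prefix (context starts with prefix).
    static boolean contextMatches(AccessIndex idx, int contextMatch, String requestContext) {
        return contextMatch == 1
                ? requestContext.equals(idx.contextPrefix())
                : requestContext.startsWith(idx.contextPrefix());
    }

    public static void main(String[] args) {
        // Index strings copied from the trace in the quoted message.
        String testAgent = "10.118.49.118.50.99.103.114.111.117.112.6.112.117.98.108.105.99.2.1";
        String sampleAgent = "10.118.49.118.50.99.103.114.111.117.112.0.2.1";
        for (String index : new String[] {testAgent, sampleAgent}) {
            AccessIndex idx = decode(index);
            // Request in the trace: context is empty; first row value 1 = exact match.
            System.out.println(idx + " matches empty context: " + contextMatches(idx, 1, ""));
        }
    }
}
```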