[SNMP4J] Difficulty with vacmViewExcluded

Frank Fock fock at agentpp.com
Sun Oct 27 12:29:21 CET 2013


Hi,

I cannot reproduce the issue. Are you sure that you have defined the views
and groups consistently?

Is the sysObjectID.0 instance not Null?

Best regards,
Frank

On 25.10.2013 17:11, m k wrote:
> Hello,
>
> I've been trying to restrict the user's read view of a subtree, with the ultimate goal of filtering out everything from 1.3.6.1.6.3.16.*, so the user could see everything but that VACM information. However, I can't seem to limit my restriction. As a small experiment, I tried to filter out sysDescr.0, while leaving everything else readable, as below:
>
>
> I added the view tree family like so:
>
> vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3.6.1.2.1.1.1.0"),
>                         new OctetString(), VacmMIB.vacmViewExcluded,
>                         StorageType.nonVolatile);
>
> Now, when the user attempts to access sysDescr.0, the following debug info shows they are denied access (as I expected):
>
> 23829 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping  - Received message from localhost/127.0.0.1/50196 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:4d:85:9b:1c:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:05:00
> 23842 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.Snmp  - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[1300601628], stateReference=StateReference[msgID=0,pduHandle=PduHandle[1300601628],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GET[requestID=1300601628, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.1.0 = Null]], messageProcessingModel=1, securityName=public, processed=false, peerAddress=127.0.0.1/50196, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping at 11505881, tmStateReference=null]
> 23843 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Looking up coexistence info for 'public'
> 23845 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Found coexistence info for 'public'=CoexistenceInfo[securityName=v1v2User,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=,transportTag=]
> 23845 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Address 127.0.0.1/50196 passes filter, because source address filtering is disabled
> 23851 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Found group name 'v1v2ReadOnly' for secName 'v1v2User' and secModel 2
> 23853 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Got views [DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1, fullReadView, restrictedWriteView, fullNotifyView, 3, 1]] for group name 'v1v2ReadOnly'
> 23853 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching against access entry DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1, fullReadView, restrictedWriteView, fullNotifyView, 3, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=true and matchSecLevel=true
> 23854 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching view found for group name 'v1v2ReadOnly' is 'fullReadView'
> 23859 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true] from 1.3.6.1.2.1.1.1.0 = Null
> 23860 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true],vb=1.3.6.1.2.1.1.1.0 = Null,status=org.snmp4j.agent.request.RequestStatus at 417f6125,query=null,index=0,targetMO=null]]
> 23862 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Access denied for view 'fullReadView' by subtree 1.3.6.1.2.1.1.1.0 for OID 1.3.6.1.2.1.1.1.0
> 23864 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping  - Sending message to 127.0.0.1/50196 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:4d:85:9b:1c:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:80:00
>
> However, when the user attempts to access the very next OID, which I did not intend to block, this is the result:
>
> 82799 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping  - Received message from localhost/127.0.0.1/58177 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:4d:85:9b:1f:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:05:00
> 82800 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.Snmp  - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[1300601631], stateReference=StateReference[msgID=0,pduHandle=PduHandle[1300601631],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GET[requestID=1300601631, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.2.0 = Null]], messageProcessingModel=1, securityName=public, processed=false, peerAddress=127.0.0.1/58177, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping at 11505881, tmStateReference=null]
> 82800 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Looking up coexistence info for 'public'
> 82801 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Found coexistence info for 'public'=CoexistenceInfo[securityName=v1v2User,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=,transportTag=]
> 82801 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Address 127.0.0.1/58177 passes filter, because source address filtering is disabled
> 82801 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Found group name 'v1v2ReadOnly' for secName 'v1v2User' and secModel 2
> 82802 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Got views [DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1, fullReadView, restrictedWriteView, fullNotifyView, 3, 1]] for group name 'v1v2ReadOnly'
> 82802 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching against access entry DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1, fullReadView, restrictedWriteView, fullNotifyView, 3, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=true and matchSecLevel=true
> 82803 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching view found for group name 'v1v2ReadOnly' is 'fullReadView'
> 82803 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true] from 1.3.6.1.2.1.1.2.0 = Null
> 82803 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true],vb=1.3.6.1.2.1.1.2.0 = Null,status=org.snmp4j.agent.request.RequestStatus at 316ce88a,query=null,index=0,targetMO=null]]
> 82804 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping  - Sending message to 127.0.0.1/58177 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:4d:85:9b:1f:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:80:00
>
> So, while they are not explicitly denied, it's the same failure result as if they were. To be sure, if I change the previous code to this below, both OIDs can be accessed and retrieved perfectly:
>
> // Works fine, but no restriction.
> vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3"),
>                 new OctetString(), VacmMIB.vacmViewIncluded,
>                 StorageType.nonVolatile);
>
> ...
>
> What might the problem be here, and how can I achieve the restriction I am looking for? By the way, I'm using snmp4j-agent-2.0.10a.
>
>
> Thanks for your help
> _______________________________________________
> SNMP4J mailing list
> SNMP4J at agentpp.org
> http://lists.agentpp.org/mailman/listinfo/snmp4j

-- 
---
AGENT++
Maximilian-Kolbe-Str. 10
73257 Koengen, Germany
https://agentpp.com
Phone: +49 7024 8688230
Fax:   +49 7024 8688231
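To see why a view that consists of a single vacmViewExcluded family also denies the neighbouring OID, here is an added example (not code from this thread or from SNMP4J) that implements the RFC 3415 view-tree-family lookup in Python: an OID is checked against the family with the longest matching subtree (ties broken by the lexicographically greatest subtree, masks honoured), and an OID that matches no family at all is outside the view. The view name, OIDs and family entries are taken from the question; the three view lists, the mask handling (one bit per sub-identifier, missing bits treated as 1) and the vacmViewTreeFamilyType column OID are assumptions of this illustration.

```python
"""RFC 3415 (VACM) view lookup, added illustration for the thread above.

A view is a set of (subtree, mask, type) families. An OID is in the view
only when its best matching family (longest subtree, then lexicographically
greatest) has type included; an OID matching no family is NOT in the view.
"""
INCLUDED, EXCLUDED = 1, 2   # vacmViewTreeFamilyType values

def parse_oid(s):
    return tuple(int(x) for x in s.strip(".").split("."))

def mask_bit(mask, i):
    # vacmViewTreeFamilyMask: one bit per sub-identifier, MSB first;
    # bits beyond the end of the mask count as 1 (exact match).
    if i >= len(mask) * 8:
        return 1
    return (mask[i // 8] >> (7 - (i % 8))) & 1

def family_matches(subtree, mask, oid):
    if len(oid) < len(subtree):
        return False
    return all(mask_bit(mask, i) == 0 or subtree[i] == oid[i]
               for i in range(len(subtree)))

def is_in_view(view, oid):
    """view: list of (subtree string, mask bytes, family type)."""
    target, best = parse_oid(oid), None
    for subtree_s, mask, ftype in view:
        subtree = parse_oid(subtree_s)
        if not family_matches(subtree, mask, target):
            continue
        key = (len(subtree), subtree)      # longest, then greatest, wins
        if best is None or key > best[0]:
            best = (key, ftype)
    return best is not None and best[1] == INCLUDED

# Constructed "fullReadView" contents for the three situations discussed.
EXCLUDE_ONLY = [("1.3.6.1.2.1.1.1.0", b"", EXCLUDED)]          # as posted
INCLUDE_AND_EXCLUDE = [("1.3", b"", INCLUDED),                 # root included,
                       ("1.3.6.1.2.1.1.1.0", b"", EXCLUDED)]   # sysDescr.0 hidden
HIDE_VACM = [("1.3", b"", INCLUDED),                           # the stated goal:
             ("1.3.6.1.6.3.16", b"", EXCLUDED)]                # hide vacmMIB only

SYS_DESCR, SYS_OBJECT_ID = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.2.0"
VACM_FAMILY_TYPE_COL = "1.3.6.1.6.3.16.1.5.2.1.4"   # vacmViewTreeFamilyType

if __name__ == "__main__":
    for name, view in [("exclude-only", EXCLUDE_ONLY),
                       ("include+exclude", INCLUDE_AND_EXCLUDE),
                       ("hide-vacm", HIDE_VACM)]:
        for oid in (SYS_DESCR, SYS_OBJECT_ID, VACM_FAMILY_TYPE_COL):
            print(f"{name:16} {oid:28} in view: {is_in_view(view, oid)}")
```

With the exclude-only list both sysDescr.0 and sysObjectID.0 fall outside the view, which is the behaviour the debug log shows; only a view that also carries an included family for the root grants the remaining OIDs.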
