[SNMP4J] Difficulty with vacmViewExcluded

Frank Fock fock at agentpp.com
Thu Oct 31 22:13:05 CET 2013


Hi,

Again, I cannot reproduce this. You must have other modifications of the
SNMP4J sources in place than just the vacmViewExcluded statement, or is
the sysObjectID.0 instance Null?

Normally you should see the following logging output as I do:
64773 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Access allowed for view 'fullReadView' by subtree 1.3 for OID 1.3.6.1.2.1.1.2.0

Best regards,
Frank


On 31.10.2013 21:51, m k wrote:
> Hi,
>
> I reproduced the issue by merely making the change below in TestAgent.java in the SNMP4J-Agent project. Again, I'm attempting to exclude only sysDescr.0, but I actually exclude that and everything else.
>
>    // Before
>    vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3"),
>                           new OctetString(), VacmMIB.vacmViewIncluded,
>                           StorageType.nonVolatile);
>
>    // After
>    vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3.6.1.2.1.1.1.0"),
>                           new OctetString(), VacmMIB.vacmViewExcluded,
>                           StorageType.nonVolatile);
>
> I first try sysDescr.0 and get the expected denial, then I am indirectly denied again when attempting sysObjectID.0. Here is the result:
>
>
> 8803 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping  - Received message from /127.0.0.1/51206 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:18:56:78:81:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:05:00
> 8815 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.Snmp  - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[408320129], stateReference=StateReference[msgID=0,pduHandle=PduHandle[408320129],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GET[requestID=408320129, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.1.0 = Null]], messageProcessingModel=1, securityName=public, processed=false, peerAddress=127.0.0.1/51206, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping at 77fddc31, tmStateReference=null]
> 8815 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Looking up coexistence info for 'public'
> 8817 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Found coexistence info for 'public'=CoexistenceInfo[securityName=cpublic,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=public,transportTag=]
> 8817 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Address 127.0.0.1/51206 passes filter, because source address filtering is disabled
> 8822 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Found group name 'v1v2group' for secName 'cpublic' and secModel 2
> 8823 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Got views [DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1, fullReadView, fullWriteView, fullNotifyView, 3, 1]] for group name 'v1v2group'
> 8823 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching against access entry DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1, fullReadView, fullWriteView, fullNotifyView, 3, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=true and matchSecLevel=true
> 8823 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching view found for group name 'v1v2group' is 'fullReadView'
> 8826 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true] from 1.3.6.1.2.1.1.1.0 = Null
> 8826 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true],vb=1.3.6.1.2.1.1.1.0 = Null,status=org.snmp4j.agent.request.RequestStatus at 6fc5f743,query=null,index=0,targetMO=null]]
> 8827 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Access denied for view 'fullReadView' by subtree 1.3.6.1.2.1.1.1.0 for OID 1.3.6.1.2.1.1.1.0
> 8828 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping  - Sending message to 127.0.0.1/51206 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:18:56:78:81:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:80:00
> 16651 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping  - Received message from /127.0.0.1/51207 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:18:56:78:84:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:05:00
> 16651 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.Snmp  - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[408320132], stateReference=StateReference[msgID=0,pduHandle=PduHandle[408320132],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GET[requestID=408320132, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.2.0 = Null]], messageProcessingModel=1, securityName=public, processed=false, peerAddress=127.0.0.1/51207, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping at 77fddc31, tmStateReference=null]
> 16651 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Looking up coexistence info for 'public'
> 16652 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Found coexistence info for 'public'=CoexistenceInfo[securityName=cpublic,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=public,transportTag=]
> 16652 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Address 127.0.0.1/51207 passes filter, because source address filtering is disabled
> 16652 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Found group name 'v1v2group' for secName 'cpublic' and secModel 2
> 16652 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Got views [DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1, fullReadView, fullWriteView, fullNotifyView, 3, 1]] for group name 'v1v2group'
> 16653 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching against access entry DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1, fullReadView, fullWriteView, fullNotifyView, 3, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=true and matchSecLevel=true
> 16653 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching view found for group name 'v1v2group' is 'fullReadView'
> 16653 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true] from 1.3.6.1.2.1.1.2.0 = Null
> 16653 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true],vb=1.3.6.1.2.1.1.2.0 = Null,status=org.snmp4j.agent.request.RequestStatus at 58ecb281,query=null,index=0,targetMO=null]]
> 16654 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping  - Sending message to 127.0.0.1/51207 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:18:56:78:84:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:80:00
>
>> Date: Sun, 27 Oct 2013 12:29:21 +0100
>> From: fock at agentpp.com
>> To: snmp4j at agentpp.org
>> Subject: Re: [SNMP4J] Difficulty with vacmViewExcluded
>>
>> Hi,
>>
>> I cannot reproduce the issue. Are you sure that you have defined the views
>> and groups consistently?
>>
>> Is the sysObjectID.0 instance not Null?
>>
>> Best regards,
>> Frank
>>
>> On 25.10.2013 17:11, m k wrote:
>>> Hello,
>>>
>>> I've been trying to restrict the user's read view of a subtree, with the ultimate goal of filtering out everything from 1.3.6.1.6.3.16.*, so the user could see everything but that VACM information. However, I can't seem to limit my restriction. As a small experiment, I tried to filter out sysDescr.0, while leaving everything else readable, as below:
>>>
>>>
>>> I added the view tree family like so:
>>>
>>> vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3.6.1.2.1.1.1.0"),
>>>                          new OctetString(), VacmMIB.vacmViewExcluded,
>>>                          StorageType.nonVolatile);
>>>
>>> Now, when the user attempts to access sysDescr.0, the following debug info shows they are denied access (as I expected):
>>>
>>> 23829 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping  - Received message from localhost/127.0.0.1/50196 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:4d:85:9b:1c:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:05:00
>>> 23842 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.Snmp  - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[1300601628], stateReference=StateReference[msgID=0,pduHandle=PduHandle[1300601628],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GET[requestID=1300601628, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.1.0 = Null]], messageProcessingModel=1, securityName=public, processed=false, peerAddress=127.0.0.1/50196, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping at 11505881, tmStateReference=null]
>>> 23843 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Looking up coexistence info for 'public'
>>> 23845 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Found coexistence info for 'public'=CoexistenceInfo[securityName=v1v2User,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=,transportTag=]
>>> 23845 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Address 127.0.0.1/50196 passes filter, because source address filtering is disabled
>>> 23851 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Found group name 'v1v2ReadOnly' for secName 'v1v2User' and secModel 2
>>> 23853 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Got views [DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1, fullReadView, restrictedWriteView, fullNotifyView, 3, 1]] for group name 'v1v2ReadOnly'
>>> 23853 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching against access entry DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1, fullReadView, restrictedWriteView, fullNotifyView, 3, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=true and matchSecLevel=true
>>> 23854 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching view found for group name 'v1v2ReadOnly' is 'fullReadView'
>>> 23859 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true] from 1.3.6.1.2.1.1.1.0 = Null
>>> 23860 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true],vb=1.3.6.1.2.1.1.1.0 = Null,status=org.snmp4j.agent.request.RequestStatus at 417f6125,query=null,index=0,targetMO=null]]
>>> 23862 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Access denied for view 'fullReadView' by subtree 1.3.6.1.2.1.1.1.0 for OID 1.3.6.1.2.1.1.1.0
>>> 23864 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping  - Sending message to 127.0.0.1/50196 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:4d:85:9b:1c:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:80:00
>>>
>>> However, when the user attempts to access the very next OID, which I did not intend to block, this is the result:
>>>
>>> 82799 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping  - Received message from localhost/127.0.0.1/58177 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:4d:85:9b:1f:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:05:00
>>> 82800 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.Snmp  - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[1300601631], stateReference=StateReference[msgID=0,pduHandle=PduHandle[1300601631],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GET[requestID=1300601631, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.2.0 = Null]], messageProcessingModel=1, securityName=public, processed=false, peerAddress=127.0.0.1/58177, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping at 11505881, tmStateReference=null]
>>> 82800 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Looking up coexistence info for 'public'
>>> 82801 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Found coexistence info for 'public'=CoexistenceInfo[securityName=v1v2User,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=,transportTag=]
>>> 82801 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Address 127.0.0.1/58177 passes filter, because source address filtering is disabled
>>> 82801 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Found group name 'v1v2ReadOnly' for secName 'v1v2User' and secModel 2
>>> 82802 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Got views [DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1, fullReadView, restrictedWriteView, fullNotifyView, 3, 1]] for group name 'v1v2ReadOnly'
>>> 82802 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching against access entry DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1, fullReadView, restrictedWriteView, fullNotifyView, 3, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=true and matchSecLevel=true
>>> 82803 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching view found for group name 'v1v2ReadOnly' is 'fullReadView'
>>> 82803 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true] from 1.3.6.1.2.1.1.2.0 = Null
>>> 82803 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true],vb=1.3.6.1.2.1.1.2.0 = Null,status=org.snmp4j.agent.request.RequestStatus at 316ce88a,query=null,index=0,targetMO=null]]
>>> 82804 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping  - Sending message to 127.0.0.1/58177 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:4d:85:9b:1f:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:80:00
>>>
>>> So, while they are not explicitly denied, it's the same failure result as if they were. To be sure, if I change the previous code to this below, both OIDs can be accessed and retrieved perfectly:
>>>
>>> // Works fine, but no restriction.
>>> vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3"),
>>>                  new OctetString(), VacmMIB.vacmViewIncluded,
>>>                  StorageType.nonVolatile);
>>>
>>> ...
>>>
>>> What might the problem be here, and how can I achieve the restriction I am looking for? By the way, I'm using snmp4j-agent-2.0.10a.
>>>
>>>
>>> Thanks for your help
>>> _______________________________________________
>>> SNMP4J mailing list
>>> SNMP4J at agentpp.org
>>> http://lists.agentpp.org/mailman/listinfo/snmp4j
>> -- 
>> ---
>> AGENT++
>> Maximilian-Kolbe-Str. 10
>> 73257 Koengen, Germany
>> https://agentpp.com
>> Phone: +49 7024 8688230
>> Fax:   +49 7024 8688231
>>

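The thread turns on how a VACM view is computed from its vacmViewTreeFamilyTable rows. The following is an added example, not code from SNMP4J or from either poster, written in Python so that it runs stand-alone; it models the matching rule of RFC 3415 (no matching row means the instance is not in the view; otherwise the row with the most sub-identifiers decides, ties going to the lexicographically greatest subtree; a zero-length mask means exact match and mask bits beyond the mask's length count as 1) rather than the SNMP4J API. The first three row sets are the configurations named in the thread (the 'After' snippet with only the excluded row, the included 1.3 row plus that exclusion, and the stated goal of hiding 1.3.6.1.6.3.16). The ifPhysAddress wildcard row set, the instance OID under vacmMIB, and all function and class names are constructed for the example.

```python
"""RFC 3415 vacmViewTreeFamilyTable matching, applied to the view
configurations discussed in the thread.  Constructed example; not SNMP4J code."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple, Union

INCLUDED, EXCLUDED = 1, 2   # vacmViewTreeFamilyType: included(1), excluded(2)

OidT = Tuple[int, ...]


@dataclass(frozen=True)
class ViewTreeFamily:
    """One active row of vacmViewTreeFamilyTable (names are this example's own)."""
    view_name: str
    subtree: OidT
    mask: bytes = b""        # zero-length mask means "all ones", i.e. exact match
    type: int = INCLUDED


def oid(dotted: str) -> OidT:
    return tuple(int(x) for x in dotted.split("."))


def _mask_bit(mask: bytes, i: int) -> int:
    """Bit i of vacmViewTreeFamilyMask (MSB first); bits past the end count as 1."""
    byte = i // 8
    if byte >= len(mask):
        return 1
    return (mask[byte] >> (7 - (i % 8))) & 1


def family_matches(fam: ViewTreeFamily, target: OidT) -> bool:
    """A row matches when the target is at least as long as the subtree and every
    sub-identifier whose mask bit is 1 is equal to the subtree's."""
    if len(target) < len(fam.subtree):
        return False
    return all(_mask_bit(fam.mask, i) == 0 or fam.subtree[i] == target[i]
               for i in range(len(fam.subtree)))


def is_in_view(families: Iterable[ViewTreeFamily], view_name: str,
               target: Union[str, OidT]) -> bool:
    """No matching row: not in the view.  Otherwise the row with the most
    sub-identifiers decides; on a tie the lexicographically greatest subtree."""
    if isinstance(target, str):
        target = oid(target)
    matches = [f for f in families
               if f.view_name == view_name and family_matches(f, target)]
    if not matches:
        return False
    decisive = max(matches, key=lambda f: (len(f.subtree), f.subtree))
    return decisive.type == INCLUDED


SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"
SYS_OBJECT_ID_0 = "1.3.6.1.2.1.1.2.0"
VACM_INSTANCE = "1.3.6.1.6.3.16.1.1.1.0"   # constructed instance under vacmMIB

# The 'After' snippet from the thread: the excluded row replaced the included 1.3 row.
EXCLUDE_ONLY: List[ViewTreeFamily] = [
    ViewTreeFamily("fullReadView", oid(SYS_DESCR_0), type=EXCLUDED),
]

# Included 1.3 kept, with the exclusion added on top of it.
INCLUDE_THEN_EXCLUDE: List[ViewTreeFamily] = [
    ViewTreeFamily("fullReadView", oid("1.3"), type=INCLUDED),
    ViewTreeFamily("fullReadView", oid(SYS_DESCR_0), type=EXCLUDED),
]

# The stated end goal: everything readable except the VACM MIB subtree.
HIDE_VACM: List[ViewTreeFamily] = [
    ViewTreeFamily("fullReadView", oid("1.3"), type=INCLUDED),
    ViewTreeFamily("fullReadView", oid("1.3.6.1.6.3.16"), type=EXCLUDED),
]

# Constructed wildcard case: hide ifPhysAddress (1.3.6.1.2.1.2.2.1.6.<ifIndex>)
# for every interface.  Mask FF:DF clears bit 10, so the 11th sub-identifier
# (the instance) is not compared.
HIDE_IF_PHYS_ADDRESS: List[ViewTreeFamily] = [
    ViewTreeFamily("fullReadView", oid("1.3"), type=INCLUDED),
    ViewTreeFamily("fullReadView", oid("1.3.6.1.2.1.2.2.1.6.0"),
                   mask=b"\xff\xdf", type=EXCLUDED),
]


def evaluate(families: Iterable[ViewTreeFamily],
             targets: Iterable[str]) -> Dict[str, bool]:
    fams = list(families)
    return {t: is_in_view(fams, "fullReadView", t) for t in targets}


if __name__ == "__main__":
    for label, fams in [("exclude only", EXCLUDE_ONLY),
                        ("include 1.3 + exclude sysDescr.0", INCLUDE_THEN_EXCLUDE),
                        ("include 1.3 + exclude vacmMIB", HIDE_VACM)]:
        print(label, evaluate(fams, [SYS_DESCR_0, SYS_OBJECT_ID_0, VACM_INSTANCE]))
```

With only the excluded row present, no row matches sysObjectID.0 and the function returns False for it as well as for sysDescr.0, which is the behaviour the debug logs in the thread show (the second GET carries no "Access denied" line because nothing matched at all). With the included 1.3 row retained, the longer excluded row wins only for sysDescr.0 and sysObjectID.0 stays readable.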



