module that implements the View-based Access Control Model when
checking access rights as requested by an application (for example a
Command Responder or a Notification Originator application). The
abstract service primitive is:
statusInformation = -- success or errorIndication
isAccessAllowed(
securityModel -- Security Model in use
securityName -- principal who wants access
securityLevel -- Level of Security
viewType -- read, write, or notify view
contextName -- context containing variableName
variableName -- OID for the managed object
)
Wijnen, et. al. Standards Track [Page 6]
RFC 2275 VACM for SNMPv3 January 1998
The abstract data elements are:
statusInformation - one of the following:
accessAllowed - a MIB view was found and access is granted.
notInView - a MIB view was found but access is denied.
The variableName is not in the configured
MIB view for the specified viewType (i.e., in
the relevant entry in the vacmAccessTable).
noSuchView - no MIB view found because no view has been
configured for the specified viewType (i.e., in
the relevant entry in the vacmAccessTable).
noSuchContext - no MIB view found because of no entry in the
vacmContextTable for specified contextName.
noGroupName - no MIB view found because no entry has been
configured in the vacmSecurityToGroupTable
for the specified combination of
securityModel and securityName.
noAccessEntry - no MIB view found because no entry has been
configured in the vacmAccessTable for the
specified combination of contextName,
groupName (from vacmSecurityToGroupTable),
securityModel and securityLevel.
otherError - failure, an undefined error occurred.
securityModel - Security Model under which access is requested.
securityName - the principal on whose behalf access is requested.
securityLevel - Level of Security under which access is requested.
viewType - view to be checked (read, write or notify).
contextName - context in which access is requested.
variableName - object instance to which access is requested.
3.1. Overview of isAccessAllowed Process
The following picture shows how the decision for access control is made
by the View-based Access Control Model.
                  +-> securityModel -+
                  |   (a)            |
        who ------+                  +-> groupName -------+
        (1)       |                  |   (x)              |
                  +-> securityName --+                    |
                      (b)                                 |
                                                          |
        where ----> contextName --------------------------+
        (2)         (e)                                   |
                                                          |
                  +-> securityModel ----------------------+
                  |   (a)                                 |
        how ------+                                       +-> viewName -+
        (3)       |                                       |   (y)       |
                  +-> securityLevel ----------------------+             |
                      (c)                                 |             |
                                                          |             |
        why ------> viewType (read/write/notify) ---------+             +-> yes/no
        (4)         (d)                                                 |   decision
                                                                        |   (z)
        what -----> object-type ---------+                              |
        (5)         (m)                  |                              |
                                         +-> variableName (OID) --------+
                                         |   (f)
        which ----> object-instance -----+
        (6)         (n)
How the decision for isAccessAllowed is made.
1) Inputs to the isAccessAllowed service are:
(a) securityModel -- Security Model in use
(b) securityName -- principal who wants to access
(c) securityLevel -- Level of Security
(d) viewType -- read, write, or notify view
(e) contextName -- context containing variableName
(f) variableName -- OID for the managed object
-- this is made up of:
- object-type (m)
- object-instance (n)
2) The partial "who" (1), represented by the securityModel (a) and
the securityName (b), are used as the indices (a,b) into the
vacmSecurityToGroupTable to find a single entry that produces a
group, represented by groupName (x).
3) The "where" (2), represented by the contextName (e), the "who",
represented by the groupName (x) from the previous step, and the
"how" (3), represented by securityModel (a) and securityLevel (c),
are used as indices (e,x,a,c) into the vacmAccessTable to find a
single entry that contains three MIB views.
4) The "why" (4), represented by the viewType (d), is used to select
the proper MIB view, represented by a viewName (y), from the
vacmAccessEntry selected in the previous step. This viewName (y) is
an index into the vacmViewTreeFamilyTable and selects the set of
entries that define the variableNames which are included in or
excluded from the MIB view identified by the viewName (y).
5) The "what" (5) type of management data and "which" (6) particular
instance, together represented by the variableName (f), are then checked
for membership in that MIB view, i.e., the yes/no decision (z).
3.2. Processing the isAccessAllowed Service Request
This section describes the procedure followed by an Access Control
module that implements the View-based Access Control Model whenever
it receives an isAccessAllowed request.
1) The vacmContextTable is consulted for information about
the SNMP context identified by the contextName. If information
about this SNMP context is absent from the table, then an
errorIndication (noSuchContext) is returned to the calling module.
2) The vacmSecurityToGroupTable is consulted for mapping the
securityModel and securityName to a groupName. If the information
about this combination is absent from the table, then an
errorIndication (noGroupName) is returned to the calling module.
3) The vacmAccessTable is consulted for information about the
groupName, contextName, securityModel and securityLevel. If
information about this combination is absent from the table, then
an errorIndication (noAccessEntry) is returned to the calling
module.
4) a) If the viewType is "read", then the read view is used for
checking access rights.
b) If the viewType is "write", then the write view is used for
checking access rights.
c) If the viewType is "notify", then the notify view is used
for checking access rights.
If the view to be used is the empty view (zero length viewName)
then an errorIndication (noSuchView) is returned to the calling
module.
5) a) If there is no view configured for the specified viewType,
then an errorIndication (noSuchView) is returned to the calling
module.
b) If the specified variableName (object instance) is not in the
MIB view (see DESCRIPTION clause for vacmViewTreeFamilyTable in
section 4), then an errorIndication (notInView) is returned to
the calling module.
Otherwise,
c) The specified variableName is in the MIB view.
A statusInformation of success (accessAllowed) is returned to
the calling module.
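The lookup chain of steps 1 to 5 above, as an added Python example; this is not code from the RFC and is not taken from any SNMP implementation. The table contents, the group name "ops", the view name "opsView", the principal "operator" and the chosen OIDs are constructed for illustration. The example matches securityLevel as an exact table index, exactly as section 3.2 describes; the prefix and wildcard matching that the vacmAccessTable DESCRIPTION clause in section 4 adds is not modelled. The vacmViewTreeFamilyMask bit semantics follow that table's definition (bit i, most significant bit first, says whether sub-identifier i of the subtree must match; a mask shorter than the subtree is extended with ones). The tie-break between several matching families (longest subtree wins, then the greatest mask) is an assumption of this example; the authoritative rule is the vacmViewTreeFamilyTable DESCRIPTION clause that step 5b points to, which is not reproduced in this section.

```python
from dataclasses import dataclass

# statusInformation values from section 3 of the RFC
ACCESS_ALLOWED, NOT_IN_VIEW, NO_SUCH_VIEW = "accessAllowed", "notInView", "noSuchView"
NO_SUCH_CONTEXT, NO_GROUP_NAME, NO_ACCESS_ENTRY = "noSuchContext", "noGroupName", "noAccessEntry"

USM = 3  # SnmpSecurityModel value of the User-based Security Model


@dataclass(frozen=True)
class ViewFamily:
    """One vacmViewTreeFamilyTable row: subtree OID, bit mask, included or excluded."""
    subtree: tuple
    mask: bytes      # b"" is extended with ones: every sub-identifier must match
    included: bool

    def mask_bits(self):
        # Bit i (most significant bit first) governs sub-identifier i of the subtree;
        # bits beyond the end of a short mask are taken as 1 (exact match).
        bits = []
        for i in range(len(self.subtree)):
            byte, bit = divmod(i, 8)
            bits.append(1 if byte >= len(self.mask) else (self.mask[byte] >> (7 - bit)) & 1)
        return tuple(bits)

    def matches(self, oid):
        if len(oid) < len(self.subtree):
            return False
        return all(not must or oid[i] == sub
                   for i, (sub, must) in enumerate(zip(self.subtree, self.mask_bits())))


@dataclass(frozen=True)
class AccessEntry:
    """The three view names of one vacmAccessTable row; "" means no view configured."""
    read_view: str
    write_view: str
    notify_view: str


@dataclass
class Vacm:
    contexts: set              # vacmContextTable
    security_to_group: dict    # (securityModel, securityName) -> groupName
    access: dict               # (contextName, groupName, securityModel, securityLevel) -> AccessEntry
    view_tree_families: dict   # viewName -> [ViewFamily, ...]

    def in_view(self, view_name, oid):
        """Step 5b. Assumed tie-break when several families match: the longest
        subtree wins, then the greatest mask (the most specific family)."""
        hits = [f for f in self.view_tree_families.get(view_name, ()) if f.matches(oid)]
        if not hits:
            return False
        return max(hits, key=lambda f: (len(f.subtree), f.mask_bits())).included

    def is_access_allowed(self, security_model, security_name, security_level,
                          view_type, context_name, variable_name):
        """The isAccessAllowed primitive, following steps 1 to 5 of section 3.2."""
        if context_name not in self.contexts:                                   # step 1
            return NO_SUCH_CONTEXT
        group = self.security_to_group.get((security_model, security_name))   # step 2
        if group is None:
            return NO_GROUP_NAME
        entry = self.access.get((context_name, group, security_model, security_level))  # 3
        if entry is None:
            return NO_ACCESS_ENTRY
        view_name = {"read": entry.read_view, "write": entry.write_view,
                     "notify": entry.notify_view}[view_type]                    # step 4
        if view_name == "":
            return NO_SUCH_VIEW
        if not self.in_view(view_name, variable_name):                          # step 5b
            return NOT_IN_VIEW
        return ACCESS_ALLOWED                                                    # step 5c


# Constructed sample configuration (not from the RFC): USM user "operator" in
# group "ops" may read, and receive notifications for, the system group and the
# ifEntry row of ifIndex 3 except ifPhysAddress.3; it may write nothing.
SYSTEM = (1, 3, 6, 1, 2, 1, 1)           # system
IF_ENTRY = (1, 3, 6, 1, 2, 1, 2, 2, 1)   # ifEntry; instances are ifEntry.<column>.<ifIndex>

SAMPLE = Vacm(
    contexts={""},
    security_to_group={(USM, "operator"): "ops"},
    access={("", "ops", USM, "authPriv"):
            AccessEntry(read_view="opsView", write_view="", notify_view="opsView")},
    view_tree_families={"opsView": [
        ViewFamily(SYSTEM, b"", True),
        # Mask 0xff 0xbf clears bit 9 (the column sub-identifier) and pins the
        # rest, so this family is every column of the row whose ifIndex is 3.
        ViewFamily(IF_ENTRY + (1, 3), b"\xff\xbf", True),
        # Same subtree length, all-ones mask: wins the tie, excludes ifPhysAddress.3.
        ViewFamily(IF_ENTRY + (6, 3), b"", False),
    ]},
)


def check(view_type, oid, security_name="operator", security_level="authPriv", context=""):
    """Ask SAMPLE on behalf of a USM principal; returns a statusInformation string."""
    return SAMPLE.is_access_allowed(USM, security_name, security_level, view_type, context, oid)
```

`check("read", IF_ENTRY + (2, 3))` returns accessAllowed while `check("read", IF_ENTRY + (2, 4))` returns notInView: the 0xff 0xbf mask is the usual way to give a group one row of a table (per-interface or per-VLAN views) without enumerating every column. Note that the empty write view in the sample yields noSuchView rather than notInView, as step 4 specifies, so a caller that distinguishes the two error indications must not treat noSuchView as "object exists but is hidden".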
4. Definitions
SNMP-VIEW-BASED-ACM-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
MODULE-IDENTITY, OBJECT-TYPE,
snmpModules FROM SNMPv2-SMI
TestAndIncr,
RowStatus, StorageType FROM SNMPv2-TC
SnmpAdminString,
SnmpSecurityLevel,
SnmpSecurityModel FROM SNMP-FRAMEWORK-MIB;
snmpVacmMIB MODULE-IDENTITY
LAST-UPDATED "9711200000Z" -- 20 Nov 1997, midnight
ORGANIZATION "SNMPv3 Working Group"
CONTACT-INFO "WG-email: snmpv3@tis.com
Subscribe: majordomo@tis.com
In message body: subscribe snmpv3
Chair: Russ Mundy
Trusted Information Systems
postal: 3060 Washington Rd
Glenwood MD 21738
USA
email: mundy@tis.com
phone: +1-301-854-6889
Co-editor: Bert Wijnen
IBM T.J. Watson Research
postal: Schagen 33
3461 GL Linschoten
Netherlands
email: wijnen@vnet.ibm.com
phone: +31-348-432-794
Co-editor: Randy Presuhn
BMC Software, Inc
postal: 1190 Saratoga Avenue, Suite 130
San Jose, CA 95129-3433
USA
email: rpresuhn@bmc.com
phone: +1-408-556-0720
Co-editor: Keith McCloghrie
Cisco Systems, Inc.
postal: 170 West Tasman Drive
San Jose, CA 95134-1706
USA
email: kzm@cisco.com
phone: +1-408-526-5260
"
DESCRIPTION "The management information definitions for the
View-based Access Control Model for SNMP.
"
::= { snmpModules 16 }
-- Administrative assignments ****************************************
vacmMIBObjects OBJECT IDENTIFIER ::= { snmpVacmMIB 1 }
vacmMIBConformance OBJECT IDENTIFIER ::= { snmpVacmMIB 2 }
-- Information about Local Contexts **********************************
vacmContextTable OBJECT-TYPE
SYNTAX SEQUENCE OF VacmContextEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "The table of locally available contexts.
This table provides information to SNMP Command
Generator applications so that they can properly
configure the vacmAccessTable to control access to
all contexts at the SNMP entity.
This table may change dynamically if the SNMP entity
allows that contexts are added/deleted dynamically
(for instance when its configuration changes). Such
changes would happen only if the management
instrumentation at that SNMP entity recognizes more
(or fewer) contexts.
The presence of entries in this table and of entries
in the vacmAccessTable are independent. That is, a
context identified by an entry in this table is not
necessarily referenced by any entries in the