📄 rfc2275.txt
字号:
vacmAccessTable; and the context(s) referenced by an
entry in the vacmAccessTable does not necessarily
currently exist and thus need not be identified by an
entry in this table.
This table must be made accessible via the default
context so that Command Responder applications have
a standard way of retrieving the information.
This table is read-only. It cannot be configured via
SNMP.
"
::= { vacmMIBObjects 1 }
vacmContextEntry OBJECT-TYPE
SYNTAX VacmContextEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "Information about a particular context."
INDEX {
vacmContextName
}
::= { vacmContextTable 1 }
VacmContextEntry ::= SEQUENCE
{
vacmContextName SnmpAdminString
}
vacmContextName OBJECT-TYPE
Wijnen, et. al. Standards Track [Page 12]
RFC 2275 VACM for SNMPv3 January 1998
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-only
STATUS current
DESCRIPTION "A human readable name identifying a particular
context at a particular SNMP entity.
The empty contextName (zero length) represents the
default context.
"
::= { vacmContextEntry 1 }
-- Information about Groups ******************************************
vacmSecurityToGroupTable OBJECT-TYPE
SYNTAX SEQUENCE OF VacmSecurityToGroupEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "This table maps a combination of securityModel and
securityName into a groupName which is used to define
an access control policy for a group of principals.
"
::= { vacmMIBObjects 2 }
vacmSecurityToGroupEntry OBJECT-TYPE
SYNTAX VacmSecurityToGroupEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "An entry in this table maps the combination of a
securityModel and securityName into a groupName.
"
INDEX {
vacmSecurityModel,
vacmSecurityName
}
::= { vacmSecurityToGroupTable 1 }
VacmSecurityToGroupEntry ::= SEQUENCE
{
vacmSecurityModel SnmpSecurityModel,
vacmSecurityName SnmpAdminString,
vacmGroupName SnmpAdminString,
vacmSecurityToGroupStorageType StorageType,
vacmSecurityToGroupStatus RowStatus
}
vacmSecurityModel OBJECT-TYPE
SYNTAX SnmpSecurityModel(1..2147483647)
MAX-ACCESS not-accessible
Wijnen, et. al. Standards Track [Page 13]
RFC 2275 VACM for SNMPv3 January 1998
STATUS current
DESCRIPTION "The Security Model, by which the vacmSecurityName
referenced by this entry is provided.
Note, this object may not take the 'any' (0) value.
"
::= { vacmSecurityToGroupEntry 1 }
vacmSecurityName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "The securityName for the principal, represented in a
Security Model independent format, which is mapped by
this entry to a groupName.
The securityName for a principal represented in a
Security Model independent format.
"
::= { vacmSecurityToGroupEntry 2 }
vacmGroupName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The name of the group to which this entry (e.g., the
combination of securityModel and securityName)
belongs.
This groupName is used as index into the
vacmAccessTable to select an access control policy.
"
::= { vacmSecurityToGroupEntry 3 }
vacmSecurityToGroupStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The storage type for this conceptual row.
Conceptual rows having the value 'permanent' need not
allow write-access to any columnar objects in the row.
"
DEFVAL { nonVolatile }
::= { vacmSecurityToGroupEntry 4 }
vacmSecurityToGroupStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
Wijnen, et. al. Standards Track [Page 14]
RFC 2275 VACM for SNMPv3 January 1998
STATUS current
DESCRIPTION "The status of this conceptual row.
The RowStatus TC [RFC1903] requires that this
DESCRIPTION clause states under which circumstances
other objects in this row can be modified:
The value of this object has no effect on whether
other objects in this conceptual row can be modified.
"
::= { vacmSecurityToGroupEntry 5 }
-- Information about Access Rights ***********************************
vacmAccessTable OBJECT-TYPE
SYNTAX SEQUENCE OF VacmAccessEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "The table of access rights for groups.
Each entry is indexed by a contextPrefix, a groupName
a securityModel and a securityLevel. To determine
whether access is allowed, one entry from this table
needs to be selected and the proper viewName from that
entry must be used for access control checking.
To select the proper entry, follow these steps:
1) the set of possible matches is formed by the
intersection of the following sets of entries:
the set of entries with identical vacmGroupName
the union of these two sets:
- the set with identical vacmAccessContextPrefix
- the set of entries with vacmAccessContextMatch
value of 'prefix' and matching
vacmAccessContextPrefix
intersected with the union of these two sets:
- the set of entries with identical
vacmSecurityModel
- the set of entries with vacmSecurityModel
value of 'any'
intersected with the set of entries with
vacmAccessSecurityLevel value less than or equal
to the requested securityLevel
2) if this set has only one member, we're done
otherwise, it comes down to deciding how to weight
the preferences between ContextPrefixes,
Wijnen, et. al. Standards Track [Page 15]
RFC 2275 VACM for SNMPv3 January 1998
SecurityModels, and SecurityLevels as follows:
a) if the subset of entries with identical
securityModels is not empty, discard the rest.
b) if the subset of entries with identical
vacmAccessContextPrefix is not empty,
discard the rest
c) discard all entries with ContextPrefixes shorter
than the longest one remaining in the set
d) select the entry with the highest securityLevel
Please note that for securityLevel noAuthNoPriv, all
groups are really equivalent since the assumption that
the securityName has been authenticated does not hold.
"
::= { vacmMIBObjects 4 }
vacmAccessEntry OBJECT-TYPE
SYNTAX VacmAccessEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "An access right configured in the Local Configuration
Datastore (LCD) authorizing access to an SNMP context.
"
INDEX { vacmGroupName,
vacmAccessContextPrefix,
vacmAccessSecurityModel,
vacmAccessSecurityLevel
}
::= { vacmAccessTable 1 }
VacmAccessEntry ::= SEQUENCE
{
vacmAccessContextPrefix SnmpAdminString,
vacmAccessSecurityModel SnmpSecurityModel,
vacmAccessSecurityLevel SnmpSecurityLevel,
vacmAccessContextMatch INTEGER,
vacmAccessReadViewName SnmpAdminString,
vacmAccessWriteViewName SnmpAdminString,
vacmAccessNotifyViewName SnmpAdminString,
vacmAccessStorageType StorageType,
vacmAccessStatus RowStatus
}
vacmAccessContextPrefix OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "In order to gain the access rights allowed by this
Wijnen, et. al. Standards Track [Page 16]
RFC 2275 VACM for SNMPv3 January 1998
conceptual row, a contextName must match exactly
(if the value of vacmAccessContextMatch is 'exact')
or partially (if the value of vacmAccessContextMatch
is 'prefix') to the value of the instance of this
object.
"
::= { vacmAccessEntry 1 }
vacmAccessSecurityModel OBJECT-TYPE
SYNTAX SnmpSecurityModel
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "In order to gain the access rights allowed by this
conceptual row, this securityModel must be in use.
"
::= { vacmAccessEntry 2 }
vacmAccessSecurityLevel OBJECT-TYPE
SYNTAX SnmpSecurityLevel
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "The minimum level of security required in order to
gain the access rights allowed by this conceptual
row. A securityLevel of noAuthNoPriv is less than
authNoPriv which in turn is less than authPriv.
If multiple entries are equally indexed except for
this vacmAccessSecurityLevel index, then the entry
which has the highest value for
vacmAccessSecurityLevel wins.
"
::= { vacmAccessEntry 3 }
vacmAccessContextMatch OBJECT-TYPE
SYNTAX INTEGER
{ exact (1), -- exact match of prefix and contextName
prefix (2) -- Only match to the prefix
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION "If the value of this object is exact(1), then all
rows where the contextName exactly matches
vacmAccessContextPrefix are selected.
If the value of this object is prefix(2), then all
rows where the contextName whose starting octets
exactly match vacmAccessContextPrefix are selected.
This allows for a simple form of wildcarding.
Wijnen, et. al. Standards Track [Page 17]
RFC 2275 VACM for SNMPv3 January 1998
See also the example in the DESCRIPTION clause of
the vacmAccessTable above.
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -