   The notify-view represents the set of object instances authorized for
   the group when sending objects in a notification, such as when
   sending a notification (when sending Notification Class PDUs).

Wijnen, et al.              Standards Track                     [Page 6]

RFC 3415                   VACM for the SNMP               December 2002

3.  Elements of Procedure

   This section describes the procedures followed by an Access Control
   module that implements the View-based Access Control Model when
   checking access rights as requested by an application (for example a
   Command Responder or a Notification Originator application).  The
   abstract service primitive is:

      statusInformation =          -- success or errorIndication
          isAccessAllowed(
              securityModel        -- Security Model in use
              securityName         -- principal who wants access
              securityLevel        -- Level of Security
              viewType             -- read, write, or notify view
              contextName          -- context containing variableName
              variableName         -- OID for the managed object
              )

   The abstract data elements are:

      statusInformation - one of the following:

         accessAllowed  - a MIB view was found and access is granted.

         notInView      - a MIB view was found but access is denied.
                          The variableName is not in the configured
                          MIB view for the specified viewType (e.g., in
                          the relevant entry in the vacmAccessTable).

         noSuchView     - no MIB view found because no view has been
                          configured for specified viewType (e.g., in
                          the relevant entry in the vacmAccessTable).

         noSuchContext  - no MIB view found because of no entry in the
                          vacmContextTable for specified contextName.

         noGroupName    - no MIB view found because no entry has been
                          configured in the vacmSecurityToGroupTable
                          for the specified combination of
                          securityModel and securityName.

         noAccessEntry  - no MIB view found because no entry has been
                          configured in the vacmAccessTable for the
                          specified combination of contextName,
                          groupName (from vacmSecurityToGroupTable),
                          securityModel and securityLevel.

         otherError     - failure, an undefined error occurred.

      securityModel - Security Model under which access is requested.

      securityName  - the principal on whose behalf access is requested.

      securityLevel - Level of Security under which access is requested.

      viewType      - view to be checked (read, write or notify).

      contextName   - context in which access is requested.

      variableName  - object instance to which access is requested.

3.1.  Overview of isAccessAllowed Process

   The following picture shows how the decision for access control is
   made by the View-based Access Control Model.

   +--------------------------------------------------------------------+
   |                                                                    |
   |      +-> securityModel -+                                          |
   |      |   (a)            |                                          |
   | who -+                  +-> groupName ----+                        |
   | (1)  |                  |   (x)           |                        |
   |      +-> securityName --+                 |                        |
   |          (b)                              |                        |
   |                                           |                        |
   | where -> contextName ---------------------+                        |
   | (2)      (e)                              |                        |
   |                                           |                        |
   |                                           |                        |
   |      +-> securityModel -------------------+                        |
   |      |   (a)                              |                        |
   | how -+                                    +-> viewName -+          |
   | (3)  |                                    |   (y)       |          |
   |      +-> securityLevel -------------------+             |          |
   |          (c)                              |             +-> yes/no |
   |                                           |             | decision |
   | why ---> viewType (read/write/notify) ----+             | (z)      |
   | (4)      (d)                                            |          |
   |                                                         |          |
   | what --> object-type ------+                            |          |
   | (5)      (m)               |                            |          |
   |                            +-> variableName (OID) ------+          |
   |                            |   (f)                                 |
   | which -> object-instance --+                                       |
   | (6)      (n)                                                       |
   |                                                                    |
   +--------------------------------------------------------------------+

   How the decision for isAccessAllowed is made.

   1) Inputs to the isAccessAllowed service are:

      (a)       securityModel    -- Security Model in use
      (b)       securityName     -- principal who wants to access
      (c)       securityLevel    -- Level of Security
      (d)       viewType         -- read, write, or notify view
      (e)       contextName      -- context containing variableName
      (f)       variableName     -- OID for the managed object
                                 -- this is made up of:
                                    - object-type (m)
                                    - object-instance (n)

   2) The partial "who" (1), represented by the securityModel (a) and
      the securityName (b), are used as the indices (a,b) into the
      vacmSecurityToGroupTable to find a single entry that produces a
      group, represented by groupName (x).

   3) The "where" (2), represented by the contextName (e), the "who",
      represented by the groupName (x) from the previous step, and the
      "how" (3), represented by securityModel (a) and securityLevel (c),
      are used as indices (e,x,a,c) into the vacmAccessTable to find a
      single entry that contains three MIB views.

   4) The "why" (4), represented by the viewType (d), is used to select
      the proper MIB view, represented by a viewName (y), from the
      vacmAccessEntry selected in the previous step.  This viewName (y)
      is an index into the vacmViewTreeFamilyTable and selects the set
      of entries that define the variableNames which are included in or
      excluded from the MIB view identified by the viewName (y).

   5) The "what" (5) type of management data and "which" (6) particular
      instance, represented by the variableName (f), is then checked to
      be in the MIB view or not, e.g., the yes/no decision (z).

3.2.  Processing the isAccessAllowed Service Request

   This section describes the procedure followed by an Access Control
   module that implements the View-based Access Control Model whenever
   it receives an isAccessAllowed request.

   1) The vacmContextTable is consulted for information about the SNMP
      context identified by the contextName.  If information about this
      SNMP context is absent from the table, then an errorIndication
      (noSuchContext) is returned to the calling module.

   2) The vacmSecurityToGroupTable is consulted for mapping the
      securityModel and securityName to a groupName.  If the information
      about this combination is absent from the table, then an
      errorIndication (noGroupName) is returned to the calling module.

   3) The vacmAccessTable is consulted for information about the
      groupName, contextName, securityModel and securityLevel.  If
      information about this combination is absent from the table, then
      an errorIndication (noAccessEntry) is returned to the calling
      module.

   4) a) If the viewType is "read", then the read view is used for
         checking access rights.

      b) If the viewType is "write", then the write view is used for
         checking access rights.

      c) If the viewType is "notify", then the notify view is used for
         checking access rights.

      If the view to be used is the empty view (zero length viewName)
      then an errorIndication (noSuchView) is returned to the calling
      module.

   5) a) If there is no view configured for the specified viewType, then
         an errorIndication (noSuchView) is returned to the calling
         module.

      b) If the specified variableName (object instance) is not in the
         MIB view (see DESCRIPTION clause for vacmViewTreeFamilyTable in
         section 4), then an errorIndication (notInView) is returned to
         the calling module.

         Otherwise,

      c) The specified variableName is in the MIB view.  A
         statusInformation of success (accessAllowed) is returned to the
         calling module.

4.  Definitions

SNMP-VIEW-BASED-ACM-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-COMPLIANCE, OBJECT-GROUP       FROM SNMPv2-CONF
    MODULE-IDENTITY, OBJECT-TYPE,
    snmpModules                           FROM SNMPv2-SMI
    TestAndIncr,
    RowStatus, StorageType                FROM SNMPv2-TC
    SnmpAdminString,
    SnmpSecurityLevel,
    SnmpSecurityModel                     FROM SNMP-FRAMEWORK-MIB;

snmpVacmMIB       MODULE-IDENTITY
    LAST-UPDATED "200210160000Z"          -- 16 Oct 2002, midnight
    ORGANIZATION "SNMPv3 Working Group"
    CONTACT-INFO "WG-email:   snmpv3@lists.tislabs.com
                  Subscribe:  majordomo@lists.tislabs.com
                              In message body:  subscribe snmpv3

                  Co-Chair:   Russ Mundy
                              Network Associates Laboratories
                  postal:     15204 Omega Drive, Suite 300
                              Rockville, MD 20850-4601
                              USA
                  email:      mundy@tislabs.com
                  phone:      +1 301-947-7107

                  Co-Chair:   David Harrington
                              Enterasys Networks
                  Postal:     35 Industrial Way
                              P. O. Box 5004
                              Rochester, New Hampshire 03866-5005
                              USA
                  EMail:      dbh@enterasys.com
                  Phone:      +1 603-337-2614

                  Co-editor:  Bert Wijnen
                              Lucent Technologies
                  postal:     Schagen 33
                              3461 GL Linschoten
                              Netherlands
                  email:      bwijnen@lucent.com
                  phone:      +31-348-480-685

                  Co-editor:  Randy Presuhn
                              BMC Software, Inc.
                  postal:     2141 North First Street
                              San Jose, CA 95131
                              USA
                  email:      randy_presuhn@bmc.com
                  phone:      +1 408-546-1006

                  Co-editor:  Keith McCloghrie
                              Cisco Systems, Inc.
                  postal:     170 West Tasman Drive
                              San Jose, CA  95134-1706
                              USA
                  email:      kzm@cisco.com
                  phone:      +1-408-526-5260
                 "
    DESCRIPTION  "The management information definitions for the
                  View-based Access Control Model for SNMP.

                  Copyright (C) The Internet Society (2002). This
                  version of this MIB module is part of RFC 3415;
                  see the RFC itself for full legal notices.
                 "
--  Revision history

    REVISION     "200210160000Z"          -- 16 Oct 2002, midnight
    DESCRIPTION  "Clarifications, published as RFC3415"

    REVISION     "199901200000Z"          -- 20 Jan 1999, midnight
    DESCRIPTION  "Clarifications, published as RFC2575"

    REVISION     "199711200000Z"          -- 20 Nov 1997, midnight
    DESCRIPTION  "Initial version, published as RFC2275"

    ::= { snmpModules 16 }

-- Administrative assignments ****************************************

vacmMIBObjects      OBJECT IDENTIFIER ::= { snmpVacmMIB 1 }
vacmMIBConformance  OBJECT IDENTIFIER ::= { snmpVacmMIB 2 }
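   The isAccessAllowed procedure of section 3.2 carried through in code, as an
   added example that is not part of RFC 3415 or of any VACM implementation.
   It assumes the four tables are plain Python dicts, keys the vacmAccessTable
   by exact (contextName, groupName, securityModel, securityLevel) match
   (the context-prefix and best-match selection rules of the MIB's section 4
   are outside this excerpt), and applies the vacmViewTreeFamilyTable
   subtree/mask, included/excluded rule with longest-subtree-wins for step 5:

```python
# Added example (not from RFC 3415): isAccessAllowed of section 3.2 over tables
# held as plain dicts.  Simplification: vacmAccessTable is keyed by exact match
# of (contextName, groupName, securityModel, securityLevel).

def oid_matches(subtree, mask, oid):
    """True if oid lies under subtree; a 0 mask bit makes that sub-identifier a wildcard."""
    if len(oid) < len(subtree):
        return False
    for i, sub in enumerate(subtree):
        bit = mask[i] if i < len(mask) else 1      # mask bits beyond its length count as 1
        if bit and oid[i] != sub:
            return False
    return True

def in_view(view_entries, oid):
    """view_entries: [(subtree, mask, 'included'|'excluded')]; longest subtree wins, ties to greatest."""
    best = None
    for subtree, mask, vtype in view_entries:
        if oid_matches(subtree, mask, oid):
            key = (len(subtree), subtree)
            if best is None or key > best[0]:
                best = (key, vtype)
    return best is not None and best[1] == "included"

def is_access_allowed(tables, securityModel, securityName, securityLevel,
                      viewType, contextName, variableName):
    """Return the statusInformation value of RFC 3415 section 3 for one request."""
    if contextName not in tables["vacmContextTable"]:                       # step 1
        return "noSuchContext"
    groupName = tables["vacmSecurityToGroupTable"].get((securityModel, securityName))
    if groupName is None:                                                   # step 2
        return "noGroupName"
    entry = tables["vacmAccessTable"].get((contextName, groupName, securityModel, securityLevel))
    if entry is None:                                                       # step 3
        return "noAccessEntry"
    viewName = entry.get(viewType, "")                                      # step 4
    if viewName == "":                              # empty view or none configured (5a)
        return "noSuchView"
    view = tables["vacmViewTreeFamilyTable"].get(viewName, [])              # step 5b/5c
    return "accessAllowed" if in_view(view, variableName) else "notInView"

# Constructed sample: group "ops" reads mib-2 except interfaces (1.3.6.1.2.1.2); no write view.
SAMPLE_TABLES = {
    "vacmContextTable": {""}, "vacmSecurityToGroupTable": {("usm", "alice"): "ops"},
    "vacmAccessTable": {("", "ops", "usm", "authNoPriv"):
                        {"read": "ops-ro", "write": "", "notify": "ops-ro"}},
    "vacmViewTreeFamilyTable": {"ops-ro": [((1, 3, 6, 1, 2, 1), (), "included"),
                                           ((1, 3, 6, 1, 2, 1, 2), (), "excluded")]},
}
```

   A viewName with no families in the vacmViewTreeFamilyTable contains
   nothing, so every variableName checked against it yields notInView.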