Docs are unclear about replacement for ro_community et al #53

Closed
tlimoncelli opened this issue Jun 30, 2015 · 7 comments

@tlimoncelli

The docs warn that

The parameters ro_community, rw_community, ro_network, and rw_network
will be removed in version 4.0.0 of this module.

Could you give a brain-dead example or two of what parameters should be used instead? To use the Reddit phrase... explain it to me like I'm 12 years old. Thanks! (TBH, I think the com2sec stuff in the net-snmp package is badly documented in the first place.)

@razorsedge razorsedge self-assigned this Jun 30, 2015
@razorsedge
Contributor

First off, I am definitely not an SNMP expert. I only wrote this module in order to have something for the HP hardware monitoring tools (Support Pack for Proliant) to work with. I have a bad habit of being thorough. With that said...

With traditional access control, you can give a simple password and (optional) network restriction:

```puppet
class { 'snmp':
  ro_community => 'myPassword',
  ro_network   => '10.0.0.0/8',
}
```

and it becomes this in snmpd.conf:

```
rocommunity myPassword 10.0.0.0/8
```

This says that any host on network 10.0.0.0/8 can read any SNMP value via SNMP versions 1 and 2c as long as they provide the password 'myPassword'.

With VACM, you can do this (more complex thing) instead:

```puppet
class { 'snmp':
  com2sec  => ['myUserName  10.0.0.0/8 myPassword'],
  groups   => ['myGroupName v1         myUserName',
               'myGroupName v2c        myUserName'],
  views    => ['everyThing  included   .'],
  accesses => ['myGroupName ""      any   noauth  exact  everyThing  none   none'],
}
```

and it becomes this in snmpd.conf:

```
com2sec myUserName  10.0.0.0/8 myPassword
group   myGroupName v1         myUserName
group   myGroupName v2c        myUserName
view    everyThing  included   .
access  myGroupName ""      any   noauth  exact  everyThing  none   none
```

This also says that any host on network 10.0.0.0/8 can read any SNMP value via SNMP versions 1 and 2c as long as they provide the password 'myPassword'. But it also gives you the ability to change any of those variables.

Reference: Manpage of snmpd.conf - Access Control

@tlimoncelli
Author

That goes a long way to clarify things. Would you please integrate that into the docs?

Another thought I had was rather than eliminating ro_community, rw_community, ro_network, and rw_network, why not permit them but have them generate the appropriate com2sec/group/view/access statements instead? It seems like it would be less error-prone to have Puppet do the transformation than to let humans do it.
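The transformation proposed above, as an added example that is not part of the thread or of puppet-snmp itself: a small Ruby routine that expands a legacy ro_/rw_ community and network pair into the equivalent VACM stanza from the earlier comment. The security and group names (roUser, rwGroup, everyThing) and the sample values are constructed; net-snmp's `default` keyword is accepted as "any source" and anything else is validated as a CIDR before it can land in snmpd.conf.

```ruby
require 'ipaddr'

# Constructed example: expand one legacy community+network pair into the
# equivalent VACM stanza (com2sec / group / view / access), following the
# mapping shown in the thread. kind is :ro or :rw; network is a CIDR or
# net-snmp's 'default' (no source restriction). Returns snmpd.conf lines.
def vacm_for(kind, community, network)
  raise ArgumentError, 'kind must be :ro or :rw' unless %i[ro rw].include?(kind)
  # Validate the source restriction up front; a typo here would otherwise
  # silently widen access. IPAddr raises InvalidAddressError on bad input.
  IPAddr.new(network) unless network == 'default'
  sec   = "#{kind}User"   # security name the community string maps to
  group = "#{kind}Group"  # group the security name is placed in
  write_view = kind == :rw ? 'everyThing' : 'none'  # rw gets a write view
  [
    "com2sec #{sec} #{network} #{community}",
    "group   #{group} v1  #{sec}",
    "group   #{group} v2c #{sec}",
    'view    everyThing included .',
    "access  #{group} \"\" any noauth exact everyThing #{write_view} none"
  ]
end

# Assemble the access-control section from the legacy parameters, emitting
# only the stanzas whose community is set and de-duplicating the shared view.
def snmpd_access_control(ro_community: nil, ro_network: 'default',
                         rw_community: nil, rw_network: 'default')
  lines = []
  lines += vacm_for(:ro, ro_community, ro_network) if ro_community
  lines += vacm_for(:rw, rw_community, rw_network) if rw_community
  lines.uniq
end

if __FILE__ == $PROGRAM_NAME
  # Same input as the first example in the thread.
  puts snmpd_access_control(ro_community: 'myPassword', ro_network: '10.0.0.0/8')
end
```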

@razorsedge
Contributor

I will integrate this into the docs.

I am trying to remember why I decided to eliminate ro_community, rw_community, ro_network, and rw_network. For the life of me, I have no idea. Although you can always use the safety valve, I think I will keep them around.

razorsedge added a commit that referenced this issue Jul 5, 2015
@razorsedge
Contributor

I have been working on updated documentation. https://github.com/razorsedge/puppet-snmp/blob/feature/README.markdown/README.markdown
Let me know what you think.

@TomOnTime

This is a big improvement. The one aspect I would change is that it is difficult to tell which are config file reserved keywords and which are things a user can change. I would simply add:

  • myUserName: A username you've selected.
  • myGroupName: A group name you assign users to.
  • everyThing: A "view", i.e. a list of MIBs that will be ACLed as a unit.


@razorsedge
Contributor

README.markdown has been updated with your suggestion.

@TomOnTime

Thanks!
