Network Working Group                                          B. Wijnen
Request for Comments: 3415                           Lucent Technologies
STD: 62                                                       R. Presuhn
Obsoletes: 2575                                       BMC Software, Inc.
Category: Standards Track                                  K. McCloghrie
                                                     Cisco Systems, Inc.
                                                           December 2002
        

View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2002). All Rights Reserved.

Abstract

This document describes the View-based Access Control Model (VACM) for use in the Simple Network Management Protocol (SNMP) architecture. It defines the Elements of Procedure for controlling access to management information. This document also includes a Management Information Base (MIB) for remotely managing the configuration parameters for the View-based Access Control Model. This document obsoletes RFC 2575.

Table of Contents

   1.  Introduction .................................................  2
   1.2.  Access Control .............................................  3
   1.3.  Local Configuration Datastore ..............................  3
   2.  Elements of the Model ........................................  4
   2.1.  Groups .....................................................  4
   2.2.  securityLevel ..............................................  4
   2.3.  Contexts ...................................................  4
   2.4.  MIB Views and View Families ................................  5
   2.4.1.  View Subtree .............................................  5
   2.4.2.  ViewTreeFamily ...........................................  6
   2.5.  Access Policy ..............................................  6
   3.  Elements of Procedure ........................................  7
   3.1.  Overview of isAccessAllowed Process ........................  8
   3.2.  Processing the isAccessAllowed Service Request .............  9
   4.  Definitions .................................................. 11
   5.  Intellectual Property ........................................ 28
   6.  Acknowledgements ............................................. 28
   7.  Security Considerations ...................................... 30
   7.1.  Recommended Practices ...................................... 30
   7.2.  Defining Groups ............................................ 30
   7.3.  Conformance ................................................ 31
   7.4.  Access to the SNMP-VIEW-BASED-ACM-MIB ...................... 31
   8.  References ................................................... 31
   A.  Installation ................................................. 33
   B.  Change Log ................................................... 36
   Editors' Addresses ............................................... 38
   Full Copyright Statement ......................................... 39
        
1. Introduction

The Architecture for describing Internet Management Frameworks [RFC3411] describes that an SNMP engine is composed of:

   1) a Dispatcher
   2) a Message Processing Subsystem,
   3) a Security Subsystem, and
   4) an Access Control Subsystem.

Applications make use of the services of these subsystems.

It is important to understand the SNMP architecture and its terminology to understand where the View-based Access Control Model described in this document fits into the architecture and interacts with other subsystems within the architecture. The reader is expected to have read and understood the description and terminology of the SNMP architecture, as defined in [RFC3411].

The Access Control Subsystem of an SNMP engine has the responsibility for checking whether a specific type of access (read, write, notify) to a particular object (instance) is allowed.

It is the purpose of this document to define a specific model of the Access Control Subsystem, designated the View-based Access Control Model. Note that this is not necessarily the only Access Control Model.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119.

1.2. Access Control

Access Control occurs (either implicitly or explicitly) in an SNMP entity when processing SNMP retrieval or modification request messages from an SNMP entity. For example a Command Responder application applies Access Control when processing requests that it received from a Command Generator application. These requests contain Read Class and Write Class PDUs as defined in [RFC3411].

Access Control also occurs in an SNMP entity when an SNMP notification message is generated (by a Notification Originator application). These notification messages contain Notification Class PDUs as defined in [RFC3411].

The View-based Access Control Model defines a set of services that an application (such as a Command Responder or a Notification Originator application) can use for checking access rights. It is the responsibility of the application to make the proper service calls for access checking.

1.3. Local Configuration Datastore

To implement the model described in this document, an SNMP entity needs to retain information about access rights and policies. This information is part of the SNMP engine's Local Configuration Datastore (LCD). See [RFC3411] for the definition of LCD.

In order to allow an SNMP entity's LCD to be remotely configured, portions of the LCD need to be accessible as managed objects. A MIB module, the View-based Access Control Model Configuration MIB, which defines these managed object types is included in this document.

2. Elements of the Model

This section contains definitions to realize the access control service provided by the View-based Access Control Model.

2.1. Groups

A group is a set of zero or more <securityModel, securityName> tuples on whose behalf SNMP management objects can be accessed. A group defines the access rights afforded to all securityNames which belong to that group. The combination of a securityModel and a securityName maps to at most one group. A group is identified by a groupName.

The Access Control module assumes that the securityName has already been authenticated as needed and provides no further authentication of its own.

The View-based Access Control Model uses the securityModel and the securityName as inputs to the Access Control module when called to check for access rights. It determines the groupName as a function of securityModel and securityName.

2.2. securityLevel

Different access rights for members of a group can be defined for different levels of security, i.e., noAuthNoPriv, authNoPriv, and authPriv. The securityLevel identifies the level of security that will be assumed when checking for access rights. See the SNMP Architecture document [RFC3411] for a definition of securityLevel.

The View-based Access Control Model requires that the securityLevel is passed as input to the Access Control module when called to check for access rights.

2.3. Contexts

An SNMP context is a collection of management information accessible by an SNMP entity. An item of management information may exist in more than one context. An SNMP entity potentially has access to many contexts. Details about the naming of management information can be found in the SNMP Architecture document [RFC3411].

The View-based Access Control Model defines a vacmContextTable that lists the locally available contexts by contextName.

2.4. MIB Views and View Families

For security reasons, it is often valuable to be able to restrict the access rights of some groups to only a subset of the management information in the management domain. To provide this capability, access to a context is via a "MIB view" which details a specific set of managed object types (and optionally, the specific instances of object types) within that context. For example, for a given context, there will typically always be one MIB view which provides access to all management information in that context, and often there will be other MIB views each of which contains some subset of the information. So, the access allowed for a group can be restricted in the desired manner by specifying its rights in terms of the particular (subset) MIB view it can access within each appropriate context.

Since managed object types (and their instances) are identified via the tree-like naming structure of ISO's OBJECT IDENTIFIERs [ISO-ASN.1, RFC2578], it is convenient to define a MIB view as the combination of a set of "view subtrees", where each view subtree is a subtree within the managed object naming tree. Thus, a simple MIB view (e.g., all managed objects within the Internet Network Management Framework) can be defined as a single view subtree, while more complicated MIB views (e.g., all information relevant to a particular network interface) can be represented by the union of multiple view subtrees.

While any set of managed objects can be described by the union of some number of view subtrees, situations can arise that would require a very large number of view subtrees. This could happen, for example, when specifying all columns in one conceptual row of a MIB table because they would appear in separate subtrees, one per column, each with a very similar format. Because the formats are similar, the required set of subtrees can easily be aggregated into one structure. This structure is named a family of view subtrees after the set of subtrees that it conceptually represents. A family of view subtrees can either be included or excluded from a MIB view.

2.4.1. View Subtree

A view subtree is the set of all MIB object instances which have a common ASN.1 OBJECT IDENTIFIER prefix to their names. A view subtree is identified by the OBJECT IDENTIFIER value which is the longest OBJECT IDENTIFIER prefix common to all (potential) MIB object instances in that subtree.

2.4.2. ViewTreeFamily

A family of view subtrees is a pairing of an OBJECT IDENTIFIER value (called the family name) together with a bit string value (called the family mask). The family mask indicates which sub-identifiers of the associated family name are significant to the family's definition.

For each possible managed object instance, that instance belongs to a particular ViewTreeFamily if both of the following conditions are true:

- the OBJECT IDENTIFIER name of the managed object instance contains at least as many sub-identifiers as does the family name, and

- each sub-identifier in the OBJECT IDENTIFIER name of the managed object instance matches the corresponding sub-identifier of the family name whenever the corresponding bit of the associated family mask is non-zero.

When the configured value of the family mask is all ones, the view subtree family is identical to the single view subtree identified by the family name.

When the configured value of the family mask is shorter than required to perform the above test, its value is implicitly extended with ones. Consequently, a view subtree family having a family mask of zero length always corresponds to a single view subtree.

2.5. Access Policy

The View-based Access Control Model determines the access rights of a group, representing zero or more securityNames which have the same access rights. For a particular context, identified by contextName, to which a group, identified by groupName, has access using a particular securityModel and securityLevel, that group's access rights are given by a read-view, a write-view and a notify-view.

The read-view represents the set of object instances authorized for the group when reading objects. Reading objects occurs when processing a retrieval operation (when handling Read Class PDUs).

The write-view represents the set of object instances authorized for the group when writing objects. Writing objects occurs when processing a write operation (when handling Write Class PDUs).

The notify-view represents the set of object instances authorized for the group when sending objects in a notification (when sending Notification Class PDUs).

3. Elements of Procedure

This section describes the procedures followed by an Access Control module that implements the View-based Access Control Model when checking access rights as requested by an application (for example a Command Responder or a Notification Originator application). The abstract service primitive is:

      statusInformation =           -- success or errorIndication
        isAccessAllowed(
        securityModel                -- Security Model in use
        securityName                 -- principal who wants access
        securityLevel                -- Level of Security
        viewType                     -- read, write, or notify view
        contextName                  -- context containing variableName
        variableName                 -- OID for the managed object
        )

The abstract data elements are:

      statusInformation - one of the following:
          accessAllowed - a MIB view was found and access is granted.
          notInView     - a MIB view was found but access is denied.
                          The variableName is not in the configured
                          MIB view for the specified viewType (e.g., in
                          the relevant entry in the vacmAccessTable).
          noSuchView    - no MIB view found because no view has been
                          configured for specified viewType (e.g., in
                          the relevant entry in the vacmAccessTable).
          noSuchContext - no MIB view found because of no entry in the
                          vacmContextTable for specified contextName.
          noGroupName   - no MIB view found because no entry has been
                          configured in the vacmSecurityToGroupTable
                          for the specified combination of
                          securityModel and securityName.
          noAccessEntry - no MIB view found because no entry has been
                          configured in the vacmAccessTable for the
                          specified combination of contextName,
                          groupName (from vacmSecurityToGroupTable),
                          securityModel and securityLevel.
          otherError    - failure, an undefined error occurred.
      securityModel - Security Model under which access is requested.
      securityName  - the principal on whose behalf access is requested.
      securityLevel - Level of Security under which access is requested.
      viewType      - view to be checked (read, write or notify).
      contextName   - context in which access is requested.
      variableName  - object instance to which access is requested.

3.1. Overview of isAccessAllowed Process

The following picture shows how the decision for access control is made by the View-based Access Control Model.

  +--------------------------------------------------------------------+
  |                                                                    |
  |      +-> securityModel -+                                          |
  |      |   (a)            |                                          |
  | who -+                  +-> groupName ----+                        |
  | (1)  |                  |   (x)           |                        |
  |      +-> securityName --+                 |                        |
  |          (b)                              |                        |
  |                                           |                        |
  | where -> contextName ---------------------+                        |
  | (2)      (e)                              |                        |
  |                                           |                        |
  |                                           |                        |
  |      +-> securityModel -------------------+                        |
  |      |   (a)                              |                        |
  | how -+                                    +-> viewName -+          |
  | (3)  |                                    |   (y)       |          |
  |      +-> securityLevel -------------------+             |          |
  |          (c)                              |             +-> yes/no |
  |                                           |             | decision |
  | why ---> viewType (read/write/notify) ----+             | (z)      |
  | (4)      (d)                                            |          |
  |                                                         |          |
  | what --> object-type ------+                            |          |
  | (5)      (m)               |                            |          |
  |                            +-> variableName (OID) ------+          |
  |                            |   (f)                                 |
  | which -> object-instance --+                                       |
  | (6)      (n)                                                       |
  |                                                                    |
  +--------------------------------------------------------------------+
        

How the decision for isAccessAllowed is made.

1) Inputs to the isAccessAllowed service are:

      (a)       securityModel    -- Security Model in use
      (b)       securityName     -- principal who wants to access
      (c)       securityLevel    -- Level of Security
      (d)       viewType         -- read, write, or notify view
      (e)       contextName      -- context containing variableName
      (f)       variableName     -- OID for the managed object
                                 -- this is made up of:
                                    - object-type (m)
                                    - object-instance (n)
        

2) The partial "who" (1), represented by the securityModel (a) and the securityName (b), are used as the indices (a,b) into the vacmSecurityToGroupTable to find a single entry that produces a group, represented by groupName (x).

3) The "where" (2), represented by the contextName (e), the "who", represented by the groupName (x) from the previous step, and the "how" (3), represented by securityModel (a) and securityLevel (c), are used as indices (e,x,a,c) into the vacmAccessTable to find a single entry that contains three MIB views.

4) The "why" (4), represented by the viewType (d), is used to select the proper MIB view, represented by a viewName (y), from the vacmAccessEntry selected in the previous step. This viewName (y) is an index into the vacmViewTreeFamilyTable and selects the set of entries that define the variableNames which are included in or excluded from the MIB view identified by the viewName (y).

5) The "what" (5) type of management data and "which" (6) particular instance, represented by the variableName (f), is then checked to be in the MIB view or not, e.g., the yes/no decision (z).

3.2. Processing the isAccessAllowed Service Request

This section describes the procedure followed by an Access Control module that implements the View-based Access Control Model whenever it receives an isAccessAllowed request.

1) The vacmContextTable is consulted for information about the SNMP context identified by the contextName. If information about this SNMP context is absent from the table, then an errorIndication (noSuchContext) is returned to the calling module.

2) The vacmSecurityToGroupTable is consulted for mapping the securityModel and securityName to a groupName. If the information about this combination is absent from the table, then an errorIndication (noGroupName) is returned to the calling module.

3) The vacmAccessTable is consulted for information about the groupName, contextName, securityModel and securityLevel. If information about this combination is absent from the table, then an errorIndication (noAccessEntry) is returned to the calling module.

4) a) If the viewType is "read", then the read view is used for checking access rights.

b) If the viewType is "write", then the write view is used for checking access rights.

c) If the viewType is "notify", then the notify view is used for checking access rights.

If the view to be used is the empty view (zero length viewName) then an errorIndication (noSuchView) is returned to the calling module.

5) a) If there is no view configured for the specified viewType, then an errorIndication (noSuchView) is returned to the calling module.

b) If the specified variableName (object instance) is not in the MIB view (see DESCRIPTION clause for vacmViewTreeFamilyTable in section 4), then an errorIndication (notInView) is returned to the calling module.

Otherwise,

c) The specified variableName is in the MIB view. A statusInformation of success (accessAllowed) is returned to the calling module.
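
The following Python program is an added example and is not part of RFC 3415 or of any SNMP implementation. It models steps 1 through 5 of section 3.2 over constructed copies of the four VACM tables, and implements the ViewTreeFamily membership test of section 2.4.2 (family name, family mask, implicit extension of the mask with ones), so it serves both passages. The table rows, the securityNames "operator" and "auditor", the groupNames, the viewNames, the USM securityModel number 3 and the ordering of the three securityLevel values are all assumptions; the row's securityLevel is treated as the minimum level the caller must present, and contextName is matched exactly rather than with the contextMatch/prefix rules of the vacmAccessTable. The "longest family name wins, ties to the lexicographically greatest" rule for overlapping families is taken from the DESCRIPTION clause of vacmViewTreeFamilyTable in section 4 of the RFC.

```python
# Added example, not part of RFC 3415: a Python model of the VACM
# isAccessAllowed procedure (section 3.2) built on the ViewTreeFamily
# matching rules of section 2.4.2. All table rows below are constructed.
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]
Family = Tuple[OID, bytes, bool]      # (family name, family mask, included?)

USM = 3                               # securityModel value of USM (assumed)
LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}

# vacmContextTable (constructed): the contextNames available locally.
VACM_CONTEXT_TABLE = {""}

# vacmSecurityToGroupTable (constructed): (securityModel, securityName) -> groupName
VACM_SECURITY_TO_GROUP_TABLE: Dict[Tuple[int, str], str] = {
    (USM, "operator"): "ops",
    (USM, "auditor"): "readers",
}

# vacmAccessTable (constructed): (groupName, contextName, securityModel,
# securityLevel) -> (readView, writeView, notifyView); "" is the empty view.
# The row's securityLevel is the minimum level the caller must present.
# Simplification: contextName is matched exactly (no prefix matching).
VACM_ACCESS_TABLE: Dict[Tuple[str, str, int, str], Tuple[str, str, str]] = {
    ("ops", "", USM, "authPriv"): ("internet", "internet", "internet"),
    ("readers", "", USM, "authNoPriv"): ("restricted", "", "restricted"),
}

# vacmViewTreeFamilyTable (constructed): viewName -> its families.
VACM_VIEW_TREE_FAMILY_TABLE: Dict[str, List[Family]] = {
    "internet": [((1, 3, 6, 1), b"", True)],
    "restricted": [
        ((1, 3, 6, 1, 2, 1, 1), b"", True),       # the system group ...
        ((1, 3, 6, 1, 2, 1, 1, 6), b"", False),   # ... without sysLocation
        # Every column of the ifTable row with ifIndex 1. Mask 0xFF 0xA0:
        # sub-identifiers 1-9 and 11 are significant, 10 (the column) is not.
        ((1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 1), b"\xff\xa0", True),
    ],
}

def mask_bit(mask: bytes, index: int) -> int:
    """Bit `index` of a family mask (bit 0 is the MSB of the first octet).
    Bits past the end of the configured mask are implicitly one."""
    octet, bit = divmod(index, 8)
    if octet >= len(mask):
        return 1
    return (mask[octet] >> (7 - bit)) & 1

def in_family(instance: OID, family_name: OID, family_mask: bytes) -> bool:
    """The two membership conditions of section 2.4.2."""
    if len(instance) < len(family_name):
        return False
    return all(instance[i] == sub or not mask_bit(family_mask, i)
               for i, sub in enumerate(family_name))

def in_view(instance: OID, families: List[Family]) -> bool:
    """Apply one MIB view's families to an instance. Of the matching
    families the longest family name wins, ties going to the
    lexicographically greatest; its included/excluded flag decides."""
    matches = [f for f in families if in_family(instance, f[0], f[1])]
    if not matches:
        return False
    return max(matches, key=lambda f: (len(f[0]), f[0]))[2]

def find_access_entry(group: str, context: str, model: int,
                      level: str) -> Optional[Tuple[str, str, str]]:
    """vacmAccessTable row whose minimum securityLevel the caller meets,
    preferring the row with the highest such level."""
    rows = [(LEVELS[row_level], views)
            for (g, c, m, row_level), views in VACM_ACCESS_TABLE.items()
            if g == group and c == context and m == model
            and LEVELS[row_level] <= LEVELS[level]]
    return max(rows)[1] if rows else None

def is_access_allowed(security_model: int, security_name: str,
                      security_level: str, view_type: str,
                      context_name: str, variable_name: OID) -> str:
    """Steps 1-5 of section 3.2; returns the statusInformation value."""
    if context_name not in VACM_CONTEXT_TABLE:                   # step 1
        return "noSuchContext"
    group = VACM_SECURITY_TO_GROUP_TABLE.get((security_model, security_name))
    if group is None:                                             # step 2
        return "noGroupName"
    entry = find_access_entry(group, context_name, security_model, security_level)
    if entry is None:                                             # step 3
        return "noAccessEntry"
    view_name = dict(zip(("read", "write", "notify"), entry))[view_type]
    if view_name == "":                                           # step 4
        return "noSuchView"
    families = VACM_VIEW_TREE_FAMILY_TABLE.get(view_name)
    if not families:                                              # step 5a
        return "noSuchView"
    return "accessAllowed" if in_view(variable_name, families) else "notInView"

if __name__ == "__main__":
    sys_name_0 = (1, 3, 6, 1, 2, 1, 1, 5, 0)
    for level in ("noAuthNoPriv", "authNoPriv", "authPriv"):
        print("auditor", level, "read sysName.0 ->",
              is_access_allowed(USM, "auditor", level, "read", "", sys_name_0))
```

The "restricted" view shows the two mechanisms an operator relies on when scoping a read-only group: an excluded family that is longer than the included family it overlaps (sysLocation disappears from an otherwise visible system group), and a mask with a zero bit in the column position, which admits one conceptual row of ifTable across all its columns while keeping every other interface out of view. The empty write-view for "readers" yields noSuchView on any write, which is the error the RFC prescribes for a viewType with no configured view.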

4. Definitions
SNMP-VIEW-BASED-ACM-MIB DEFINITIONS ::= BEGIN
        

IMPORTS
    MODULE-COMPLIANCE, OBJECT-GROUP       FROM SNMPv2-CONF
    MODULE-IDENTITY, OBJECT-TYPE,
    snmpModules                           FROM SNMPv2-SMI
    TestAndIncr,
    RowStatus,
    StorageType                           FROM SNMPv2-TC
    SnmpAdminString,
    SnmpSecurityLevel,
    SnmpSecurityModel                     FROM SNMP-FRAMEWORK-MIB;

snmpVacmMIB MODULE-IDENTITY LAST-UPDATED "200210160000Z" -- 16 Oct 2002, midnight ORGANIZATION "SNMPv3 Working Group" CONTACT-INFO "WG-email: snmpv3@lists.tislabs.com Subscribe: majordomo@lists.tislabs.com In message body: subscribe snmpv3

SNMPvCMIB模块标识最后更新“200210160000Z”-2002年10月16日,午夜组织“SNMPv3工作组”联系信息工作组电子邮件:snmpv3@lists.tislabs.com订阅:majordomo@lists.tislabs.com在消息正文中:订阅snmpv3

Co-Chair: Russ Mundy Network Associates Laboratories postal: 15204 Omega Drive, Suite 300 Rockville, MD 20850-4601 USA email: mundy@tislabs.com phone: +1 301-947-7107

联席主席:Russ Mundy Network Associates Laboratories邮政编码:15204美国马里兰州罗克维尔欧米茄大道300号套房20850-4601电子邮件:mundy@tislabs.com电话:+1 301-947-7107

Co-Chair: David Harrington Enterasys Networks Postal: 35 Industrial Way P. O. Box 5004 Rochester, New Hampshire 03866-5005 USA EMail: dbh@enterasys.com Phone: +1 603-337-2614

联席主席:David Harrington Enterasys Networks邮政:美国新罕布什尔州罗切斯特市工业路35号邮政信箱5004 03866-5005电子邮件:dbh@enterasys.com电话:+1603-337-2614

Co-editor: Bert Wijnen Lucent Technologies postal: Schagen 33 3461 GL Linschoten Netherlands email: bwijnen@lucent.com phone: +31-348-480-685

合编:Bert Wijnen-Lucent Technologies邮政:Schagen 33 3461 GL Linschoten荷兰电子邮件:bwijnen@lucent.com电话:+31-348-480-685

Co-editor: Randy Presuhn BMC Software, Inc.

联合编辑:兰迪·普雷森BMC软件公司。

postal: 2141 North First Street San Jose, CA 95131 USA email: randy_presuhn@bmc.com phone: +1 408-546-1006

邮政:美国加利福尼亚州圣何塞市北第一街2141号95131电子邮件:randy_presuhn@bmc.com电话:+1408-546-1006

Co-editor: Keith McCloghrie Cisco Systems, Inc. postal: 170 West Tasman Drive San Jose, CA 95134-1706 USA email: kzm@cisco.com phone: +1-408-526-5260 " DESCRIPTION "The management information definitions for the View-based Access Control Model for SNMP.

共同编辑:Keith McCloghrie Cisco Systems,Inc.邮政编码:美国加利福尼亚州圣何塞市西塔斯曼大道170号95134-1706电子邮件:kzm@cisco.com电话:+1-408-526-5260“说明”SNMP基于视图的访问控制模型的管理信息定义。

Copyright (C) The Internet Society (2002). This version of this MIB module is part of RFC 3415; see the RFC itself for full legal notices. " -- Revision history

版权所有(C)互联网协会(2002年)。此版本的MIB模块是RFC 3415的一部分;有关完整的法律通知,请参见RFC本身。“--修订历史

REVISION "200210160000Z" -- 16 Oct 2002, midnight DESCRIPTION "Clarifications, published as RFC3415"

修订版“200210160000Z”-2002年10月16日,午夜描述“澄清,发布为RFC3415”

REVISION "199901200000Z" -- 20 Jan 1999, midnight DESCRIPTION "Clarifications, published as RFC2575"

修订版“199901200000Z”-1999年1月20日,午夜描述“澄清,发布为RFC2575”

REVISION "199711200000Z" -- 20 Nov 1997, midnight DESCRIPTION "Initial version, published as RFC2275"

修订版“199711200000Z”-1997年11月20日,午夜描述“初始版本,发布为RFC2275”

    ::= { snmpModules 16 }
        
    ::= { snmpModules 16 }
        
-- Administrative assignments ****************************************
        
vacmMIBObjects      OBJECT IDENTIFIER ::= { snmpVacmMIB 1 }
vacmMIBConformance  OBJECT IDENTIFIER ::= { snmpVacmMIB 2 }
        
-- Information about Local Contexts **********************************
        

vacmContextTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF VacmContextEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The table of locally available contexts.

                 This table provides information to SNMP Command
                 Generator applications so that they can properly
                 configure the vacmAccessTable to control access to
                 all contexts at the SNMP entity.

                 This table may change dynamically if the SNMP entity
                 allows that contexts are added/deleted dynamically
                 (for instance when its configuration changes).  Such
                 changes would happen only if the management
                 instrumentation at that SNMP entity recognizes more
                 (or fewer) contexts.

                 The presence of entries in this table and of entries
                 in the vacmAccessTable are independent.  That is, a
                 context identified by an entry in this table is not
                 necessarily referenced by any entries in the
                 vacmAccessTable; and the context(s) referenced by an
                 entry in the vacmAccessTable does not necessarily
                 currently exist and thus need not be identified by an
                 entry in this table.

                 This table must be made accessible via the default
                 context so that Command Responder applications have
                 a standard way of retrieving the information.

                 This table is read-only.  It cannot be configured via
                 SNMP.
                "
    ::= { vacmMIBObjects 1 }
        
vacmContextEntry OBJECT-TYPE
    SYNTAX       VacmContextEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "Information about a particular context."
    INDEX       {
                  vacmContextName
                }
    ::= { vacmContextTable 1 }
        
VacmContextEntry ::= SEQUENCE
    {
        vacmContextName SnmpAdminString
    }
        

vacmContextName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(0..32))
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION "A human readable name identifying a particular
                 context at a particular SNMP entity.

                 The empty contextName (zero length) represents the
                 default context.
                "
    ::= { vacmContextEntry 1 }
        
-- Information about Groups ******************************************
        
vacmSecurityToGroupTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF VacmSecurityToGroupEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "This table maps a combination of securityModel and
                 securityName into a groupName which is used to define
                 an access control policy for a group of principals.
                "
    ::= { vacmMIBObjects 2 }
        
vacmSecurityToGroupEntry OBJECT-TYPE
    SYNTAX       VacmSecurityToGroupEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "An entry in this table maps the combination of a
                 securityModel and securityName into a groupName.
                "
    INDEX       {
                  vacmSecurityModel,
                  vacmSecurityName
                }
    ::= { vacmSecurityToGroupTable 1 }
        
VacmSecurityToGroupEntry ::= SEQUENCE
    {
        vacmSecurityModel               SnmpSecurityModel,
        vacmSecurityName                SnmpAdminString,
        vacmGroupName                   SnmpAdminString,
        vacmSecurityToGroupStorageType  StorageType,
        vacmSecurityToGroupStatus       RowStatus
    }
        

vacmSecurityModel OBJECT-TYPE
    SYNTAX       SnmpSecurityModel(1..2147483647)
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The Security Model, by which the vacmSecurityName
                 referenced by this entry is provided.

                 Note, this object may not take the 'any' (0) value.
                "
    ::= { vacmSecurityToGroupEntry 1 }
        
vacmSecurityName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(1..32))
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The securityName for the principal, represented in a
                 Security Model independent format, which is mapped by
                 this entry to a groupName.
                "
    ::= { vacmSecurityToGroupEntry 2 }
        

vacmGroupName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(1..32))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The name of the group to which this entry (e.g., the
                 combination of securityModel and securityName)
                 belongs.

                 This groupName is used as index into the
                 vacmAccessTable to select an access control policy.
                 However, a value in this table does not imply that an
                 instance with the value exists in table vacmAccessTable.
                "
    ::= { vacmSecurityToGroupEntry 3 }
        
vacmSecurityToGroupStorageType OBJECT-TYPE
    SYNTAX       StorageType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The storage type for this conceptual row.
                 Conceptual rows having the value 'permanent' need not
                 allow write-access to any columnar objects in the row.
                "
    DEFVAL      { nonVolatile }
    ::= { vacmSecurityToGroupEntry 4 }
        

vacmSecurityToGroupStatus OBJECT-TYPE
    SYNTAX       RowStatus
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The status of this conceptual row.

                 Until instances of all corresponding columns are
                 appropriately configured, the value of the
                 corresponding instance of the
                 vacmSecurityToGroupStatus column is 'notReady'.

                 In particular, a newly created row cannot be made
                 active until a value has been set for vacmGroupName.

                 The RowStatus TC [RFC2579] requires that this
                 DESCRIPTION clause states under which circumstances
                 other objects in this row can be modified:

                 The value of this object has no effect on whether
                 other objects in this conceptual row can be modified.
                "
    ::= { vacmSecurityToGroupEntry 5 }
        
-- Information about Access Rights ***********************************
        

vacmAccessTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF VacmAccessEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The table of access rights for groups.

                 Each entry is indexed by a groupName, a contextPrefix,
                 a securityModel and a securityLevel.  To determine
                 whether access is allowed, one entry from this table
                 needs to be selected and the proper viewName from that
                 entry must be used for access control checking.

                 To select the proper entry, follow these steps:

                 1) the set of possible matches is formed by the
                    intersection of the following sets of entries:

                      the set of entries with identical vacmGroupName

                      the union of these two sets:
                        - the set with identical vacmAccessContextPrefix
                        - the set of entries with vacmAccessContextMatch
                          value of 'prefix' and matching
                          vacmAccessContextPrefix

                      intersected with the union of these two sets:
                        - the set of entries with identical
                          vacmSecurityModel
                        - the set of entries with vacmSecurityModel
                          value of 'any'

                      intersected with the set of entries with
                      vacmAccessSecurityLevel value less than or equal
                      to the requested securityLevel

                 2) if this set has only one member, we're done
                    otherwise, it comes down to deciding how to weight
                    the preferences between ContextPrefixes,
                    SecurityModels, and SecurityLevels as follows:
                    a) if the subset of entries with securityModel
                       matching the securityModel in the message is
                       not empty, then discard the rest.
                    b) if the subset of entries with
                       vacmAccessContextPrefix matching the contextName
                       in the message is not empty,
                       then discard the rest
                    c) discard all entries with ContextPrefixes shorter
                       than the longest one remaining in the set
                    d) select the entry with the highest securityLevel

                 Please note that for securityLevel noAuthNoPriv, all
                 groups are really equivalent since the assumption that
                 the securityName has been authenticated does not hold.
                "
    ::= { vacmMIBObjects 4 }
        

vacmAccessEntry OBJECT-TYPE
    SYNTAX       VacmAccessEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "An access right configured in the Local Configuration
                 Datastore (LCD) authorizing access to an SNMP context.

                 Entries in this table can use an instance value for
                 object vacmGroupName even if no entry in table
                 vacmSecurityToGroupTable has a corresponding
                 value for object vacmGroupName.
                "
    INDEX       { vacmGroupName,
                  vacmAccessContextPrefix,
                  vacmAccessSecurityModel,
                  vacmAccessSecurityLevel
                }
    ::= { vacmAccessTable 1 }
        
VacmAccessEntry ::= SEQUENCE
    {
        vacmAccessContextPrefix    SnmpAdminString,
        vacmAccessSecurityModel    SnmpSecurityModel,
        vacmAccessSecurityLevel    SnmpSecurityLevel,
        vacmAccessContextMatch     INTEGER,
        vacmAccessReadViewName     SnmpAdminString,
        vacmAccessWriteViewName    SnmpAdminString,
        vacmAccessNotifyViewName   SnmpAdminString,
        vacmAccessStorageType      StorageType,
        vacmAccessStatus           RowStatus
    }
        

vacmAccessContextPrefix OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(0..32))
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "In order to gain the access rights allowed by this
                 conceptual row, a contextName must match exactly
                 (if the value of vacmAccessContextMatch is 'exact')
                 or partially (if the value of vacmAccessContextMatch
                 is 'prefix') to the value of the instance of this
                 object.
                "
    ::= { vacmAccessEntry 1 }
        
vacmAccessSecurityModel OBJECT-TYPE
    SYNTAX       SnmpSecurityModel
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "In order to gain the access rights allowed by this
                 conceptual row, this securityModel must be in use.
                "
    ::= { vacmAccessEntry 2 }
        

vacmAccessSecurityLevel OBJECT-TYPE
    SYNTAX       SnmpSecurityLevel
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The minimum level of security required in order to
                 gain the access rights allowed by this conceptual
                 row.  A securityLevel of noAuthNoPriv is less than
                 authNoPriv which in turn is less than authPriv.

                 If multiple entries are equally indexed except for
                 this vacmAccessSecurityLevel index, then the entry
                 which has the highest value for
                 vacmAccessSecurityLevel is selected.
                "
    ::= { vacmAccessEntry 3 }
        

vacmAccessContextMatch OBJECT-TYPE
    SYNTAX       INTEGER
                { exact (1),  -- exact match of prefix and contextName
                  prefix (2)  -- Only match to the prefix
                }
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "If the value of this object is exact(1), then all
                 rows where the contextName exactly matches
                 vacmAccessContextPrefix are selected.

                 If the value of this object is prefix(2), then all
                 rows where the contextName whose starting octets
                 exactly match vacmAccessContextPrefix are selected.
                 This allows for a simple form of wildcarding.
                "
    DEFVAL      { exact }
    ::= { vacmAccessEntry 4 }
        

vacmAccessReadViewName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(0..32))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes read access.

                 The identified MIB view is that one for which the
                 vacmViewTreeFamilyViewName has the same value as the
                 instance of this object; if the value is the empty
                 string or if there is no active MIB view having this
                 value of vacmViewTreeFamilyViewName, then no access
                 is granted.
                "
    DEFVAL      { ''H }   -- the empty string
    ::= { vacmAccessEntry 5 }
        

vacmAccessWriteViewName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(0..32))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes write access.

                 The identified MIB view is that one for which the
                 vacmViewTreeFamilyViewName has the same value as the
                 instance of this object; if the value is the empty
                 string or if there is no active MIB view having this
                 value of vacmViewTreeFamilyViewName, then no access
                 is granted.
                "
    DEFVAL      { ''H }   -- the empty string
    ::= { vacmAccessEntry 6 }
        

vacmAccessNotifyViewName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(0..32))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes access for notifications.

                 The identified MIB view is that one for which the
                 vacmViewTreeFamilyViewName has the same value as the
                 instance of this object; if the value is the empty
                 string or if there is no active MIB view having this
                 value of vacmViewTreeFamilyViewName, then no access
                 is granted.
                "
    DEFVAL      { ''H }   -- the empty string
    ::= { vacmAccessEntry 7 }
        

vacmAccessStorageType OBJECT-TYPE
    SYNTAX       StorageType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The storage type for this conceptual row.

                 Conceptual rows having the value 'permanent' need not
                 allow write-access to any columnar objects in the row.
                "
    DEFVAL      { nonVolatile }
    ::= { vacmAccessEntry 8 }
        

vacmAccessStatus OBJECT-TYPE
    SYNTAX       RowStatus
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The status of this conceptual row.

                 The RowStatus TC [RFC2579] requires that this
                 DESCRIPTION clause states under which circumstances
                 other objects in this row can be modified:

                 The value of this object has no effect on whether
                 other objects in this conceptual row can be modified.
                "
    ::= { vacmAccessEntry 9 }
        
-- Information about MIB views ***************************************
        
-- Support for instance-level granularity is optional.
--
-- In some implementations, instance-level access control
-- granularity may come at a high performance cost.  Managers
-- should avoid requesting such configurations unnecessarily.
        
vacmMIBViews     OBJECT IDENTIFIER ::= { vacmMIBObjects 5 }
        

vacmViewSpinLock OBJECT-TYPE
    SYNTAX       TestAndIncr
    MAX-ACCESS   read-write
    STATUS       current
    DESCRIPTION "An advisory lock used to allow cooperating SNMP
                 Command Generator applications to coordinate their
                 use of the Set operation in creating or modifying
                 views.

                 When creating a new view or altering an existing
                 view, it is important to understand the potential
                 interactions with other uses of the view.  The
                 vacmViewSpinLock should be retrieved.  The name of
                 the view to be created should be determined to be
                 unique by the SNMP Command Generator application by
                 consulting the vacmViewTreeFamilyTable.  Finally,
                 the named view may be created (Set), including the
                 advisory lock.
                 If another SNMP Command Generator application has
                 altered the views in the meantime, then the spin
                 lock's value will have changed, and so this creation
                 will fail because it will specify the wrong value for
                 the spin lock.

                 Since this is an advisory lock, the use of this lock
                 is not enforced.
                "
    ::= { vacmMIBViews 1 }
        

vacmViewTreeFamilyTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF VacmViewTreeFamilyEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "Locally held information about families of subtrees
                 within MIB views.

                 Each MIB view is defined by two sets of view subtrees:
                   - the included view subtrees, and
                   - the excluded view subtrees.
                 Every such view subtree, both the included and the
                 excluded ones, is defined in this table.

                 To determine if a particular object instance is in
                 a particular MIB view, compare the object instance's
                 OBJECT IDENTIFIER with each of the MIB view's active
                 entries in this table.  If none match, then the
                 object instance is not in the MIB view.  If one or
                 more match, then the object instance is included in,
                 or excluded from, the MIB view according to the
                 value of vacmViewTreeFamilyType in the entry whose
                 value of vacmViewTreeFamilySubtree has the most
                 sub-identifiers.  If multiple entries match and have
                 the same number of sub-identifiers (when wildcarding
                 is specified with the value of vacmViewTreeFamilyMask),
                 then the lexicographically greatest instance of
                 vacmViewTreeFamilyType determines the inclusion or
                 exclusion.

                 An object instance's OBJECT IDENTIFIER X matches an
                 active entry in this table when the number of
                 sub-identifiers in X is at least as many as in the
                 value of vacmViewTreeFamilySubtree for the entry,
                 and each sub-identifier in the value of
                 vacmViewTreeFamilySubtree matches its corresponding
                 sub-identifier in X.  Two sub-identifiers match
                 either if the corresponding bit of the value of
                 vacmViewTreeFamilyMask for the entry is zero (the
                 'wild card' value), or if they are equal.

                 A 'family' of subtrees is the set of subtrees defined
                 by a particular combination of values of
                 vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask.

                 In the case where no 'wild card' is defined in the
                 vacmViewTreeFamilyMask, the family of subtrees reduces
                 to a single subtree.

                 When creating or changing MIB views, an SNMP Command
                 Generator application should utilize the
                 vacmViewSpinLock to try to avoid collisions.  See
                 DESCRIPTION clause of vacmViewSpinLock.

                 When creating MIB views, it is strongly advised that
                 first the 'excluded' vacmViewTreeFamilyEntries are
                 created and then the 'included' entries.

                 When deleting MIB views, it is strongly advised that
                 first the 'included' vacmViewTreeFamilyEntries are
                 deleted and then the 'excluded' entries.

                 If a create for an entry for instance-level access
                 control is received and the implementation does not
                 support instance-level granularity, then an
                 inconsistentName error must be returned.
                "
    ::= { vacmMIBViews 2 }


vacmViewTreeFamilyEntry OBJECT-TYPE
    SYNTAX       VacmViewTreeFamilyEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "Information on a particular family of view subtrees
                 included in or excluded from a particular SNMP
                 context's MIB view.

                 Implementations must not restrict the number of
                 families of view subtrees for a given MIB view,
                 except as dictated by resource constraints on the
                 overall number of entries in the
                 vacmViewTreeFamilyTable.

                 If no conceptual rows exist in this table for a given
                 MIB view (viewName), that view may be thought of as
                 consisting of the empty set of view subtrees.
                "
    INDEX       { vacmViewTreeFamilyViewName,
                  vacmViewTreeFamilySubtree
                }
    ::= { vacmViewTreeFamilyTable 1 }

VacmViewTreeFamilyEntry ::= SEQUENCE
    {
        vacmViewTreeFamilyViewName     SnmpAdminString,
        vacmViewTreeFamilySubtree      OBJECT IDENTIFIER,
        vacmViewTreeFamilyMask         OCTET STRING,
        vacmViewTreeFamilyType         INTEGER,
        vacmViewTreeFamilyStorageType  StorageType,
        vacmViewTreeFamilyStatus       RowStatus
    }
        

vacmViewTreeFamilyViewName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(1..32))
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The human readable name for a family of view subtrees.
                "
    ::= { vacmViewTreeFamilyEntry 1 }

vacmViewTreeFamilySubtree OBJECT-TYPE
    SYNTAX       OBJECT IDENTIFIER
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The MIB subtree which when combined with the
                 corresponding instance of vacmViewTreeFamilyMask
                 defines a family of view subtrees.
                "
    ::= { vacmViewTreeFamilyEntry 2 }
        

vacmViewTreeFamilyMask OBJECT-TYPE
    SYNTAX       OCTET STRING (SIZE (0..16))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The bit mask which, in combination with the
                 corresponding instance of vacmViewTreeFamilySubtree,
                 defines a family of view subtrees.

                 Each bit of this bit mask corresponds to a
                 sub-identifier of vacmViewTreeFamilySubtree, with the
                 most significant bit of the i-th octet of this octet
                 string value (extended if necessary, see below)
                 corresponding to the (8*i - 7)-th sub-identifier, and
                 the least significant bit of the i-th octet of this
                 octet string corresponding to the (8*i)-th
                 sub-identifier, where i is in the range 1 through 16.

                 Each bit of this bit mask specifies whether or not
                 the corresponding sub-identifiers must match when
                 determining if an OBJECT IDENTIFIER is in this
                 family of view subtrees; a '1' indicates that an
                 exact match must occur; a '0' indicates 'wild card',
                 i.e., any sub-identifier value matches.

                 Thus, the OBJECT IDENTIFIER X of an object instance
                 is contained in a family of view subtrees if, for
                 each sub-identifier of the value of
                 vacmViewTreeFamilySubtree, either:

                   the i-th bit of vacmViewTreeFamilyMask is 0, or

                   the i-th sub-identifier of X is equal to the i-th
                   sub-identifier of the value of
                   vacmViewTreeFamilySubtree.

                 If the value of this bit mask is M bits long and
                 there are more than M sub-identifiers in the
                 corresponding instance of vacmViewTreeFamilySubtree,
                 then the bit mask is extended with 1's to be the
                 required length.

                 Note that when the value of this object is the
                 zero-length string, this extension rule results in
                 a mask of all-1's being used (i.e., no 'wild card'),
                 and the family of view subtrees is the one view
                 subtree uniquely identified by the corresponding
                 instance of vacmViewTreeFamilySubtree.

                 Note that masks of length greater than zero length
                 do not need to be supported.  In this case this
                 object is made read-only.
                "
    DEFVAL      { ''H }
    ::= { vacmViewTreeFamilyEntry 3 }
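To make the matching rules of the vacmViewTreeFamilyTable and vacmViewTreeFamilyMask DESCRIPTION clauses concrete, the following Python is an added illustration (not code from the RFC or from any SNMP implementation) of the membership test: the mask bit layout and extension rule, longest-subtree precedence, the lexicographic tie-break, and the exposure window that the "create 'excluded' rows first" advice avoids. The semi-secure <restricted> rows are constructed from the Appendix A subtrees; the ifEntry and usmUser families are hypothetical sample rows.

```python
"""MIB-view membership as defined by the vacmViewTreeFamilyTable and
vacmViewTreeFamilyMask DESCRIPTION clauses of RFC 3415 (added example,
not code from the RFC or from any SNMP implementation)."""

from dataclasses import dataclass
from typing import List, Sequence, Tuple

OID = Tuple[int, ...]

# vacmViewTreeFamilyType enumeration values.
INCLUDED, EXCLUDED = 1, 2


def oid(dotted: str) -> OID:
    """Parse a dotted OBJECT IDENTIFIER ('1.3.6.1.2.1.1') into a tuple."""
    return tuple(int(part) for part in dotted.split("."))


@dataclass(frozen=True)
class ViewTreeFamily:
    """One active vacmViewTreeFamilyTable row of a single view, reduced
    to the columns the matching rules consult."""
    subtree: OID                  # vacmViewTreeFamilySubtree
    mask: bytes = b""             # vacmViewTreeFamilyMask (0..16 octets)
    family_type: int = INCLUDED   # vacmViewTreeFamilyType


def mask_bit(mask: bytes, i: int) -> int:
    """Mask bit for the i-th sub-identifier (1-based): the MSB of octet 1
    is sub-identifier 1, its LSB is sub-identifier 8, and so on.  Past the
    end of the mask the extension rule applies: missing bits are 1, so a
    zero-length mask means 'exact match on every sub-identifier'."""
    octet = (i - 1) // 8
    if octet >= len(mask):
        return 1
    return (mask[octet] >> (7 - (i - 1) % 8)) & 1


def family_matches(entry: ViewTreeFamily, x: OID) -> bool:
    """x matches the family when it is at least as long as the subtree and
    every subtree sub-identifier is wild-carded (bit 0) or equal."""
    if len(x) < len(entry.subtree):
        return False
    return all(mask_bit(entry.mask, i) == 0 or s == xi
               for i, (s, xi) in enumerate(zip(entry.subtree, x), start=1))


def is_in_view(x: OID, view: Sequence[ViewTreeFamily]) -> bool:
    """No matching family: not in the view.  Otherwise the family with the
    most sub-identifiers decides, and among equal lengths the row with the
    lexicographically greatest subtree (the greatest table index)."""
    matches = [e for e in view if family_matches(e, x)]
    if not matches:
        return False
    decider = max(matches, key=lambda e: (len(e.subtree), e.subtree))
    return decider.family_type == INCLUDED


def access_during_build(x: OID, rows: Sequence[ViewTreeFamily]) -> List[bool]:
    """Membership of x after each row in `rows` has been created, in that
    order: the window the RFC's 'create excluded rows first' advice closes."""
    return [is_in_view(x, rows[:n]) for n in range(1, len(rows) + 1)]


# Sample rows, constructed from the subtrees Appendix A names for the
# <restricted> view of the initial-semi-secure-configuration: zero-length
# masks, so each row is one plain subtree.
RESTRICTED_SEMI_SECURE = [
    ViewTreeFamily(oid("1.3.6.1.2.1.1")),       # system
    ViewTreeFamily(oid("1.3.6.1.2.1.11")),      # snmp
    ViewTreeFamily(oid("1.3.6.1.6.3.10.2.1")),  # snmpEngine
    ViewTreeFamily(oid("1.3.6.1.6.3.11.2.1")),  # snmpMPDStats
    ViewTreeFamily(oid("1.3.6.1.6.3.15.1.1")),  # usmStats
]

# Hypothetical instance-level family: every ifEntry column
# (1.3.6.1.2.1.2.2.1.<column>.<ifIndex>) of interface 3 only.  Bits 1-9
# exact, bit 10 (column) wild card, bit 11 (ifIndex) exact:
# 11111111 101xxxxx  ->  'FFA0'H
IF_INDEX_3 = ViewTreeFamily(oid("1.3.6.1.2.1.2.2.1.0.3"), mask=b"\xff\xa0")

# Hypothetical view 'internet minus the usmUser subtree' (usmUser is
# 1.3.6.1.6.3.15.1.2 in RFC 3414), used to show why the excluded row
# should be created before the included one.
INCLUDE_INTERNET = ViewTreeFamily(oid("1.3.6.1"))
EXCLUDE_USM_USER = ViewTreeFamily(oid("1.3.6.1.6.3.15.1.2"),
                                  family_type=EXCLUDED)
```

For a usmUser instance, access_during_build returns [True, False] when the included row is created first (the instance is briefly visible) and [False, False] when the excluded row goes first.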
        
vacmViewTreeFamilyType OBJECT-TYPE
    SYNTAX       INTEGER  { included(1), excluded(2) }
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "Indicates whether the corresponding instances of
                 vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask
                 define a family of view subtrees which is included in
                 or excluded from the MIB view.
                "
    DEFVAL      { included }
    ::= { vacmViewTreeFamilyEntry 4 }
        

vacmViewTreeFamilyStorageType OBJECT-TYPE
    SYNTAX       StorageType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The storage type for this conceptual row.

                 Conceptual rows having the value 'permanent' need not
                 allow write-access to any columnar objects in the row.
                "
    DEFVAL      { nonVolatile }
    ::= { vacmViewTreeFamilyEntry 5 }


vacmViewTreeFamilyStatus OBJECT-TYPE
    SYNTAX       RowStatus
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The status of this conceptual row.

                 The RowStatus TC [RFC2579] requires that this
                 DESCRIPTION clause states under which circumstances
                 other objects in this row can be modified:

                 The value of this object has no effect on whether
                 other objects in this conceptual row can be modified.
                "
    ::= { vacmViewTreeFamilyEntry 6 }

-- Conformance information *******************************************

vacmMIBCompliances  OBJECT IDENTIFIER ::= { vacmMIBConformance 1 }
vacmMIBGroups       OBJECT IDENTIFIER ::= { vacmMIBConformance 2 }

-- Compliance statements *********************************************


vacmMIBCompliance MODULE-COMPLIANCE
    STATUS       current
    DESCRIPTION "The compliance statement for SNMP engines which
                 implement the SNMP View-based Access Control Model
                 configuration MIB.
                "
    MODULE -- this module
        MANDATORY-GROUPS { vacmBasicGroup }

        OBJECT        vacmAccessContextMatch
        MIN-ACCESS    read-only
        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessReadViewName
        MIN-ACCESS    read-only
        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessWriteViewName
        MIN-ACCESS    read-only
        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessNotifyViewName
        MIN-ACCESS    read-only
        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessStorageType
        MIN-ACCESS    read-only
        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessStatus
        MIN-ACCESS    read-only
        DESCRIPTION  "Create/delete/modify access to the
                      vacmAccessTable is not required.
                     "

        OBJECT        vacmViewTreeFamilyMask
        WRITE-SYNTAX  OCTET STRING (SIZE (0))
        MIN-ACCESS    read-only
        DESCRIPTION  "Support for configuration via SNMP of subtree
                      families using wild-cards is not required.
                     "

        OBJECT        vacmViewTreeFamilyType
        MIN-ACCESS    read-only
        DESCRIPTION  "Write access is not required."

        OBJECT        vacmViewTreeFamilyStorageType
        MIN-ACCESS    read-only
        DESCRIPTION  "Write access is not required."

        OBJECT        vacmViewTreeFamilyStatus
        MIN-ACCESS    read-only
        DESCRIPTION  "Create/delete/modify access to the
                      vacmViewTreeFamilyTable is not required.
                     "
    ::= { vacmMIBCompliances 1 }

-- Units of conformance **********************************************

vacmBasicGroup OBJECT-GROUP
    OBJECTS {
              vacmContextName,
              vacmGroupName,
              vacmSecurityToGroupStorageType,
              vacmSecurityToGroupStatus,
              vacmAccessContextMatch,
              vacmAccessReadViewName,
              vacmAccessWriteViewName,
              vacmAccessNotifyViewName,
              vacmAccessStorageType,
              vacmAccessStatus,
              vacmViewSpinLock,
              vacmViewTreeFamilyMask,
              vacmViewTreeFamilyType,
              vacmViewTreeFamilyStorageType,
              vacmViewTreeFamilyStatus
            }
    STATUS       current
    DESCRIPTION "A collection of objects providing for remote
                 configuration of an SNMP engine which implements
                 the SNMP View-based Access Control Model.
                "
    ::= { vacmMIBGroups 1 }


END


5. Intellectual Property

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

6. Acknowledgements

This document is the result of the efforts of the SNMPv3 Working Group. Some special thanks are in order to the following SNMPv3 WG members:

    Harald Tveit Alvestrand (Maxware)
    Dave Battle (SNMP Research, Inc.)
    Alan Beard (Disney Worldwide Services)
    Paul Berrevoets (SWI Systemware/Halcyon Inc.)
    Martin Bjorklund (Ericsson)
    Uri Blumenthal (IBM T.J. Watson Research Center)
    Jeff Case (SNMP Research, Inc.)
    John Curran (BBN)
    Mike Daniele (Compaq Computer Corporation)
    T. Max Devlin (Eltrax Systems)
    John Flick (Hewlett Packard)
    Rob Frye (MCI)
    Wes Hardaker (U.C.Davis, Information Technology - D.C.A.S.)
    David Harrington (Cabletron Systems Inc.)
    Lauren Heintz (BMC Software, Inc.)
    N.C. Hien (IBM T.J. Watson Research Center)
    Michael Kirkham (InterWorking Labs, Inc.)
    Dave Levi (SNMP Research, Inc.)
    Louis A Mamakos (UUNET Technologies Inc.)
    Joe Marzot (Nortel Networks)
    Paul Meyer (Secure Computing Corporation)
    Keith McCloghrie (Cisco Systems)
    Bob Moore (IBM)
    Russ Mundy (TIS Labs at Network Associates)
    Bob Natale (ACE*COMM Corporation)
    Mike O'Dell (UUNET Technologies Inc.)
    Dave Perkins (DeskTalk)
    Peter Polkinghorne (Brunel University)
    Randy Presuhn (BMC Software, Inc.)
    David Reeder (TIS Labs at Network Associates)
    David Reid (SNMP Research, Inc.)
    Aleksey Romanov (Quality Quorum)
    Shawn Routhier (Epilogue)
    Juergen Schoenwaelder (TU Braunschweig)
    Bob Stewart (Cisco Systems)
    Mike Thatcher (Independent Consultant)
    Bert Wijnen (IBM T.J. Watson Research Center)

The document is based on recommendations of the IETF Security and Administrative Framework Evolution for SNMP Advisory Team. Members of that Advisory Team were:

    David Harrington (Cabletron Systems Inc.)
    Jeff Johnson (Cisco Systems)
    David Levi (SNMP Research Inc.)
    John Linn (Openvision)
    Russ Mundy (Trusted Information Systems) chair
    Shawn Routhier (Epilogue)
    Glenn Waters (Nortel)
    Bert Wijnen (IBM T. J. Watson Research Center)

As recommended by the Advisory Team and the SNMPv3 Working Group Charter, the design incorporates as much as practical from previous RFCs and drafts. As a result, special thanks are due to the authors of previous designs known as SNMPv2u and SNMPv2*:

    Jeff Case (SNMP Research, Inc.)
    David Harrington (Cabletron Systems Inc.)
    David Levi (SNMP Research, Inc.)
    Keith McCloghrie (Cisco Systems)
    Brian O'Keefe (Hewlett Packard)
    Marshall T. Rose (Dover Beach Consulting)
    Jon Saperia (BGS Systems Inc.)
    Steve Waldbusser (International Network Services)
    Glenn W. Waters (Bell-Northern Research Ltd.)

7. Security Considerations

7.1. Recommended Practices

This document is meant for use in the SNMP architecture. The View-based Access Control Model described in this document checks access rights to management information based on:

- contextName, representing a set of management information at the managed system where the Access Control module is running.

- groupName, representing a set of zero or more securityNames. The combination of a securityModel and a securityName is mapped into a group in the View-based Access Control Model.

- securityModel under which access is requested.

- securityLevel under which access is requested.

- operation performed on the management information.

- MIB views for read, write or notify access.

When the User-based Access Control module is called for checking access rights, it is assumed that the calling module has ensured the authentication and privacy aspects as specified by the securityLevel that is being passed.

When creating entries in or deleting entries from the vacmViewTreeFamilyTable it is important to do such in the sequence as recommended in the DESCRIPTION clause of the vacmViewTreeFamilyTable definition. Otherwise unwanted access may be granted while changing the entries in the table.

7.2. Defining Groups

The groupNames are used to give access to a group of zero or more securityNames. Within the View-Based Access Control Model, a groupName is considered to exist if that groupName is listed in the vacmSecurityToGroupTable.

By mapping the combination of a securityModel and securityName into a groupName, an SNMP Command Generator application can add/delete securityNames to/from a group, if proper access is allowed.

Further it is important to realize that the grouping of <securityModel, securityName> tuples in the vacmSecurityToGroupTable does not take securityLevel into account. It is therefore important that the security administrator uses the securityLevel index in the vacmAccessTable to separate noAuthNoPriv from authPriv and/or authNoPriv access.

7.3. Conformance

For an implementation of the View-based Access Control Model to be conformant, it MUST implement the SNMP-VIEW-BASED-ACM-MIB according to the vacmMIBCompliance. It also SHOULD implement the initial configuration, described in appendix A.

7.4. Access to the SNMP-VIEW-BASED-ACM-MIB

The objects in this MIB control the access to all MIB data that is accessible via the SNMP engine and they may be considered sensitive in many environments. It is important to closely control (both read and write) access to these MIB objects by using appropriately configured Access Control models (for example the View-based Access Control Model as specified in this document).

8. References

8.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.

[RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.

[RFC3411] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.

[RFC3412] Case, J., Harrington, D., Presuhn, R. and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3412, December 2002.

[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

8.2. Informative References

[ISO-ASN.1] Information processing systems - Open Systems Interconnection - Specification of Abstract Syntax Notation One (ASN.1), International Organization for Standardization. International Standard 8824, (December, 1987).

Appendix A - Installation

附录A-安装

A.1. Installation Parameters
A.1. 安装参数

During installation, an authoritative SNMP engine which supports this View-based Access Control Model SHOULD be configured with several initial parameters. These include for the View-based Access Control Model:

在安装过程中,支持此基于视图的访问控制模型的权威SNMP引擎应配置几个初始参数。其中包括基于视图的访问控制模型:

1) A security configuration

1) 安全配置

The choice of security configuration determines if initial configuration is implemented and if so how. One of three possible choices is selected:

安全配置的选择决定了是否实现初始配置以及如何实现。选择三种可能的选择之一:

- initial-minimum-security-configuration - initial-semi-security-configuration - initial-no-access-configuration

- 初始最低安全配置-初始半安全配置-初始无访问配置

In the case of a initial-no-access-configuration, there is no initial configuration, and so the following steps are irrelevant.

在初始无访问配置的情况下,没有初始配置,因此以下步骤不相关。

2) A default context

2) 默认上下文

One entry in the vacmContextTable with a contextName of "" (the empty string), representing the default context. Note that this table gets created automatically if a default context exists.

vacmContextTable中的一个项,其contextName为“”(空字符串),表示默认上下文。请注意,如果存在默认上下文,则会自动创建此表。

vacmContextName ""

vacmContextName“”

3) An initial group

3) 最初的一组

One entry in the vacmSecurityToGroupTable to allow access to group "initial".

vacmSecurityToGroupTable中的一个条目,用于允许访问组“初始”。

vacmSecurityModel 3 (USM) vacmSecurityName "initial" vacmGroupName "initial" vacmSecurityToGroupStorageType anyValidStorageType vacmSecurityToGroupStatus active

vacmSecurityModel 3(USM)vacmSecurityName“初始”vacmGroupName“初始”vacmSecurityToGroupStorageType anyValidStorageType vacmSecurityToGroupStatus活动

4) Initial access rights

4) 初始访问权

Three entries in the vacmAccessTable as follows:

vacmAccessTable中的三个条目如下:

- read-notify access for securityModel USM, securityLevel "noAuthNoPriv" on behalf of securityNames that belong to the group "initial" to the <restricted> MIB view in the default context with contextName "".

- 在contextName为“”的默认上下文中,将属于组“initial”的SecurityName的securityModel USM、securityLevel“noAuthNoPriv”的notify access读取到<restricted>MIB视图。

- read-write-notify access for securityModel USM, securityLevel "authNoPriv" on behalf of securityNames that belong to the group "initial" to the <internet> MIB view in the default context with contextName "".

- 对于securityModel USM,securityLevel“authNoPriv”,代表属于组“initial”的securityNames对默认上下文中contextName为“”的<internet>MIB视图进行读写通知访问。

- if privacy is supported, read-write-notify access for securityModel USM, securityLevel "authPriv" on behalf of securityNames that belong to the group "initial" to the <internet> MIB view in the default context with contextName "".

- 如果支持隐私,则代表属于组“initial”的securityNames对securityModel USM、securityLevel“authPriv”的SecurityNotify access进行读写操作,以在默认上下文中使用contextName“”访问<internet>MIB视图。

That translates into the following entries in the vacmAccessTable.

这将转换为vacmAccessTable中的以下条目。

- One entry to be used for unauthenticated access (noAuthNoPriv):

- 一个用于未经验证的访问的条目(noAuthNoPriv):

vacmGroupName "initial" vacmAccessContextPrefix "" vacmAccessSecurityModel 3 (USM) vacmAccessSecurityLevel noAuthNoPriv vacmAccessContextMatch exact vacmAccessReadViewName "restricted" vacmAccessWriteViewName "" vacmAccessNotifyViewName "restricted" vacmAccessStorageType anyValidStorageType vacmAccessStatus active

vacmGroupName“初始”vacmAccessContextPrefix“vacmAccessSecurityModel 3(USM)vacmAccessSecurityLevel noAuthNoPriv vacmAccessContextMatch精确vacmAccessReadViewName“受限”vacmAccessWriteViewName“vacmAccessNotifyViewName”受限vacmAccessStorageType anyValidStorageType vacmAccessStatus活动

- One entry to be used for authenticated access (authNoPriv) with optional privacy (authPriv):

- 一个用于具有可选隐私(authPriv)的身份验证访问(authNoPriv)的条目:

vacmGroupName "initial" vacmAccessContextPrefix "" vacmAccessSecurityModel 3 (USM) vacmAccessSecurityLevel authNoPriv vacmAccessContextMatch exact vacmAccessReadViewName "internet" vacmAccessWriteViewName "internet" vacmAccessNotifyViewName "internet" vacmAccessStorageType anyValidStorageType vacmAccessStatus active

vacmGroupName“初始”vacmAccessContextPrefix“vacmAccessSecurityModel 3(USM)vacmAccessSecurityLevel authNoPriv vacmAccessContextMatch确切的vacmAccessReadViewName“internet”vacmAccessWriteViewName“internet”vacmAccessNotifyViewName“internet”vacmAccessStorageType anyValidStorageType vacmAccessStatus活动

5) Two MIB views, of which the second one depends on the security configuration.

- One view, the <internet> view, for authenticated access:

- the <internet> MIB view is the following subtree: "internet" (subtree 1.3.6.1)

- A second view, the <restricted> view, for unauthenticated access. This view is configured according to the selected security configuration:

- For the initial-no-access-configuration there is no default initial configuration, so no MIB views are prescribed.

- For the initial-semi-secure-configuration:

            the <restricted> MIB view is the union of these subtrees:
            (a) "system"       (subtree 1.3.6.1.2.1.1)      [RFC3918]
            (b) "snmp"         (subtree 1.3.6.1.2.1.11)     [RFC3918]
            (c) "snmpEngine"   (subtree 1.3.6.1.6.3.10.2.1) [RFC3411]
            (d) "snmpMPDStats" (subtree 1.3.6.1.6.3.11.2.1) [RFC3412]
            (e) "usmStats"     (subtree 1.3.6.1.6.3.15.1.1) [RFC3414]
        
- For the initial-minimum-secure-configuration:

            the <restricted> MIB view is the following subtree:
            "internet" (subtree 1.3.6.1)

This translates into the following "internet" entry in the vacmViewTreeFamilyTable:

                                 minimum-secure      semi-secure
                                 ----------------    ---------------
   vacmViewTreeFamilyViewName    "internet"          "internet"
   vacmViewTreeFamilySubtree     1.3.6.1             1.3.6.1
   vacmViewTreeFamilyMask        ""                  ""
   vacmViewTreeFamilyType        1 (included)        1 (included)
   vacmViewTreeFamilyStorageType anyValidStorageType anyValidStorageType
   vacmViewTreeFamilyStatus      active              active
        
In addition it translates into the following "restricted" entries in the vacmViewTreeFamilyTable:

                                 minimum-secure      semi-secure
                                 ----------------    ---------------
   vacmViewTreeFamilyViewName    "restricted"        "restricted"
   vacmViewTreeFamilySubtree     1.3.6.1             1.3.6.1.2.1.1
   vacmViewTreeFamilyMask        ""                  ""
   vacmViewTreeFamilyType        1 (included)        1 (included)
   vacmViewTreeFamilyStorageType anyValidStorageType anyValidStorageType
   vacmViewTreeFamilyStatus      active              active
        
   vacmViewTreeFamilyViewName                        "restricted"
   vacmViewTreeFamilySubtree                         1.3.6.1.2.1.11
   vacmViewTreeFamilyMask                            ""
   vacmViewTreeFamilyType                            1 (included)
   vacmViewTreeFamilyStorageType                     anyValidStorageType
   vacmViewTreeFamilyStatus                          active

   vacmViewTreeFamilyViewName                        "restricted"
   vacmViewTreeFamilySubtree                         1.3.6.1.6.3.10.2.1
   vacmViewTreeFamilyMask                            ""
   vacmViewTreeFamilyType                            1 (included)
   vacmViewTreeFamilyStorageType                     anyValidStorageType
   vacmViewTreeFamilyStatus                          active

   vacmViewTreeFamilyViewName                        "restricted"
   vacmViewTreeFamilySubtree                         1.3.6.1.6.3.11.2.1
   vacmViewTreeFamilyMask                            ""
   vacmViewTreeFamilyType                            1 (included)
   vacmViewTreeFamilyStorageType                     anyValidStorageType
   vacmViewTreeFamilyStatus                          active

   vacmViewTreeFamilyViewName                        "restricted"
   vacmViewTreeFamilySubtree                         1.3.6.1.6.3.15.1.1
   vacmViewTreeFamilyMask                            ""
   vacmViewTreeFamilyType                            1 (included)
   vacmViewTreeFamilyStorageType                     anyValidStorageType
   vacmViewTreeFamilyStatus                          active
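
The Appendix A entries above, worked as code: an added example (not part of RFC 3415) that encodes the semi-secure vacmAccessTable and vacmViewTreeFamilyTable entries for group "initial" and applies the VACM view and access lookup rules to a request. It assumes securityModel USM, contextName "" with exact match, and a request OID given as a tuple of sub-identifiers.

```python
# Added example, not part of RFC 3415: evaluate the Appendix A initial
# configuration (semi-secure column) the way VACM's isAccessAllowed does.
# Assumes group "initial", securityModel 3 (USM), contextName "" (exact match).
from dataclasses import dataclass

LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}

@dataclass(frozen=True)
class ViewFamily:
    subtree: tuple   # vacmViewTreeFamilySubtree
    mask: tuple      # vacmViewTreeFamilyMask bits; "" means all ones
    included: bool   # vacmViewTreeFamilyType 1 (included) or 2 (excluded)

# vacmViewTreeFamilyTable entries transcribed from Appendix A (semi-secure)
VIEWS = {
    "internet": [ViewFamily((1, 3, 6, 1), (), True)],
    "restricted": [ViewFamily(s, (), True) for s in (
        (1, 3, 6, 1, 2, 1, 1), (1, 3, 6, 1, 2, 1, 11), (1, 3, 6, 1, 6, 3, 10, 2, 1),
        (1, 3, 6, 1, 6, 3, 11, 2, 1), (1, 3, 6, 1, 6, 3, 15, 1, 1))],
}

# vacmAccessTable entries for group "initial": (securityLevel, read, write, notify)
ACCESS = [("noAuthNoPriv", "restricted", "", "restricted"),
          ("authNoPriv", "internet", "internet", "internet")]

def family_matches(fam, oid):
    """OID is under the family subtree; mask bit 0 wildcards a sub-identifier."""
    if len(oid) < len(fam.subtree):
        return False
    return all(oid[i] == sub or (i < len(fam.mask) and fam.mask[i] == 0)
               for i, sub in enumerate(fam.subtree))

def in_view(view, oid):
    """Longest matching family wins (ties: lexicographically greatest subtree)."""
    hits = [f for f in view if family_matches(f, oid)]
    if not hits:
        return False
    return max(hits, key=lambda f: (len(f.subtree), f.subtree)).included

def is_access_allowed(level, view_type, oid):
    """Return VACM statusInformation for a read/write/notify request on oid."""
    candidates = [e for e in ACCESS if LEVELS[e[0]] <= LEVELS[level]]
    if not candidates:
        return "noAccessEntry"
    entry = max(candidates, key=lambda e: LEVELS[e[0]])  # highest usable level
    view = {"read": entry[1], "write": entry[2], "notify": entry[3]}[view_type]
    if view == "":
        return "noSuchView"   # e.g. unauthenticated write: no write view configured
    return "accessAllowed" if in_view(VIEWS[view], oid) else "notInView"
```

An authPriv request falls through to the authNoPriv entry, since VACM selects the highest access entry whose securityLevel does not exceed the request's.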

B. Change Log

Changes made since RFC 2575:

- Removed reference from abstract as per RFC-Editor guidelines.
- Updated references.

Changes made since RFC 2275:

- Added text to vacmSecurityToGroupStatus DESCRIPTION clause to clarify under which conditions an entry in the vacmSecurityToGroupTable can be made active.
- Added REVISION clauses to MODULE-IDENTITY.
- Clarified text in vacmAccessTable DESCRIPTION clause.
- Added a DEFVAL clause to vacmAccessContextMatch object.
- Added missing columns in Appendix A and re-arranged for clarity.
- Fixed oids in appendix A.
- Use the PDU Class terminology instead of RFC1905 PDU types.
- Added section 7.4 about access control to the MIB.
- Fixed references to new/revised documents.
- Fix Editor contact information.
- Fixed spelling errors.
- Removed one vacmAccesEntry from sample in appendix A.
- Made some more clarifications.
- Updated acknowledgement section.

Editors' Addresses

   Bert Wijnen
   Lucent Technologies
   Schagen 33
   3461 GL Linschoten
   Netherlands

   Phone: +31-348-480-685
   EMail: bwijnen@lucent.com
        
   Randy Presuhn
   BMC Software, Inc.
   2141 North First Street
   San Jose, CA 95131
   USA

   Phone: +1 408-546-1006
   EMail: randy_presuhn@bmc.com
        
   Keith McCloghrie
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA 95134-1706
   USA

   Phone: +1-408-526-5260
   EMail: kzm@cisco.com
        
Full Copyright Statement

Copyright (C) The Internet Society (2002). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.