[RFE] SNMP driver does not implement security features
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ironic | Fix Released | Wishlist | Ilya Etingof | | |
Bug Description
The Ironic SNMP driver does not leverage the security features that SNMPv3 offers. Supporting them would improve the security of the management network whenever SNMP is used for power management.
Since the underlying library (pysnmp) does all the SNMPv3 heavy lifting, at the level of the Ironic SNMP driver it is merely a matter of adding additional configuration parameters to utilize all the SNMPv3 security features. Then the operator could configure the SNMP driver to use either SNMP v1, v2c or v3 by way of setting the `snmp_version` option (which is already present).
SNMPv3-related options to be introduced would be:
* snmp_usm_user: user name (string)
* snmp_usm_
* snmp_usm_auth_key: ascii string
* snmp_usm_
* snmp_usm_priv_key: ascii string
* snmp_context_name: SNMP context (string) to address possibly many instances of the same MIB behind a single SNMP agent
Implementation-
The same applies to the VirtualPDU tool -- we will need to teach it to pick up the options above [1]; no backward incompatible changes anticipated.
The proposed change would introduce the indirect dependency on the `pycryptodomex` package which pysnmp (4.4.1+) uses for the low-level crypto operations.
1. https:/
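An illustration of how the options listed in the report combine into an SNMPv3 security level, added here and not taken from the report or from Ironic. It uses only the option names that appear in full above; the 8-character key minimum, the default version and the fail-closed checks are assumptions of this sketch.

```python
# Added example, not Ironic code. Option names are the ones listed in the
# report; the checks themselves are assumptions of this sketch.
MIN_KEY_LEN = 8  # assumption: 8-character minimum for USM passphrases

V3_OPTIONS = ("snmp_usm_user", "snmp_usm_auth_key", "snmp_usm_priv_key",
              "snmp_context_name")


def snmp_security_level(info):
    """Return the effective protection for a node's SNMP settings.

    Raises ValueError on combinations that would silently weaken
    security instead of falling back to a lower level.
    """
    version = str(info.get("snmp_version", "1"))  # assumption: v1 by default
    if version in ("1", "2c"):
        stray = [opt for opt in V3_OPTIONS if info.get(opt)]
        if stray:
            # USM settings were supplied, but the version selects
            # community-string access, so they would never be used.
            raise ValueError("SNMPv3 options %s unused with snmp_version=%s"
                             % (stray, version))
        return "community"
    if version != "3":
        raise ValueError("unsupported snmp_version: %r" % version)

    if not info.get("snmp_usm_user"):
        raise ValueError("snmp_usm_user is required for SNMPv3")
    auth_key = info.get("snmp_usm_auth_key")
    priv_key = info.get("snmp_usm_priv_key")
    for name, key in (("snmp_usm_auth_key", auth_key),
                      ("snmp_usm_priv_key", priv_key)):
        if key is not None and len(key) < MIN_KEY_LEN:
            raise ValueError("%s is shorter than %d characters"
                             % (name, MIN_KEY_LEN))
    if priv_key and not auth_key:
        # USM defines no privacy-without-authentication level.
        raise ValueError("snmp_usm_priv_key requires snmp_usm_auth_key")
    if priv_key:
        return "authPriv"
    return "authNoPriv" if auth_key else "noAuthNoPriv"


# Constructed sample node settings.
SAMPLE = {"snmp_version": "3", "snmp_usm_user": "pdu-admin",
          "snmp_usm_auth_key": "constructed-auth-key",
          "snmp_usm_priv_key": "constructed-priv-key"}
```

A deployment that requires encrypted power-management traffic would accept only nodes for which this returns `authPriv`.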
tags: | added: snmp |
Changed in ironic: | |
status: | New → Confirmed |
importance: | Undecided → Wishlist |
description: | updated |
description: | updated |
Changed in ironic: | |
assignee: | nobody → Ilya Etingof (etingof) |
description: | updated |
Changed in ironic: | |
status: | In Progress → Fix Released |
Do we need a spec for this? I'd be fine if the additional config parameters were described here and they aren't controversial :)
wrt 'pycryptodome', I see this note [1], but I don't think we are using pycrypto? (someone should verify of course)
[1] https://github.com/openstack/requirements/blob/a5892e231bdf80f6b36348b8a1dee0ae09d4fb15/global-requirements.txt#L224