Brocade Least Privilege User account creation for OCI
2017-07-28 10:07 AM
OCI's Brocade CLI datasource uses:
SSH commands for inventory/configuration data
SNMP queries for performance collection
What you need to know about your environment before starting down the path of creating a least privilege user account for OCI to use?
Am I using Virtual Fabrics technology?
If the answer is yes - are we likely to add more VF in the future?
Are we looking to have OCI gather performance data off the switches?
If the answer is yes, AND you are using VF, you are going to have to use SNMP v3 to gather performance.
You need a user account. What does that user account need?
Permissions on all the virtual fabrics configured on the physical switch. Now, if there is any chance you are going to add more VF in the future, I would recommend granting your service account permissions on all 128 VF IDs up front - otherwise, if a new VF is created that your OCI service account will not have privileges on, your OCI datasources will fail as OCI will detect the presence of a VF it is not able to fully understand.
Chassis role - this is a boolean state. When you create an account, you may or may not grant it. OCI's service account will need it.
userconfig --add OCI -l 1-128 -h 128 -r user -c user
This creates "OCI" ,
granting permissions on all possible Virtual Fabrics (they can only be numbered 1-128) -> "-l 1-128"
sets the home VF to 128, which OCI honestly doesn't require (it is smart enough to deal with any home value) -> "-h 128"
Assigns OCI the role of "user" , a default configured role - if this role has been deleted, this command may error -> " -r user"
Assigns OCI the chassis role of "user". Again, if this has been deleted, this command may error -> " -c user"
You will be prompted to enter a password. You are done, from an *inventory* perspective.
First SNMP - SNMP supports pushing traps aka informs for alarming, and polls for pulling information. OCI is going to be exclusively polling, so any verbiage about traps/informs is irrelevant to OCI.
Brocade switches ship with 6 slots for SNMP v3 users - snmpuser[1-3] and snmpadmin[1-3]. These are not real users on the switch, and you cannot use them for performance collection by OCI, in environments where VF is in use - these users are not privileged on any VF other than the default VF, 128.
So, you need to put your OCI user account in one of the 6 user slots. We would recommend only of the 3 read only user slots, as OCI doesn't need RW access.
You do this by running the cli command
snmpConfig --set snmpv3
It is a text wizard interface, where you are prompted to either enter new values for any of the fields, or hit enter to accept the existing value.
Replace one of the snmpuser[1-3] with the username of your OCI service account you have created - it is our strongest possible recommendation to put the username you are using for inventory into one of those read only slots.
For Auth protocol:
SHA is stronger than MD5.
NoAuth means you don't want to enable authentication.
If you define a value that requires a password you will need to put that password in the "SNMP Password" field in your OCI Brocade datasource configuration
For privacy (encryption) protocol:
AES256 is stronger than AES128 which is stronger than Des which is stronger than no encryption whatsoever, NoPriv
However - OCI does not work out of the box with AES256, as the standard Java editions do not include cryptography stronger than 128bits. Going with AES256 may make maintaining and upgrading OCI more tricky
Any of the values other than "NoPriv" will require you to enter a password - this could be the same, or different from the authentication password. Document accordingly.
The privacy aka encryption password needs to go in the Advanced Configured -> "SNMP Privacy Password" field.
Build the same user account + snmp account of all the switches in the physical fabric. Consistency is good
Master level topics, or "What else could go wrong?"
It is possible the above will not work, because:
Access control lists - Brocade supports SNMP access control lists. Factory default is that there are none, and therefore the behavior is they are open. But if a single entry is added to an access control list, there is now an implicit default deny at the end - think of it as a firewall.
snmpconfig --show accessControl
If you see 6 entries that state ...No access host configured yet , you are looking at a factory default config, and this is not your problem.
If you see entries, you will need to add the IP address of the OCI point of acquisition - where does your datasource live, on the OCI server, or on a Remote Acquisition Unit?
SNMP policy - perhaps you were trying to avoid cryptography. But the switch may have a policy that requires it:
snmpconfig --show seclevel
What matters to OCI is the "GET" level.
3 disables SNMP entirely, and is incompatible with OCI performance gathering
2 requires both authentication and privacy, so if you were adding your SNMPv3 user and not specifying either, that user's configuration is therefore unusable
2 REPLIES 2