access: limit OIDs exposed over SNMP

Define a custom SNMP group with read access only to fields we need. For D-Link switches, modifying the group must be handled the same as user, i.e. the group (and user) must be removed and readded. Untested for FS S5800.
2025-10-22 13:43:07 +02:00 · 2025-10-22 13:43:07 +02:00 · 7a2223ea71
commit 7a2223ea71
parent 2c93cab682
5 changed files with 61 additions and 16 deletions
--- a/roles/access/tasks/d-link.yml
+++ b/roles/access/tasks/d-link.yml
@ -13,13 +13,27 @@
  set_fact:
    snmp_hashes: '{{ (snmp_config.stdout | from_yaml).snmpv3.hashes }}'

- name: Get SNMP users
+# check if the SNMP user and group we want to set differ from current switch config
+# in this case we have to remove them before trying to chane password or settings
+- name: Define SNMP user and group configuration commands
  set_fact:
-    snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server user '+manager.snmp_user+' public v3') }}"
-    snmp_target: "snmp-server user {{ manager.snmp_user }} public v3 encrypted auth sha {{ snmp_hashes.auth }} priv {{ snmp_hashes.priv[:32] }} "
+    target_user: "snmp-server user {{ manager.snmp_user }} public v3 encrypted auth sha {{ snmp_hashes.auth }} priv {{ snmp_hashes.priv[:32] }} "
+    target_group: "snmp-server group public v3  priv read public "
+
+- name: Get existing SNMP user and group entries from switch
+  set_fact:
+    current_user: "{{ ansible_net_config | split('\n')
+        | select('match', '^snmp-server user '+manager.snmp_user+' public v3') }}"
+    current_group: "{{ ansible_net_config | split('\n')
+        | select('match', '^snmp-server group public v3') }}"
+
+- name: Check if existing SNMP user and/or group should be removed
+  set_fact:
+    remove_user: "{{ current_user and target_user is not in current_user }}"
+    remove_group: "{{ current_group and target_group is not in current_group }}"

 - name: Remove existing SNMP user to reset password
-  when: 'snmp_current and snmp_target is not in snmp_current'
+  when: remove_user or remove_group # can’t change group with existing users
  block:
    - name: Remove SNMP user
      ansible.netcommon.cli_config:
@ -27,10 +41,28 @@
      notify: write config

    - set_fact:
-        snmp_current: false
+        current_user: false
+
+- name: Remove existing SNMP group to change parameters
+  when: remove_group
+  block:
+    - name: Remove existing SNMP group
+      ansible.netcommon.cli_config:
+        config: 'no snmp-server group public v3 priv'
+      notify: write config
+
+    - set_fact:
+        current_group: false
+
+# create new SNMP user and group
+- name: Create SNMP group and user
+  when: not current_group
+  ansible.netcommon.cli_config:
+    config: '{{ target_group }}'
+  notify: write config

 - name: Create SNMP user
-  when: 'not snmp_current'
+  when: not current_user
  ansible.netcommon.cli_config:
-    config: '{{ snmp_target }}'
+    config: '{{ target_user }}'
  notify: write config
--- a/roles/access/tasks/fs.yml
+++ b/roles/access/tasks/fs.yml
@ -4,11 +4,11 @@

 - name: Get existing SNMP users
  set_fact:
-    snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user '+manager.snmp_user) }}"
-    snmp_target: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} "
+    current_user: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user '+manager.snmp_user) }}"
+    target_user: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} "

 - name: Remove existing SNMP user to reset password
-  when: "snmp_current and snmp_target is not in snmp_current"
+  when: "current_user and target_user is not in current_user"
  block:
    - name: Remove SNMP user
      ansible.netcommon.cli_config:
@ -19,14 +19,14 @@
      notify: write config

    - set_fact:
-        snmp_current: false
+        current_user: false

 - name: Create SNMP user
-  when: "not snmp_current"
+  when: "not current_user"
  ansible.netcommon.cli_config:
    config: "{{ item }}"
  loop:
-    - "{{ snmp_target }}"
+    - "{{ target_user }}"
    - "snmp-server group public user {{ manager.snmp_user }} security-model usm"
  no_log: true
  notify: write config