Any authenticated user can use the snmpConfig ReST service
Description
The snmpConfig ReST service will happily give up the SNMP configuration data, including community strings (but happily not USM credentials) for a particular IP address. This fact breaks with a long-standing policy of the SNMP configuration being a "trap door" into which only admin users can put stuff and from which no user (not even an admin) can retrieve stuff except by virtue of having an operating system account on the OpenNMS server. Also, it appears that even non-admin users are allowed to do a PUT to this service, which should not be the case. At minimum I think ROLE_ADMIN should be required for a user to GET or PUT to this service.
I added a restriction to applicationContext-spring-security.xml that will only allow users with ROLE_ADMIN (admin users) or ROLE_REST (users that are granted write access to the REST interface) to view and update SNMP authentication information. Marking as fixed.
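The check below is an added example, not part of the ticket or of OpenNMS's own code: it audits a Spring Security `intercept-url` list for the restriction described in the comment above, including the case where the snmpConfig rule is shadowed by an earlier, broader rule. The URL patterns, the `ROLE_USER` catch-all and the simplified pattern matcher are assumptions; only the role names and the service name come from the ticket.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not the real OpenNMS file: the URL patterns and the
# ROLE_USER catch-all are assumptions; only the role names come from the ticket.
BEFORE = """<http>
  <intercept-url pattern="/rest/**" access="ROLE_USER,ROLE_REST,ROLE_ADMIN"/>
</http>"""

AFTER = """<http>
  <intercept-url pattern="/rest/snmpConfig/**" access="ROLE_REST,ROLE_ADMIN"/>
  <intercept-url pattern="/rest/**" access="ROLE_USER,ROLE_REST,ROLE_ADMIN"/>
</http>"""

# Same rules as AFTER but with the specific one listed second, so it never fires.
MISORDERED = """<http>
  <intercept-url pattern="/rest/**" access="ROLE_USER,ROLE_REST,ROLE_ADMIN"/>
  <intercept-url pattern="/rest/snmpConfig/**" access="ROLE_REST,ROLE_ADMIN"/>
</http>"""

ALLOWED = {"ROLE_ADMIN", "ROLE_REST"}  # roles the fix permits


def matches(pattern, path):
    """Simplified Ant-style match: exact path or a trailing '/**' wildcard."""
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return path == base or path.startswith(base + "/")
    return pattern == path


def roles_for(config_xml, path, method):
    """Roles granted by the first matching intercept-url (first match wins)."""
    for rule in ET.fromstring(config_xml).iter("intercept-url"):
        rule_method = rule.get("method")
        if rule_method and rule_method.upper() != method.upper():
            continue
        if matches(rule.get("pattern"), path):
            return {r.strip() for r in rule.get("access", "").split(",") if r.strip()}
    return None  # no rule matched: the path is not covered at all


def audit(config_xml, path="/rest/snmpConfig/192.0.2.10"):
    """Return {method: unexpected roles} for GET and PUT; empty dict means OK."""
    findings = {}
    for method in ("GET", "PUT"):
        roles = roles_for(config_xml, path, method)
        extra = {"<unprotected>"} if roles is None else roles - ALLOWED
        if extra:
            findings[method] = extra
    return findings
```

An empty result from `audit` means both GET and PUT on the snmpConfig path resolve to a rule that grants only `ROLE_ADMIN` or `ROLE_REST`; the misordered sample shows why the specific rule has to come before the broader one.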