#Does UM s commonSAN name in the
this is the last entry in the audit log after I try to add the cluster to OCUM:
Tue Nov 01 20:32:16 2022 FsxId02c69182adac0fa68-01 [kern_audit:info:4247] 8503e80000007039 :: FsxId02c69182adac0fa68:ontapi :: 172.31.20.13:39456 :: FsxId02c69182adac0fa68:fsxadmin :: security-certificate-delete :: Error: not authorized for that command
...which is weird, because that user definitely has the ability to delete certs
hmm, i haven't seen any FSx added to UM before.
and i think that might actually be an FSx issue, lemme read this bug real quick
thank you!
is this 9.10 or later?
9.11.1p3 against both AIQUM 9.11p1 and OCUM 9.5p1
are you able to access this document? https://kb.netapp.com/@api/deki/files/1136/Ontapi_9xx.txt?revision=2 it doesn't load for me
it's linked in this KB article: https://kb.netapp.com/Advice_and_Troubleshooting/Data_Infrastructure_Management/OnCommand_Suite/Active_IQ_Unified_Manager_read-only_account_privileges_for_ONTAP
ok, um 9.5 does not support newer than ontap 9.6. you'd need to go to um 9.11.
but that also means you shouldn't be on the rbac cert install bug i found.
the ontap 8 link works, i'll see if i can hunt down the 9.x. it is not working
here's the doc, i'm working on updating the kb
thank you Dawn! I'll audit (pun not really intended) the role I've created to see if it has those perms
the bad news is I skipped the audit... and just created a new user. the good news is it worked!
well I couldn't help myself: I looked closely, and your file doesn't even include "security certificate" at all!
nope, it doesn't. i don't think that's been updated for a while.
i was just thinking of going through and updating it
so I'm mystified as to how it installs a certificate without that, but like Jurassic Park it uhh finds a way
the doc may predate when we started installing the um certificate on the cluster
it's almost as if it looked to see if it could create a certificate on the cluster, saw that it could, tried to, but ran into a bug and errored out... whereas your method doesn't even try. but the installation succeeds anyway!
so, there weren't too many apis missing from the list, but those all require write permissions. these were what I added:
security login role create -role ocum_readonly -access all -query "" -cmddirname "security certificate"
security login role create -role ocum_readonly -access all -query "" -cmddirname "event notification destination"
security login role create -role ocum_readonly -access all -query "" -cmddirname "event filter create"
security login role create -role ocum_readonly -access all -query "" -cmddirname "event filter delete"
security login role create -role ocum_readonly -access all -query "" -cmddirname "event filter rule"
security login role create -role ocum_readonly -access all -query "" -cmddirname "event notification create"
security login role create -role ocum_readonly -access all -query "" -cmddirname "event notification delete"
security login role create -role ocum_readonly -access all -query "" -cmddirname "event destination delete"
@zenith coyote do you ever see customers use RO accounts for "regular" CLI access? i.e. not OCUM/AIQUM
i would assume they are out there, but i just deal with the oncommand stuff.