#had a look at the audit logs on ontap
hi @celest vessel, we'll take a look. Harvest uses ONTAP's REST CLI for some REST metrics that are unavailable via the public API
that request is from the NetConnection object here https://github.com/NetApp/harvest/blob/main/conf/rest/9.12.0/netConnections.yaml#L4
if you want, you can disable in your default.yaml while we take a look
disabled NetConnections in /opt/harvest2-conf/conf/rest/default.yaml and still have the audit log entries.
GET /api/private/cli/network/connections/active?return_records=true&fields=blocks_lb,lif_name,local_address,local_port,node,proto,remote_ip,cid,vserver,remote_host,service,lru :: Pending
GET /api/private/cli/network/connections/active?return_records=true&fields=blocks_lb,lif_name,local_address,local_port,node,proto,remote_ip,cid,vserver,remote_host,service,lru :: Error: invalid operation
GET /api/private/cli/cluster/date?return_records=true&fields=date&max_records=1 :: Pending
GET /api/private/cli/cluster/date?return_records=true&fields=date&max_records=1 :: Success:
GET /api/private/cli/cluster/date?start.node=node11&return_records=true&fields=date&max_records=1 :: Pending
GET /api/private/cli/cluster/date?start.node=node11&return_records=true&fields=date&max_records=1 :: Success:
GET /api/private/cli/cluster/date?start.node=node12&return_records=true&fields=date&max_records=1 :: Pending
GET /api/private/cli/cluster/date?start.node=node12&return_records=true&fields=date&max_records=1 :: Success:
but it's ok if you know the problem and fix it in the future 😉
thank you
that's the only place Harvest makes that API request. Maybe there's still a poller running with the old template? Harvest is asking for a field that your version of ONTAP does not have, and ONTAP is logging that msg as an invalid operation. What version of ONTAP is your cluster?
this is my test A220 with ontap 9.10.1P4, but I have the same log entry with ontap 9.9.1PX
thanks
where is this default.yaml located?
$HARVEST_INSTALL/conf/rest/default.yaml
I edited the wrong default.yaml file 😫
now I don't see any netconnect entries anymore 👍
if you get a chance, could you run the following curl command against the 9.9.1PX cluster and paste the results? When we try this curl against version NetApp Release 9.9.1P9X3: Tue Apr 19 19:05:24 UTC 2022 there are no errors
curl --insecure --user "user:password" 'https://$clusterIP/api/private/cli/network/connections/active?fields=blocks_lb,lif_name,local_address,local_port,node,proto,remote_ip,cid,vserver,remote_host,service,lru'
EDIT:
{
"error": {
"message": "API not found",
"code": "3"
}
}
the earlier log message you pasted, that was from the harvest user?
or maybe that was from the other cluster
I edited my post - sorry for that.
this is the output on ontap 9.9.1:
curl --insecure --user "harvest2:<PASS>" 'https://<MYFILER>/api/private/cli/network/connections/active?fields=blocks_lb,lif_name,local_address,local_port,node,proto,remote_ip,cid,vserver,remote_host,service,lru'
{
"error": {
"message": "API not found",
"code": "3"
}
}
but when I do the same statement with the admin user I get "num_records": 923
right! perhaps your harvest2 user does not have rest permissions. Let me find those and we can check
security login show -user-or-group-name harvest2
user:
                                                               Second
User/Group                 Authentication                 Acct Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
harvest2       http        password      harvest2-role    no     none
harvest2       ontapi      password      harvest2-role    no     none
role:
              Command/                                Access
Role Name     Directory                      Query    Level
------------- ------------------------------ -------- --------
harvest2-role DEFAULT                                 none
              cluster                                 readonly
              lun                                     readonly
              network interface                       readonly
              qos workload delete                     readonly
              qos workload modify                     readonly
              qos workload show                       readonly
              security                                readonly
              snapmirror                              readonly
              statistics                              readonly
              storage aggregate                       readonly
              storage disk                            readonly
              storage encryption disk                 readonly
              storage shelf                           readonly
              system health status show               readonly
              system health subsystem modify          readonly
              system health subsystem show            readonly
              system node                             readonly
              version                                 readonly
              volume                                  readonly
              vserver                                 readonly
vserver services web access show -role harvest2-role -name rest
Vserver        Type     Service Name  Role
-------------- -------- ------------- ----------------
<MYCLUSTER>    admin    rest          harvest2-role
you're right! When I edit the role and give DEFAULT access ALL, I see a lot of output with your curl statement. There is one command/directory missing in my harvest2-role.
nice!
yes, nice, but now I've to find the missing command in my role 😉
Maybe your harvest user doesn't have permission for the API path for REST. You can check the same from System Manager.
@coarse knot, I can't use a "normal" role like this one https://netapp.github.io/harvest/22.11/prepare-cdot-clusters/#least-privilege-approach
and a rest-role at the same time.
::> security login rest-role create -vserver <MYFILER> -role harvest2-role -api /api -access readonly
Error: command failed: Role already exists in legacy role table.
maybe it's better to work with rest-role, but then you have to modify your documentation
same when I try locally, asking some other folks if they know how to attach rest role to an existing role
you mean create rest-role first and then attach zapi roles?
as far as I know you can't use zapi & rest-role for the same user with the same application
right, so we need to change Harvest documentation to create an ontapi role and a rest-role separately and then associate both roles with a user
we have to find the missing zapi role for netconnection - that's all.
maybe this doesn't work anymore with zapi - don't know.
but that's the same:
rest-role with -api /all -access none
zapi-role with -cmddirname default -access none
I start my harvest2-role with default access none and add all the other read-only permissions like here:
https://netapp.github.io/harvest/22.11/prepare-cdot-clusters/#least-privilege-approach
and that's not enough for netconnection.
not related to zapi since we're making a rest request