I have been using this module for quite a while with many FSxN filesystems without any issue. Today when I try and run this to add a new export policy rule, I get an error stating msg: 'Error on creating export policy rule: calling: protocols/nfs/export-policies/12884901891/rules?return_records=true: got {''message'': ''not authorized for that command'', ''code'': ''6''}.' This is supposed to add a new rule to a policy (the policy creation still works fine, only adding rules to it is broken). This user is "fsxadmin" - the only account on FSxN.
#na_ontap_export_policy_rule now returns 'not authorized for that command' on FSxN
fsxadmin doesn't have the needed privileges for it. Please enable and use the vsadmin user for export policy rule creation.
I don't think it's possible to use vsadmin on FSxN
You cannot create/modify user accounts on FSxN. You only have fsxadmin. NetApp removed this capability. It's really frustrating.
It can be done in AWS console
This is an issue with the REST API itself. This is better addressed on #ontap-api. Or you should open a support case with NetApp.
Which version of ONTAP is it?
@real otter I don't see how to do this in the AWS console. @weary cargo It's 9.11.1P3, freshly deployed today. I have lots of them.
Learn how to access and manage Amazon FSx for NetApp ONTAP resources using the NetApp management applications.
Please refer to this for using vsadmin. Please use the vserver mgmt IP when you use vsadmin.
@winter basalt, just for awareness: FSxN is an AWS portfolio service offering. AWS manages the product and controls the functions. AWS support can be reached to enable this functionality if you are not successful.
Thanks @real otter. I do think that this is something which has recently changed as I've run the same playbook a hundred times before. I don't know who is to "blame" for this issue, but it's something new.
It seems a really strange decision to make - removing the ability to add rules to an export policy from the main admin account for the machine and restrict it to a vsadmin account. Are there any other instances where the "admin" user does not have permissions to do a task that vsadmin can?
It looks more like an unintentional change. Are you able to revert to the version you were using before and confirm this was working?
@weary cargo apologies for the slow response. I've tested this again with multiple versions of the netapp.ontap collection and that does not seem to be the issue. It must be an API change. I'll raise a case with AWS to look.
@minor otter do you have any insight on this?
I can't think of anything off the top of my head, no.
@winter basalt can you please submit a case? I will take a look at it when you do. You can use vsadmin in FSxN, FWIW.
@minor otter case raised (11782726801), thanks.
Sorry, I meant ONTAP versions. But this may not be something you can control.
As Laurent mentioned, this was an unintentional change. Nothing to do with Ansible but with FSxN itself. I heard there is a fix in 9.12.1 GA of FSxN for this issue.
I will allow the team to confirm.
We used vsadmin as a temp fix.
@winter basalt I have been struggling with this issue for 1 week now, however it was all OK before. There were no firmware upgrades, nothing related on the target systems; it's currently ONTAP 9.9.1P15. Sometimes when issuing only several jobs from Ansible Tower they run successfully, sometimes all jobs fail because of the same exact error. Have you got any update on this?
Also, I've checked the audit logs for any trace and it seems those POST requests and HTTP login attempts are not in the audit log. That makes me wonder: if we got a response from the API, that would mean that the authentication succeeded, therefore it should be included in the audit log? Or does the audit log only show the processed requests?