# Read Only account for TridentBackend to only allow importing existing volumes


quasi surge

We are working on a use case where one of our TridentBackendConfigs is set up to only allow importing volumes in no-manage mode. Volumes are pre-created on the SVM. We would assume it should work. There is no need to write anything back to the SVM from a management perspective.
For this to work we:

  • provisioned the backend with the "vsreadonly" user (with the SVM's vsadmin-readonly role assigned)
  • configured the backend with autoExportPolicy: false and a default policy specified
  • importing the volume with the `--no-manage` flag

Backend was created successfully, but actual import volume is failing for some reason:

```
tridentctl -n trident-operator import volume ontap-svm2 k8s_c_m_j4w6bxm7_pvc_test_svm2 -f /tmp/pvc.yaml --debug --output wide --no-manage

Request body: {"backend":"ontap-svm2","internalName":"k8s_c_m_j4w6bxm7_pvc_test_svm2","noManage":true,"pvcData":"eyJhcGlWZXJzaW9uIjoidjEiLCJraW5kIjoiUGVyc2lzdGVudFZvbHVtZUNsYWltIiwibWV0YWRhdGEiOnsibmFtZSI6InB2Yy10ZXN0LXN2bTIiLCJuYW1lc3BhY2UiOiJpbmZyYS10ZXN0In0sInNwZWMiOnsiYWNjZXNzTW9kZXMiOlsiUmVhZFdyaXRlTWFueSJdLCJzdG9yYWdlQ2xhc3NOYW1lIjoib250YXAtc3ZtMi1oZGQifX0="}

Response body: {"volume":null,"error":"volume import failed to get size of volume: failed to get volume k8s_c_m_j4w6bxm7_pvc_test_svm2: error checking for existing volume: API status: failed, Reason: Insufficient privileges: user 'vsreadonly' does not have write access to this resource, Code: 13003"}
```

Any ideas on what trident-operator wants here and how we can mitigate it?

quasi surge

seems like it is failing on trident-23.01.0/frontend/csi/controller_helpers/kubernetes/import.go

```go
h.orchestrator.GetVolumeExternal(ctx, request.InternalName, request.Backend)
```

not sure why this call needs write permissions

quasi surge

we have added:

```yaml
debugTraceFlags:
  api: true
  method: true
```

to TridentBackendConfig, but we do not see additional traces. This would be really helpful to understand what API call is failing.

last heath

@quasi surge, we don't support using the vsreadonly user and have not tested Trident with that user. I'm not surprised that this is failing for you.

quasi surge

for this SVM's TridentBackend, it is important for us to prevent volume deletions. We thought the best approach here is to limit the TridentBackend user in what it can do.

last heath

What most people do is to set the Reclaim Policy on the PVC to Retain. That will prevent Trident from deleting the volume. Customers will then have automation that detects what volumes are in the Retain state and manage them according to their deletion policies from there.

Also, using the unmanaged import like you suggested will prevent Trident from deleting the storage volume.

quasi surge

we do `tridentctl -n trident-operator import volume`. I am not sure where we can specify the Reclaim Policy in this case.

hidden flume

Retain is specified in the storage class that is referenced in the pvc.yaml listed on the command line.
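As an added illustration of the last answer (not manifests from the thread or from the Trident project): a StorageClass whose `reclaimPolicy` is `Retain`, and the PVC that references it, which is the pair `tridentctl import volume -f /tmp/pvc.yaml` would use. The PVC fields match what the base64 `pvcData` in the request body above decodes to; the StorageClass name `ontap-svm2-hdd` also comes from that request, while `backendType: ontap-nas` and the `csi.trident.netapp.io` provisioner are assumptions about the backend driver.

```yaml
# Added example. The reclaim policy that protects the imported PV from
# deletion lives on the StorageClass, not on tridentctl's command line.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: ontap-svm2-hdd            # name taken from the request body in the thread
provisioner: csi.trident.netapp.io
reclaimPolicy: Retain             # deleting the PVC leaves the PV and the ONTAP volume in place
parameters:
  backendType: ontap-nas          # assumption: driver type of the ontap-svm2 backend
---
# PVC referenced by -f /tmp/pvc.yaml; decoded from the pvcData field above.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-test-svm2
  namespace: infra-test
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: ontap-svm2-hdd
```

After a successful import, `kubectl get pv` shows the RECLAIM POLICY column for the new PV; it should read `Retain`, and a later `kubectl delete pvc` moves the PV to the `Released` state instead of removing it. Together with `--no-manage`, this keeps the backend credential's privileges out of the picture for deletion protection, so the backend user can keep the permissions Trident needs for the import itself.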