I want to modify the snapdir accessible parameter on one volume using the RestAPI, and I want to give a non-storage admin the ability to make the change. I have code that works as me, but I want to limit it to a specific user and role. I tried creating an Ontap role with the command directory of volume and a query of -volume <VOLNAME>, but it gives me a 401 Unauthorized when I run the code. Is this something that is possible?
#Is it possible to create an Ontap role that limits an ontapi user to modifying one volume/restapi?
I think the lowest level you can get is a vserver level role, but you can severely limit the role commands/access.
Yes! You can! You need the -query argument if I recall. Let me look
You would need to have a unique role for the user, then one of the roles might look like this:
security login role create -role user1_role -cmddirname "volume show" -access all -query "-volume volume_X"
You can limit the scope of the role command with the query. Anything you need to limit scope, include it! "-volume x -vserver y" etc. They must be exact and no shorthand. Full commands.
Thanks TMAC, I had already figured -query was involved but your statement "They must be exact and no shorthand. Full commands" led me to further experimentation. I tried assigning 2 commands to the role, one for true and one for false but it turns out you can only have one per -cmddirname, so I tried "-query -volume NFS_volume -snapdir-access true|false". This sadly fails to protect the volume and allows modification of any volume parameter including size and comment. The resolution turned out to be just dropping the 'true|false' - "-query -volume NFS_volume -snapdir-access"
The RBAC model seems quite lacking in flexibility and failing open like it did seems to be a poor choice on NetApp's part.
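The follow-up above is the important security check: after creating a query-restricted role, verify from the restricted account that the changes you did not intend to allow are actually denied, because the first query attempted in this thread failed open. The script below is an added example written for this thread, not code posted by anyone in it and not NetApp's own tooling. It emits the two role commands in the shape the resolution post arrived at (the "volume modify" query names the volume and the bare "-snapdir-access" attribute, no "true|false"), then, using only the standard library, runs a small allow/deny matrix against the ONTAP REST API as the restricted user and reports any probe that was accepted when it should have been refused. Assumptions, all labelled in the code: the REST field for snapdir access is named `snapshot_directory_access_enabled`; a denied PATCH returns a non-2xx status (the thread saw 401) while an accepted one returns 2xx (ONTAP normally answers 202 with a job); host, credentials, SVM and the two volume names come from environment variables; and the second volume `ONTAP_OTHER_VOLUME` exists and must stay untouched. The probe bodies only toggle snapdir access and set a comment, so a fail-open result leaves nothing worse than a stray comment to revert; add further attributes (size, for example) only where a successful change is acceptable in your environment.

```python
"""Probe an ONTAP query-restricted RBAC role for fail-open behaviour over REST.

Added example for the thread above, not code from the thread or from NetApp.
Assumptions (see lead-in): field name `snapshot_directory_access_enabled`,
2xx == allowed / non-2xx == denied, configuration via environment variables.
"""
import base64
import json
import os
import ssl
import sys
import urllib.error
import urllib.request

SNAPDIR_FIELD = "snapshot_directory_access_enabled"  # assumed REST field name


def role_commands(role, svm, volume):
    """ONTAP CLI lines for the least-privilege role the thread settled on.

    The query must spell out the volume and attribute in full, no shorthand,
    and must NOT carry a value ("-snapdir-access true|false" failed open).
    """
    return [
        f'security login role create -vserver {svm} -role {role} '
        f'-cmddirname "volume show" -access readonly -query "-volume {volume}"',
        f'security login role create -vserver {svm} -role {role} '
        f'-cmddirname "volume modify" -access all '
        f'-query "-volume {volume} -snapdir-access"',
    ]


def probe_cases(volume, other_volume):
    """(label, target volume, PATCH body, expected_allowed) for each probe."""
    return [
        ("snapdir toggle on target volume", volume, {SNAPDIR_FIELD: False}, True),
        ("comment on target volume", volume, {"comment": "rbac-probe"}, False),
        ("snapdir toggle on other volume", other_volume, {SNAPDIR_FIELD: False}, False),
    ]


def classify(status, expected_allowed):
    """Compare an HTTP status with the expectation; FAIL_OPEN is the bad case."""
    allowed = 200 <= status < 300
    if allowed == expected_allowed:
        return "ok"
    return "FAIL_OPEN" if allowed else "FAIL_CLOSED"


def run_probes(send, cases):
    """Feed every case through send(volume, body) -> status and collect verdicts."""
    return [(label, send(vol, body), classify(send_status := send(vol, body), exp))
            if False else (label, s, classify(s, exp))
            for label, vol, body, exp in cases
            for s in [send(vol, body)]]


class OntapRest:
    """Minimal basic-auth client for the ONTAP REST API (stdlib only)."""

    def __init__(self, host, user, password, insecure=False):
        self.base = f"https://{host}/api"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.auth = f"Basic {token}"
        self.ctx = ssl.create_default_context()
        if insecure:  # lab use only: skips certificate verification
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Authorization", self.auth)
        req.add_header("Accept", "application/json")
        req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, {}

    def volume_uuid(self, svm, name):
        status, doc = self.call("GET",
            f"/storage/volumes?svm.name={svm}&name={name}&fields=uuid")
        if status != 200 or not doc.get("records"):
            raise SystemExit(f"cannot resolve volume {name} (HTTP {status})")
        return doc["records"][0]["uuid"]

    def patch_volume(self, uuid, body):
        return self.call("PATCH", f"/storage/volumes/{uuid}", body)[0]


if __name__ == "__main__":
    env = os.environ
    svm, vol, other = env["ONTAP_SVM"], env["ONTAP_VOLUME"], env["ONTAP_OTHER_VOLUME"]
    print("Role commands to run as an admin first:")
    print("\n".join(role_commands(env.get("ONTAP_ROLE", "snapdir_only"), svm, vol)))
    api = OntapRest(env["ONTAP_HOST"], env["ONTAP_USER"], env["ONTAP_PASS"],
                    insecure=env.get("ONTAP_INSECURE") == "1")
    uuids = {v: api.volume_uuid(svm, v) for v in (vol, other)}
    results = run_probes(lambda v, b: api.patch_volume(uuids[v], b),
                         probe_cases(vol, other))
    for label, status, verdict in results:
        print(f"{verdict:12} HTTP {status:3}  {label}")
    sys.exit(1 if any(v == "FAIL_OPEN" for _, _, v in results) else 0)
```

Run it as the restricted user; every line must read `ok`. A `FAIL_OPEN` on the comment or other-volume probe means the role query is not constraining the modify command the way you intended, which is exactly the condition the original poster hit with a value appended to the query.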
Plus... I found errors in some versions where the commands just would not work. (I think this got fixed in 9.10.) I was working with a customer to create a bunch of "limited" commands to be able to test SnapMirror sync/resync. If I recall, the one command that would not work is "vserver stop"... until 9.10.