9.13 required perms | NetApp | Page 1

dark oracle Aug 1, 2023, 3:12 PM

#

So since we updated Ontap to 9.12 I've had issues with sporadically failing jobs.
Ive updated the PS toolkit from 9.9.1 to 9.13 and now cannot for the life of me get a simple connect-nccontroller to be successful due to constant 401 unauthorized.

The account in testing with worked prior to updates, did required permissions / roles change?
I'm running Ontap 9.12.1p2 currently and it's bombing out on numerous clusters.

dark oracle Aug 1, 2023, 4:19 PM

#

Yeah works with -zapicall enabled

dark oracle Aug 1, 2023, 5:34 PM

#

Well, back to my issues pre-updating of running into

ERROR  ]  Execution finished with the following error (winrm-exec.py:332)[root]
[ERROR  ]  get-ncaggr : Unable to find API: aggr-get-iter on admin vserver prodfiler
At C:\scripts\username\aggr_scrape_slack_post_webhook_1.ps1:51 char:14
+     $aggrs = get-ncaggr #| Where-Object {(!($_.name -match "aggr0"))}
+              ~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (prodfiler.domain.net:NcController) [Get-NcAggr], EAPINO 
   TFOUND
    + FullyQualifiedErrorId : ApiException,DataONTAP.C.PowerShell.SDK.Cmdlets.Aggr.GetNcAggr
 
get-ncaggr : Unable to find API: aggr-get-iter on admin vserver drfiler
At C:\scripts\username\aggr_scrape_slack_post_webhook_1.ps1:51 char:14
+     $aggrs = get-ncaggr #| Where-Object {(!($_.name -match "aggr0"))}
+              ~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (drfiler.domain.net:NcController) [Get-NcAggr], EAPINO 
   TFOUND
    + FullyQualifiedErrorId : ApiException,DataONTAP.C.PowerShell.SDK.Cmdlets.Aggr.GetNcAggr_.name

celest gulch Aug 2, 2023, 5:36 AM

#

NetApp phases out ZAPI for the REST API. According to the docs ZAPI should still be working with 9.13.
https://mysupport.netapp.com/info/communications/ECMLP2880232.html

The updated toolkit will try REST API first. You need a user with application http to use the REST API.

dark oracle Aug 2, 2023, 2:22 PM

#

Rest access isn't controlled via the traditional security login command set is it

celest gulch Aug 3, 2023, 6:15 AM

#

You need http access to your cluster. Create a user:
::> security login create -user-or-group-name testuser -application http -authentication-method password -role admin

Test REST API access with curl:
# curl -X GET -u testuser:password -k "https://<ip_address>/api/cluster?fields=version"

If you need custom roles you can use "traditional" roles (security login role create) or rest-roles (security login rest-role create). ONTAP will map the traditional roles to rest access. So you should be fine with existing roles that were used for ZAPI.

#9.13 required perms