# na_ontap_restit module fails with custom role and user


rough maple
#

Hi Team,

Customer wanted to implement limited privileges for a user account to perform only certain tasks via Ansible. They have created an Ansible user with a custom role giving access to the needed command directories. The na_ontap_restit module fails with a "user not authorized" error.

But REST API calls using this user are working as expected.

Could you please help?

rough maple
#

Hi Team, any updates on this?

#

@elder sky could you please help here?

vital hornet
#

Well, the error says "User is not authorized"; it looks like the credentials might be wrong. Can you check again and run?

rough maple
#

I have given you the screenshot of the Postman REST API logs. I'm using the correct password.

#

This is the case for the customer as well.

elder sky
#

Could you turn on the debug ONTAP API tracing and send me the logs from that?

#

Does it have permission to call (I forget if it is /svm or /cluster)? The very first call every module makes is to find the ONTAP version.

rough maple
#

That makes sense. Let me try adding access to the cluster folder and check.

rough maple
#

cat /tmp/ontap_apis.log
2023-09-06 12:06:46,001 DEBUG sending: {'method': 'GET', 'url': 'https://10.216.61.65:443/api/snapmirror/relationships?return_records=true&return_timeout=30', 'verify': False, 'params': {'list_destinations_only': True, 'fields': 'source.path,destination.path', 'destination.svm.name': 'demosvm01'}, 'timeout': 60, 'json': None, 'headers': 'redacted', 'auth_args': 'redacted'}
2023-09-06 12:06:46,004 DEBUG Starting new HTTPS connection (1): 10.216.61.65:443
2023-09-06 12:06:50,806 DEBUG https://10.216.61.65:443 "GET /api/snapmirror/relationships?return_records=true&return_timeout=30&list_destinations_only=True&fields=source.path%2Cdestination.path&destination.svm.name=demosvm01 HTTP/1.1" 401 65
2023-09-06 12:06:50,808 DEBUG 401: b'{"error":{"code":"6691623", "message":"User is not authorized."}}'
2023-09-06 12:06:50,808 ERROR 401: Endpoint error: 401: {'code': '6691623', 'message': 'User is not authorized.'}
2023-09-06 21:10:36,937 DEBUG sending: {'method': 'GET', 'url': 'https://10.216.61.65:443/api/snapmirror/relationships?return_records=true&return_timeout=30', 'verify': False, 'params': {'list_destinations_only': True, 'fields': 'source.path,destination.path', 'destination.svm.name': 'demosvm01'}, 'timeout': 60, 'json': None, 'headers': 'redacted', 'auth_args': 'redacted'}
2023-09-06 21:10:36,940 DEBUG Starting new HTTPS connection (1): 10.216.61.65:443
2023-09-06 21:10:41,743 DEBUG https://10.216.61.65:443 "GET /api/snapmirror/relationships?return_records=true&return_timeout=30&list_destinations_only=True&fields=source.path%2Cdestination.path&destination.svm.name=demosvm01 HTTP/1.1" 401 65
2023-09-06 21:10:41,745 DEBUG 401: b'{"error":{"code":"6691623", "message":"User is not authorized."}}'
2023-09-06 21:10:41,745 ERROR 401: Endpoint error: 401: {'code': '6691623', 'message': 'User is not authorized.'}

#

cluster1::> security login role show ansiblerole
           Role          Command/                      Access
Vserver    Name          Directory           Query     Level
---------- ------------- ------------------- --------- --------
cluster1   ansiblerole   DEFAULT                       none
                         cluster modify                readonly
                         cluster show                  readonly
                         job                           all
                         job show                      all
                         snapmirror                    all
                         vserver create                readonly
                         vserver modify                readonly
                         vserver show                  readonly
9 entries were displayed.

cluster1::>

#

@elder sky, I have added cluster and vserver show command directory access. REST API calls to /api/cluster are working fine via Postman. But still the Ansible playbook fails.

#

Also, the customer gave feedback that the volume creation worked perfectly without any issues where the user doesn't have cluster directory access.

#

Could you please advise?

elder sky
rough maple
#

Hi @elder sky, I tested this and it worked with the restit module. But before providing an action plan to the customer I wanted to clarify a couple of things, as this role will not support the ZAPI switch in our Ansible modules.

  1. I did reach out to the REST API engineering team already and added the above custom role. After this I'm able to make REST API calls via the Postman tool to /api/cluster & /api/snapmirror/relationships using that user. So it works with a direct REST API call, but the Ansible restit module fails. So I would like to know what the difference is.

  2. I passed on the comment you provided me that all modules check the cluster version, but the customer informed me that the volume and export_policy_rule creation playbooks worked without any issue when there is no access to /api/cluster. The error is only with restit while calling "/api/snapmirror/relationships".

elder sky
#

I'm going to be on PTO for the rest of the week.

2023-09-06 21:10:36,937 DEBUG sending: {'method': 'GET', 'url': 'https://10.216.61.65/api/snapmirror/relationships?return_records=true&return_timeout=30', 'verify': False, 'params': {'list_destinations_only': True, 'fields': 'source.path,destination.path', 'destination.svm.name': 'demosvm01'}, 'timeout': 60, 'json': None, 'headers': 'redacted', 'auth_args': 'redacted'}

but just looking at what we are seeing from the REST API. The above is what we are passing in to the REST API GET function for snapmirror.

And the REST API returns a 401 error that the user is not authorized to issue that command (which means either they don't have the correct permission or the wrong password is being used).

2023-09-06 21:10:41,745 DEBUG 401: b'{"error":{"code":"6691623", "message":"User is not authorized."}}'

If the above API command (exactly as we are passing it to REST) is working in Postman but not Ansible, I don't know what would be different.

rough maple
#

Thanks Chris! I was able to find the issue. The vsim in the lab had the issue. I tested the custom role in a new vsim and it worked. Now the playbook is successful.
FYI, the custom role works with REST API as well.

When you come back I would like to understand why the volume and export-policy modules didn't have this issue.

#

Have a good vacation! 😎

elder sky
#

I don't know why it would work for one and fail for the other.

We only test the modules with the admin user. So when it comes to a user with limited permissions we're not 100% sure what will work or not.

drifting prawn
#

Would be great if the ansible modules came with documentation about which permissions are needed.

rough maple
elder sky
#

Not sure. The only thing I could think of is that those functions ended up using ZAPI instead of REST.

All modules under the cover call an is_rest* function which ends up calling _is_rest: https://github.com/ansible-collections/netapp.ontap/blob/main/plugins/module_utils/netapp.py#L1025

Assuming the if statement on line:
1026 -- which would return an error
1029 -- which would return an error
1032 -- which would switch to ZAPI

line 1036 will call the following function https://github.com/ansible-collections/netapp.ontap/blob/main/plugins/module_utils/netapp.py#L978
to get an ONTAP version using GET /Cluster

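To check a limited-privilege role against what a playbook actually calls, the collection's debug tracing (the /tmp/ontap_apis.log format shown earlier in the thread) can be triaged for 401 responses per endpoint, which also shows whether the failing call is the ONTAP version probe against /api/cluster or the module's real request. This is an added example, not code from the thread or from the netapp.ontap collection; the sample log is constructed to match the thread's line format, and the host and SVM names in it are placeholders.

```python
import ast
import json
import re
from collections import OrderedDict
from urllib.parse import urlparse

# Line shapes as written by the collection's API tracing (taken from the thread's log).
SENDING_RE = re.compile(r"^\S+ \S+ DEBUG sending: (\{.*\})$")
STATUS_RE = re.compile(r"^\S+ \S+ DEBUG (\d{3}): (b'.*')$")

def parse_trace(lines):
    """Pair each 'sending' record with the status line that follows it.

    Both payloads are Python literals in the log, so ast.literal_eval (literals
    only, never eval) recovers them before the JSON error body is decoded.
    """
    calls, pending = [], None
    for line in lines:
        m = SENDING_RE.match(line)
        if m:
            req = ast.literal_eval(m.group(1))
            pending = {"method": req["method"], "path": urlparse(req["url"]).path,
                       "status": None, "error_code": None, "message": None}
            calls.append(pending)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            pending["status"] = int(m.group(1))
            err = json.loads(ast.literal_eval(m.group(2)).decode()).get("error", {})
            pending["error_code"], pending["message"] = err.get("code"), err.get("message")
            pending = None
    return calls

def unauthorized_paths(calls):
    """Distinct (method, path) pairs that got HTTP 401, first-seen order -> ONTAP error code."""
    seen = OrderedDict()
    for c in calls:
        if c["status"] == 401:
            seen.setdefault((c["method"], c["path"]), c["error_code"])
    return seen

# Constructed sample in the thread's log format; ontap.example and svm_placeholder are placeholders.
SAMPLE = """\
2023-09-06 12:06:46,001 DEBUG sending: {'method': 'GET', 'url': 'https://ontap.example:443/api/cluster', 'verify': False, 'params': None, 'timeout': 60, 'json': None, 'headers': 'redacted', 'auth_args': 'redacted'}
2023-09-06 12:06:46,004 DEBUG Starting new HTTPS connection (1): ontap.example:443
2023-09-06 12:06:50,806 DEBUG 401: b'{"error":{"code":"6691623", "message":"User is not authorized."}}'
2023-09-06 12:06:50,808 ERROR 401: Endpoint error: 401: {'code': '6691623', 'message': 'User is not authorized.'}
2023-09-06 12:06:51,001 DEBUG sending: {'method': 'GET', 'url': 'https://ontap.example:443/api/snapmirror/relationships?return_records=true&return_timeout=30', 'verify': False, 'params': {'list_destinations_only': True, 'fields': 'source.path,destination.path', 'destination.svm.name': 'svm_placeholder'}, 'timeout': 60, 'json': None, 'headers': 'redacted', 'auth_args': 'redacted'}
2023-09-06 12:06:52,806 DEBUG 401: b'{"error":{"code":"6691623", "message":"User is not authorized."}}'
""".splitlines()

if __name__ == "__main__":
    for (method, path), code in unauthorized_paths(parse_trace(SAMPLE)).items():
        print(f"{method} {path}: 401 (ONTAP error {code})")
```

Run it against the real /tmp/ontap_apis.log by replacing SAMPLE with the file's lines; each reported path maps to a command directory the custom role still needs (for the thread's case, "cluster show" for /api/cluster and "snapmirror" for /api/snapmirror/relationships).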