Hi there, we are currently using AIQUM for monitoring our clusters. We need to strengthen the security and it seems like AIQUM needs the admin role for "console, http and ontapi" which seems a bit much?
Is this really the case with the latest version 9.13? And if it is, are there other suggestions to limit the rights for this user? Because as it is, you could log in with this user on the cluster and act as an admin...
Suggestions are welcome...
#Cluster user requirements...
Just like ssh authorized keys allow for an enforced source address, I think that ONTAP needs to add this. Force the AIQ UM admin account to come from x.x.x.x (or DNS name) or reject the login. I would appreciate this for my Harvest connections too.
This is not really an AIQUM question but a core ONTAP security question.
You are right, yet blocking by IP addresses is a very weak solution as it is quite easy to spoof IPs... It would be great if AIQUM could just use SSH and nothing else.. and if you could then use public-key login only, that would lock it down better... the real issue is of course the HTTP access (which is used for the REST API) but I can also see the issue from NetApp's point of view, because they added new features into AIQUM to create new volumes etc.. which of course requires more access... all we actually need is the monitoring part of it... I might just try to lock the service account down a bit more and see if it still keeps on going, which I guess it will as long as you do not try to create new volumes etc.. yet this is something that NetApp should have thought of and described in their documentation.... imho...
There are certain requirements when adding a cluster that prevent it from working with a readonly user.
UM will add itself to the application record of the cluster.
Certain EMS events will automatically be subscribed.
If you are okay with reduced functionality:
- No manual EMS subscription
- No provisioning
- No restores triggered by UM
- No use of fix-it tasks for AIQ rules
You can use the following KB:
https://kb.netapp.com/mgmt/AIQUM/Readonly_user_utilized_in_AIQUM_9.13
UM also takes advantage of certificate based authentication with 9.12 and newer.
I followed the KB and although Events seems to be working fine, all performance data stopped displaying in UM.
Is there something specific to allow that to still function but using minimal permissions in Ontap?
Performance requires the HTTP application be assigned to the monitoring account as UM has to query the cluster for the ccma files to download and then performs a wget to retrieve them from each node via the spi.
Errors would be seen in the au.log for Unified Manager.
So Read-only should be enough even for Performance data?
It looks like it requires the admin role for the HTTP application to access the spi which is how UM downloads the performance data. The KB article has been updated.
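As an added example (not from this thread or from NetApp), a small Python script that parses `security login show`-style output and reports where a monitoring account holds more than the reduced-functionality footprint described in this thread. The sample output is constructed, the `aiqum` user name is made up, and the policy map (admin on http for the spi download, readonly on ontapi, console not expected) is an assumption drawn from the posts above, so adjust all three to the KB and to your own cluster's output.

```python
"""Audit ONTAP 'security login show' output for a monitoring service account.

Added example for this thread; not NetApp code. The column layout below is a
constructed approximation of 'security login show' and may differ from real
output, so check the regex against a captured listing before relying on it.
"""
import re
from dataclasses import dataclass

# Constructed sample shaped like 'security login show'; not from a real cluster.
SAMPLE_OUTPUT = """\
Vserver: cluster1
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
admin          console     password      admin            no     none
admin          http        password      admin            no     none
admin          ontapi      password      admin            no     none
admin          ssh         password      admin            no     none
aiqum          console     password      admin            no     none
aiqum          http        password      admin            no     none
aiqum          ontapi      password      admin            no     none
7 entries were displayed.
"""

# Assumed reduced-functionality footprint for the monitoring account, as this
# thread describes it: admin on http (needed for the spi performance download),
# readonly on ontapi. Applications missing from the map, such as console here,
# are reported as unexpected. Verify against the KB before using as policy.
MONITORING_POLICY = {"http": "admin", "ontapi": "readonly"}


@dataclass(frozen=True)
class LoginEntry:
    user: str
    application: str
    method: str
    role: str
    locked: str


# A data row has exactly six whitespace-separated columns; header lines and
# the trailing "N entries were displayed." line have a different token count.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_security_login(text):
    """Return LoginEntry objects for every data row in the listing."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        if set(m.group(1)) <= {"-"}:  # the dashed separator row
            continue
        user, app, method, role, locked, _second = m.groups()
        entries.append(LoginEntry(user, app, method, role, locked))
    return entries


def audit_account(entries, user, policy):
    """Return (application, role, reason) tuples where `user` exceeds `policy`.

    `policy` maps application -> the most privileged role acceptable there.
    """
    findings = []
    for e in entries:
        if e.user != user:
            continue
        expected = policy.get(e.application)
        if expected is None:
            findings.append((e.application, e.role, "application not in policy"))
        elif e.role == "admin" and expected != "admin":
            findings.append((e.application, e.role, f"expected role {expected}"))
    return findings


if __name__ == "__main__":
    logins = parse_security_login(SAMPLE_OUTPUT)
    for app, role, reason in audit_account(logins, "aiqum", MONITORING_POLICY):
        print(f"aiqum/{app}: role {role} ({reason})")
```

Run it against a saved listing instead of the sample by reading the file into `parse_security_login`; an empty result means the account's login entries match the policy map exactly.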
That is a bummer, would it be an idea to register an RFE to limit the permissions and still get performance data?
Also, I believe the KB update targeted the wrong line. The "ontapi" application has "admin" in the last output, I think it should be the "http" application instead.