#AWS Fsx ONTAP filesystem : Can I only invoke FS REST API using fsxadmin user?
Not sure if I understand the inquiry clearly but ... My understanding is the 'fsxadmin' user is the equivalent of the 'ONTAP cluster admin' and as such can only 'talk' ONTAP REST APIs... The AWS FSx APIs are of a different kind; they are living and acting in the AWS universe and are talking to AWS using their own credentials and such.
I believe this is what you are looking for: Using Active Directory user accounts with your file system @ https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/roles-and-users.html#ad-tunneling
You can use roles and users in FSx for ONTAP to define user capabilities and privileges when using the ONTAP CLI and REST API. Every role and user is associated with your file system or a Storage Virtual Machine (SVM). By default, your FSx for ONTAP file system has one file system-level user called
Hi Michael,
Thanks for the link. I tried the solution provided; however, my domain user is still unauthorised to make any cluster level calls.
::> security login domain-tunnel show
Tunnel Vserver: svmxxxxxxl101
security login create -user-or-group-name NTADMIN\xxxxxxxxx -application http -authentication-method domain -role fsxadmin
::> security login show -vserver xxx
Vserver: FsxIdxxxxx
                                                           Second
User/Group                 Authentication             Acct   Authentication
Name           Application Method         Role Name  Locked Method
NTADMIN\xxxxx
               ssh         domain         fsxadmin  -      none
NTADMIN\xxxxx
               http        domain         fsxadmin  -      none
Please note that I have been successfully able to add domain users as vsadmin and make SVM level and Volume level API calls.
The fsxadmin role is limited, so the unauthorized error could be due to lack of access. Have you confirmed the role allows the operation you are attempting, or are you not able to log in at all?
Hi Michael,
I was able to get it to work. I had an extra \ in the domain user. Re-created the security login and it worked like a charm.
My apologies for the confusion.
No problem. I am glad to hear that you got it working.
Hi Michael, I see that we can only have one domain-tunnel added for an FSx. That would mean if the SVM is deleted for some reason we will lose the fsxadmin role for the domain users, isn't it?
That is essentially correct. The limit applies to ONTAP in general, not just FSx. I am not sure if there are any warnings when deleting the domain tunnel SVM, but I can try to check into that tomorrow from an ONTAP perspective at least.
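The login table posted earlier in this thread can be reviewed offline. The following is an added example, not part of the thread and not AWS or NetApp code: it parses `security login show` output in the two-line row layout shown above and lists domain-authenticated accounts that hold the fsxadmin role or whose name is not a single-backslash DOMAIN\user. The function names, the sample text and the EXAMPLE accounts are constructed for illustration.

```python
import re

# Constructed sample in the layout of `security login show` (placeholder names).
SAMPLE = r"""
Vserver: FsxIdEXAMPLE
                                                           Second
User/Group                 Authentication             Acct   Authentication
Name           Application Method         Role Name  Locked Method
EXAMPLE\alice
               ssh         domain         fsxadmin  -      none
EXAMPLE\alice
               http        domain         fsxadmin  -      none
EXAMPLE\\bob
               http        domain         fsxadmin  -      none
fsxadmin
               http        password       fsxadmin  -      none
"""

# Exactly one backslash between a non-empty domain and a non-empty account name.
DOMAIN_USER = re.compile(r"^[^\\\s]+\\[^\\\s]+$")

def parse_logins(text):
    """Return one dict per (name, application) row of the table."""
    entries, name = [], None
    for line in text.splitlines():
        # Skip blanks, the Vserver banner, header rows and any dashed rule.
        if not line.strip() or line.startswith(("Vserver:", "User/Group", "Name ", "-")):
            continue
        if line[0].isspace():
            cols = line.split()
            # Detail rows carry application, method, role, ...; the indented
            # "Second" header fragment has a single token and is ignored.
            if name and len(cols) >= 4:
                entries.append({"name": name, "application": cols[0],
                                "method": cols[1], "role": cols[2]})
        else:
            name = line.strip()  # the name is printed on its own line
    return entries

def audit(entries, role="fsxadmin"):
    """Flag domain logins that are malformed or that hold the given role."""
    findings = []
    for e in entries:
        if e["method"] != "domain":
            continue
        if not DOMAIN_USER.match(e["name"]):
            findings.append((e["name"], e["application"], "malformed name"))
        elif e["role"] == role:
            findings.append((e["name"], e["application"], "holds " + role))
    return findings
```

Running `audit(parse_logins(SAMPLE))` reports the two EXAMPLE\alice logins as fsxadmin holders and the double-backslash entry as malformed, which is the kind of mistake that was resolved in this thread by re-creating the login.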