#create scope fpolicy limitation

kind scaffold
#

Hello,
I am trying to create a scope for FPolicy with

  - name: Create FPolicy scope
    netapp.ontap.na_ontap_fpolicy_scope:
        state: present
        vserver: "{{ vserver }}"
        name: blockext_{{ protocol }}_{{ version }}
        file_extensions_to_include: "{{ exclusion_list }}"
        username: "{{ netapp_username }}"
        password: "{{ netapp_password }}"
        hostname: "{{ netapp_host }}"
        use_rest: always
        validate_certs: no

but it doesn't work.
file_extensions_to_include is a very big list of file extensions like
ndarod,ndpyhss,nebupa,needdecrypt,needkeys,NEEH,neer,nef1lim,nefilim,NegozI,neitrino,nekochan,nelasod,nemesis,nemty,NEMTY_AJORCUS,NEMTY_VQLGC72,Nemucod,neon,NEPHILIM,neptune,neqp,ner,neras,nermer,nerz,nesa,net,NETCrypton,Netix,netlock,netn6,Netwalker,Networklock,networkmaze,new24,NewHT,newlock,newlocker,NEWRAR,news,newware,NextCry,nginxhole,NGSC,NHCR,nhHtFWV,NHLP,Nhtnwcuf,nibiru,NIGG3R,NIGGA,NIGHT_CROW,nightsky,nigra,nile,ninja,__NIST_K571__,Nitro,nitz,niwm,njkwe,njmhqbxu,nlah,nlb,nlocker,nm4,nm8kci,nmc,nmcrypt,NMO,NMoreira,nnll,nnpl,nnqp,nnuz,nnza,nobad,noblis,nobu,nochance,nochi,Node0,nohope,NOKOYAWA,NOLOST,nols,nomad,Nomikon,no_more_ransom,no_more_ransomware,non,nooa,NOOB,noos,NOOSE,nopasaran,noproblemwedecfiles,norvas,nosafe,nostro,nosu,NOT,NotAHero,_not_a_joke,notfou

If I reduce this list to less than 255 characters, it is OK.

Is there a limitation for the file_extensions_to_include parameter?

I have no issue when I try with the CLI.

Do you have any advice on creating a scope with many file extensions?

patent badge
#

@kind scaffold hi, the mentioned issue could not be reproduced in-house as the module worked as expected for the given task.
ONTAP 9.14.1 | Ansible collection 22.11.0

vars:
  exclusion_list: ['ndarod', 'ndpyhss', 'nebupa', 'needdecrypt', 'needkeys', 'NEEH', 'neer', 'nef1lim', 'nefilim', 'NegozI', 'neitrino', 'nekochan', 'nelasod', 'nemesis', 'nemty', 'NEMTY_AJORCUS', 'NEMTY_VQLGC72', 'Nemucod', 'neon', 'NEPHILIM', 'neptune', 'neqp', 'ner', 'neras', 'nermer', 'nerz', 'nesa', 'net', 'NETCrypton', 'Netix', 'netlock', 'netn6', 'Netwalker', 'Networklock', 'networkmaze', 'new24', 'NewHT', 'newlock', 'newlocker', 'NEWRAR', 'news', 'newware', 'NextCry', 'nginxhole', 'NGSC', 'NHCR', 'nhHtFWV', 'NHLP', 'Nhtnwcuf', 'nibiru', 'NIGG3R', 'NIGGA', 'NIGHT_CROW', 'nightsky', 'nigra', 'nile', 'ninja', '__NIST_K571', 'Nitro', 'nitz', 'niwm', 'njkwe', 'njmhqbxu', 'nlah', 'nlb', 'nlocker', 'nm4', 'nm8kci', 'nmc', 'nmcrypt', 'NMO', 'NMoreira', 'nnll', 'nnpl', 'nnqp', 'nnuz', 'nnza', 'nobad', 'noblis', 'nobu', 'nochance', 'nochi', 'Node0', 'nohope', 'NOKOYAWA', 'NOLOST', 'nols', 'nomad', 'Nomikon', 'no_more_ransom', 'no_more_ransomware', 'non', 'nooa', 'NOOB', 'noos', 'NOOSE', 'nopasaran', 'noproblemwedecfiles', 'norvas', 'nosafe', 'nostro', 'nosu', 'NOT', 'NotAHero', '_not_a_joke', 'notfou']
tasks:
  - name: Create FPolicy scope
    netapp.ontap.na_ontap_fpolicy_scope:
      state: present
      name: fpolicy_policy1
      file_extensions_to_include: "{{ exclusion_list }}"
    register: result

Could you enable the REST API tracing and share /tmp/ontap_apis.log content that shows the calls being sent to REST and the responses/errors received?
https://github.com/ansible-collections/netapp.ontap/wiki/Debugging#tracing-zapi-and-rest-api-calls

kind scaffold
#

Hello, it works fine with your example,
but when the file extension is numeric only I get an error.

From the log:
2024-07-11 13:38:03,409 DEBUG https://xxxxxx:443 "GET /api//private/cli/vserver/fpolicy/policy/scope?vserver=vserverS&policy-name=blockext_cifs_v1.80&fields=shares-to-include%2Cshares-to-exclude%2Cvolumes-to-include%2Cvolumes-to-exclude%2Cexport-policies-to-include%2Cexport-policies-to-exclude%2Cfile-extensions-to-include%2Cfile-extensions-to-exclude%2Cis-file-extension-check-on-directories-enabled%2Cis-monitoring-of-objects-with-no-extension-enabled HTTP/11" 200 230
2024-07-11 13:38:03,410 DEBUG 200: b'{\n "records": [\n {\n "vserver": "vserver",\n "policy_name": "blockext_cifs_v1.80",\n "file_extensions_to_include": [\n 000,\n "_not_a_joke",\n "notfou"\n ],\n "is_file_extension_check_on_directories_enabled": true,\n "is_monitoring_of_objects_with_no_extension_enabled": false\n }\n ],\n "num_records": 1\n}'
2024-07-11 13:38:03,410 ERROR 200: Other error: Expecting json, got: b'{\n "records": [\n {\n "vserver": "BASNASCIFS",\n "policy_name": "blockext_cifs_v1.80",\n "file_extensions_to_include": [\n 000,\n "_not_a_joke",\n "notfou"\n ],\n "is_file_extension_check_on_directories_enabled": true,\n "is_monitoring_of_objects_with_no_extension_enabled": false\n }\n ],\n "num_records": 1\n}'

Do you have an idea why it didn't accept a numeric file extension?

#

ansible

- name: External Playbook
  hosts: localhost
  vars:
      state: present
      protocol: cifs
      version: v1.80
      vserver: VSERVER
      exclusion_list_dc: ['000', '_not_a_joke', 'notfou']
  
  module_defaults:
    group/netapp.ontap.netapp_ontap:
      feature_flags:
        trace_apis: true

  tasks:


  - name: Create FPolicy Event
    netapp.ontap.na_ontap_fpolicy_event:
        state: "{{ state }}"
        vserver: "{{ vserver }}" 
        name:  "fpolicy_exclude_{{ protocol }}_{{ version }}"
        file_operations: ['create', 'open', 'rename']
        protocol: cifs
        volume_monitoring: false
        use_rest: always
        validate_certs: no
        username: "{{ netapp_username }}"
        password: "{{ netapp_password }}"
        hostname: "{{ netapp_host }}"
    no_log: true 

  - name: Create Fpolicy
    netapp.ontap.na_ontap_fpolicy_policy:
        state: "{{ state }}"
        vserver: "{{ vserver }}"
        name: blockext_{{ protocol }}_{{ version }}
        events: fpolicy_exclude_{{ protocol }}_{{ version }}
        engine: native
        use_rest: always
        validate_certs: no
        username: "{{ netapp_username }}"
        password: "{{ netapp_password }}"
        hostname: "{{ netapp_host }}"

  - name: Create FPolicy scope
    netapp.ontap.na_ontap_fpolicy_scope:
      state: present
      name: blockext_{{ protocol }}_{{ version }}
      vserver: "{{ vserver }}"
      file_extensions_to_include: "{{ exclusion_list_dc }}"
      username: "{{ netapp_username }}"
      password: "{{ netapp_password }}"
      hostname: "{{ netapp_host }}"
      use_rest: always
      validate_certs: no
    register: result
 
#

ansible


 
  - name: Enable fPolicy policy
    netapp.ontap.na_ontap_fpolicy_status:
        state: present
        vserver: "{{ vserver }}"
        policy_name: blockext_{{ protocol }}_{{ version }}
        sequence_number: 9
        username: "{{ netapp_username }}"
        password: "{{ netapp_password }}"
        hostname: "{{ netapp_host }}"
        https: true
        use_rest: always
        validate_certs: false
        feature_flags:
          trace_apis: true
          trace_headers: true
    register: policy
patent badge
kind scaffold
#

Scope creation works,
but when you try to activate the policy
I get the error message "Expecting json".
We can see that in the error message the numeric fields are not protected with "

I also get the same error message when I try to create a second scope
when the first has been created

patent badge
#

I just ran some tests and both na_ontap_fpolicy_scope & na_ontap_fpolicy_status worked as expected with the mentioned scenario:

vars:
  exclusion_list_dc: ['000', '_not_a_joke', 'notfou']
tasks:
    - name: Create FPolicy scope
      tags: create
      netapp.ontap.na_ontap_fpolicy_scope:
        state: present
        name: fpolicy_policy1
        file_extensions_to_include: "{{ exclusion_list_dc }}"
      register: result
    - name: Enable FPolicy policy
      tags: enable
      netapp.ontap.na_ontap_fpolicy_status:
          state: present
          policy_name: fpolicy_policy1
          sequence_number: 10
      register: result

Ontap: 9.14.1 | Ansible collection: 22.11.0

kind scaffold
#

Hello, my issue is based on my ONTAP version, NetApp Release 9.11.1P13: Mon Dec 04 22:12:53 UTC 2023.

When I test on another version, NetApp Release 9.13.1P9, it works fine.

Thanks for your help.
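
Why the trace in this thread ends in "Expecting json", as an added example that is not part of the thread or of the netapp.ontap collection: the logged body carries `000` without quotes, and JSON numbers may not have leading zeros, so a strict parser rejects the whole response. The body below is constructed from the log excerpt, and `diagnose`, `parse_with_quoted_digits` and `numeric_only` are hypothetical helper names.

```python
import json
import re

# Constructed sample: shaped like the response body in the trace log above,
# with the all-numeric extension emitted without quotes.
TRACE_BODY = b'''{
 "records": [
 {
 "vserver": "vserver",
 "policy_name": "blockext_cifs_v1.80",
 "file_extensions_to_include": [
 000,
 "_not_a_joke",
 "notfou"
 ],
 "is_file_extension_check_on_directories_enabled": true
 }
 ],
 "num_records": 1
}'''


def diagnose(body):
    """Return None if body is valid JSON, else (line, column, offending line)."""
    text = body.decode("utf-8", errors="replace")
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return exc.lineno, exc.colno, text.splitlines()[exc.lineno - 1].strip()
    return None


def parse_with_quoted_digits(body):
    """Triage only: quote bare digit runs that sit alone on a line, then parse.

    If this succeeds, the unquoted numeric value is the only defect in the body.
    """
    text = body.decode("utf-8", errors="replace")
    quoted = re.sub(r'(?m)^([ \t]*)(\d+)(,?)[ \t]*$', r'\1"\2"\3', text)
    return json.loads(quoted)


def numeric_only(extensions):
    """Entries made only of digits, the kind that came back unquoted in the log."""
    return [e for e in extensions if re.fullmatch(r"\d+", str(e))]


if __name__ == "__main__":
    print(diagnose(TRACE_BODY))
```

Running `numeric_only` over an extension list before the play flags the entries that would hit this on an ONTAP release that returns them unquoted.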