User Roles for Read-Only Access | NetApp | Page 1

lofty gyro Jul 25, 2024, 4:08 PM

#

Hello All,

I have a task per a 3rd party vendor to give read-only access to a user and create a set of roles. Now some of these roles when you apply say a few things. Some say "command failed: invalid operation", others say "command failed: a Vserver admin cannot use command directory "cluster" with access level "readonly" use different access level".

The concern is the only options really for -access are none, readonly and ALL.

If I can't grant these roles with readonly then what other option do I have?

I'm running 9.14.1 of ONTAP.

security login role create -role whole -vserver SXY -access none -cmddirname DEFAULT security login role create -role whole -vserver SXY -access readonly -cmddirname "vserver show" security login role create -role whole -vserver SXY -access readonly -cmddirname "cluster show" security login role create -role whole -vserver SXY -access readonly -cmddirname "volume show" security login role create -role whole -vserver SXY -access readonly -cmddirname "cluster identity show" security login role create -role whole -vserver SXY -access readonly -cmddirname "network interface show" security login role create -role whole -vserver SXY -access readonly -cmddirname "system license show" security login role create -role whole -vserver SXY -access readonly -cmddirname "storage aggregate show" security login role create -role whole -vserver SXY -access readonly -cmddirname "version" security login role create -role whole -vserver SXY -access readonly -cmddirname "system node show" security login role create -role whole -vserver SXY -access readonly -cmddirname "volume qtree show" security login role create -role whole -vserver SXY -access readonly -cmddirname "system node autosupport show” security login role create -role whole -vserver SXY -access readonly -cmddirname "security login role show-ontapi"

mossy folio Jul 25, 2024, 4:42 PM

#

Some of these commands are not available for users within a data SVM. You probably need to create this role (and the corresponding user) on the Cluster level

lofty gyro Jul 25, 2024, 4:54 PM

#

Do you know of a document that explains that, I can't seem to find a clear guide that describes all fo this..

#

A whitepaper of some sort.

mossy folio Jul 25, 2024, 6:17 PM

#

well, you cannot assign roles for commands that the user cannot execute in the vserver context. try logging in (through SSH) with your user (or the default vsadmin user) and see what commands are available by pressing ?. Only those commands can appear in roles for VServer users.

Everything that has to do with the cluster as a whole (storage aggregate..., cluster ..., system node... etc.) cannot be delegated to users in an SVM and must be done with a cluster-wide admin user

the docs are here. I am not aware of a whitepaper but I think there might be a TR, let me check

#

hm there's only TR-4647 - Multifactor authentication in ONTAP but that's about it I think

lofty gyro Jul 25, 2024, 6:42 PM

#

Perfect, thanks for the feedback!

junior relic Jul 25, 2024, 7:22 PM

#

additionally, if you need to create a CLUSTER level role, I would expore the -query argument. You can specify commands that force the user role to use say a specific SVM. I did this with a customer. They need to grant a non-admin the ability to muck around with mirroring so we had to enable at the cluster level since snapmirror is not vserver aware.

#

And we needed to use -query on every single command. Some had -query "-vserver yz" while others might have -query "-destination-path svm:abc"

lofty gyro Jul 25, 2024, 7:36 PM

#

@junior relic Can you use that in a full command? I'm not totally clear on the query option. If I add -query "<svm>". It just tells me the SVM couldn't be queried. If I'm adding a role for cluster show.

mossy folio Jul 25, 2024, 7:40 PM

#

"cluster show" does not have a query argument. and query should be something like "-vserver foo" or "-volume bar"

junior relic Jul 25, 2024, 7:42 PM

#

When you are adding commands to the role, take the whole command and arguments into play. You need/want to specify as much of the command as you can like “network interface service-policy show” and then add the query -> -query “-vserver abc”

Which limits the role to only look at that command for only that svm

lofty gyro Jul 25, 2024, 7:54 PM

#

So you mean something like: security login role create -role whole -vserver SXY -access readonly -cmddirname "cluster show" -query "vserver SXY"

mossy folio Jul 25, 2024, 8:11 PM

#

no

#

what is cluster show -vserver SXY supposed to do? cluster show does not take a -vserver ... parameter so this command makes no sense
it should be -query "-vserver SXY" not -query "vserver SXY"
the first SXY needs to be the name of your cluster, not of the SVM (don't know if that's the case)

lofty gyro Jul 25, 2024, 8:18 PM

#

That's what I thought was a ZAPI based role, "cluster show".

mossy folio Jul 25, 2024, 8:19 PM

#

it's a command. not a role. The role is what you're building. And it has nothing to do with ZAPI. try logging in to your cluster and executing cluster show -vserver SXY

lofty gyro Jul 25, 2024, 8:24 PM

#

Well, let me rephrase, you are allowing the user you ultimately create to run that command in a read-only manner by creating the role and assigning to the user. Sorry, me typing doesn't always come out correct.

lofty gyro Jul 25, 2024, 10:38 PM

#

The SVM commands I got to work with the -query "-vserver SXY". The commands that are at the cluster level I just ran without the "vserver" or "-query" option, since they didn't work when using the -query command. Maybe that's how it's supposed to work.

junior relic Jul 25, 2024, 10:54 PM

#

Look, the -query is used to focus content.
Look at this command:
network interface show -> that shows me everything in the cluster.

If I want to limit that in the ROLE, i would use
-cmddir "network interface show" -query "-vserver data_svm1"

The "cmddir" takes ONLY a command and the "query" takes ONLY "arguments" to the command specified.

Thats why it has been said..test the WHOLE command you want to use. If you need or want to specify any arguments, they must go in the -query portion.

#

Using my example above, if the user tries to run
network interface show

I think it fails because it is not allowed. They would need to run
network interface show -vserver data_svm1

lofty gyro Jul 26, 2024, 11:53 PM

#

Could you just use one of the commands above in the beginning of my message and just type an example of the full command and how it should look? I'm sure that would get me to understand what I'm doing wrong.

mossy folio Jul 27, 2024, 12:01 AM

#

security login role create -role whole -vserver SXY -access readonly -cmddirname "volume show" ---> security login role create -role whole -vserver (clustername) -access readonly -cmddirname "volume show" -query "-vserver SXY"

#User Roles for Read-Only Access