#na_ontap_user, why can't it create same user with two roles?


sonic narwhal

Below is my ansible playbook:

    - name: create the user ci_user
      connection: local
      na_ontap_user:
        <<: *login
        state: present
        name: "ci_user"
        application_dicts:
          - application: ontapi
            authentication_methods: password
        role_name: ci_readonly
        vserver: "{{ cluster }}"
        set_password: "{{ password }}"

    - name: create the user ci_user
      connection: local
      na_ontap_user:
        <<: *login
        state: present
        name: "ci_user"
        application_dicts:
          - application: http
            authentication_methods: password
        role_name: ci_readonly_rest
        vserver: "{{ cluster }}"

But the result only gets:

    ci_user        http        password      ci_readonly_rest no     none

Why could the playbook not create 2 user entries, like below?

    User/Group                 Authentication                 Acct   Authentication
    Name           Application Method        Role Name        Locked Method
    -------------- ----------- ------------- ---------------- ------ --------------
    ci_user        http        password      ci_readonly_rest no     none
    ci_user        ontapi      password      ci_readonly      no     none

It seems like the second task overwrites the first one completely. But they are different.

short steppe

You can create the user and give access for multiple applications in a single task, like below:

    - name: create the user ci_user
      connection: local
      na_ontap_user:
        <<: *login
        state: present
        name: "ci_user"
        application_dicts:
          - application: ontapi
            authentication_methods: password
          - application: http
            authentication_methods: password
        role_name: ci_readonly
        vserver: "{{ cluster }}"
        set_password: "{{ password }}"

If you use the same user account and run the task a second time with a different role and applications, it will overwrite the existing one.
In the CLI you can create multiple roles for a user, but it is actually not recommended; please find the CLI response below:

    Warning: User account svm1:ci_user has 1 role(s) {"ci_readonly_rest"} that use different application(s) and authentication method(s). One role for
    all applications and authentication methods is recommended for a user account.
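A small lint for the overwrite described in this thread, as an added example that is not part of the original posts or of the NetApp module: it flags playbook tasks that set the same account on the same vserver with different `role_name` values, so the last task silently decides the account's privileges. The task list is a constructed sample mirroring the question (login merge key omitted), `find_role_conflicts` is a hypothetical helper, and treating a missing `state` as `present` is an assumption.

```python
from collections import defaultdict

# Module names to inspect: the short name used in the thread and the collection FQCN.
USER_MODULES = ("na_ontap_user", "netapp.ontap.na_ontap_user")

# Constructed sample: the two tasks from the question, as a YAML loader would return them.
TASKS = [
    {"name": "create the user ci_user",
     "na_ontap_user": {"state": "present", "name": "ci_user", "vserver": "{{ cluster }}",
                       "role_name": "ci_readonly",
                       "application_dicts": [{"application": "ontapi",
                                              "authentication_methods": "password"}]}},
    {"name": "create the user ci_user",
     "na_ontap_user": {"state": "present", "name": "ci_user", "vserver": "{{ cluster }}",
                       "role_name": "ci_readonly_rest",
                       "application_dicts": [{"application": "http",
                                              "authentication_methods": "password"}]}},
]


def find_role_conflicts(tasks):
    """Map (vserver, user) -> [(task_index, role, apps)] for accounts that
    several tasks configure with more than one distinct role."""
    seen = defaultdict(list)
    for idx, task in enumerate(tasks):
        args = next((task[m] for m in USER_MODULES if isinstance(task.get(m), dict)), None)
        # Assumption: a task without an explicit state creates or updates the account.
        if args is None or args.get("state", "present") != "present":
            continue
        apps = sorted(d["application"] for d in args.get("application_dicts", [])
                      if "application" in d)
        seen[(args.get("vserver"), args.get("name"))].append(
            (idx, args.get("role_name"), apps))
    return {key: entries for key, entries in seen.items()
            if len({role for _, role, _ in entries}) > 1}


if __name__ == "__main__":
    for (vserver, user), entries in find_role_conflicts(TASKS).items():
        print(f"{user} on {vserver}: later task overwrites earlier role")
        for idx, role, apps in entries:
            print(f"  task #{idx}: role={role} applications={','.join(apps)}")
```
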

sonic narwhal