#StatPerf security login role configs

ivory tide
#

I am trying to use Harvest 26.02 to collect the following diag stat via StatPerf:
set diag -confirmations off; statistics catalog object show object_store_client_op_stats
Looking at the "least privilege configuration role" for StatPerf, I see there is a line for ssh with auth-method of password.

security login create -user-or-group-name harvest2 -application ssh -authentication-method password -role harvest2-role
security login create -user-or-group-name harvest2 -application http -authentication-method password -role harvest-rest-role

Does StatPerf only work with SSH and/or password auth? Do I have to use ZapiPerf to support cert-only auth? I'm trying to get off ONTAPI as much as possible.

vital iron
#

@ivory tide Could you try the permissions below instead of the password ones and see if they work?

security login create -user-or-group-name harvest2 -application ssh -authentication-method publickey -role harvest2-role
security login create -user-or-group-name harvest2 -application http -authentication-method cert -role harvest-rest-role
ivory tide
#

seems to work thanks

hard delta
#

Thanks for reporting @ivory tide, we'll update the documentation to include these.

ivory tide
#

One of my coworkers was wondering why SSH was needed for this. My guess is something to do with the internals of ONTAP and Private CLI via REST. Either way, this problem can be mitigated by just not specifying a publickey for that user? There's no actual SSH access granted?

real bridge
vital iron
#

StatPerf requires SSH because it sends CLI commands via the REST API request body. One example is shown below. Without SSH permissions, it won’t work.

{
  "input" : "set -showseparator \"!\" -showallfields true -rows 0 diagnostic -confirmations off;statistics settings modify -counter-display all; statistics catalog counter show -object system:node -fields counter,base-counter,properties,type,is-deprecated,replaced-by,label,description"
}
real bridge
vital iron
#

@real bridge It won’t work with the read-only role. In addition to the other read permissions, the following write permissions are required for the StatPerf collector to work.

security login role create -role harvest2-role -access all -cmddirname "set"
security login rest-role create -role harvest-rest-role -access read_create -api /api/private/cli
real bridge
#

Thank you again Rahul, can you please clarify what that read_create access for private cli would allow this account to do?