I am getting an error for permission denied when attempting to collect for NvmMirror. I checked and I have /api/private/cli set to RO for the Role I created. What else do I need to check? How do I get a list of possible /api/private/cli sub categories?

time=2026-03-12T22:42:59.584Z level=ERROR source=collector.go:435 msg="Entering standby mode" Poller=fas01-po collector=StatPerf:NvmMirror error="error in POST request: StatusCode: 403, Error: Permission denied, Message: not authorized for that command, API: /api/private/cli" task=counter

@misty moat If you want to use StatPerf collector then permissions should be as defined here https://netapp.github.io/harvest/nightly/prepare-cdot-clusters/#statperf-least-privilege-role

You need read_create permission for /api/private/cli and some other things as listed in above link.

@keen oxide It seems that perhaps I should be leveraging this: https://netapp.github.io/harvest/nightly/prepare-cdot-clusters/#ontap-910-volume-performance-metrics instead? I'm confused as to when I should use one over the other.

hi @misty moat nvm mirror stats are only available via ZapiPerf and StatPerf because of an ONTAP bug. More details here https://github.com/NetApp/harvest/issues/3869

Okay, so since we don't have FlexCache, I've decided to drop the StatPerf from my harvest.yaml config.

That will solve the permission denied for private cli

are you still using ZAPIs to collect metrics?

So that's the real question, I thought ZAPI was phasing out but how the docs read, it seems that it is still needed to some degree. I'd love to lean out how many calls harvest has to make so I can be efficient

  collectors:
    - Rest
    - RestPerf
    - Ems
    - KeyPerf

Oh, well I feel silly now, I don't even have it in my config

I'm evidnetly providing comic relief now

ZAPI EOA https://mysupport.netapp.com/info/communications/ECMLP2880232.html?access=a
Your log msg at the top of the file indicates that poller does/did since the log message says "StatPerf:NvmMirror"

So I did just remove StatPerf about 10 min ago

I guess I could ask...what I have now in my config, is that a fairly good combo?

Based on Capacity and Performance?

Yes, that's a solid config. You may be missing some perf metrics from these objects since these objects are not fully supported by RestPerf

So I know NvmMirror and FlexCache throw errors when enabled and I'd have to look back more but it's possible NicCommon did too. I see on the Role requriments that I'd have include -application ssh with pubkey auth. I prefer just being purely cert based auth...I'll look to see if I am missing any worth having

Our documenation describes how to use StatPerf with cert based too https://netapp.github.io/harvest/nightly/prepare-cdot-clusters/#statperf-least-privilege-role

If I am reading this correctly, there are two Roles created here and additional key/pub sets for the application ssh ```security login role create -role harvest2-role -access all -cmddirname "set"
security login role create -role harvest2-role -access readonly -cmddirname "statistics"

security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster
security login rest-role create -role harvest-rest-role -access read_create -api /api/private/cli
security login create -user-or-group-name harvest2 -application ssh -authentication-method password -role harvest2-role
security login create -user-or-group-name harvest2 -application http -authentication-method password -role harvest-rest-role

If you also want to use certificate authentication for the StatPerf collector, run these commands as well

security login create -user-or-group-name harvest2 -application ssh -authentication-method publickey -role harvest2-role
security login create -user-or-group-name harvest2 -application http -authentication-method cert -role harvest-rest-role```

I only have the http cert model implemented

Don't I have to run this additional command? publickey create -username harvest_ro_user -application ssh -publickey

@misty moat Commands documented work for me and other user who was using cert auth. Please check
#1475646791922876541 message
Are you still getting any error after providing these permissions?

@keen oxide Okay, so I think I understand now, the ssh login create entry is only there as a helper of sorts and that a publickey is not needed. I do not see the rrors now

I can open a new thread but since this included /api/private/cli I see that since updating to the nightly version that my SVM Grafana dashboard shows NO DATA. I see that there is nothing being collected for svm_vol_* ...not sure why this would have went away.

Yes, Please open a new thread for this.

I just saw this in another thread: #1460755572033847296 message