Subscribe

SDU RBAC - storage system login

Hi,

In going through the community post as well as the IAG, I almost found what I was looking for.  From the IAG:

SnapDrive for UNIX does not require root password of the storage system; it communicates with storage system using sd-<hostname> user.

This is close to what I am looking for... a login for SDU to communicate with the Storage controller (possibly several), without the Host Admin knowing the actual userID/PW.  The reason being that the Host Admin should NOT have storage provisioning privildeges (which will be controlled by RBAC via DFM).  They will be restricted only to "Backup" and "Recovery" functions.

The method for using "sd-<hostname>" on the storage controller.... will still create a lot of administration work for the OM Administrator.  Also from the IAG from the " SnapDrive for UNIX and Operations Manager interaction " section is this:

2. Operations Manager administrator then creates sd-<hostname> user on the storage system.

This is not ideal.  If SDU is installed on hundreds of hosts... then this means the OM admin will have to create a log of users on the storage systems.  MULTIPLE Storage systems in some cases.  The first step from the same section is this:

Re: SDU RBAC - storage system login

My original post was cut off for some reason.  Here's another attempt:

___________________________________________________________________

Hi,

In going through the community post as well as the IAG, I almost found what I was looking for.  From the IAG:

SnapDrive for UNIX does not require root password of the storage system; it communicates with storage system using sd-<hostname> user.

This is close to what I am looking for... a login for SDU to communicate with the Storage controller (possibly several), without the Host Admin knowing the actual userID/PW.  The reason being that the Host Admin should NOT have storage provisioning privildeges (which will be controlled by RBAC via DFM).  They will be restricted only to "Backup" and "Recovery" functions.

The method for using "sd-<hostname>" on the storage controller.... will still create a lot of administration work for the OM Administrator.  Also from the IAG from the " SnapDrive for UNIX and Operations Manager interaction " section is this:

2. Operations Manager administrator then creates sd-<hostname> user on the storage system.

This is not ideal.  If SDU is installed on hundreds of hosts... then this means the OM admin will have to create a log of users on the storage systems.  MULTIPLE Storage systems in some cases.  The first step from the same section is this:

1. Operations Manager administrator adds sd-admin user on Operations Manager.

This is good because it only requires the OM Admin to add the "sd-admin" user once (assuming there's only one OM server).  This same 'sd-admin' account could be used for SDW for consistency.

Ideally, the same 'sd-admin' account could be used on the storage controllers as well.  This would reduce the amount of administration required for the OM Admin.  Especially if there are hundreds of SDU hosts and those hosts connect to several storage systems.

I know it is possible to estabilish generic login credentials, but the ROOT admin on the host needs to enter the userID / PW credentials for logging into the storage systems.  This is NOT good.  The users on the hosts are NOT supposed to be able to access the storage systems directly.  That's what the RBAC settings in OM are being used for. 

Is there an "easy" workaround here... like copying a valid "/opt/NetApp/snapdrive/.pwfile" file?

Thanks in advance,

Kevin