Snapcreator as a mechanism for delegating data protection operations

Hi folks,

Been looking at the SC (3.4.0) framework for a week or so. I am wondering if it is considered to be a useful platform for delegating control of filer operations (snapshots, clones, snapmirror and snapvault updates). Right now I have a handful of users that have to run such operations and as such they have accounts on various filers with the minimum privileges needed to perform such operations. However, the filer RBAC controls are far too wide and I can't limit these operations to particular volumes, for example. I like the idea of using our DFM server to set up a proxy by which all commands go through but I have to provide a simple interface so that snapshots and clones (et cetera) may be run from shell scripts.

From my research it would appear that a SC server would be required for each platform that needs to initiate such operations. Am I correct in this?

It also appears that you cannot configure DFM proxy via the GUI because it insists on a filer's credentials being entered. I have not tried CLI configuration as yet.

Has anyone else used this mechanism to delegate control in this manner or am I really trying to use the wrong tool here?

Any insight or advice would be appreciated.

Richard

Re: Snapcreator as a mechanism for delegating data protection operations

Hi Richard,

Yes, SC can initiate all APIs through DFM proxy, which means users would need access to the scServer or run their own scServer. This is limited, however, to things Snap Creator does, which I think was clear from your statement. So you can't just send any API or CLI command to the DFM server through Snap Creator.

As for support in the GUI, you are correct: in 3.4 it is only supported through the CLI. In 3.5, which releases on Jan 12 2012, it will also be fully supported in the GUI. We also added RBAC capabilities in SC itself for those who want to control things more granularly, so that combo + DFM proxy makes an interesting use case.

Regards,

Keith

Re: Snapcreator as a mechanism for delegating data protection operations

Thanks for the reply. If I ever get it working well then perhaps I will document it for everyone's benefit.

Richard

Re: Snapcreator as a mechanism for delegating data protection operations

What are the minimum rights for the OM user if you use USE_PROXY=Y?

Can't seem to find any document on that.

I created one with all of these like a GolbalSnapcreator user.

I guess I can trial-and-error my way but I am lazy.

Which of them can I remove and still have all SC functionality?

DFM.Alarm.Delete, DFM.Alarm.Read, DFM.Alarm.Write, DFM.BackupManager.Backup, DFM.BackupManager.Failover, DFM.BackupManager.Read, DFM.BackupManager.Restore, DFM.ConfigManagement.Delete, DFM.ConfigManagement.Read, DFM.ConfigManagement.Write, DFM.Console.Execute, DFM.Core.AccessCheck, DFM.Core.Control, DFM.Core.Delegate, DFM.Database.Delete, DFM.Database.Read, DFM.Database.Write, DFM.DataSet.Create, DFM.DataSet.Delete, DFM.DataSet.Write, DFM.Event.Read, DFM.Event.Write, DFM.Mirror.PolicyControl, DFM.Mirror.Read, DFM.PerfThreshTemplate.Read, DFM.PerfThreshTemplate.Write, DFM.PerfView.Delete, DFM.PerfView.RealTimeRead, DFM.PerfView.Write, DFM.Policy.Delete, DFM.Policy.Read, DFM.Policy.Write, DFM.Quota.FullControl, DFM.Report.Delete, DFM.Report.Read, DFM.Report.Write, DFM.Resource.Control, DFM.ResourcePool.Provision, DFM.SAN.FullControl, DFM.Schedule.Delete, DFM.Schedule.Read, DFM.Schedule.Write, DFM.SRM.Read, DFM.StorageService.Attach, DFM.StorageService.Delete, DFM.StorageService.Detach, DFM.StorageService.Read, DFM.StorageService.Write, SD.Config.Delete, SD.Config.Read, SD.Config.Write, SD.Snapshot.Clone, SD.Snapshot.Delete, SD.Snapshot.DestroyUnrestrictedClone, SD.Snapshot.DisruptBaseline, SD.Snapshot.Read, SD.Snapshot.Restore, SD.Snapshot.UnrestrictedClone, SD.Snapshot.Write, SD.Storage.Delete, SD.Storage.Read, SD.Storage.Write

Re: Snapcreator as a mechanism for delegating data protection operations

What are the minimum rights for the OM user if you use USE_PROXY=Y?

We have only tested "Global Full Control"

You need to do two things to use DFM Proxy

1) create user with global full control

2) Add storage system login credentials; this is where you configure what user the DFM server will use when communicating with storage

Which of them can I remove and still have all SC functionality?

Like I said we only tested "Global Full Control" but the following should be a minimum

DFM.BackupManager.Backup, DFM.BackupManager.Read, DFM.BackupManager.Restore, DFM.Console.Execute, DFM.Core.AccessCheck, DFM.Core.Control, DFM.Core.Delegate, DFM.Database.Read, DFM.Database.Write, DFM.DataSet.Create, DFM.DataSet.Write, DFM.Event.Read, DFM.Event.Write, DFM.Mirror.PolicyControl, DFM.Mirror.Read, DFM.Policy.Delete, DFM.Policy.Read, DFM.Policy.Write, DFM.Schedule.Read

You might even be able to get it to work with just

DFM.Console.Execute, DFM.DataSet.Create, DFM.DataSet.Write, DFM.Event.Read, DFM.Event.Write

Regards,

Keith
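
Added example, not written by any poster in this thread and not NetApp code: it diffs the three capability lists quoted above into staged removals, grouped by resource, so the proxy role can be narrowed one step at a time. The function names are the example's own, and both target lists are the untested suggestions from the reply above.

```python
import re
from collections import defaultdict

# Capability lists copied from the thread: full role, suggested minimum, smaller candidate.
GRANTED = """
DFM.Alarm.Delete, DFM.Alarm.Read, DFM.Alarm.Write, DFM.BackupManager.Backup, DFM.BackupManager.Failover, DFM.BackupManager.Read,
DFM.BackupManager.Restore, DFM.ConfigManagement.Delete, DFM.ConfigManagement.Read, DFM.ConfigManagement.Write, DFM.Console.Execute,
DFM.Core.AccessCheck, DFM.Core.Control, DFM.Core.Delegate, DFM.Database.Delete, DFM.Database.Read, DFM.Database.Write,
DFM.DataSet.Create, DFM.DataSet.Delete, DFM.DataSet.Write, DFM.Event.Read, DFM.Event.Write, DFM.Mirror.PolicyControl, DFM.Mirror.Read,
DFM.PerfThreshTemplate.Read, DFM.PerfThreshTemplate.Write, DFM.PerfView.Delete, DFM.PerfView.RealTimeRead, DFM.PerfView.Write,
DFM.Policy.Delete, DFM.Policy.Read, DFM.Policy.Write, DFM.Quota.FullControl, DFM.Report.Delete, DFM.Report.Read, DFM.Report.Write,
DFM.Resource.Control, DFM.ResourcePool.Provision, DFM.SAN.FullControl, DFM.Schedule.Delete, DFM.Schedule.Read, DFM.Schedule.Write,
DFM.SRM.Read, DFM.StorageService.Attach, DFM.StorageService.Delete, DFM.StorageService.Detach, DFM.StorageService.Read,
DFM.StorageService.Write, SD.Config.Delete, SD.Config.Read, SD.Config.Write, SD.Snapshot.Clone, SD.Snapshot.Delete,
SD.Snapshot.DestroyUnrestrictedClone, SD.Snapshot.DisruptBaseline, SD.Snapshot.Read, SD.Snapshot.Restore,
SD.Snapshot.UnrestrictedClone, SD.Snapshot.Write, SD.Storage.Delete, SD.Storage.Read, SD.Storage.Write
"""
SUGGESTED_MIN = """
DFM.BackupManager.Backup, DFM.BackupManager.Read, DFM.BackupManager.Restore, DFM.Console.Execute, DFM.Core.AccessCheck,
DFM.Core.Control, DFM.Core.Delegate, DFM.Database.Read, DFM.Database.Write, DFM.DataSet.Create, DFM.DataSet.Write,
DFM.Event.Read, DFM.Event.Write, DFM.Mirror.PolicyControl, DFM.Mirror.Read, DFM.Policy.Delete, DFM.Policy.Read,
DFM.Policy.Write, DFM.Schedule.Read
"""
CANDIDATE = "DFM.Console.Execute, DFM.DataSet.Create, DFM.DataSet.Write, DFM.Event.Read, DFM.Event.Write"

def parse(text):
    """Split a comma-separated capability list, tolerating uneven spacing."""
    return {cap for cap in re.split(r"[,\s]+", text.strip()) if cap}

def by_resource(caps):
    """Group capabilities as {resource: [operations]}, e.g. 'SD.Snapshot' -> ['Clone', ...]."""
    groups = defaultdict(list)
    for cap in sorted(caps):
        resource, _, operation = cap.rpartition(".")
        groups[resource].append(operation)
    return dict(groups)

def removal_stages(granted, *targets):
    """For each successively smaller target, return (to_remove, to_add) against the previous stage."""
    stages, current = [], parse(granted)
    for text in targets:
        target = parse(text)
        stages.append((sorted(current - target), sorted(target - current)))
        current = target
    return stages

if __name__ == "__main__":
    for n, (drop, add) in enumerate(removal_stages(GRANTED, SUGGESTED_MIN, CANDIDATE), 1):
        print(f"stage {n}: remove {len(drop)}, add {len(add)}")
        print("  ", by_resource(drop))
```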