Subscribe

User 'root' denied access - missing required capability: 'cli-route'

At the tail end of this successful vFiler migration (the first of 16) I noticed this in the logs of the 8.1GA destination

Permission denied, user root does not have access to route

Thu May  3 14:43:15 PDT [irt-na04:tmig.step.completed:debug]: Step: 'Unbind_Source_Vfiler' of transparent migration completed at 32815 miliseconds. 

Thu May  3 14:43:15 PDT [irt-na04:tmig.step.started:debug]: Step: 'Configure_IP_Addresses' of tranparent migration started at 32815 miliseconds. 

Thu May  3 14:43:15 PDT [irt-na04:kern.cli.cmd:debug]: Command line input: the command is 'ifconfig'. The full command line is 'ifconfig na04-vif0-64 alias 171.65.64.100 netmask 255.255.255.0'.

Thu May  3 14:43:15 PDT [irt-na04:tmig.step.completed:debug]: Step: 'Configure_IP_Addresses' of transparent migration completed at 32828 miliseconds. 

Thu May  3 14:43:15 PDT [irt-na04:tmig.step.started:debug]: Step: 'Configure_Static_Route' of tranparent migration started at 32828 miliseconds. 

Thu May  3 14:43:15 PDT [irt-na04:useradmin.unauthorized.user:warning]: User 'root' denied access - missing required capability: 'cli-route'

Should I just allocate this capability to root? (why does root not have all capabilities?)

what would be the useradmin command line incantation to fix this?

thanks


Re: User 'root' denied access - missing required capability: 'cli-route'

Odd root doesn't have access. Cli-route is not in the useradmin user role for the administrator group?

Re: User 'root' denied access - missing required capability: 'cli-route'

Did it add the vFiler routes correctly even with this error? And updated the rc file with he vfiler run route add statements?

Re: User 'root' denied access - missing required capability: 'cli-route'

root is listed with no groups

irt-na04> useradmin user list

Name: root

Info: Default system administrator.

Rid: 0

Groups:

irt-na04> useradmin role list

Name:    admin                          

Info:    Default role for administrator privileges.

Allowed Capabilities: login-*,cli-*,api-*,security-*

Name:    audit                          

Info:    Default role for audit privileges.

Allowed Capabilities: api-snmp-get,api-snmp-get-next,api-system-api-*

Name:    backup                         

Info:    Default role for NDMP privileges.

Allowed Capabilities: login-ndmp

Name:    compliance                     

Info:    Default role for compliance privileges.

Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*,cli-snaplock*,api-snaplock-*,api-file-*,compliance-*

Name:    ndmp_role                      

Info:                                   

Allowed Capabilities: login-ndmp

Name:    none                           

Info:    Default role for no privileges.

Allowed Capabilities:

Name:    oracle                         

Info:                                   

Allowed Capabilities: login-ssh,cli-snap*

Name:    power                          

Info:    Default role for power user privileges.

Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*

Name:    root                           

Info:    Default role for root privileges.

Allowed Capabilities: *

Re: User 'root' denied access - missing required capability: 'cli-route'

Looks like /etc/rc was updated correctly, but the route commands were permission denied.

Luckily we have no static routes for our vFilers  - just the default route

This is feeling like a bug (which is not biting us - yet)

Re: User 'root' denied access - missing required capability: 'cli-route'

Agreed. Looks like a bug.

Re: User 'root' denied access - missing required capability: 'cli-route'

Can you verify what a proper user->group->role mapping is supposed to look like for root?

thanks

Re: User 'root' denied access - missing required capability: 'cli-route'

Same on my VSIM... no group for root.

fas6280> useradmin user list

Name: root

Info: Default system administrator.

Rid: 0

Groups:

Re: User 'root' denied access - missing required capability: 'cli-route'

I just opened a P1 case since this bug cutover a vFiler with failed IP/routing and its not serving data

Re: User 'root' denied access - missing required capability: 'cli-route'

You can still add the routes to fix it. But looks like a data motion bug on cutover.

Let us know the Burt # when support opens it. I would create a test vFiler with routes to test with. Support may have a workaround you can try.

Sent from my iPhone 4S