2011-08-22 08:07 PM
In a nutshell this is what I want to do,
We have snapdrive installed on our Windows boxes. The service account has admin privileges.
The problem with this is that a server admin can access storage systems via snapdrive.
From what I have read you can use RBAC and DFM integration.
This is where I get stuck. I have no clue how DFM was setup and nobody bothered to document it.
Looking at the Snapdrive Admin Guide it says the first thing that needs to be done is enable RBAC.
That does not seem to work for us. We can connect to the system through storacl.exe and we use dfmrbac command to enable it
but the AccessControl.xml file is not created. We used the Create -stor command from storacl with root credentials.
Not sure if there is something wrong here cos we get no indication!
I have installed snapdrive with service account that has admin priviliges.
I specified the same account for DFM integration and setup completes.
When we log on to server with account that has server admin privileges but no storage admin rights we can still access storage.
Not sure whether this is because of the fact that there is no AccessControl.xml file...
Where do we go from here? All help appreciated. I am not a storage admin, I just want to secure it from a server side.
Data Ontap 126.96.36.199 p5
2011-08-23 10:26 AM
from the documentation:
"HTTPS must be enabled using the options ssl.enable command and secureadmin setup ssl command on the storage system."
if you don't see the AccessControl.xml then snapdrive will not work properly with RBAC so you'll need to troubleshoot the connectivity / protocol between storacl and the controller.
2011-08-23 01:26 PM
Where exactly can I find the statement about HTTPS?
It is not mentioned on the pages that covers "Enabling RBAC for use with Snapdrive" Page 83-88
In the storacl guide I do find a reference that says HTTPS is used by default. Can I somehow do this over HTTP?
Storage engineer says that they cannot turn HTTPS on because it conflicts with something else ( What I don't know)
2011-08-24 01:53 PM
Yeah I have specified RPC when installing Snapdrive. HTTPS is not enabled on the filers at this stage so changing this will not affect anything I presume?
With that I mean that this setting in Snapdrive as to match the protocol on the filer. Is there a way of using RPC or http with the storacl tool?