"Read only" cli- user

Hello,

I would like to configure, on our NetApp storage systems, a user who will be allowed to connect via ssh and who will only be allowed non-modifying commands.

For example, I would like to allow him commands like these:

vol status <volname>

aggr status -r (or -s / -f)

rdfile <filepath>

snap list

lun show -m -g <igroup_name>

But not allow him commands like these:

vol size <volname> +Xg

aggr add <aggr_name> <ndisks> / aggr offline <aggr_name>

wrfile <filepath>

snap delete

lun offline <lunpath>

Does someone know if such a role with corresponding capabilities exists (or already have one)?

If not, where can I find an exhaustive list of all existing capabilities so that I can build such a role?

Best Regards,

Re: "Read only" cli- user

Hello,

As you mentioned, the "Role-Based Access Controls in Data ONTAP™: Granular Administration of Capabilities" doc is a great one.

It explains (with examples) how to implement RBAC.

At the end of the document (page 9), there's a list of all cli- capabilities.

The problem is that this document is now 4+ years old.

I'm sure that, since then, new capabilities have been implemented in DOT.

I was not able to find any up-to-date list of implemented capabilities for DOT 7.2.4, 7.2.5, 7.2.6 or 7.3.

I would be really interested in a per release exhaustive list of implemented capabilities.

Moreover, with such year-2004 capabilities, when for example cli-aggr-* is granted to a role, a user with this role assigned will not only be able to perform "aggr status -r/-s/-f" but also aggr offline/destroy commands.

I want to be more granular than that.

I hope that this is possible with the new capabilities that were probably introduced in DOT since then.

It would be really great if someone has already implemented such a role that is limited to "read-only" cli- capabilities.

Regards,

Re: "Read only" cli- user

The OnTap sysadmin guide seems to be a good place to start for any changes to this capability.

I'm looking in the 7.3 sysadmin guide http://now.netapp.com/NOW/knowledge/docs/ontap/rel73/pdfs/ontap/sysadmin.pdf

There is a filerview-readonly option - GUI only of course.

On page 109:

Grants the specified role read-only access to FilerView. This capability type includes only the filerview-readonly capability, which grants the specified role the capability to view but not change manageable objects on systems managed by FilerView.

Note: There is no predefined role or group for read-only FilerView access. You must first assign the filerview-readonly capability to a role and then assign the role to a group, before you can create a user in such a group.

Re: "Read only" cli- user

Hello,

A colleague already informed me about this filerview-readonly capability that was introduced in DOT 7.3.

On page 107 of the "Data ONTAP® 7.3 System Administration Guide", there is a short list of capabilities present in DOT 7.3.

Does anybody know if I can find an exhaustive per-release capability list?

Some of our systems are still running DOT 7.2, and anyway my goal is to define a read-only role for cli- commands.

It would be great if I could add a bunch of cli- capabilities into a role so that it would behave like the filerview-readonly role, but on the cli side.

I already tried with cli-readonly, also on DOT 7.3, but there's no such capability defined yet.

To be granular I need to know all capabilities that exist. I really searched for this, and I was not able to find such a list yet.

Regards,

Re: "Read only" cli- user

It would be nice to find that exhaustive list that you are requesting. Funny that no one from NetApp seems to have one. Seems to be the case on a few matters that have come up. Like things are only partially thought through.

Re: "Read only" cli- user

You can check the capabilities of a NetApp via API (or just via the ZExplore tool).

The API call to consider would be: system -> system-api-list

In the XML output (see attachment), you could grep for "<name>" and then for things like "read" and "list"... those should be your "safe APIs".

Have fun

Anton
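Anton's grep idea, written out as a small added script (not from the thread or from NetApp): it parses a constructed reply shaped like system-api-list output (the element names and API names are assumed for illustration) and splits the API names into read-only candidates, modifying calls, and names that need a manual look before they go into a role.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a system-api-list reply; element names and API names
# are assumed for illustration, not captured from a filer.
SAMPLE_API_LIST = """<results status="passed"><apis>
  <system-api-info><name>aggr-list-info</name></system-api-info>
  <system-api-info><name>aggr-offline</name></system-api-info>
  <system-api-info><name>volume-list-info</name></system-api-info>
  <system-api-info><name>volume-size</name></system-api-info>
  <system-api-info><name>snapshot-list-info</name></system-api-info>
  <system-api-info><name>snapshot-delete</name></system-api-info>
  <system-api-info><name>lun-list-info</name></system-api-info>
  <system-api-info><name>lun-offline</name></system-api-info>
  <system-api-info><name>file-read-file</name></system-api-info>
  <system-api-info><name>file-write-file</name></system-api-info>
</apis></results>"""

# Verb tokens: observe-only, state-changing, and ones that can be either
# (a "size" call may report a size without an argument but resize with one).
READ_VERBS = {"list", "get", "info", "status", "read", "show"}
WRITE_VERBS = {"create", "destroy", "delete", "set", "offline", "online",
               "modify", "write", "add", "remove", "rename", "truncate", "restore"}
AMBIGUOUS_VERBS = {"size"}

def api_names(xml_text):
    """Return every <name> text found in the reply, in document order."""
    root = ET.fromstring(xml_text)
    return [n.text.strip() for n in root.iter("name") if n.text]

def classify(name):
    """Sort one API name into 'read', 'write' or 'review' by its verb tokens.
    A mutating verb always wins, and a name with an ambiguous or unrecognised
    verb goes to manual review rather than being silently allowed."""
    tokens = set(name.split("-"))
    if tokens & WRITE_VERBS:
        return "write"
    if tokens & AMBIGUOUS_VERBS or not tokens & READ_VERBS:
        return "review"
    return "read"

def build_readonly_candidates(xml_text):
    """Group API names by class; 'read' is the starting point for a read-only role."""
    groups = {"read": [], "write": [], "review": []}
    for name in api_names(xml_text):
        groups[classify(name)].append(name)
    return groups

if __name__ == "__main__":
    for cls, names in build_readonly_candidates(SAMPLE_API_LIST).items():
        print(cls, ", ".join(names))
```

Feed it the real attachment instead of the constructed sample and the "review" bucket is where the name-based heuristic stops being trustworthy; those calls should be tested against a lab filer before they are granted.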

Re: "Read only" cli- user

Where can I find info for 8.x?