2008-12-11 05:04 AM
I would like to configure on our NetApp storage systems, an user which will be allowed to connect himself via ssh, and that will be only allowed any non-modifying commands.
For example, I would like to allow him commands like those :
vol status <volname>
aggr status -r (or -s / -f)
lun show -m -g <igroup_name>
But not allow him commands like those :
vol size <volname> +Xg
aggr add <aggr_name> <ndisks> / aggr offline <aggr_name>
lun offline <lunpath>
Does someone knows if (or already have) such a role with corresponding capabilities exists ?
If not, where can I find an exhaustive list of all existing capabilities so that I can build such a role ?
2008-12-11 06:12 AM
As you mentioned, the "Role-Based Access Controls in Data ONTAP™: Granular Administration of Capabilities" doc is a great one.
It explains (with examples) how to implement RBAC.
At the end of the document (page 9), there's a list of all cli- capabilities.
The problem it that this document is now 4+ years old.
I'm sure that, since then, new capabilities have been implemented in DOT.
I was not able to find any up-to-date list of implemented capabilities for DOT 7.2.4 7.2.5 7.2.6 or 7.3.
I would be really interested in a per release exhaustive list of implemented capabilities.
Moreover with such year-2004 capabilities, when for example the cli-aggr-* is granted to a role users with this one assigned he will not only be able to perform "aggr status -r/-s/-f" but also aggr offline/destroy commands.
I want to be more granular than that.
I hope that this is possible with the new capabilities that were probably introduced in DOT since then.
It will be really great if someone already implemented such a role that is limited to "read-only" cli- capabilities.
2008-12-11 06:30 AM
OnTap sysadmin guide seems to be a good place to start for any changes to this capability.
I'm looking in the 7.3 sysadmin guide http://now.netapp.com/NOW/knowledge/docs/ontap/rel73/pdfs/ontap/sysadmin.pdf
There is a filerview-readonly option - GUI only of course.
On page 109:
Grants the specified role read-only access to FilerView.
This capability type includes only the
filerview-readonly capability, which grants the
specified role the capability to view but not change
manageable objects on systems managed by FilerView.
There is no predefined role or group for read-only
FilerView access. You must first assign the
filerview-readonly capability to a role and
then assign the role to a group, before you can create
a user in such a group.
2008-12-11 07:11 AM
A colleague already informed me about this filerview-readonly capability that was introduced in DOT 7.3.
At page 107 from the "Data ONTAP® 7.3 System Administration Guide", there is a short list of capabilities present in DOT 7.3.
Does anybody knows if I can find an exhaustive per-release capability list ?
Some of our systems are still running DOT 7.2, and anyway my goal is to defile a read only role for cli- commands.
It will be great if I can add a bunch of cli- capabilities into a role so that it would behave like the filerview-readonly role, but on the cli side.
I already tried with cli-readonly, also on DOT 7.3, but there's no such a capability yet defined.
To be granular I need to know all capabilities that exists, I really searched for this, and I was not able to find such a list yet.
2012-03-01 09:04 AM
It would be nice to find that exhaustive list that you are requesting. Funny that no one from NetApp seems to have one. Seems to be the case on a few matters that have come up. Like things are only partially thought through.
2012-03-02 02:14 AM
You can check the capabilities of a NetApp via API (or just via the ZExplore tool).
The API call to consider would be: system -> system-api-list
In the XML output, see attachment, you could grep for "<name>" and then for things like "read" and "list"... those should be your "safe APIs"