
API role restriction not working for system-get-vendor-info

I'm attempting to restrict roles on my FAS DOT 9.1 to give a user as minimal permissions as possible. One of the API calls they use is system-get-vendor-info, which ONTAP claims maps to 'system node autosupport show', which I have added to my role. The problem is that it doesn't return an answer for the restricted role, but it does for the full admin user. Do I have to 'try' all 1307 possibilities? Anyone got any ideas which permissions I need to add to get this to work?

>>> system_version = nmsdk.get('10.10.1.190', 'restricteduser', 'RestrictedUserPass1', 'system-get-version')
>>> system_version
{'build-timestamp': '1482447958', 'version': 'NetApp Release 9.1: Thu Dec 22 23:05:58 UTC 2016', 'version-tuple': {'system-version-tuple': {'generation': '9', 'major': '1', 'minor': '0'}}, 'is-clustered': 'true'}
>>> vendor_info = nmsdk.get('10.10.1.190', 'restricteduser', 'RestrictedUserPass1', 'system-get-vendor-info')
>>> vendor_info
>>> vendor_info = nmsdk.get('10.10.1.190', 'admin', 'adminPass', 'system-get-vendor-info')
>>> vendor_info
{'short-name': 'NetApp', 'information-url': 'http://support.netapp.com/autosupport/', 'product-url': 'http://support.netapp.com/eservice/submitInstProd.do?moduleName=INSTPROD', 'ontap-oid-prefix': '.1.3.6.1.4.1.789', 'customer-support-name': 'NetApp technical support', 'complete-name': 'NetApp', 'autosupport-email': 'autosupport@netapp.com', 'customer-support-contact': 'Contact NetApp technical support.', 'autosupport-url': 'support.netapp.com/asupprod/post/1.0/postAsup'}

and the role looks like this:

clustervserver   admin         DEFAULT                                       all
           restrictedrole    DEFAULT                                       none
                         cluster identity modify                       readonly
                         cluster identity show                         readonly
                         security login                                readonly
                         security login domain-tunnel                  none
                         security login password                       none
                         security login publickey                      none
                         security login role                           none
                         security login role show-ontapi               all
                         storage aggregate create                      readonly
                         storage aggregate modify                      readonly
                         storage aggregate show                        readonly
                         system license delete                         readonly
                         system license show                           readonly
                         system node autosupport modify                readonly
                         system node autosupport show                  readonly
                         system node modify                            readonly
                         system node show                              readonly
                         version                                       readonly
                         volume create                                 readonly
                         volume modify                                 readonly
                         volume qtree create                           readonly
                         volume qtree show                             readonly
                         volume show                                   readonly
                         vserver create                                readonly
                         vserver modify                                readonly
                         vserver services name-service dns hosts create
                         vserver services name-service dns hosts delete readonly
                         vserver services name-service dns hosts modify readonly
                         vserver services name-service dns hosts show   readonly
                         vserver show                                  readonly

Re: API role restriction not working for system-get-vendor-info

To document this for the world: I found that 'cluster show' is the permission I needed to add to get this working. It appears there is a flaw in the ONTAP documentation and product.
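One thing the session above hides is why the restricted call came back empty: the poster's `nmsdk.get` helper (not shown on the page) returned nothing rather than surfacing the ZAPI failure. The following is an added example, not code from the original post or from NetApp's SDK, that builds the ONTAPI request by hand with only the Python standard library, parses the `<results>` element, and raises on `status="failed"` so an RBAC denial is visible instead of silent. The endpoint path `/servers/ZAPI`, the `netapp` namespace and the errno `13003` in the constructed failure sample are assumptions for illustration; the sample responses are constructed, not captured from the poster's cluster.

```python
"""Minimal ONTAPI (ZAPI) helpers that make privilege failures explicit.

Added example; the poster's nmsdk.get helper is not shown on the page, so the
XML request/response handling here is written from scratch (standard library only).
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Assumed ONTAPI endpoint and namespace (not taken from the page).
ZAPI_PATH = "/servers/ZAPI"
ZAPI_NS = "http://www.netapp.com/filer/admin"


class ZapiError(RuntimeError):
    """Raised when the cluster answers <results status="failed" ...> instead of data."""

    def __init__(self, errno, reason):
        super().__init__(f"ZAPI errno {errno}: {reason}")
        self.errno = errno
        self.reason = reason


def build_request(api_name):
    """Return the request document for a parameterless ONTAPI call such as system-get-vendor-info."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<netapp version="1.31" xmlns="{ZAPI_NS}"><{api_name}/></netapp>'
    )


def _local(tag):
    """Strip the namespace prefix ElementTree puts on tags: '{ns}results' -> 'results'."""
    return tag.split("}", 1)[-1]


def _to_dict(element):
    """Convert <results> children to a dict; nested elements (e.g. version-tuple) nest."""
    out = {}
    for child in element:
        out[_local(child.tag)] = _to_dict(child) if len(child) else (child.text or "")
    return out


def parse_response(xml_text):
    """Return the payload of a passed call as a dict, or raise ZapiError on a failed one.

    A silent None (as in the posted session) is exactly what this avoids: a role
    that lacks the right command directory produces status="failed" with a reason.
    """
    root = ET.fromstring(xml_text)
    results = next(el for el in root.iter() if _local(el.tag) == "results")
    if results.get("status") != "passed":
        raise ZapiError(results.get("errno"), results.get("reason"))
    return _to_dict(results)


def call_zapi(host, user, password, api_name, cafile=None):
    """POST the request with HTTP basic auth over TLS; pass cafile for a private cluster CA."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}{ZAPI_PATH}",
        data=build_request(api_name).encode(),
        method="POST",
        headers={"Content-Type": "text/xml", "Authorization": f"Basic {token}"},
    )
    ctx = ssl.create_default_context(cafile=cafile)  # certificate verification stays on
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_response(resp.read().decode())


# Constructed sample responses for offline use (not captured from a real cluster).
SAMPLE_PASSED = f"""<?xml version="1.0" encoding="UTF-8"?>
<netapp version="1.31" xmlns="{ZAPI_NS}">
  <results status="passed">
    <short-name>NetApp</short-name>
    <ontap-oid-prefix>.1.3.6.1.4.1.789</ontap-oid-prefix>
    <version-tuple><system-version-tuple><generation>9</generation></system-version-tuple></version-tuple>
  </results>
</netapp>"""

SAMPLE_FAILED = f"""<?xml version="1.0" encoding="UTF-8"?>
<netapp version="1.31" xmlns="{ZAPI_NS}">
  <results status="failed" errno="13003" reason="Insufficient privileges: user does not have read access to this resource"/>
</netapp>"""


if __name__ == "__main__":
    import sys
    host, user, password, api = sys.argv[1:5]
    try:
        print(call_zapi(host, user, password, api))
    except ZapiError as err:
        # A denial here is the cue to compare 'security login role show-ontapi -ontapi <api>'
        # against the role's command directories, rather than guessing.
        print(f"{api} failed for {user}: {err}")
```

Run as `python zapi_probe.py <cluster-mgmt-lif> restricteduser '<password>' system-get-vendor-info` against the restricted user and then the admin; a role gap now prints the cluster's own errno and reason instead of an empty result.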