Accepted Solution

Role privileges necessary to run system-cli API calls

I am attempting to run "system-cli" calls that show some statistics.  I am using a user called "monitor" that has role "readonly" [1] .  This is on ONTAP 9.2.  I keep getting "

Insufficient privileges: user \'monitor\' does not have write access to this resource" when I use the "system-cli" API [2] call but the exact same command works just fine via SSH [3].


What am I missing in the readonly role that would prevent access only when running the command via system-cli?



- Trey




netapp-home::> security login show -user-or-group-name monitor

Vserver: netapp-home
                             Authentication             Acct   Is-Nsswitch
User/Group Name  Application Method    Role Name        Locked Group
---------------- ----------- --------- ---------------- ------ -----------
monitor          console     password  readonly         no     no
monitor          http        password  readonly         no     no
monitor          ontapi      password  readonly         no     no
monitor          ssh         password  readonly         no     no
monitor          ssh         publickey readonly         -      no
5 entries were displayed.

netapp-home::> security login role show -role readonly
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
           readonly      DEFAULT                                       readonly
                         security                                      none
                         security login password                       all
                         security login role show-user-capability      all
                         set                                           all
5 entries were displayed.




>>> from NetApp.NaServer import *
>>> s = NaServer('netapp-home', 1, 31)
>>> s.set_style('LOGIN')
>>> s.set_admin_user('monitor', 'OMIT')
>>> s.set_transport_type('HTTPS')
>>> import shlex
>>> cmd = shlex.split('statistics show -object nfsv4_diag -instance nfs4_diag -counter storePool_* -raw -node netapp-home01')
>>> args = NaElement('args')
>>> for arg in cmd:
...     args.child_add(NaElement('arg', arg))
>>> cli = NaElement('system-cli')
>>> cli.child_add(args)
>>> cli.child_add(NaElement('priv', 'diagnostic'))
>>> out = s.invoke_elem(cli)
>>> out.sprintf()
u'<results status="failed" errno="13003" reason="Insufficient privileges: user \'monitor\' does not have write access to this resource"></results>\n'
>>> s.set_admin_user('admin', 'OMIT')
>>> out = s.invoke_elem(cli)
>>> out.sprintf()
u'<results status="passed">\n\t<cli-output>\n\nObject: nfsv4_diag\nInstance: nfs4_diag\nStart-time: 12/7/2017 11:11:00\nEnd-time: 12/7/2017 11:11:00\nScope: netapp-home01\n\n    Counter                                                     Value\n    -------------------------------- --------------------------------\n    storePool_ByteLockAlloc                                        11\n    storePool_ByteLockMax                                     1024005\n    storePool_ClientAlloc                                        1305\n    storePool_ClientMax                                        102402\n    storePool_CopyStateAlloc                                        0\n    storePool_CopyStateMax                                      10241\n    storePool_DelegAlloc                                        32298\n    storePool_DelegMax                                        1024002\n    storePool_DelegStateAlloc                                   32298\n    storePool_DelegStateMax                                   1024010\n    storePool_LayoutAlloc                                           0\n    storePool_LayoutMax                                       1024005\n    storePool_LayoutStateAlloc                                      0\n    storePool_LayoutStateMax                                  1024010\n    storePool_LockStateAlloc                                       11\n    storePool_LockStateMax                                    1024002\n    storePool_OpenAlloc                                        204365\n    storePool_OpenMax                                         1024002\n    storePool_OpenStateAlloc                                   204365\n    storePool_OpenStateMax                                    1024010\n    storePool_OwnerAlloc                                       129643\n    storePool_OwnerMax                                        1024002\n    storePool_StateRefHistoryAlloc                                  0\n    storePool_StateRefHistoryMax                              9216008\n    storePool_StringAlloc                                      130910\n    storePool_StringMax                                       1024002\n26 entries were displayed.\n\n</cli-output>\n\t<cli-result-value>1</cli-result-value>\n</results>\n'



$ ssh -l monitor netapp-home "set diag; statistics show -object nfsv4_diag -instance nfs4_diag -counter storePool_* -raw -node netapp-home01"

Object: nfsv4_diag
Instance: nfs4_diag
Start-time: 12/7/2017 11:07:05
End-time: 12/7/2017 11:07:05
Scope: netapp-home01

    Counter                                                     Value
    -------------------------------- --------------------------------
    storePool_ByteLockAlloc                                        11
    storePool_ByteLockMax                                     1024005
    storePool_ClientAlloc                                        1303
    storePool_ClientMax                                        102402
    storePool_CopyStateAlloc                                        0
    storePool_CopyStateMax                                      10241
    storePool_DelegAlloc                                        32145
    storePool_DelegMax                                        1024002
    storePool_DelegStateAlloc                                   32145
    storePool_DelegStateMax                                   1024010
    storePool_LayoutAlloc                                           0
    storePool_LayoutMax                                       1024005
    storePool_LayoutStateAlloc                                      0
    storePool_LayoutStateMax                                  1024010
    storePool_LockStateAlloc                                       11
    storePool_LockStateMax                                    1024002
    storePool_OpenAlloc                                        204158
    storePool_OpenMax                                         1024002
    storePool_OpenStateAlloc                                   204158
    storePool_OpenStateMax                                    1024010
    storePool_OwnerAlloc                                       129557
    storePool_OwnerMax                                        1024002
    storePool_StateRefHistoryAlloc                                  0
    storePool_StateRefHistoryMax                              9216008
    storePool_StringAlloc                                      130822
    storePool_StringMax                                       1024002
26 entries were displayed.

Re: Role privileges necessary to run system-cli API calls

Hello @treydock,


Just a couple of things before using the system-cli API...please remember that it is an unsupported, "private", API, so we do actively discourage it's use.  It also has some quirks, noteably it has a buffer in the return output that, when it overflows, may incorrectly report that the call fails.


That being said, system-cli is the CLI equivalent of "system node run", so the user executing the command must have permission to that set of commands via ONTAPI.


Hope that helps.



If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

Re: Role privileges necessary to run system-cli API calls

@asulliva Thanks.


In case others come across this I had to modify a non-builtin role and use that role to make the necessary changes:


netapp-home::> security login role create -vserver netapp-home -role monitor -access all -cmddirname "system node run" -query "-command statistics *"