RCU from VSC 2.0 problem with RBAC

Hi all, it seems that I have some problems configuring RBAC to use RCU from VSC 2.0.

I had RBAC configured for RCU 3.0 and it was working fine with that version. I've checked the documentation and it seems that nothing changed, but when I try to add a host to the RCU part of VSC 2.0 I get an error saying that some roles are missing.

It seems to be something related to some cli-* role missing from my definition. Does anyone have the correct RBAC role to put on the storage to make RCU work on VSC 2.0?

Thanks

Francesco

Re: RCU from VSC 2.0 problem with RBAC

Some additional APIs have been added for the 3.1 version of RCU. They are found in the IAG.

The additional APIs required to add a controller to RCU 3.1 are these:

  • api-cf-get-partner
  • api-disk-list-info
  • api-fcp-adapter-list-info
  • api-fcp-get-cfmode
  • api-lun-get-vdisk-attributes
  • api-nfs-exportfs-list-rules
  • api-volume-options-list-info
  • api-lun-move
  • api-lun-unmap
  • api-lun-online

    Re: RCU from VSC 2.0 problem with RBAC

    Thanks for the answer. I've checked the installation guide for VSC again and I can find these APIs listed in the VSC capabilities:

    • api-cf-get-partner
    • api-disk-list-info
    • api-fcp-adapter-list-info
    • api-fcp-get-cfmode
    • api-lun-get-vdisk-attributes
    • api-nfs-exportfs-list-rules
    • api-volume-options-list-info

    So should I add the entire VSC user role capability to the capability used by the RCU user (we had different users for vsc/rcu/smvi defined on the storage)?

    I cannot find these in the documentation. Do you know in what specific role they need to go (create_clones/create_datastore/destroy_datastore/modify_datastore)?

    • api-lun-move
    • api-lun-unmap
    • api-lun-online

    To make RCU 3.0 work I had only these roles defined (and I was using all but the destroy_datastore role in the RCU user):

    Name:    rcu_create_clones
    Info:
    Allowed Capabilities: login-http-admin,api-system-get-version,api-system-get-info,api-system-cli,api-license-list-info,cli-ifconfig,api-aggr-list-info,api-volume-list-info,api-lun-list-info,api-lun-map-list-info,api-igroup-list-info,api-ems-autosupport-log,api-file-get-file-info,api-clone-*,api-file-create-directory,api-file-read-file,api-file-delete-file,api-file-write-file,cli-mv,api-file-delete-directory,cli-ndmpd,cli-ndmpcopy,api-useradmin-user-list,api-cf-status,api-snapshot-list-info,api-volume-autosize-get,api-iscsi-session-list-info,api-iscsi-portal-list-info,api-fcp-service-status,api-iscsi-service-status,cli-df,api-snapmirror-get-volume-status,api-quota-report,api-qtree-list,api-system-api-list,api-vfiler-list-info

    Name:    rcu_create_datastores
    Info:
    Allowed Capabilities: api-volume-create,api-volume-set-option,api-volume-autosize-set,api-sis-enable,api-sis-start,api-snapshot-create,api-snapshot-set-reserve,api-volume-clone-create,api-nfs-exportfs-list-rules-2,api-nfs-exportfs-modify-rule-2,api-nfs-exportfs-load-exports,api-igroup-create,api-lun-create-by-size,api-lun-map,api-lun-set-comment,api-igroup-add,cli-qtree,cli-iscsi,api-nfs-exportfs-append-rules-2

    Name:    rcu_destroy_datastores
    Info:
    Allowed Capabilities: api-volume-offline,api-volume-destroy,api-lun-offline,api-lun-destroy

    Name:    rcu_modify_datastores
    Info:
    Allowed Capabilities: api-volume-size,api-sis-disable,api-sis-stop,api-lun-resize

    Thanks for the help

    Francesco

    Re: RCU from VSC 2.0 problem with RBAC

    Hi Francesco,

    All of these new capabilities (including the VSC user role) need to be added to the create_clones role.

    -George
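
One way to check a role listing against the ten capabilities named in this thread before retrying the add-controller step, as an added example (not code from the thread or from the vendor). The function names and the abridged sample listing are constructed, and treating `*` in a granted capability as a glob-style wildcard is an assumption.

```python
import fnmatch

# Capabilities the thread lists as newly required to add a controller to RCU 3.1.
REQUIRED = [
    "api-cf-get-partner", "api-disk-list-info", "api-fcp-adapter-list-info",
    "api-fcp-get-cfmode", "api-lun-get-vdisk-attributes",
    "api-nfs-exportfs-list-rules", "api-volume-options-list-info",
    "api-lun-move", "api-lun-unmap", "api-lun-online",
]

# Constructed sample: same layout as the role listing posted above, lists abridged.
SAMPLE = """\
Name:    rcu_create_clones
Info:
Allowed Capabilities: login-http-admin,api-clone-*,api-lun-list-info,api-lun-map-list-info,cli-df

Name:    rcu_create_datastores
Info:
Allowed Capabilities: api-nfs-exportfs-list-rules-2,api-lun-map,api-lun-create-by-size
"""

def parse_roles(text):
    """Return {role_name: [capability, ...]} from 'Name:' / 'Allowed Capabilities:' lines."""
    roles, current = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Name":
            current = value.strip()
            roles[current] = []
        elif key == "Allowed Capabilities" and current:
            roles[current] += [c.strip() for c in value.split(",") if c.strip()]
    return roles

def missing_capabilities(required, granted):
    """Required names not covered by any granted entry (assumption: '*' is a glob)."""
    return [r for r in required
            if not any(fnmatch.fnmatchcase(r, g) for g in granted)]

def audit(text, role_names, required=REQUIRED):
    """Capabilities still missing for a user holding all of role_names."""
    roles = parse_roles(text)
    unknown = [n for n in role_names if n not in roles]
    if unknown:
        raise KeyError(f"role(s) not in listing: {unknown}")
    return missing_capabilities(required, [c for n in role_names for c in roles[n]])

if __name__ == "__main__":
    for cap in audit(SAMPLE, ["rcu_create_clones", "rcu_create_datastores"]):
        print("missing:", cap)
```

Matching is exact apart from the wildcard, so `api-nfs-exportfs-list-rules-2` in the datastore role does not satisfy `api-nfs-exportfs-list-rules`, and listing the individual names keeps the role narrower than granting `api-lun-*`.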