Community

Announcements
Welcome to the new NetApp Community. Learn how to get started.

RBAC User Creator for Data ONTAP

by NetApp Employee on ‎2012-09-17 09:55 PM - last edited 4 weeks ago by Community Manager

I’ve created a new C# application that will assist you in creating RBAC usernames for Data ONTAP. It is called the RBAC User Creator for Data ONTAP®.   This application can be used to create usernames in both 7-mode and Clustered Data ONTAP environments. It takes care of the small differences between the Data ONTAP versions as well as the variances with the NetApp products using them.

 

This is actually the second release.  The first version was limited to creating Data ONTAP usernames only for VSC. Version 2 supports multiple OFFTAP products.    Before I delve too much into what else is new in version 2.0, let me tell you a little about how the application works.  

 

The lists of privileges being created are stored in XML (ontapPrivs.xml).   This was done for two primary reasons: 

     1. You can clearly see the privileges so there is complete transparency with regards to the new user RBAC User Creator is creating

     2. Additional privileges and products can be added later without the need to recompile the application.

 

Please make note of the last sentence.   Additional products can be added without needing to recompile the application.   This is an important aspect of version 2.0.   You can think of RBAC User Creator being a framework of sorts.  All the products and privileges for those products are listed in the XML file. Adding support for another product or product version is as simple as adding the information in the XML file. Out of the box, RBAC User Creator has native support for the following products:

  • Virtual Storage Console for VMware vSphere
  • OnCommand Balance
  • Snap Creator Framework
  • SnapDrive for Windows
  • VASA Provider for VMware vCenter
  • Storage Replication Adapter for VMware Site Recovery Manager
  • Virtual Storage Console for Citrix XenServer   (*NEW*)
  • Virtual Storage Console for RHEV (*NEW*)
  • NetApp Recovery Manager for Citrix Sharefile (*NEW*)
  • OnCommand Unified Manager (DFM) 5.1
  • VMTurbo Operations Manager (*NEW*)

 

 

In just a few short clicks you can create ONTAP usernames with all the required privileges needed by VSC.

 

 

In order to guide you along, the non-relevant sections are greyed out.  Simply enter the root or admin username and IP of the storage system you want to create the user on.   Click the LOGIN button, and it will login and determine the controller type.   If the storage system is running Clustered Data ONTAP, the list of Vservers will be displayed.   RBAC User Creator supports creating users on the Cluster-Admin Vserver as well as on Data Vservers. Simply select the Vserver from the pull-down list.

 

NOTE: RBAC User Creator requires root/admin storage credentials for creating new usernames.

 

Remember, RBAC User Creator handles all the differences between 7-mode and Clustered Data ONTAP.  Simply select your VSC version you're using, and the roles you want the new user to have.   Then, select the product and product version.

RBAC User Creator will merge all the privileges from the selected roles and combine them in a sorted list.   Since there is an ONTAP limit in the number to privileges in a role, RBAC User Creator will create iterated roles names in the form of <rolename>.X.   In the case of Clustered Data ONTAP, it handles both the read-only and all-access privileges.

 

If you are unsure on what privileges the new user will have, you can click on the PREVIEW button to preview the list.   It will show you the sorted list of all the privileges to be added.

 

If the storage system is running 7-mode, it will create an EMS log detailing the creation of this new username.   Hopefully, I'll be able to add this functionality for Clustered Data ONTAP soon.

 

After the username is created, simply login into you application and add the storage system using the new username.

 

If anything goes wrong, post the ONTAPUserCreator.log file here in this thread.

 

 

The following articles (TRs, IAG, and KBs) were used to generate the XML.    Please let me know if any are missing. 

 

SnapDrive for Windows

NetApp TR#3864

 

VSC for VMware vSphere

NetApp KB#1010575

 

7-Mode SRA for SRM 4

NetApp KB#1010829

7-Mode SRA for SRM 5

NetApp KB#1013325

Clustered Data ONTAP SRA for SRM 5

NetApp KB#1014549

 

OnCommand Balance

NetApp KB#3012802

 

VASA

NetApp KB#1013766

 

 

Change Log

2.7.5171.15605

- Added a true Offline Mode.  A list of commands can be generated without logging in the controller.

- Fixed an issue where a cDOT 'all' privilege could not override a 'read-only' privilege of the same command.  This was mainly seen

  when initially creating a username with say only the 'Discovery' role, then later adding the other roles.

- Fixed several broken privileges for Direct Vservers

- Fixed several "reset" bugs when switching from one controller to another.

- Added code to prevent the cDOT built-in vsadmin* roles from being selected.

 

2.7.5163.24551

- Added support for the PBM role for VSC 5.0

- Added a number of new privileges for VSC 5.0

- Locked usernames are now skipped

- Blocked cDOT built-in role ‘vsadmin’ from being selected.

- Passwords are no longer printed in open text in the log file

- Improved the status messaging when creating multiple usernames

- Add code to prevent the group/role/user from being named the same on 7-mode

- Added EMS logging for cDOT.    Note: the EMS log will only be sent to the first node in the cluster.  If Direct Vservers are used that are running cDOT 8.2 or greater, the EMS log will be sent to the Vserver.

- Fixed an issue where privileges with ONTAP dependencies were not being processed correctly for cDOT.

- Added proper support for DOT 8.2.1

- Improved the error messaging when the connection fails due to port and SSL misconfigurations

- Added limited support for creating Domain users.

- Added a new checkbox to generate a scriptable list of commands that is exported to a file.   This is useful for customers that want to use the benefits of the RUC tool, but do not want to directly use it to generate the ONTAP username.

- Added support for VMTurbo Operations Manager!

- Added support for SRA 2.1

- Added support for VSC for CloudStack 1.0

- Added support for VSC for RHEV 1.0

- Added support for VSC for VMware 5.0

- Added support for VSC for Citrix XenServer 2.0.1

- Added support for MetroCluster Plug-in for vSphere 1.0

 

2.4.5017.13845

- Added support for VSC 4.2.1 and VSC 5.0 Beta

- Added missing privileges for VSC and OnCommand Balance

 

2.3.4896.22885 (5/28/2013)

- Fixed a error in the XML file for VSC 4.2 Backup-Recovery Role

 

2.3.4881.28244 (5/13/2013)

- Added support for OnCommand Unified Manager 5.1

 

2.3.4873.26587 (5/9/2013)

- Added support for VSC 4.2 for VMware vSphere

- Added support for SRC for VMware SRM

- Added support for Snap Creator Framework 4.0

- Added support for VSC for Citrix XenServer

- Added support for NetApp Recovery Manager for Citrix ShareFile

- Removed clear text passwords in the log file

- Fixed the XML syntax error for VSC 4.1P1

- Other miscellaneous bug fixes

 

2.2.4789.19622 (2/10/2013)

- Added support for VSC 4.1P1

 

2.1.4707.19047 (11/20/2012)

- Fixed an issue where the controller validation would fail if MultiStore was not licensed.

 

2.0.0 (11/17/2012)

- Changed the application name to RBAC User Creator for Data ONTAP®

- Added support for multiple products.   Natively, RBAC User Creator supports VSC, SDW, SRA, Balance, VASA, and Snap Creator.   Additional products can be added to the XML.

- Added support for modifying existing DOT username, roles and groups.

- Bug fixes

 

 

1.1.4646 (9/20/2012)

- Updated InstallShield to auto-generated the correct package name,

- Fixed a minor issue where privilege 'cluster identity show' was not being loaded

 

1.1.4645 (9/19/2012)

- Updated ONTAPUserCreator.  Added validation checks when clicking the submit button.   Any missing fields should now be flagged.

 

1.0.0000 (9/18/2012)

- Initial release

 

 

DOWNLOAD HERE: http://support.netapp.com/NOW/download/tools/rbac/

 

 

 

Comments
maliu
on ‎2012-09-18 08:41 PM

Thanks for this application. Makes life a lot easier.

Will be great to be able to use this also for SRM as well as creating other RBAC username for backup softwares like (NetBackup etc).

Regards,

dbkelly
NetApp Employee on ‎2012-11-01 01:18 PM

Maliu,

Thank you for the kind words.   Version 2 is coming soon.   One of the new features will be the ability to suppor multiple products.    More details to come

dbkelly
NetApp Employee on ‎2012-11-19 05:41 AM

Version 2.0 is posted!

What's new?

Changed the application name to RBAC User Creator for Data ONTAP®

Added support for multiple products.   Natively, RBAC User Creator supports VSC, SDW, SRA, Balance, VASA, and Snap Creator.   Additional products can be added to the XML.

Added support for modifying existing DOT username, roles and groups.

Bug fixes

maliu
on ‎2012-11-19 11:09 AM

This is just getting better and better. Thank you.

Does the added support to modify existing username, roles &amp; group also has the option to remove them? I haven't tested this yet.

sgardnert2
on ‎2012-11-20 05:57 AM

This looks very promising. Unfortunately, I am getting the following error when attempting to Login: API Failed: Api vfiler-list-info requires license for multistore.

ScreenShot247.png

This is for a FAS3140 with NetApp Release 8.0.2P5 7-Mode. The progress bar just sits there and doesn't time out.

I googled the error and searched the log file but nothing showed up. Any assistance or direction will be greatly appreciated. If there's any other information I can provide please let me know.

Thanks very much.

Sean

dbkelly
NetApp Employee on ‎2012-11-20 06:34 AM

Glad you like it maliu.  Unfortunately, no.  This tool only modifies existing users, it does not delete or remove them.   If you want to remove a username/role/group, you will need to do that manually with tools like the CLI, CEM, or SysMgr.

dbkelly
NetApp Employee on ‎2012-11-20 06:45 AM

Sean,

Ah... you don't have a MultiStore license.  This is a bad assumption on my part.   In order for DOT to process the vfiler-list-info ZAPI, it needs access to that license.   This error is causing the controller validation to fail.    Give me a few days and let me see what I can come up with.   It should be fairly easy to skip this check if the MultiStore is not licensed.     Of course, dealing with the fact that the vFiler list will be empty will be a whole other sets of issues to deal with in the GUI.    I'm travelling for the Thanksgiving holiday break, so it'll likely be a week or more before I can get to it.

Can you send me the log file?

-David

dbkelly
NetApp Employee on ‎2012-11-20 12:20 PM

Sean,  scratch my previous comment.  This was easier to fix than expected.   I fixed this over lunch today.    Please give version 2.1 a try.

sgardnert2
on ‎2012-11-21 02:45 AM

It works a treat! Thanks so much!

I have used it to create the role, group and user on both of my controllers as well as modified the credentials for VSC authentication in the plugin itself.

I really appreciate your time and effort on this. We have about 20 NetApps in the business connected to ESXi hosts so I will be communicating this to all storage/VMware admins.

Thanks again.

Sean

mrinal
NetApp Employee on ‎2012-11-21 08:20 AM

Hi David,

Thank you for building this.

Would you happen to have the time frame for including SnapDrive for Windows here? The software shows up in the drop-down but it seems that the XML definitions have not been included in the shipping version.

dbkelly
NetApp Employee on ‎2012-11-26 05:14 PM

Glad to hear you are finding it useful.    Thanks Sean!

dbkelly
NetApp Employee on ‎2012-11-26 05:23 PM

Mrinal,

I'm confused by your comment.   Please make sure you are using version 2.0+.     SDW v6.4.2 support is builtin.Screen Shot 2012-11-26 at 8.22.08 PM.png

mrinal
NetApp Employee on ‎2012-11-27 01:04 AM

I get the following message. Have reinstalled the utility. It works well for VSC 4.

dbkelly
NetApp Employee on ‎2012-11-27 06:27 AM

Mrinal,

Oh, you're running Clustered Data ONTAP.    My screenshot was from a 7-mode system.   There are definitely c-mode privileges listed in the XML file, but it doesn't look like it able to be parsed.  Let me take a look and I'll be back in touch. 

dbkelly
NetApp Employee on ‎2012-11-27 06:46 AM

I apologize, I should have noticed this earlier.    You are trying to create a username on a direct Vserver.    There are no privs defined for that; hence the error message.   I'll have to double-check with the SDW PM.  Previously, I was only sent privileges for Cluster-Admin users.  

mrinal
NetApp Employee on ‎2012-11-27 10:31 AM

You are correct. The utility works if the user and role are created on the cluster itself.

scheckel
NetApp Employee on ‎2013-01-29 05:15 AM

Hi,

great tool. I am having issues with the connection.

I try to connect to the admin vserver´with port 443 and ssl:

013-01-21 14:08:26,120 DEBUG [ZapiUtils.getNaServer]: NaServer Hostname : derotnpc0001a

2013-01-21 14:08:26,120 DEBUG [ZapiUtils.getNaServer]: NaServer Type: FILER

2013-01-21 14:08:26,120 DEBUG [ZapiUtils.getNaServer]: NaServer TransportType: HTTPS

2013-01-21 14:08:26,121 DEBUG [ZapiUtils.getNaServer]: NaServer Port: 443

2013-01-21 14:08:26,121 DEBUG [ZapiUtils.getNaServer]:

2013-01-21 14:08:26,121 DEBUG [ZapiUtils.getNaServer]:

2013-01-21 14:08:26,139 DEBUG [ZapiUtils.getSystemVersion]: <system-get-version/>

2013-01-21 14:09:41,110 ERROR [ZapiUtils.getSystemVersion]: Failed invoking API

Firewall from thei host is open for port 443.

Select ACL Protokoll Source Ip Destination Ip Source Port Destination Port

InfoThis communication is already permitted. Any change of ACL is not needed. permitted tcp 10.68.84.47 (dewdfgwp00236.wdf.sap.corp) 10.66.213.12 (derotnpc0001a.wdf.sap.corp) 1045 443

So are there other ports to be open for the initial communication?

Best wishes,

Markus.

dbkelly
NetApp Employee on ‎2013-02-10 05:26 PM

Updated to version 2.2.4789.19622.  Added support for VSC 4.1P1

sw4tenetapp
on ‎2013-03-06 04:36 AM

Hi,

I have tried to update an existing user (which was created with All privileges for VSC 4.1) to all All privileges for VSC 4.1P1. The rule name which I had used for VSC 4.1 was vsc41 (vsc41.1 and vsc41.2 was generated by RBAC User Creator for Data ONTAP®p). It will add 3 capabilities. Here the log:

2013-03-06 12:51:14,545 DEBUG [ZapiUtils.create7ModeLoginRole]: Role Description Name : This is an auto-generated role created by RBAC User Creator for Virtual Storage Console for VMware vSphere.

2013-03-06 12:51:14,545 DEBUG [ZapiUtils.create7ModeLoginRole]: Role Name : vsc41.3

2013-03-06 12:51:14,545 DEBUG [ZapiUtils.create7ModeLoginRole]: Privs : api-volume-list-iter-start,api-volume-list-iter-next,api-volume-list-iter-end

2013-03-06 12:51:14,545 DEBUG [ZapiUtils.create7ModeLoginRole]: UseradminCapabilityInfo: api-volume-list-iter-start

2013-03-06 12:51:14,545 DEBUG [ZapiUtils.create7ModeLoginRole]: UseradminCapabilityInfo: api-volume-list-iter-next

2013-03-06 12:51:14,545 DEBUG [ZapiUtils.create7ModeLoginRole]: UseradminCapabilityInfo: api-volume-list-iter-end

2013-03-06 12:51:14,545 DEBUG [ZapiUtils.create7ModeLoginRole]: <useradmin-role-add>

    <useradmin-role>

        <useradmin-role-info>

            <allowed-capabilities>

                <useradmin-capability-info>

                    <name>api-volume-list-iter-start</name>

                </useradmin-capability-info>

                <useradmin-capability-info>

                    <name>api-volume-list-iter-next</name>

                </useradmin-capability-info>

                <useradmin-capability-info>

                    <name>api-volume-list-iter-end</name>

                </useradmin-capability-info>

            </allowed-capabilities>

            <comment>This is an auto-generated role created by RBAC User Creator for Virtual Storage Console for VMware vSphere.</comment>

            <name>vsc41.3</name>

        </useradmin-role-info>

    </useradmin-role>

</useradmin-role-add>

2013-03-06 12:51:14,654 ERROR [ZapiUtils.create7ModeLoginRole]: API FAILED: Could not add role <vsc41.3>. Error: Invalid capability

2013-03-06 12:52:06,280 DEBUG [UserCreator.ValidateTextbox]: Clearing Validation field

2013-03-06 12:52:06,280 DEBUG [UserCreator.roleName_Validating]: Setting role name :  vsc41

We use ONTAP 8.0.1. It is the same on both heads.

TIA, Silvio

dbkelly
NetApp Employee on ‎2013-03-11 04:47 PM

Silvio,

I apologize for not responding earlier...  I've enabled email notifications, but I'm not seeing an email when someone posts a comment. 

I don't know if I ever specifically tested "upgrading" a VSC 4.1 user  to VSC 4.1P1, but I will give it a shot tonight.

dbkelly
NetApp Employee on ‎2013-03-11 04:50 PM

If you haven't heard already, VSC 4.2 Beta has been released. 

https://communities.netapp.com/community/products_and_solutions/virtualization/vsc

I'm in the process of updating the tool to support VSC 4.2.  I should have something ready by the end of the week.   Stay tuned.


chao
NetApp Employee on ‎2013-03-13 03:10 AM

Hi David

how to use your tool to assign a AD account with a certain role?

BR

TC

chao
NetApp Employee on ‎2013-03-13 03:31 AM

I tried to create a VSC4.1P1 account but get the following error:

but for VSC 4.0 and 4.1, it works well to create account.RBACtool.JPG

in the log: 2013-03-13 18:14:08,856 ERROR [ZapiUtils.create7ModeLoginRole]: API FAILED: Could not add role <role1>. Error: Invalid capability

BTW, the ONTAP version is 7.3.6

IVENTSTORAGE
on ‎2013-03-17 03:11 AM

We ran into issues when we used a AD account. We made a group and added the AD account in the group. (adexample\aduser) and when we used this user in the VSC everything became slow and unresponsive. When we made a local user and added this in the administrator group local on the Netapp controller we also got some VSC plugin features working again like show privileges.

When you don't get to see the confirmation what privileges you have it seems the plugin fails to work in combination with AD authentication.

However we would like to see AD and VSC working together as this is our standard security authentication. We are on 8.1.2 7-mode.

Next week going to do some testing with the group created by this RBAC user creator and a local account.

any idea what causing AD account failures with VSC ? We did use RBAC User creator which delivered an great job in creating roles and such.

thanks

dbkelly
NetApp Employee on ‎2013-03-26 06:05 AM

chao, it looks like something in the XML is messed up.   Can you upload the RBACUserCreator.log and the ontapPrivs.xml file.  Thanks

chao
NetApp Employee on ‎2013-03-28 11:44 PM

I just find I could not upload file in reply. I send to you by email seperately.

maliu
on ‎2013-04-12 09:19 AM

Hi Dave,

Any way to prevent the clear text storage root password written on the log files during validation.

dbkelly
NetApp Employee on ‎2013-04-12 01:03 PM

maliu - I already have this fixed in my sandbox build.   This will be addressed inversion 2.3.

CHRIS_K_AU
on ‎2013-04-18 09:10 PM

I'm also having the invalid capablity issue when trying to create a user for VSC 4.1P1.

I have determined that there is indeed an error in the XML defining the capabilities for 4.1P1. The fix is as / follows:

Replace the following 3 lines:

            <api>api-volume-list-iter-end</api>
            <api>api-volume-list-iter-next</api>
            <api>api-volume-list-iter-start</api>

With these 3 lines:

            <api>api-volume-list-info-iter-end</api>
            <api>api-volume-list-info-iter-next</api>
            <api>api-volume-list-info-iter-start</api>

You should find each one twice, 6 replacements total.

I just used this to create a user from scratch for VSC 4.1P1 roles: Discover, Clone, Create Storage and Modify Storage.

Enjoy.

dbkelly
NetApp Employee on ‎2013-05-09 10:15 AM

Version 2.3 has been posted.

What's New?

- Added support for VSC 4.2 for VMware vSphere

- Added support for SRA for VMware SRM

- Added support for Snap Creator Framework 4.0  (Thanks John)

- Added support for VSC for Citrix XenServer (Thanks Gabe)

- Added support for NetApp Recovery Manager for Citrix ShareFile (Thanks Gabe)

- Removed clear text passwords in the log file

- Fixed the XML syntax error for VSC 4.1P1

- Other miscellaneous bug fixes

dbkelly
NetApp Employee on ‎2013-05-13 02:17 PM

Special thanks to Chris Knowling for adding support for OnCommand Unified Manager (DFM) 5.1.    This is the first community contribution for the RUC tool!    

Version 2.3.4881.28244 has been posted.

What's New?

- Added support for OnCommand Unified Manager 5.1


chao
NetApp Employee on ‎2013-05-19 10:19 PM

Hi Kelly

I installed 2.3 and love it.  I have a question for OnCommand Unified manager for Cluster-mode.  I found I could not select version when I want to create a account for UM in cluster-mode environment.  Any tips?

BR

TC

chao
NetApp Employee on ‎2013-05-19 10:33 PM

Is there a RBAC user creator list that which software are supported in cluster-mode?  Thanks a lot!

dbkelly
NetApp Employee on ‎2013-05-20 04:39 AM

chao,

Although the RUC tool supports both 7-mode and cDOT, I only have 7-mode privs for OnCommand Unified Manager.  If you or someone else here can point me to a KB where the cDOT privs are listed, I'd be happy to add it. 

I can pull a list together on which products I have cluster-mode privs for. We need to be careful when we talk about support for cluster-mode.   The product supporting cluster-mode and the RUC tool having privs for cluster-mode may be two different things.   For instance, OnCommand Unified Manager supports both 7-mode and cDOT, the RUC tool only has privs for 7-mode at this point.

chao
NetApp Employee on ‎2013-05-20 06:03 AM

I see and fully understand.  I really love this tool and help it could help us everywhere.      I also drop a question in UM  space and hope someone could reply.

https://communities.netapp.com/thread/29386

Yes, would you please provide list (even an "unofficial list") about which products you already develop for Cluster-mode?  It will be helpful.

CHRIS_K_AU
on ‎2013-05-20 08:31 PM

I got the 7mode privs from the DFM install manual. I’m too busy at present to actually look that up for you though.

Chris Knowling

f_duranti
on ‎2013-05-27 07:32 AM

Hi, I've installed VSC 4.2 and was creating a new user to manage it and configure all the necessary to make it work.

Creating the user/role/group and using it on the controller in VSC 4.2 tell me that some permission are missing for the backup/recovery:

api-fcp-node-get-name,api-file-list-directory-iter-end,api-file-list-directory-iter-next,api-file-list-directory-iter-start,api-igroup-destroy,api-iscsi-initiator-list-info,api-iscsi-node-get-name,api-lun-create-from-snapshot,api-lun-get-serial-number,api-lun-restore-status,api-net-ifconfig-get,api-nfs-exportfs-storage-path,api-snapmirror-list-destinations,api-snapshot-delete,api-snapshot-rename,api-snapshot-restore-file,api-snapshot-restore-volume,api-system-api-list,api-vfiler-create,cli-snap,cli-system

The controller is a 7-mode version 8.1.2.

dbkelly
NetApp Employee on ‎2013-05-28 06:30 AM

Francesco, Sorry to hear you are having problems, I'll take a look and try to reproduce this issue.   In the meantime, can you send me a screenshot of the tool and the log file? 

dbkelly
NetApp Employee on ‎2013-05-28 10:04 AM

I just reproduced the issue in my lab.   It appears to be isolated to the B&R role only.   The other roles are being created correctly.   

dbkelly
NetApp Employee on ‎2013-05-28 11:21 AM

I just uploaded a new version of the tool.   Basically, I messed up the label in the XML for the Backup & recovery role.  This is fixed in version 2.3.4896.22885.   

cecil
NetApp Employee on ‎2013-06-12 11:01 AM

For half my systems the tool works create, on the others I get a "Failed to invoke API" error after the attempt to "system-get-version". Obviously it's a filer side issue but do you have any tips on tracking this down? All of my controllers are running 8.1.1 7-mode. Thank you!

dbkelly
NetApp Employee on ‎2013-06-12 02:46 PM

Cecil, send me the logs and I will take a look.

bernardo
NetApp Employee on ‎2013-06-13 12:26 PM

Using the latest RBAC User tool to create a a vscadmin user and get missing rights when this user

is used in VSC4.2. 

This is an 8.1.2P4  cdot cluster and The missing rights are

system license show;  volume efficiency show

I checked the RBAC User tool xml file and those commands seem to be there.

I added these missing rights using "security login role modify -role vscadmin -cmddirname"

which solved my problem.

Has anybody seen this before?

dbkelly
NetApp Employee on ‎2013-06-14 05:49 AM

bernardo,

I just double-checked the ontapPrivs.xml; you're right, those privileges are listed there.   Curious, what ONTAP roles are you selecting?   Could I get a screenshot of the RUC tool, perhaps?

I'm really curious about what could be happening here.    Can you email the logs to me?

f_duranti
on ‎2013-06-17 12:20 AM

I have some problems with the OnCommand role definition. We use oncommand also to manage backup with snapcreator and it seems there are some needed api that are missing:

'api-volume-size' 

'api-snapshot-delete' 

'api-perf-object-instance-list-info' 

'cli-vfiler' 

'api-clock-get-timezone' 

'cli-options' 

f_duranti
on ‎2013-06-17 12:27 AM

I had another problem related to the user creation for a Site Recovery Manager SRA account. The user is not created because the comment field seems too long (>128 char).

dbkelly
NetApp Employee on ‎2013-06-25 05:11 AM

Francesco,  thanks for the feedback.   I don't recall seeing those privileges when I was testing the OnCommand role.   Perhaps, it has something to do with using OnCommand and SnapCreator?   I don't know.   Anyway, I will get those added for the next release.    In the meantime, you can add those missing privs yourself.   Just follow the XML format and you should be all set.  

Interesting comment about the comment field.   Yes, it is delimited to 128 characters.    I use the roleDescription field in the XML file for the comment.    I guess "Storage Replication Adapter for VMware Site Recovery Manager" is a bit too long.    Since you are already editing the XML file, please go ahead and shorten the SRA description field.    You can make it anything you want.

         <product id="srm" label="SRA for VMware SRM" description="Storage Replication Adapter for VMware Site Recovery Manager">

  "SRA for VMware SRM" should work.

I'll get this fixed in the next release.

avbohemen
on ‎2013-08-05 03:11 AM

It looks like there is an error in the ontapPrivs.xml for the VSC user: it says:

   <ontap-dependent value="8.1.2-">
   <api>api-raid-info-listdisk</api>
   <api>api-raid-info-listplex</api>
   </ontap-dependent>

Where it should be 8.1.2+. This is for Create-Clones, Create-Storage, Modify-Storage and Destroy-Storage, so I changed 4 entries in the xml file.

I am setting up a VSC user with ONTAP 8.1.3 7-mode, and after I changed the minus-sign to the plus-sign, I correctly got al privileges in VSC.

CSCOTTENO
on ‎2013-08-13 09:50 AM

Hi,

Glad this app exists!  Any chance in future builds of being able to give it a list of controllers instead of going one-at-a-time?  Such as if I want to add a DFM account to 30+ controllers, could there be an XML file or somesuch that could be provided to the app and then let it go do its thing?

Thanks for making this application!

dbkelly
NetApp Employee on ‎2013-08-28 11:10 AM

Thanks Anton.   Actually, the value should be '8.1.99-'.   Those API have been deprecated in 8.2.