OnTap granular debugging of role access

fwdalrymple — Tue, 19 Mar 2019 15:01:28 GMT

I'm building an automation suite to handle some of the day to day for our storage administrators. In doing so I want to grant the service user the least privilege necessary to achieve the desired outcome. Since updating my Ansible machine to the current dev release even na_ontap_gather_facts doesn't work without some sort of write permissions.

clustername::*> security login role show -role ansible-user
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
clustername ansible-user DEFAULT                                      readonly
                          system node autosupport                      all
2 entries were displayed.

Note that I've added the 'autosupport / all' component as that's the first change I want to test.

I could sift through the Ansible code, but it seems to me that there should be a more straightforward way from the audit log to identify the specific privilege requested that's being denied. This is what is in the audit log:

Tue Mar 19 14:24:15 2019  clustername-2  [kern_audit:info:14677] 8503e9000000081c :: clustername:ontapi :: 10.170.38.66:34252 :: clustername:unknown :: Error: POST /servlets/netapp.servlets.admin.XMLrequest_filer HTTP/1.1 401 Unauthorized
Tue Mar 19 14:24:15 2019  clustername-2  [kern_audit:info:2152] 8503e9000000081d :: clustername:ontapi :: 10.170.38.66:34254 :: clustername:ansible-user :: <netapp xmlns="http://www.netapp.com/filer/admin" version="1.110" vfiler="clustername"><ems-autosupport-log><computer-name>Ansible</computer-name><event-id>12345</event-id><event-source>na_ontap_gather_facts</event-source><app-version>2.8.0.dev0</app-version><category>Information</category><event-description>setup</event-description><log-level>6</log-level><auto-support>false</auto-support></ems-autosupport-log></netapp> :: Pending
Tue Mar 19 14:24:15 2019  clustername-2  [kern_audit:info:2152] 8503e9000000081d :: clustername:ontapi :: 10.170.38.66:34254 :: clustername:ansible-user :: Insufficient privileges: user 'ansible-user' does not have write access to this resource :: ONTAPI :: Error

I recall having the capability to see privileges denied at a very granular level in 7-mode then being able to correct them as they come up. Where is this functionality in cDOT, or am I just not reading the audit logs the way they're meant to be read?

Re: OnTap granular debugging of role access

PaulF — Mon, 08 Apr 2019 14:14:58 GMT

Same issue here, i can't work out what permission is missing when creating and export policy. If I SSH i can create the policy so it looks like the user has the correct permisions. Do you have any tips to sift through the Ansible code?

Re: OnTap granular debugging of role access

RamK — Wed, 08 Apr 2020 15:03:53 GMT

I just ran into a similar situation and discovered the fix. ontap_gather_facts and ontap_info fail when trying to create a log entry. The role requires access to the 'event' command directory.

sec login role create -role ansible-user -cmddirname event -access all

topic OnTap granular debugging of role access in ONTAP Discussions

OnTap granular debugging of role access

Re: OnTap granular debugging of role access

Re: OnTap granular debugging of role access