I am new to NetApp Harvest and trying to set up the metrics collection. I followed the documentation for setting up the netapp-harvest role, but when I grant "cluster identity show" permissions I see permissions added for modify and create after running the command. Is there a way to restrict NetApp Harvest to only show commands instead of modify and create?
For example I see
security login role create -role netapp-harvest-role -cmddirname "network interface show"
Warning: This operation will also affect the following commands: "network interface create" "network interface delete" "network interface modify"
The above happens for all the commands listed in the document, and I end up with the permissions below after installation:
netapp-harvest-role DEFAULT none
cluster identity modify readonly
cluster identity show readonly
cluster modify readonly
cluster show readonly
lun create readonly
lun modify readonly
lun show readonly
network interface create readonly
network interface delete readonly
network interface modify readonly
network interface show readonly
qos workload delete readonly
qos workload modify readonly
qos workload show readonly
statistics readonly
system node modify readonly
system node show readonly
version readonly
Could someone assist me: can the role be restricted to only the show commands, as given in the installation guide, or is the above by design?
No worries, that is still effectively read-only access.
As you can see, even the "create" subcommand is marked with "readonly", which basically means it cannot create anything :). You can verify that, if you want, by logging into that account and trying to create or modify things.
As a side note, I personally use the built-in "readonly" role for Harvest. It allows reading anything, but not modifying or creating. Recent versions of Harvest add additional capabilities, which won't work if you follow the old guide and only add the listed commands to the custom role. Using the "readonly" role should always work, even when Harvest gets new features. Obviously, if you want to limit even the read access to only specific sections, you need to use the purpose-built role.
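As an added illustration of the reply above (not part of the original thread, and not taken from the Harvest project's documentation), here are the ONTAP clustershell commands to inspect the custom role's access level, to bind a Harvest login to the built-in readonly role instead, and to run the "try to modify something" check the reply suggests. The user name harvest, the cluster name cluster1, and the assumption that this Harvest version talks to ONTAP over both ZAPI (application ontapi) and REST (application http) are placeholders, not facts from the page.

```console
# Added example: ONTAP clustershell, run as a cluster administrator.
# "harvest" and "cluster1" are assumed placeholder names.

# 1. Inspect the custom role from the question. Every entry, including the
#    create/modify/delete directories that the warning pulled in, shows
#    Access Level "readonly", which is why the role cannot change anything.
cluster1::> security login role show -role netapp-harvest-role

# 2. Alternative from the reply: bind the Harvest login to the built-in
#    "readonly" role. Assumption: this Harvest release uses both ZAPI
#    (ontapi) and REST (http), so each application needs its own login entry.
cluster1::> security login create -user-or-group-name harvest -application ontapi -authentication-method password -role readonly
cluster1::> security login create -user-or-group-name harvest -application http -authentication-method password -role readonly

# 3. The check the reply recommends: give the same account an ssh login,
#    open a separate session authenticated as "harvest", and attempt a modify.
#    Because the access level is readonly, the command is rejected rather
#    than applied. Remove the ssh login again once the test is done.
cluster1::> security login create -user-or-group-name harvest -application ssh -authentication-method password -role readonly
# ... in a session logged in as "harvest":
cluster1::> cluster identity modify -name cluster1-renamed
# ... back as the cluster administrator:
cluster1::> security login delete -user-or-group-name harvest -application ssh -authentication-method password
```

The same step 3 works against the custom netapp-harvest-role from the question: the "create", "modify" and "delete" entries it acquired are all marked readonly, so a modify attempt through that role is rejected in the same way.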