Active IQ Unified Manager Discussions

OnCommand WFA Workflow to update or delete export rule cdot

LucasVDP
6,068 Views

IHAC that is new to cDOT (8.3.x) and WFA. They are looking to create RBAC process to allow certain users to either add or delete export rules to an existing export policy on select SVMs. I'm not sure how to create. Does anyone already have this created in WFA and that can share with me please?

 

Thanks.

7 REPLIES 7

hariprak
6,041 Views

Hi,

 

Hope this helps https://community.netapp.com/t5/OnCommand-Storage-Management-Software-Articles-and-Resources/Video-Applying-Role-Based-Access-Control-RBAC-to-your-wor...

 

Thanks

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

LucasVDP
6,033 Views

Thank. This is part of what I need. I still need the workflow to add or delete export rules. Do you have that? Again, the need is to be able to update what workstations can access an export. I don't need to create new export policies or volumes; I just need to update the existing ones.

 

Thanks.

abhit
5,989 Views

1. There is a Create Export Rule command in WFA which is precanned. This will help you in adding. You have to develop a command to delete the same.

 

"Creates an Export rule configuration. If the specified policy does not exist, the "Create CM export rule" command will create the export policy in the given cluster/Storage Virtual Machine and then create the export rules in the new policy with the specified parameters."

 

2. In the playground DB you need to add the list of workstations. In the user inputs you need to take care which workstation will be able to access what kind of exports.

This will have to taken care via SQL queries.

 

Regards
Abhi

 

 

 

mbeattie
5,963 Views

Hi Lucas,

 

Here is the WFA command code to remove a client from an export policy.

Rather than use the playground mysql database as suggested...

 

I'd recommend you simply query the rule index matching the client (much simpler)

 

Hope this helps

 

/Matt

 

Param(
   [Parameter(Mandatory=$True, HelpMessage="The cluster name or IP Address")]
   [String]$ClusterName,
   [Parameter(Mandatory=$True, HelpMessage="The vserver name")]
   [String]$VserverName,
   [Parameter(Mandatory=$True, HelpMessage="The NFS export policy name")]
   [String]$PolicyName,
   [Parameter(Mandatory=$False, HelpMessage="The NFS export policy rule index number")]
   [Int]$RuleIndex,  
   [Parameter(Mandatory=$True, HelpMessage="The IP address or FQDN of the NFS client")]
   [String]$ClientMatch,
   [Parameter(Mandatory=$False, HelpMessage="The maximum number of ZAPI retry attempts")]
   [Int]$ZapiRetryCount   
)
#'------------------------------------------------------------------------------
#'Connect to cluster
#'------------------------------------------------------------------------------
Connect-WFACluster $ClusterName
#'------------------------------------------------------------------------------
#'Check if the Export Policy exists on the vserver.
#'------------------------------------------------------------------------------
Get-WFALogger -Info -Message "Enumerating export policy ""$PolicyName"" on vserver ""$VserverName"""
[String]$command = "Get-NcExportPolicy -VserverContext $VserverName -Name $PolicyName -ErrorAction Stop"
Try{
   $policy = Invoke-Expression -Command $command -ErrorAction Stop
   Get-WFALogger -Info -Message "Executed Command`: $command"
}Catch{
   Get-WFALogger -Error -Message $("Failed Executing Command`: $command. Error " + $_.Exception.Message)
   Throw "Failed enumerating export policy ""$PolicyName"" on vserver ""$VserverName"""
}
#'------------------------------------------------------------------------------
#'Raise an error if the export policy does not exist.
#'------------------------------------------------------------------------------
If(-Not($policy)){
   Throw "The export policy ""$PolicyName"" does not exist on vserver ""$VserverName"""
}
#'------------------------------------------------------------------------------
#'Enumerate the index number of the client in the export policy rules.
#'------------------------------------------------------------------------------
$query = Get-NcExportRule -Template
$query.ClientMatch = $ClientMatch
$query.PolicyName  = $PolicyName
$query.Vserver     = $VserverName
Try{
   $exportRules = Get-NcExportRule -Query $query -ErrorAction Stop
}Catch{
   Get-WFALogger -Error -Message $("Failed enumerating export policy rules for policy ""$PolicyName"" on vserver ""$VserverName"". Error " + $_.Exception.Message)
   Throw "Failed enumerating export policy rules for policy ""$PolicyName"" on vserver ""$VserverName"""
}
#'------------------------------------------------------------------------------
#'Raise an error if the export policy rules don't exist.
#'------------------------------------------------------------------------------
If(-Not($exportRules)){
   Throw "Failed enumerating an export policy rule matching client ""$ClientMatch"" in export policy ""$PolicyName"" on vserver ""$VserverName"""
}
#'------------------------------------------------------------------------------
#'Enuemrate and set the rule index number if not provided or raise an error.
#'------------------------------------------------------------------------------
If(-Not($RuleIndex)){
   $RuleIndex = $exportRules.RuleIndex
   If($RuleIndex -eq $Null -Or $RuleIndex -eq ""){
      Throw "Failed enumerating an export policy rule matching client ""$ClientMatch"" in export policy ""$PolicyName"" on vserver ""$VserverName"""
   }
}
#'------------------------------------------------------------------------------
#'Create the command to remove the export policy rule.
#'------------------------------------------------------------------------------
[String]$command = "Remove-NcExportRule -Policy $PolicyName "
If($RuleIndex){
   [String]$command += "-Index $RuleIndex "
}
If($ZapiRetryCount){
   [String]$command += "-ZapiRetryCount $ZapiRetryCount "
}
[String]$command += "-VserverContext $VserverName -Confirm:`$False -ErrorAction Stop"
#'------------------------------------------------------------------------------
#'Execute the command to remove the export policy rule.
#'------------------------------------------------------------------------------
Try{
   Invoke-Expression -Command $command -ErrorAction Stop
   Get-WFALogger -Info -Message "Executed Command`: $command"
   Get-WFALogger -Info -Message "Removed export policy rule for ""$ClientMatch"" in export policy ""$PolicyName"" on vserver ""$VserverName"""
}Catch{
   Get-WFALogger -Error -Message $("Failed Executing Command`: $command. Error " + $_.Exception.Message)
   Throw "Failed removing export policy rule for ""$ClientMatch"" in export policy ""$PolicyName"" on vserver ""$VserverName"""
}
#'------------------------------------------------------------------------------
If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

DavidSpano
4,900 Views

I just implemented the code provided and it works great.  Thanks Matt.

StevenB1016
4,779 Views

Hi,

I've added your code as a command and it works great.   I am struggling on one aspect though,  in my environment I can have a single clientmatch rule in multiple export policies.  I'm trying to figure out how to loop through all my export policies with the matching clientmatch rule and remove it.   I can easily do it via a query (mult-select), but it requires the user to select the returned values.  I'm looking more for a method to loop through without user intervention.   If there was a way to default all the multi-select options to selected I would be done, but if there is a documented way I haven't found it.  Thoughts?

StevenB1016
4,757 Views

Never mind,

 

I finally figured it out using GROUP_CONCAT to put the query results in a CSV list and then use getValueAt to loop through the list.   

Regards,

 

Steve

Public