* CORRECTION/UPDATE * - I just grabbed what I think is the latest RBAC/privs file and it doesn't look like it'll work - no version # for OCUM appears in the tool. I pinged dbkelly to see if I'm just missing something...
Yes - I have a question into the product team as to what version of the privs.xml file has OCUM 7.x included. I know we had a working version at one point but not sure why it's not working now (and/or if I'm just completely mis-remembering it).
Upfront warning - this user setup below is not approved by NetApp support and they won't take any responsibility for failed polling, missing data, alarms not triggering/catching issues, etc. I don't expect any issues with this configuration but wanted to be as clear on this as possible.
I've had success using a limited role with OCUM/OPM 7.1 using the commands below:
- A limited role is set up with access to the 'cluster application-record' command tree. This is where ONTAP tracks what OCUM/OPM/WFA instances are managing the cluster.
- OCUM also demands access to the 'metrocluster' command tree and polling fails without this access.
- A SPI role is created to allow OCUM/OPM to pull performance files.
- A login is created with http/ontapi access. All connectivity should be through API calls for most metrics, or HTTP calls to the SPI interface to pull performance data.
Good morning - thanks a bunch for posting that role/account listing. I had some time this morning so I tried setting up an account that way and applying it to the cluster data sources section on our COOP/non-prod cluster. Anyway, after I updated the credentials on this particular cluster I got a "cluster login failed" status inside OCUM 7.2 - then no polling would occur and the cluster was unreachable. I gave it a bit just to see if the polling cycle would pick it back up, but no dice.
I went ahead and added an ssh privilege to the role and verified the acct/pswd work via an interactive shell (i.e. just making sure I didn't fat-finger anything) but OCUM must be trying some method/whatever that isn't supported in the role as you've specified. Any ideas what might be missing and/or where I'd look to see what the specific problem was?
Okay - so I get the honorary "follow the rules dummy" award. Anyway, I looked at your role list and saw the "metrocluster modify/show" and said "oh, we don't run metrocluster" so I didn't add those. My colleague said, "well maybe if it gets a deny on any call it says discover failed". We added those two permissions and voila - it works.
We'll let it run against our COOP cluster and make sure things look good and then apply it to the other clusters.
Thanks so much for the list - wish I had just followed it correctly in the first place!
Happens to all of us at one point or another! I'm glad that OCUM is no longer complaining about failed polling. I haven't had a chance to test out 7.2 with this custom role yet - let me know if you see any issues.