Active IQ Unified Manager Discussions

"Read only" cli- user

xavierpitz
8,207 Views

Hello,

I would like to configure on our NetApp storage systems a user who will be allowed to connect via SSH, and who will only be allowed to run non-modifying commands.

For example, I would like to allow him commands like these:

vol status <volname>

aggr status -r (or -s / -f)

rdfile <filepath>

snap list

lun show -m -g <igroup_name>

But not allow him commands like these:

vol size <volname> +Xg

aggr add <aggr_name> <ndisks> / aggr offline <aggr_name>

wrfile <filepath>

snap delete

lun offline <lunpath>

Does someone know if such a role with the corresponding capabilities exists (or already have one)?

If not, where can I find an exhaustive list of all existing capabilities so that I can build such a role?

Best Regards,


donaldmann

xavierpitz

Hello,

As you mentioned, the "Role-Based Access Controls in Data ONTAP™: Granular Administration of Capabilities" doc is a great one.

It explains (with examples) how to implement RBAC.

At the end of the document (page 9), there's a list of all cli- capabilities.

The problem is that this document is now 4+ years old.

I'm sure that, since then, new capabilities have been implemented in DOT.

I was not able to find any up-to-date list of implemented capabilities for DOT 7.2.4 7.2.5 7.2.6 or 7.3.

I would be really interested in a per release exhaustive list of implemented capabilities.

Moreover, with such year-2004 capabilities, when for example cli-aggr-* is granted to a role, a user with this role assigned will not only be able to perform "aggr status -r/-s/-f" but also aggr offline/destroy commands.

I want to be more granular than that.

I hope that this is possible with the new capabilities that were probably introduced in DOT since then.

It will be really great if someone already implemented such a role that is limited to "read-only" cli- capabilities.

Regards,

donaldmann

The OnTap sysadmin guide seems to be a good place to start for any changes to this capability.

I'm looking in the 7.3 sysadmin guide http://now.netapp.com/NOW/knowledge/docs/ontap/rel73/pdfs/ontap/sysadmin.pdf

There is a filerview-readonly option - GUI only of course.

On page 109:

Grants the specified role read-only access to FilerView. This capability type includes only the filerview-readonly capability, which grants the specified role the capability to view but not change manageable objects on systems managed by FilerView.

Note: There is no predefined role or group for read-only FilerView access. You must first assign the filerview-readonly capability to a role and then assign the role to a group, before you can create a user in such a group.

xavierpitz

Hello,

A colleague already informed me about this filerview-readonly capability that was introduced in DOT 7.3.

On page 107 of the "Data ONTAP® 7.3 System Administration Guide", there is a short list of capabilities present in DOT 7.3.

Does anybody know if I can find an exhaustive per-release capability list?

Some of our systems are still running DOT 7.2, and anyway my goal is to define a read-only role for cli- commands.

It would be great if I could add a bunch of cli- capabilities into a role so that it would behave like the filerview-readonly role, but on the CLI side.

I already tried with cli-readonly, also on DOT 7.3, but there's no such capability defined yet.

To be granular I need to know all the capabilities that exist. I really searched for this, and I was not able to find such a list yet.

Regards,

ASUNDSTROM

It would be nice to find that exhaustive list that you are requesting.  Funny that no one from NetApp seems to have one.  Seems to be the case on a few matters that have come up.  Like things are only partially thought through.

anton_oks

You can check the capabilities of a NetApp via API (or just via the ZExplore tool).

The API call to consider would be: system -> system-api-list

In the XML output (see attachment), you could grep for "<name>" and then for things like "read" and "list"... those should be your "safe APIs".

Have fun

Anton
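One way to do the sorting Anton describes, as an added example that is not part of this thread: parse the system-api-list reply, split each API name on hyphens, and keep only names whose verbs are query-like while rejecting anything that contains a state-changing verb. The XML element names, the api-<name> capability form, and the sample reply are all assumptions constructed for the example, not output from a real controller.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a system-api-list reply (element names assumed).
SAMPLE_API_LIST = """<results status="passed">
  <apis>
    <system-api-info><name>aggr-list-info</name></system-api-info>
    <system-api-info><name>aggr-offline</name></system-api-info>
    <system-api-info><name>volume-list-info</name></system-api-info>
    <system-api-info><name>volume-size</name></system-api-info>
    <system-api-info><name>snapshot-list-info</name></system-api-info>
    <system-api-info><name>snapshot-delete</name></system-api-info>
    <system-api-info><name>lun-list-info</name></system-api-info>
    <system-api-info><name>lun-offline</name></system-api-info>
    <system-api-info><name>file-read-file</name></system-api-info>
    <system-api-info><name>file-write-file</name></system-api-info>
    <system-api-info><name>system-get-version</name></system-api-info>
    <system-api-info><name>quota-report</name></system-api-info>
  </apis>
</results>"""

# Name components that indicate a query rather than a change.
READ_ONLY_VERBS = {"get", "list", "read", "status", "show", "info", "check"}
# Name components that always change state. Any one of these wins over a
# read-like word in the same name, so "file-write-file" is never "safe".
MODIFYING_VERBS = {"set", "create", "destroy", "delete", "add", "remove",
                   "modify", "offline", "online", "rename", "resize",
                   "size", "write", "restore"}

def api_names(xml_text):
    root = ET.fromstring(xml_text)
    return [n.text.strip() for n in root.iter("name") if n.text]

def is_modifying(name):
    return bool(set(name.split("-")) & MODIFYING_VERBS)

def is_read_only(name):
    # Only names with a query verb and no modifying verb count as read-only.
    return not is_modifying(name) and bool(set(name.split("-")) & READ_ONLY_VERBS)

def safe_api_capabilities(xml_text):
    # Capability names are assumed to take the form api-<api-name>.
    return ["api-" + n for n in api_names(xml_text) if is_read_only(n)]

def unclassified(xml_text):
    # Names matching neither list need a manual decision; never grant by default.
    return [n for n in api_names(xml_text)
            if not is_read_only(n) and not is_modifying(n)]
```

The "unclassified" list is the part to review by hand before building the role, since a name like quota-report carries no verb the filter recognises.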

D_BEREZENKO

Where can I find info for 8.x?
