Active IQ Unified Manager Discussions
I would like to configure on our NetApp storage systems a user who will be allowed to connect via ssh and will only be allowed non-modifying commands.
For example, I would like to allow him commands like these:
vol status <volname>
aggr status -r (or -s / -f)
lun show -m -g <igroup_name>
But not allow him commands like these:
vol size <volname> +Xg
aggr add <aggr_name> <ndisks> / aggr offline <aggr_name>
lun offline <lunpath>
Does anyone know if such a role with the corresponding capabilities exists (or already have one)?
If not, where can I find an exhaustive list of all existing capabilities so that I can build such a role?
As you mentioned, the "Role-Based Access Controls in Data ONTAP™: Granular Administration of Capabilities" doc is a great one.
It explains (with examples) how to implement RBAC.
At the end of the document (page 9), there's a list of all cli- capabilities.
The problem is that this document is now 4+ years old.
I'm sure that, since then, new capabilities have been implemented in DOT.
I was not able to find any up-to-date list of implemented capabilities for DOT 7.2.4, 7.2.5, 7.2.6 or 7.3.
I would be really interested in a per-release exhaustive list of implemented capabilities.
Moreover, with such year-2004 capabilities, when for example cli-aggr-* is granted to a role, a user with that role assigned will not only be able to perform "aggr status -r/-s/-f" but also aggr offline/destroy commands.
I want to be more granular than that.
I hope that this is possible with the new capabilities that were probably introduced in DOT since then.
It would be really great if someone has already implemented such a role that is limited to "read-only" cli- capabilities.
OnTap sysadmin guide seems to be a good place to start for any changes to this capability.
I'm looking in the 7.3 sysadmin guide http://now.netapp.com/NOW/knowledge/docs/ontap/rel73/pdfs/ontap/sysadmin.pdf
There is a filerview-readonly option - GUI only of course.
On page 109:
Grants the specified role read-only access to FilerView. This capability type includes only the filerview-readonly capability, which grants the specified role the capability to view but not change manageable objects on systems managed by FilerView.
There is no predefined role or group for read-only FilerView access. You must first assign the filerview-readonly capability to a role and then assign the role to a group, before you can create a user in such a group.
A colleague already informed me about this filerview-readonly capability that was introduced in DOT 7.3.
On page 107 of the "Data ONTAP® 7.3 System Administration Guide", there is a short list of capabilities present in DOT 7.3.
Does anybody know if I can find an exhaustive per-release capability list?
Some of our systems are still running DOT 7.2, and anyway my goal is to define a read-only role for cli- commands.
It would be great if I could add a bunch of cli- capabilities into a role so that it would behave like the filerview-readonly role, but on the cli side.
I already tried with cli-readonly, also on DOT 7.3, but there's no such capability defined yet.
To be granular I need to know all capabilities that exist. I really searched for this, and I was not able to find such a list yet.
It would be nice to find that exhaustive list that you are requesting. Funny that no one from NetApp seems to have one. Seems to be the case on a few matters that have come up. Like things are only partially thought through.
You can check the capabilities of a NetApp via API (or just via the ZExplore tool).
The API call to consider would be: system -> system-api-list
In the XML output, see attachment, you could grep for "<name>" and then for things like "read" and "list"... those should be your "safe APIs"
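The filtering step described in the post above, as an added example (not code from the thread or from NetApp): it matches whole hyphen-separated words instead of grepping substrings, so a name containing "thread" is not taken for "read", and a name that also carries a state-changing word is set aside for manual review. The XML layout, the `example-*` names and the `WRITE_WORDS` list are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like system-api-list output. The element layout
# is assumed and the example-* names are made up; not captured from a filer.
SAMPLE_XML = """<results status="passed">
  <apis>
    <system-api-info><name>volume-list-info</name></system-api-info>
    <system-api-info><name>aggr-list-info</name></system-api-info>
    <system-api-info><name>lun-list-info</name></system-api-info>
    <system-api-info><name>volume-size</name></system-api-info>
    <system-api-info><name>aggr-offline</name></system-api-info>
    <system-api-info><name>lun-offline</name></system-api-info>
    <system-api-info><name>example-thread-set</name></system-api-info>
    <system-api-info><name>example-list-delete</name></system-api-info>
  </apis>
</results>"""

READ_WORDS = {"read", "list"}  # the keywords suggested in the post above
# Assumed set of words that signal a state change; extend for your release.
WRITE_WORDS = {"set", "add", "create", "modify", "delete", "destroy",
               "offline", "online", "rename"}


def classify(xml_text):
    """Sort API names into candidate / review / excluded buckets."""
    buckets = {"candidate": [], "review": [], "excluded": []}
    for elem in ET.fromstring(xml_text).iter("name"):
        name = (elem.text or "").strip()
        words = set(name.split("-"))
        if not words & READ_WORDS:
            buckets["excluded"].append(name)   # no read keyword: leave out
        elif words & WRITE_WORDS:
            buckets["review"].append(name)     # mixed signals: check by hand
        else:
            buckets["candidate"].append(name)  # read keyword only
    return buckets


if __name__ == "__main__":
    for bucket, names in classify(SAMPLE_XML).items():
        print(f"{bucket}: {', '.join(names)}")
```

A name in the candidate bucket is only a name match; check each one against the API documentation for the release before granting it to a role.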
Where can I find info for 8.x?