I'm researching the possibility of using Snap Creator 4.0.0 to automate Oracle backups in a secure multi-tenant design with Clustered ONTAP 8.2. Each customer will have VLAN tagged Vservers and will only be able to connect to their Vserver and will not be able to connect to the Cluster Management Vserver.
I'm reading through the Snap Creator Framework 4.0.0 Installation and Administration Guide and became concerned when I read this on page 18:
Creating a Snap Creator user for clustered Data ONTAP
Clustered Data ONTAP requires creation of two users on the clustered Data ONTAP system—a cluster user and a virtual storage server (vserver) user. Both users require the HTTP, ONTAPI library, and Secure Shell (SSH) applications.
This leads me to believe that each Snap Creator Server will need to connect to the Cluster Management Vserver and this would make it necessary to open up a route and firewall rules to allow connections form every customer VLAN to the Cluster Management Vserver.
Please let me know if there is some way to make use of Snap Creator Framework to automate Oracle backups without changing a typical secure multi-tenant design.
SC 4.0 supports Clustered ONTAP 8.1.x and in this version of ONTAP we needed to go through the cluster for a few APIs because they were not available directly in vServer which is why we required both cluster creds and vserver.
SC 4.1 will support ONTAP 8.2 and starting from them we will no longer require cluster credentials for ONTAP 8.2 (clustered ontap) or higher. Unfortunately SC 4.1 is not out yet still 2-3 months out but it is coming. There will be a sort of beta (called community release) available on www.snapcreator.com prio to this but I cannot say at this time exactly when.
What you can try with SC 4.0 is use a global config and add the cluster credentials their. Then when a user or tenant configures they can import from global. The only issue is the server where SC runs must be able to communicate with cluster and vserver which I know breaks secure multi-tenancy. The release you want is SC 4.1 really to be honest.
Let me know if this helps or you have any other thoughts or ideas on how to proceed forward with this limitation?
Thanks Keith for taking time to provide this detailed answer! As luck would have it, our customer can wait three months for SC 4.1 to become GA. So, we'll watch for the community release before spending too much time trying to fit this solution into our secure multi-tenant design.