Data Backup and Recovery Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Data Backup and Recovery Discussions

Start a New Post

Snapcreator as a mechanism for delegating data protection operations

rmharwood
‎2011-11-22 12:43 PM

Hi folks,

Been looking at the SC (3.4.0) framework for a week or so. I am wondering if it is considered to be a useful platform for delegating control of filer operations (snapshots, clones, snapmirror and snapvault updates). Right now I have a handful of users that have to run such operations and as such they have accounts on various filers with the minimum privileges needed to perform such operations. However, the filer RBAC controls are far too wide and I can't limit these operations to particular volumes, for example. I like the idea of using our DFM server to set up a proxy by which all commands go through but I have to provide a simple interface so that snapshots and clones (et cetera) may be run from shell scripts.

From my research it would appear that a SC server would be required for each platform that needs to initiate such operations. Am I correct in this?

It also appears that you cannot configure DFM proxy via the GUI because it insists on a filer's credentials being entered. I have not tried CLI configuration as yet.

Has anyone else used this mechanism to delegate control in this manner or am I really trying to use the wrong tool here?

Any insight or advice would be appreciated.

Richard

0 Likes
5 Replies
5 REPLIES 5

Re: Snapcreator as a mechanism for delegating data protection operations

ktenzer
NetApp
‎2011-11-29 10:31 AM

Hi Richard,

Yes SC can initiate all APIs through DFM proxy which means users would need access to the scServer or run their own scServer. This is limitted however to things Snap Creator does which I think was clear by your statment. So you cant just send any API or CLI command to DFM server through Snap Creator.

As for support in GUI, you are correct in 3.4 it is only supported through CLI. In 3.5 which releases on Jan 12 2012 it will also be fully supported in GUI. We also added RBAC capabilities in SC itself for those who want to control things more granular so that combo + DFM proxy makes an interesting use case

Regards,

Keith

0 Likes
5 Replies

Re: Snapcreator as a mechanism for delegating data protection operations

rmharwood
‎2011-12-02 12:35 PM

Thanks for the reply. If I ever get it working well then perhaps I will document it for everyone's benefit.

Richard

0 Likes
5 Replies

Re: Snapcreator as a mechanism for delegating data protection operations

magnus_nyvall
‎2011-12-07 04:01 AM

What are the minimum rights for the OM user if you use USE_PROXY=Y?

Cant seem to find any document on that.

I created one with all of these like a GolbalSnapcreator user.

I guess i can trial end error my way but i am lazy.

Which of them can i remove and still have all SC functionality?

DFM.Alarm.Delete, DFM.Alarm.Read, DFM.Alarm.Write, DFM.BackupManager.Backup, DFM.BackupManager.Failover, DFM.BackupManager.Read, DFM.BackupManager.Restore, DFM.ConfigManagement.Delete, DFM.ConfigManagement.Read, DFM.ConfigManagement.Write, DFM.Console.Execute, DFM.Core.AccessCheck, DFM.Core.Control, DFM.Core.Delegate, DFM.Database.Delete, DFM.Database.Read, DFM.Database.Write, DFM.DataSet.Create, DFM.DataSet.Delete, DFM.DataSet.Write, DFM.Event.Read, DFM.Event.Write, DFM.Mirror.PolicyControl, DFM.Mirror.Read, DFM.PerfThreshTemplate.Read, DFM.PerfThreshTemplate.Write, DFM.PerfView.Delete, DFM.PerfView.RealTimeRead, DFM.PerfView.Write, DFM.Policy.Delete, DFM.Policy.Read, DFM.Policy.Write, DFM.Quota.FullControl, DFM.Report.Delete, DFM.Report.Read, DFM.Report.Write, DFM.Resource.Control, DFM.ResourcePool.Provision, DFM.SAN.FullControl, DFM.Schedule.Delete, DFM.Schedule.Read, DFM.Schedule.Write, DFM.SRM.Read, DFM.StorageService.Attach, DFM.StorageService.Delete, DFM.StorageService.Detach, DFM.StorageService.Read, DFM.StorageService.Write, SD.Config.Delete, SD.Config.Read, SD.Config.Write, SD.Snapshot.Clone, SD.Snapshot.Delete, SD.Snapshot.DestroyUnrestrictedClone, SD.Snapshot.DisruptBaseline, SD.Snapshot.Read, SD.Snapshot.Restore, SD.Snapshot.UnrestrictedClone, SD.Snapshot.Write, SD.Storage.Delete, SD.Storage.Read, SD.Storage.Write

0 Likes
5 Replies

Re: Snapcreator as a mechanism for delegating data protection operations

magnus_nyvall
‎2011-12-07 04:01 AM

What are the minimum rights for the OM user if you use USE_PROXY=Y?

Cant seem to find any document on that.

I created one with all of these like a GolbalSnapcreator user.

I guess i can trial end error my way but i am lazy.

Which of them can i remove and still have all SC functionality?

DFM.Alarm.Delete, DFM.Alarm.Read, DFM.Alarm.Write, DFM.BackupManager.Backup, DFM.BackupManager.Failover, DFM.BackupManager.Read, DFM.BackupManager.Restore, DFM.ConfigManagement.Delete, DFM.ConfigManagement.Read, DFM.ConfigManagement.Write, DFM.Console.Execute, DFM.Core.AccessCheck, DFM.Core.Control, DFM.Core.Delegate, DFM.Database.Delete, DFM.Database.Read, DFM.Database.Write, DFM.DataSet.Create, DFM.DataSet.Delete, DFM.DataSet.Write, DFM.Event.Read, DFM.Event.Write, DFM.Mirror.PolicyControl, DFM.Mirror.Read, DFM.PerfThreshTemplate.Read, DFM.PerfThreshTemplate.Write, DFM.PerfView.Delete, DFM.PerfView.RealTimeRead, DFM.PerfView.Write, DFM.Policy.Delete, DFM.Policy.Read, DFM.Policy.Write, DFM.Quota.FullControl, DFM.Report.Delete, DFM.Report.Read, DFM.Report.Write, DFM.Resource.Control, DFM.ResourcePool.Provision, DFM.SAN.FullControl, DFM.Schedule.Delete, DFM.Schedule.Read, DFM.Schedule.Write, DFM.SRM.Read, DFM.StorageService.Attach, DFM.StorageService.Delete, DFM.StorageService.Detach, DFM.StorageService.Read, DFM.StorageService.Write, SD.Config.Delete, SD.Config.Read, SD.Config.Write, SD.Snapshot.Clone, SD.Snapshot.Delete, SD.Snapshot.DestroyUnrestrictedClone, SD.Snapshot.DisruptBaseline, SD.Snapshot.Read, SD.Snapshot.Restore, SD.Snapshot.UnrestrictedClone, SD.Snapshot.Write, SD.Storage.Delete, SD.Storage.Read, SD.Storage.Write

0 Likes
5 Replies

Re: Snapcreator as a mechanism for delegating data protection operations

ktenzer
NetApp
‎2011-12-13 08:35 AM

  magnus.nyvall    Dec 7, 2011 4:01 AM   (in response to rmharwood)       

What are the minimum rights for the OM user if you use USE_PROXY=Y?

We have only tested "Global Full Control"

You need to do two things to use DFM Proxy

1) create user with global full control

2) Add storage system login credentials, this is where you configure what user ther DFM server will use when communicating with storage

Which of them can i remove and still have all SC functionality?

Like I said we only tested "Global Full Control" but the following should be a minimum

DFM.BackupManager.Backup, DFM.BackupManager.Read, DFM.BackupManager.Restore, DFM.Console.Execute, DFM.Core.AccessCheck, DFM.Core.Control, DFM.Core.Delegate, DFM.Database.Read, DFM.Database.Write, DFM.DataSet.Create,  DFM.DataSet.Write, DFM.Event.Read, DFM.Event.Write, DFM.Mirror.PolicyControl, DFM.Mirror.Read,  DFM.Policy.Delete, DFM.Policy.Read, DFM.Policy.Write,DFM.Schedule.Read

You might even be able to get it to work with just

DFM.Console.Execute,DFM.DataSet.Create,  DFM.DataSet.Write, DFM.Event.Read, DFM.Event.Write

Regards,

Keith

0 Likes
5 Replies
Cloud Volumes ONTAP
Review Banner
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2021 NetApp
Let us know
Public