Re: how to create a separate, least privileged role for the OCUM Service Account user?

Repeating an earlier warning from this thread - this user setup below is not approved by NetApp support!  It's worked well in my (and others') experience but you're using this at your own risk!  NetApp and/or support won't take any responsibility for failed polling, missing data, alarms not triggering/catching issues, etc.

If you need this functionality with official support please contact your NetApp account team to have them submit an internal request.

Hi bjoern,

I spun up a simulator for this testing and found 4 additional APIs being called:

ems-event-filter-create
ems-event-notification-create
ems-event-notification-destination-create
security-certificate-install

These new API calls make sense given how the OCUM software has evolved around alerting, and I'm surprised the certificate command wasn't already required.  I modified the custom role a bit and it's successfully discovering in an OCUM 9.4RC1 instance of mine.  Can you try this updated role and let me know how it looks on your end?

security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname DEFAULT -access readonly
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "cluster application-record" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "metrocluster modify" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "metrocluster show" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "event filter create" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "event notification destination create" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "event notification create" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "security certificate install" -access all
vserver services web access create -vserver <cluster_vserver> -name spi -role ocum_readonly_role
security login create -vserver <cluster_vserver> -user ocum_readonly -application ontapi -authmethod password -role ocum_readonly_role
security login create -vserver <cluster_vserver> -user ocum_readonly -application http -authmethod password -role ocum_readonly_role

Please note I've only quickly tried this in a lab and have *not* done any extensive testing on whether or not this lets OCUM 9.4 fully monitor ONTAP 9.1.
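To check that a role built with the commands above actually stays least-privileged once it is on a cluster, here is an added Python example (not from this thread and not NetApp code). It parses the `security login role create` lines into the intended grants and compares them with the output of `security login role show -role ocum_readonly_role -fields cmddirname,access`, reporting command directories granted more than intended and intended grants that are missing (missing grants are what surface as the discovery or polling failures discussed here). The show output embedded below is constructed, its whitespace-separated, quoted-value column layout is an assumption about the real table, the cluster name cluster1 replaces the <cluster_vserver> placeholder, and the extra "security login" row is a constructed example of drift.

```python
"""Audit an ONTAP custom role for least privilege (added example, not NetApp code).

Parses the `security login role create` lines that define a role and compares
them with `security login role show ... -fields cmddirname,access` output,
flagging directories granted more access than intended and intended grants
that are absent.
"""
import shlex

# Access levels in increasing order of privilege.
LEVEL = {"none": 0, "readonly": 1, "all": 2}

# Intended role definition: the commands from the thread, with the
# <cluster_vserver> placeholder replaced by the constructed name cluster1.
ROLE_CREATE_COMMANDS = """
security login role create -vserver cluster1 -role ocum_readonly_role -cmddirname DEFAULT -access readonly
security login role create -vserver cluster1 -role ocum_readonly_role -cmddirname "cluster application-record" -access all
security login role create -vserver cluster1 -role ocum_readonly_role -cmddirname "metrocluster modify" -access all
security login role create -vserver cluster1 -role ocum_readonly_role -cmddirname "metrocluster show" -access all
security login role create -vserver cluster1 -role ocum_readonly_role -cmddirname "event filter create" -access all
security login role create -vserver cluster1 -role ocum_readonly_role -cmddirname "event notification destination create" -access all
security login role create -vserver cluster1 -role ocum_readonly_role -cmddirname "event notification create" -access all
security login role create -vserver cluster1 -role ocum_readonly_role -cmddirname "security certificate install" -access all
"""

# Constructed sample of `security login role show -role ocum_readonly_role
# -fields cmddirname,access`. The column layout (whitespace separated, values
# with spaces quoted) is an assumption about the real output. Two deliberate
# deviations from the intended definition: "security login" was granted "all"
# (which would let the monitoring account manage logins) and the
# "security certificate install" grant is absent.
SHOW_OUTPUT = """
vserver  role               cmddirname                              access
-------  ----               ----------                              ------
cluster1 ocum_readonly_role DEFAULT                                 readonly
cluster1 ocum_readonly_role "cluster application-record"            all
cluster1 ocum_readonly_role "metrocluster modify"                   all
cluster1 ocum_readonly_role "metrocluster show"                     all
cluster1 ocum_readonly_role "event filter create"                   all
cluster1 ocum_readonly_role "event notification destination create" all
cluster1 ocum_readonly_role "event notification create"             all
cluster1 ocum_readonly_role "security login"                        all
"""


def parse_create_commands(text):
    """Map (role, cmddirname) -> access from `security login role create` lines."""
    grants = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if toks[:4] != ["security", "login", "role", "create"]:
            continue
        opts = {}
        for i, tok in enumerate(toks[4:], start=4):
            if tok.startswith("-") and i + 1 < len(toks):
                opts[tok[1:]] = toks[i + 1]
        grants[(opts["role"], opts["cmddirname"])] = opts["access"]
    return grants


def parse_show_output(text):
    """Map (role, cmddirname) -> access from the (assumed) show table layout."""
    rows = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if len(toks) != 4 or toks[0] == "vserver" or toks[0].startswith("-"):
            continue  # header, separator, or a line we do not understand
        _vserver, role, cmddir, access = toks
        rows[(role, cmddir)] = access
    return rows


def audit_role(role, intended, actual):
    """Return excess grants (cmddir, intended, actual) and missing grants (cmddir, intended)."""
    default = intended.get((role, "DEFAULT"), "none")
    excess, missing = [], []
    for (r, cmddir), access in actual.items():
        if r != role:
            continue
        expected = intended.get((role, cmddir), default)
        # Unknown access strings are treated as the most privileged, to be safe.
        if LEVEL.get(access, LEVEL["all"]) > LEVEL[expected]:
            excess.append((cmddir, expected, access))
    for (r, cmddir), access in intended.items():
        if r == role and (role, cmddir) not in actual:
            missing.append((cmddir, access))
    return {"excess": sorted(excess), "missing": sorted(missing)}


def run_audit():
    """Audit the constructed sample against the thread's role definition."""
    intended = parse_create_commands(ROLE_CREATE_COMMANDS)
    actual = parse_show_output(SHOW_OUTPUT)
    return audit_role("ocum_readonly_role", intended, actual)


if __name__ == "__main__":
    report = run_audit()
    for cmddir, want, got in report["excess"]:
        print(f"EXCESS  {cmddir!r}: intended {want}, granted {got}")
    for cmddir, want in report["missing"]:
        print(f"MISSING {cmddir!r}: intended {want}, not present")
```

Because the intended grants are read from the create commands themselves, the same audit works unchanged for the broader variant later in this thread that grants `event destination`, `event filter`, `event notification` and `event route` at `all`: swap in those lines and the script will treat them as intended rather than as drift. Before relying on it against a real cluster, paste one line of genuine `-fields` output into SHOW_OUTPUT and confirm parse_show_output() reads the four columns correctly.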

Re: how to create a separate, least privileged role for the OCUM Service Account user?

Hi @bjoern_shd - have you had a chance to try this in your environment?  

Re: how to create a separate, least privileged role for the OCUM Service Account user?

Sadly this won't work when you use EMS forwarding; you will get an error:

Unable to add data source, which can be caused by reaching the max number of EMS notification destinations in the data source.

I had to change the command directories for the event command to:

event destination all
event filter all
event notification all
event route all

I'm sure you can break it down more, but for my needs it was enough. After this change, I could add the cluster with the new user/role.

Thanks :)

Re: how to create a separate, least privileged role for the OCUM Service Account user?

Hi.

Thanks for your solution.

I tried it on my 9.3P7 and it works fine.

One question though.

We moved from local admin accounts to domain passthrough accounts for our administrators.

But, as domain passthrough accounts don't have SSH, we can't use the restore function in OCUM (therefore I'm looking at your solution).

But it's the same here now that we have an RO role.

What function do I need to change to be able to do a restore in OCUM with this kind of security login role?

//Henrik