2016-03-22 07:40 AM
Other than creating a bespoke role, is there any way to prevent a Vserver/SVM user/administrator from being able to modify the size of a volume in their SVM?
I'd like to prevent volumes from multiple SVMs in the same aggregate from being able to consume beyond their allocated amount, but it looks like the SVM admins have control to make changes from within the SVM.
I understand I can restrict the ability to create new volumes, by not assigning any aggregates to the SVM aggregate allowed list, but this does not seem to prevent changes being made to already provisioned volumes.
I've tested this under the simulator (version 8.3.2RC1) and so far haven't found a way.
Thanks in advance
2016-03-22 08:04 AM
You can get this done via role creation on vserver level.
I created a testrole with the following abilities.
cmemile01::vserver security> security login role show -vserver data_svm -role testrole
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
data_svm   testrole      DEFAULT                                       none
data_svm   testrole      network                                       all
data_svm   testrole      snapmirror                                    all
data_svm   testrole      volume                                        readonly
When I go to the vserver context and log in with my user, which was assigned the "testrole", the "volume size" command is not available.
cmemile01::vserver security> vserver context -username emile -vserver data_svm
Info: Use 'exit' command to return.
data_svm::> volume ?
  clone>                      Manage FlexClones
  efficiency>                 Manage volume efficiency
  file>                       File related commands
  qtree>                      Manage qtrees
  quota>                      Manage Quotas, Policies, Rules and Reports
  show                        Display a list of volumes
  show-footprint              Display a list of volumes and their data and metadata footprints in their associated aggregate.
  show-space                  Display space usage for volume(s)
  snapshot>                   Manage snapshots
data_svm::> volume size
Error: "size" is not a recognized command
Is this what you are trying to achieve?
2016-03-22 08:34 AM
Many thanks for the response.
I was hoping to restrict this in another way other than by defining new roles, as that opens up other administration issues/burdens in a multitenant environment, hence my original question.
The ideal would be to be able to restrict it at the cluster level for the SVM, a bit like under 7-Mode, where the volume changes that didn't affect the aggregate utilisation could be controlled from within the vFiler, but anything that would affect the aggregate (vol size/autosize for instance) had to be completed at the vfiler0 level.
If roles are the only way, we'll have to get some automation in place for it to ensure a consistent deployment model for each SVM stood up.
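Added example, not part of any poster's reply: one way to keep the role from the second post consistent across SVMs is to compare `security login role show` output against a baseline and emit only the commands needed to correct drift. The SVM names tenant_b and tenant_c and the sample output are constructed, and the parser assumes rows without a value in the Query column.

```python
import re

# Role entries shown for "testrole" in the reply above, used as the baseline.
BASELINE = {"DEFAULT": "none", "network": "all",
            "snapmirror": "all", "volume": "readonly"}

# One data row: vserver, role, command directory, access level (no query column).
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s+(none|readonly|all)$")

# Constructed sample output; tenant_b and tenant_c are hypothetical SVM names.
SAMPLE = """\
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
data_svm   testrole      DEFAULT                                       none
data_svm   testrole      network                                       all
data_svm   testrole      snapmirror                                    all
data_svm   testrole      volume                                        readonly
tenant_b   testrole      DEFAULT                                       none
tenant_b   testrole      volume                                        all
"""

def parse_role_show(text):
    """Return {(vserver, role): {cmddirname: access}} from role show output."""
    roles = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            vserver, role, cmddir, access = m.groups()
            roles.setdefault((vserver, role), {})[cmddir] = access
    return roles

def plan(svms, role, current, baseline=BASELINE):
    """List the commands that bring each SVM's role in line with the baseline."""
    cmds = []
    for svm in svms:
        have = current.get((svm, role), {})
        for cmddir, access in baseline.items():
            if have.get(cmddir) == access:
                continue  # entry already matches
            verb = "modify" if cmddir in have else "create"
            cmds.append(f"security login role {verb} -vserver {svm} -role {role}"
                        f' -cmddirname "{cmddir}" -access {access}')
        for cmddir in sorted(set(have) - set(baseline)):  # entries beyond baseline
            cmds.append(f"security login role delete -vserver {svm} -role {role}"
                        f' -cmddirname "{cmddir}"')
    return cmds

if __name__ == "__main__":
    found = parse_role_show(SAMPLE)
    print("\n".join(plan(["data_svm", "tenant_b", "tenant_c"], "testrole", found)))
```

Run against the sample, data_svm needs no change, tenant_b gets its volume entry modified back to readonly plus the two missing entries, and tenant_c gets the full role created.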