ONTAP Discussions

User 'root' denied access - missing required capability: 'cli-route'

fletch2007
9,743 Views

At the tail end of this successful vFiler migration (the first of 16) I noticed this in the logs of the 8.1GA destination:

Permission denied, user root does not have access to route

Thu May  3 14:43:15 PDT [irt-na04:tmig.step.completed:debug]: Step: 'Unbind_Source_Vfiler' of transparent migration completed at 32815 miliseconds. 

Thu May  3 14:43:15 PDT [irt-na04:tmig.step.started:debug]: Step: 'Configure_IP_Addresses' of tranparent migration started at 32815 miliseconds. 

Thu May  3 14:43:15 PDT [irt-na04:kern.cli.cmd:debug]: Command line input: the command is 'ifconfig'. The full command line is 'ifconfig na04-vif0-64 alias 171.65.64.100 netmask 255.255.255.0'.

Thu May  3 14:43:15 PDT [irt-na04:tmig.step.completed:debug]: Step: 'Configure_IP_Addresses' of transparent migration completed at 32828 miliseconds. 

Thu May  3 14:43:15 PDT [irt-na04:tmig.step.started:debug]: Step: 'Configure_Static_Route' of tranparent migration started at 32828 miliseconds. 

Thu May  3 14:43:15 PDT [irt-na04:useradmin.unauthorized.user:warning]: User 'root' denied access - missing required capability: 'cli-route'

Should I just allocate this capability to root? (Why does root not have all capabilities?)

What would be the useradmin command line incantation to fix this?

thanks
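The log excerpt in the post above shows the denial landing between a step's "started" event and the next event. The following is an added example, not part of the original post and not NetApp code: a Python check that tags each `useradmin.unauthorized.user` event with the migration step that was open when it fired. The function name `denied_during_migration` is hypothetical, and the sample input is the set of log lines quoted in the post.

```python
import re

# Constructed sample: the six messages-log lines quoted in the post above.
SAMPLE_LOG = """\
Thu May  3 14:43:15 PDT [irt-na04:tmig.step.completed:debug]: Step: 'Unbind_Source_Vfiler' of transparent migration completed at 32815 miliseconds.
Thu May  3 14:43:15 PDT [irt-na04:tmig.step.started:debug]: Step: 'Configure_IP_Addresses' of tranparent migration started at 32815 miliseconds.
Thu May  3 14:43:15 PDT [irt-na04:kern.cli.cmd:debug]: Command line input: the command is 'ifconfig'. The full command line is 'ifconfig na04-vif0-64 alias 171.65.64.100 netmask 255.255.255.0'.
Thu May  3 14:43:15 PDT [irt-na04:tmig.step.completed:debug]: Step: 'Configure_IP_Addresses' of transparent migration completed at 32828 miliseconds.
Thu May  3 14:43:15 PDT [irt-na04:tmig.step.started:debug]: Step: 'Configure_Static_Route' of tranparent migration started at 32828 miliseconds.
Thu May  3 14:43:15 PDT [irt-na04:useradmin.unauthorized.user:warning]: User 'root' denied access - missing required capability: 'cli-route'
"""

# Event header format seen in the excerpt: [host:event.name:severity]: message
LINE = re.compile(r"\[(?P<host>[^:\]]+):(?P<event>[\w.]+):(?P<sev>\w+)\]: (?P<msg>.*)")
STEP = re.compile(r"Step: '(?P<step>[^']+)'")
DENIED = re.compile(
    r"User '(?P<user>[^']+)' denied access - missing required capability: '(?P<cap>[^']+)'")

def denied_during_migration(log_text):
    """Return one finding per capability denial, tagged with the tmig step open at that time."""
    open_step = {}   # host -> step that has started but not yet completed
    findings = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        host, event, msg = m["host"], m["event"], m["msg"]
        if event == "tmig.step.started":
            s = STEP.search(msg)
            if s:
                open_step[host] = s["step"]
        elif event == "tmig.step.completed":
            open_step.pop(host, None)
        elif event == "useradmin.unauthorized.user":
            d = DENIED.search(msg)
            if d:  # step is None when the denial is unrelated to a migration step
                findings.append({"host": host, "step": open_step.get(host),
                                 "user": d["user"], "capability": d["cap"]})
    return findings

if __name__ == "__main__":
    for finding in denied_during_migration(SAMPLE_LOG):
        print(finding)
```

A finding with a non-empty `step` means that step's commands were refused, so the resulting interface and route state on the destination should be verified by hand after cutover.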


9 REPLIES

scottgelb

Odd root doesn't have access. Cli-route is not in the useradmin user role for the administrator group?

fletch2007

root is listed with no groups

irt-na04> useradmin user list
Name: root
Info: Default system administrator.
Rid: 0
Groups:

irt-na04> useradmin role list
Name:    admin
Info:    Default role for administrator privileges.
Allowed Capabilities: login-*,cli-*,api-*,security-*

Name:    audit
Info:    Default role for audit privileges.
Allowed Capabilities: api-snmp-get,api-snmp-get-next,api-system-api-*

Name:    backup
Info:    Default role for NDMP privileges.
Allowed Capabilities: login-ndmp

Name:    compliance
Info:    Default role for compliance privileges.
Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*,cli-snaplock*,api-snaplock-*,api-file-*,compliance-*

Name:    ndmp_role
Info:
Allowed Capabilities: login-ndmp

Name:    none
Info:    Default role for no privileges.
Allowed Capabilities:

Name:    oracle
Info:
Allowed Capabilities: login-ssh,cli-snap*

Name:    power
Info:    Default role for power user privileges.
Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*

Name:    root
Info:    Default role for root privileges.
Allowed Capabilities: *

scottgelb

Did it add the vFiler routes correctly even with this error? And updated the rc file with the vfiler run route add statements?

fletch2007

Looks like /etc/rc was updated correctly, but the route commands were permission denied.

Luckily we have no static routes for our vFilers - just the default route

This is feeling like a bug (which is not biting us - yet)

scottgelb

Agreed. Looks like a bug.

fletch2007

Can you verify what a proper user->group->role mapping is supposed to look like for root?

thanks

scottgelb

Same on my VSIM... no group for root.

fas6280> useradmin user list
Name: root
Info: Default system administrator.
Rid: 0
Groups:

fletch2007

I just opened a P1 case since this bug cut over a vFiler with failed IP/routing and it's not serving data

scottgelb

You can still add the routes to fix it. But looks like a data motion bug on cutover.

Let us know the Burt # when support opens it. I would create a test vFiler with routes to test with. Support may have a workaround you can try.
