Microsoft Virtualization Discussions

Determining Ontap privileges needed for powershell script

MARTINLEGGATT
7,698 Views

Working in a least privileges environment I'm trying to confirm what Ontap privileges are needed on the Filers for a script that monitors the Filers.

I'm currently adding a privilege re-running the script and then checking the messages file for which privilege is missing, this is obviously pretty time consuming though.

If there is an easier method it would be great to know.

Thanks

Martin

1 ACCEPTED SOLUTION

beam
7,698 Views

Hi Martin,

For 7-mode, there is an easier way... the help documentation includes the required privileges for each cmdlet.  For example:

PS C:\> Get-NaHelp Get-NaVol | select Privilege

Privilege

---------

{api-volume-list-info-iter-start, api-volume-list-info-iter-next, api-volume-list-info-iter-end, api-volume-list-info}

For the clustered ONTAP cmdlets, there is a little bit more work you need to do.  The help documents list the API the command uses, then you need to use that information to map the API to a CLI command using the "show-ontapi" CLI command.  For example:

PS C:\Users\SBeam> Get-NcHelp Get-NcVol | select API

Api

---

{volume-get-iter}

PS C:\Users\SBeam> Invoke-NcSsh "security login role show-ontapi -ontapi volume-get-iter"

NcController : 10.61.167.254

Value        :

               ONTAPI Name: volume-get-iter

               CLI Command: volume show

Thanks,

Steven

View solution in original post

7 REPLIES 7

JGPSHNTAP
7,698 Views

IMHO, You're fighting a losing battle..   Why on earth would you want to do this. 

the powershell cmdlets let you do many things so the optimal solution is for someone who knows what they are doing in powershell and netapp and then you wll be all set

Just my opinion of course

MARTINLEGGATT
7,699 Views

I'd have to say I disagree. 

I want to do this for security purposes, I work in a least privileges environment meaning any login whether API, SSH  to the Filers has the least amount of privileges it needs to function.

Without going into detail many Financial and Healthcare regulations mandate this, without it you will fail an audit and as a company could be fined or shut down.

On a practical note, this script is running as an account on the Filer from a remote server, if you give the user this script runs as administrative privileges because its too difficult to restrict which ones it needs. What happens if that account gets compromised? What if the over privileged account loops through your Filers running "aggr offline/destroy"??

I also can't see an auditor being impressed when they ask "why does it have admin rights on the Filer" and you answer"because it was a bit difficult to work out what it needed".

Do you run everything as root on Linux boxes or Administrator on Windows boxes?

beam
7,699 Views

Hi Martin,

For 7-mode, there is an easier way... the help documentation includes the required privileges for each cmdlet.  For example:

PS C:\> Get-NaHelp Get-NaVol | select Privilege

Privilege

---------

{api-volume-list-info-iter-start, api-volume-list-info-iter-next, api-volume-list-info-iter-end, api-volume-list-info}

For the clustered ONTAP cmdlets, there is a little bit more work you need to do.  The help documents list the API the command uses, then you need to use that information to map the API to a CLI command using the "show-ontapi" CLI command.  For example:

PS C:\Users\SBeam> Get-NcHelp Get-NcVol | select API

Api

---

{volume-get-iter}

PS C:\Users\SBeam> Invoke-NcSsh "security login role show-ontapi -ontapi volume-get-iter"

NcController : 10.61.167.254

Value        :

               ONTAPI Name: volume-get-iter

               CLI Command: volume show

Thanks,

Steven

JGPSHNTAP
7,698 Views

Steven,

I know we can tell the API, but can you imagine building a role for all of PS toolkit and different scenarios... Just not my cup of tea, that's all

MARTINLEGGATT
7,698 Views

Thanks Beam, that's exactly what I needed.

Martin

MARTINLEGGATT
7,698 Views

Hi Beam,

I'm running a simple script that uses Get-NaSnapmirror to check the status of snapmirrors periodically and email a report out (long story why I can't use SNMP, OCUM e.t.c).

I checked the Get-Na-Snapmirror command as you mentioned:

PS Y:\> Get-NaHelp Get-NaSnapmirror | select Privilege

Privilege                                                                                               

---------                                                                                               

{api-snapmirror-get-status}                                                                             

PS Y:\>

Fri Mar 14 15:13:37 GMT [filer1:useradmin.unauthorized.user:warning]: User 'snapmirror-user' denied access - missing required capability: 'api-file-write-file'

I can't see why the PS script would be making this API call.

I'm going to create a test user on a test Filer and then give it just that api-snapmirror-get-status privilege and try a simple Get-NaSnapmirror.

Any pointers would be appreciated.

Martin

beam
7,698 Views

Hi Martin,

The file-write-file is most likely coming from Connect-NaController.  If you do not want the user to have file writing capabilities, you can ignore that particular error.

Thanks,

Steven

Public