I'm trying to abide by the Least Privilege model and create a role that only has the privileges needed to run a PowerShell script I plan to run that has these cmdlets:
- Connect-NcController
- Get-NcFile
- new-ncsymlink
- add-nccifssymlink
- Remove-NcCifsSymlink
- Remove-NcFile
I have figured out that the Connect-NcController runs a few APIs before it returns so it needs exact privileges. Here is what I have in my role so far:
> security login rest-role show -vserver prod1 -role createlink
           Role                                                 Access
Vserver    Name       API                                       Level
---------- ---------- ----------------------------------------- --------
prod1      createlink /api/cluster                              readonly
                      /api/protocols/cifs/unix-symlink-mapping  all
                      /api/storage/volumes                      readonly
                      "/api/storage/volumes/*/files"            all
                      /api/svms                                 readonly
When I run Connect-NcController, pointing to a vserver, with the credentials of the account that is assigned the limited role, it seems to connect just fine. However, no matter which cmdlet I run afterward, I get the following error:
The remote server returned an error: (403) Forbidden.
After that one failed cmdlet, the rest of them run just fine. If I authenticate with an account that has more privileges (e.g. vsadmin-volume) it doesn't have this issue. So, I assume it is a privilege problem, but I have no way of knowing which one. As far as I can tell 'security audit log show' doesn't show API calls that were declined for lack of permission so I can't figure it out that way. I already added the /api/clusters and /api/svms to get as far as I have.
One oddity that I did see from 'security audit log show' was that when I run with the limited role, I see this API get called but never finish (i.e. I only see "Pending" and never "Success" or "Error"):
GET /api/private/cli/system/node/virtual-machine/instance/show-settings?fields=consumer :: Pending
When I run with an account with more privileges, that API call finishes. I tried giving permissions to that API path to my limited role, but it didn't seem to help, in that the problem is still there, and that API never seems to generate any results.
If anyone has any ideas how to resolve this problem, I would be greatly appreciative. Is there a way to get the cmdlets to show the APIs it is making?
And if you can't help with that, can you help me totally suppress the error message? I tried adding -ErrorAction SilentlyContinue but I still see an error.
Here is the script I am running:
# Assumes the NetApp ONTAP PowerShell toolkit is installed (module name
# NetApp.ONTAP; older toolkit releases use DataONTAP).
Import-Module NetApp.ONTAP
$controller = "198.19.255.116" # Vserver Management port
#
# This is the path to where you want the symbolic link to reside using
# a full path starting with /vol/volume_name/
$fileToCreate = "/vol/app1/testlink"
#
# This is where you want the link to point to. It should NOT start with
# /vol/volume_name/ and MUST end with a '/'. For a UNIX client, it will
# be redirected to this path.
$whereToPointTo = "/test-destination/subdir/"
#
# For a CIFS client, with a CIFS Symbolic link, they don't follow the
# path the UNIX link points to; it is more of a pattern match
# and is replaced with what $cifsPath is set to.
$cifsPath = "/cifspath/"
#
# If using a "wide" CIFS Symbolic link, the client can be redirected to
# another CIFS share as well as the path. But, in this case, we are
# using a "local" CIFS Symbolic Link, so the client will be redirected
# to the same share where the link resides.
$shareName = "app1"
#
# Prompt for the credentials of the account assigned the limited role and
# keep the username for the status message below.
$credential = Get-Credential
$username = $credential.UserName
$connection = Connect-NcController -Name $controller -Credential $credential
if ($null -ne $connection) {
    Write-Host "Connected to $controller as $username."
    #
    # Since for some strange reason the first call always fails, just do one and ignore it.
    # Unfortunately, this command generates an error message no matter what I set the ErrorAction
    # to. There might be another command that will honor it.
    Get-NcFile -Path $fileToCreate -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
} else {
    Write-Host "Failed to connect to $controller!"
    exit 1
}
#
# Check to see if the file already exists. If it does, remove it.
$fileProperties = Get-NcFile -Path $fileToCreate -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
if ($null -ne $fileProperties) {
    Write-Host "Removing CIFS symlink $whereToPointTo"
    Remove-NcCifsSymlink -UnixPath $whereToPointTo -Confirm:$false
    Write-Host "Removing UNIX link $fileToCreate"
    Remove-NcFile -Path $fileToCreate -Confirm:$false
}
Write-Host "Creating new UNIX symlink $fileToCreate to $whereToPointTo"
# Parameter names must use plain ASCII hyphens (-); en dashes are not
# recognized by PowerShell.
New-NcSymlink -Target $whereToPointTo -LinkName $fileToCreate
Write-Host "Creating new CIFS symlink for $whereToPointTo; should redirect to $shareName$whereToPointTo$cifsPath"
Add-NcCifsSymlink -UnixPath $whereToPointTo -CifsPath $cifsPath -Locality local -ShareName $shareName
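Added example, not part of the original post: -ErrorAction SilentlyContinue only affects non-terminating errors, so a 403 the toolkit raises as an exception still reaches the console unless it is caught in try/catch. The wrapper below runs each cmdlet from the question that way and reports which step was forbidden, so the missing role entry can be matched to a cmdlet. It assumes the toolkit module is loaded, Connect-NcController has already succeeded, and the script's variables are set; Invoke-NcStep is a hypothetical helper name, and the removal steps are run unconditionally here just to exercise every cmdlet.

```powershell
# Added example (not from the original post). Assumes the NetApp ONTAP toolkit
# is loaded, Connect-NcController has already been run, and $fileToCreate,
# $whereToPointTo, $cifsPath and $shareName are set as in the script above.
# Invoke-NcStep is a hypothetical helper name.

function Invoke-NcStep {
    param(
        [Parameter(Mandatory)] [string]      $Name,   # label used in the report
        [Parameter(Mandatory)] [scriptblock] $Action  # the toolkit call to run
    )
    # Promote non-terminating errors to exceptions so try/catch sees them;
    # errors the toolkit already throws as exceptions are caught either way.
    $ErrorActionPreference = 'Stop'
    try {
        $result = & $Action
        [pscustomobject]@{ Step = $Name; Status = 'ok'; Detail = ''; Result = $result }
    } catch {
        $message = $_.Exception.Message
        # Classify on the status text quoted in the post: "(403) Forbidden".
        $status = if ($message -match '\(403\)') { 'forbidden' } else { 'error' }
        [pscustomobject]@{ Step = $Name; Status = $status; Detail = $message; Result = $null }
    }
}

# One step per cmdlet from the question, in the order the script runs them.
$steps = @(
    @{ Name = 'Get-NcFile';           Action = { Get-NcFile -Path $fileToCreate } }
    @{ Name = 'Remove-NcCifsSymlink'; Action = { Remove-NcCifsSymlink -UnixPath $whereToPointTo -Confirm:$false } }
    @{ Name = 'Remove-NcFile';        Action = { Remove-NcFile -Path $fileToCreate -Confirm:$false } }
    @{ Name = 'New-NcSymlink';        Action = { New-NcSymlink -Target $whereToPointTo -LinkName $fileToCreate } }
    @{ Name = 'Add-NcCifsSymlink';    Action = { Add-NcCifsSymlink -UnixPath $whereToPointTo -CifsPath $cifsPath -Locality local -ShareName $shareName } }
)

# Run every step, keep going after a failure, and print a per-cmdlet report.
$report = foreach ($step in $steps) { Invoke-NcStep @step }
$report | Format-Table Step, Status, Detail -AutoSize

# Rows marked 'forbidden' name the cmdlet that tripped the 403. If the same
# step succeeds when the report is run a second time, the role entry to add is
# for whatever the toolkit requests once on first use, not for that cmdlet's
# own endpoint; compare against 'security login rest-role show'.
```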