Microsoft Virtualization Discussions
Hi,
I am trying to get the command get-ncaggr (and get-ncvol) to run with the minimum of permissions, but I am currently running into the error message:
PS E:\> get-ncaggr
get-ncaggr :
==================================================================================
| This cmdlet must be directed to the cluster admin vserver. You are currently |
| connected to a data vserver. See the Toolkit web docs (Show-NcHelp) or online |
| help (Get-Help Connect-NcController -Examples) to learn more about directing |
| Toolkit cmdlets to a cluster or data vserver as required by Data ONTAP. |
==================================================================================
I am directing the command to the correct vserver. The command will run with my admin privileged account.
The privileges assigned so far are:
PS C:\> Get-NcRole -Role Role1
RoleName  Vserver  AccessLevel  CommandDirectoryName
--------  -------  -----------  --------------------
Role1     Admin    none         DEFAULT
Role1     Admin    readonly     storage aggregate
Role1     Admin    readonly     storage aggregate create
Role1     Admin    readonly     storage aggregate modify
Role1     Admin    readonly     storage aggregate show
Role1     Admin    readonly     version
Role1     Admin    readonly     volume create
Role1     Admin    readonly     volume modify
Role1     Admin    readonly     volume show
These permissions are adequate for getting the aggregate information via SSH.
Does anyone have any ideas?
Thanks,
Richard
Hello Richard,
You appear to be connecting to an SVM management interface; the APIs (and consequentially cmdlets) available at the SVM level do not include aggregates. This means that you cannot list/show aggregates, and is the same experience that you would have when connecting to an SVM's management interface using vsadmin (or an equivalent)..."aggr show" doesn't work. To be fair, that may work at the CLI by enabling permissions...I haven't tested.
You can still see which aggregates are assigned (including available capacity) to the SVM using the Get-NcVserver cmdlet:
(Get-NcVserver).VserverAggrInfoList
This changes if you connect to the cluster management interface using a user who has the necessary permissions. You would then be able to enumerate aggregates and view/modify the properties which they have been entitled to, both at the CLI and using the PSTK.
Hope that helps.
Andrew
Thanks for the reply Andrew.
I was connecting to the cluster management interface and not to any specific SVM. The error message itself seems to be incorrect.
If I connect using a user with the Admin role the command will work. But not with my minimally permissioned user.
PS E:\> connect-nccontroller -name 10.20.32.214 -Credential admin.user

Name          Address       Vserver  Version
----          -------       -------  -------
10.20.32.214  10.20.32.214           NetApp Release 8.3.1P2: Wed Dec 09 03:10:24 UTC 2015

PS E:\> get-ncaggr

Name           State   TotalSize  Used  Available  Disks  RaidType         RaidSize  Volumes
----           -----   ---------  ----  ---------  -----  --------         --------  -------
aggr0_filer01  online  1.4 TB     95%   69.4 GB    3      raid_dp, normal  16        1
**** Snip some more aggregates *****

PS E:\> connect-nccontroller -name 10.20.32.214 -Credential normal.user

Name          Address       Vserver  Version
----          -------       -------  -------
10.20.32.214  10.20.32.214           NetApp Release 8.3.1P2: Wed Dec 09 03:10:24 UTC 2015

PS E:\> get-ncaggr
get-ncaggr :
==================================================================================
| This cmdlet must be directed to the cluster admin vserver. You are currently |
| connected to a data vserver. See the Toolkit web docs (Show-NcHelp) or online |
| help (Get-Help Connect-NcController -Examples) to learn more about directing |
| Toolkit cmdlets to a cluster or data vserver as required by Data ONTAP. |
==================================================================================
It seems to want some extra permissions. But I can't work out what they are.
The get-ncvserver command also fails with my minimal user with a permissions error as the current role assigned to the user has literally just the commands listed above.
Thanks,
Richard
Does the user have ontapi permissions for the role you created?
security login modify -user-or-group-name normal.user -application ontapi -authmethod password -role Role1
Andrew
Hi Andrew,
The user does have the Ontapi application listed in its logon privs.
Thanks,
Richard
OK. So I seem to have had this solved.... I recreated the permissions using the following:
PS C:\> $roles = get-ncrole -Role Role1
PS C:\> foreach ($role in $roles) {Remove-NcRole -Role Role1 -Vserver Cluster1 -CommandDirectory $role.CommandDirectoryName -Confirm:$false}
PS C:\> foreach ($role in $roles) {New-NcRole -Role Role1 -Vserver Cluster1 -CommandDirectory $role.CommandDirectoryName -AccessLevel readonly}
And it can now run get-ncaggr without errors.
The permissions assigned to my role are identical to those above but now it works.
I wonder if there is something specific, unexpected or odd about the order in which I created the permissions in the first place?
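Added example (not part of the original posts and not NetApp's code): the recreate loop in the post above requests -AccessLevel readonly for every entry, including the DEFAULT entry that the earlier Get-NcRole output lists as none. The sketch below compares two snapshots of a role and recreates entries with their recorded level; Get-RoleDrift and Restore-RoleEntry are hypothetical helper names, the sample data is constructed from the thread's output, and it assumes the objects expose AccessLevel as shown in the column header.

```powershell
# Added example. Report entries whose access level differs between two snapshots.
function Get-RoleDrift {
    param([object[]]$Before, [object[]]$After)
    $afterByDir = @{}
    foreach ($e in $After) { $afterByDir[$e.CommandDirectoryName] = $e.AccessLevel }
    foreach ($e in $Before) {
        $now = $afterByDir[$e.CommandDirectoryName]   # $null if the entry is gone
        if ($now -ne $e.AccessLevel) {
            [pscustomobject]@{
                CommandDirectoryName = $e.CommandDirectoryName
                Before               = $e.AccessLevel
                After                = $now
            }
        }
    }
}

# Recreate each entry with the level recorded in the snapshot rather than a
# fixed value. Needs a live Connect-NcController session; not called here.
function Restore-RoleEntry {
    param([object[]]$Snapshot, [string]$Role, [string]$Vserver)
    foreach ($e in $Snapshot) {
        Remove-NcRole -Role $Role -Vserver $Vserver `
            -CommandDirectory $e.CommandDirectoryName -Confirm:$false
        New-NcRole -Role $Role -Vserver $Vserver `
            -CommandDirectory $e.CommandDirectoryName -AccessLevel $e.AccessLevel
    }
}

# Constructed sample: the role as listed in the first post (DEFAULT = none).
$dirs = 'DEFAULT', 'storage aggregate', 'storage aggregate create',
        'storage aggregate modify', 'storage aggregate show', 'version',
        'volume create', 'volume modify', 'volume show'
$before = foreach ($d in $dirs) {
    [pscustomobject]@{
        CommandDirectoryName = $d
        AccessLevel          = $(if ($d -eq 'DEFAULT') { 'none' } else { 'readonly' })
    }
}
# Constructed sample: what a loop that requests readonly for every entry asks for.
$after = foreach ($e in $before) {
    [pscustomobject]@{ CommandDirectoryName = $e.CommandDirectoryName; AccessLevel = 'readonly' }
}

Get-RoleDrift -Before $before -After $after | Format-Table -AutoSize
```

On a connected session, $before and $after would come from Get-NcRole -Role Role1 run before and after the change.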
Four years later and with Ontap 9.5 I encountered the same odd behaviour.
I applied your trick and deleted and recreated the role with the same permissions.
It worked!
Thanks for saving me a lot of time searching for the "missing" permission!