Get-NCAggr and permissions

Hello Richard,

You appear to be connecting to an SVM mangement interface, the APIs (and consequentially cmdlets) available at the SVM level do not include aggregates.  This means that you can not list/show aggregates, and is the same experience that you would have when connecting to an SVM's mangement interface using vsadmin (or an equivalent)..."aggr show" doesn't work.  To be fair, that may work at the CLI by enabling permissions...I haven't tested.

You can still see which aggregates are assigned (including available capacity) to the SVM using the Get-NcVserver cmdlet:

(Get-NcVserver).VserverAggrInfoList

This changes if you connect to the cluster management interface using a user who has the necessary permissions.  You would then be able to enumerate aggregates and view/modify the properties which they have been entitled to, both at the CLI and using the PSTK.

Hope that helps.

Andrew

Thanks for the reply Andrew.  

I was connecting to the cluster management interface and not so any specific SVM. The error message itself seems to be

incorrect. 

If i connect using a user with the Admin role the command will work. But not with my minimally permissioned user. 

PS E:\> connect-nccontroller -name 10.20.32.214 -Credential admin.user
Name Address Vserver Version
---- ------- ------- -------
10.20.32.214 10.20.32.214 NetApp Release 8.3.1P2: Wed Dec 09 03:10:24 UTC 2015

PS E:\> get-ncaggr
Name State TotalSize Used Available Disks RaidType RaidSize Volumes
---- ----- --------- ---- --------- ----- -------- -------- -------
aggr0_filer01 online 1.4 TB 95% 69.4 GB 3 raid_dp, normal 16 1
**** Snip some more aggregates *****

PS E:\> connect-nccontroller -name 10.20.32.214 -Credential normal.user
Name Address Vserver Version
---- ------- ------- -------
10.20.32.214 10.20.32.214 NetApp Release 8.3.1P2: Wed Dec 09 03:10:24 UTC 2015

PS E:\> get-ncaggr
get-ncaggr :
==================================================================================
| This cmdlet must be directed to the cluster admin vserver. You are currently |
| connected to a data vserver. See the Toolkit web docs (Show-NcHelp) or online |
| help (Get-Help Connect-NcController -Examples) to learn more about directing |
| Toolkit cmdlets to a cluster or data vserver as required by Data ONTAP. |
==================================================================================

It seems to want some extra permissions. But i can't work out what they are.

The get-ncvserver command also fails with my minumal user with a permissions error as the current role assigned to the user has literally just the commands listed above. 

Thanks,

Richard

Does the user have ontapi permissions for the role you created?

security login modify -user-or-group-name normal.user -application ontapi -authmethod password -role Role1

Andrew

Hi Andrew,

The user does have the Ontapi application listed in its logon privs. 

Thanks,

Richard

OK. So i seem to have had this solved.... I recreated the permissions using the folllowing: 

PS C:\> $roles = get-ncrole -Role Role1

PS C:\> foreach ($role in $roles) {Remove-NcRole -Role Role1 -Vserver Cluster1 -CommandDirectory $role.CommandDirectoryName -Confirm:$false}

PS C:\> foreach ($role in $roles) {New-NcRole -Role Role1 -Vserver Cluster1 -CommandDirectory $role.CommandDirectoryName -AccessLevel readonly}

And it can now run get-ncaggr without errors.

The permissions assigned to my role are identical to as above but now it works.

I wonder if there is something specific, unexpected or odd about the order in which i created the permissions in the first place?