Microsoft Virtualization Discussions

How do I connect to a Cluster Mode filer using Connect-NcController

ernest_brant
27,244 Views

Hello All

 

Can someone help me with what my first appear to be a daft question

 
I have written PowerShell scripts in the past to connect to a NetApp 7 mode filer (using the cmdlets in the NetApp PowerShell Toolkit)
 
This was straight forward enough e.g.
 
$Connection1 = connect-NaController  MyNetAppFiler
 
Now with cDOT (Cluster mod) I have just started to read about it, as far as I understand it you have
 
ClusterName
SVM (storage vertical machine e.g. -vserver)
Namespace (e.g. replaced /vol/)
Filer pairs (Head/Storage e.g. the traditional two heads/and their disc shelf's  as ith 7 mode)
 
 If I understand it I would now use Connect-NcController (rather than Na) and specify the 'Cluster Name' and optionally the -vserver I want to connect to
 
So for example Connect-NcController -Name MyCluster1 -vserver MySVM1
 
I understand (again my understanding my be all wrong) you need to make the initial connection to the 'Admin' connection on the Cluster, and from then on point your commends (if preference not already set with -vserver on the initial connection)  to the vServer (storage virtual machine) you want the command to run against. in other words you do not connect direct to a given filer name any more.
 
The trouble is when I try the above command  I get 'invalid credentials' even though the NetApp guys tell me they have given rights to the SVM for the account I am using. Do they also need to give the account rights a the cluster level in order to authenticate to/work with a SVM owned by the cluster?
 
Any advise most welcome

 

EB

1 ACCEPTED SOLUTION

Aparajita
27,238 Views

tl; dr: Run the command 'Connect-NcController <IP of vserver-management-lif>' instead of 'Connect-NcController <cluster-name or cluster-management-ip>'.

 

>> you do not connect direct to a given filer name any more.

 

In cluster-mode, you can connect directly to a filername if you want to perform certain cluster administration tasks - like creating a vserver. For most data-related tasks (any operation on volumes for example), should be directed against a vserver.

    In PowerShell Toolkit, if you run Get-NcCommand <command name>, you will see a 'Family' field in the output. If this field says "cluster", that means it must be directed to a filer, not to a vserver. If the family is "vserver", it can not be directed against a filer and must be directed against a vserver.

 

Now the connection semantics.

If you intend to run a command of family 'cluster', you must connect via Connect-NcController <cluster-name>. You may or may not have set a preferred vserver while connecting.

If you intend to run a command of family 'vserver', you must do one of three things

    1. Connect as Connect-NcController <vserver-fqdn or ip>

    2. Connect via Connect-NcController <cluster-name> -Vserver <vserver-name>

    3. Connect via Connect-NcController <cluster-name> and specify your chosen vserver via VserverContext parameter of the cmdlet (the preferred vserver over-rides this choice).

 

>> The trouble is when I try the above command  I get 'invalid credentials' even though the NetApp guys tell me they have given rights to the SVM for the account I am using.

 

In cluster-mode there are two different user accounts - an SVM administrator and a cluster administrator. The cluster administrator can connect via Connect-NcController <cluster-name or ip> and optionally set a vserver preference via the -Vserver parameter. But the vserver administrator can connect only as Connect-NcController <vserver-fqdn or ip>.

    I suspect  your credentials are vserver credentials - that is, you have access rights to everything within your vserver, but you can not access any other vservers on the same cluster.

 

When you run Connect-NcController <cluster-name>, the credentials should be the cluster admin credentials. But you are supplying the vserver admin credentials. Hence the complaint of incorrect credentials.

 

Hope this helps!

 

View solution in original post

10 REPLIES 10

Aparajita
27,239 Views

tl; dr: Run the command 'Connect-NcController <IP of vserver-management-lif>' instead of 'Connect-NcController <cluster-name or cluster-management-ip>'.

 

>> you do not connect direct to a given filer name any more.

 

In cluster-mode, you can connect directly to a filername if you want to perform certain cluster administration tasks - like creating a vserver. For most data-related tasks (any operation on volumes for example), should be directed against a vserver.

    In PowerShell Toolkit, if you run Get-NcCommand <command name>, you will see a 'Family' field in the output. If this field says "cluster", that means it must be directed to a filer, not to a vserver. If the family is "vserver", it can not be directed against a filer and must be directed against a vserver.

 

Now the connection semantics.

If you intend to run a command of family 'cluster', you must connect via Connect-NcController <cluster-name>. You may or may not have set a preferred vserver while connecting.

If you intend to run a command of family 'vserver', you must do one of three things

    1. Connect as Connect-NcController <vserver-fqdn or ip>

    2. Connect via Connect-NcController <cluster-name> -Vserver <vserver-name>

    3. Connect via Connect-NcController <cluster-name> and specify your chosen vserver via VserverContext parameter of the cmdlet (the preferred vserver over-rides this choice).

 

>> The trouble is when I try the above command  I get 'invalid credentials' even though the NetApp guys tell me they have given rights to the SVM for the account I am using.

 

In cluster-mode there are two different user accounts - an SVM administrator and a cluster administrator. The cluster administrator can connect via Connect-NcController <cluster-name or ip> and optionally set a vserver preference via the -Vserver parameter. But the vserver administrator can connect only as Connect-NcController <vserver-fqdn or ip>.

    I suspect  your credentials are vserver credentials - that is, you have access rights to everything within your vserver, but you can not access any other vservers on the same cluster.

 

When you run Connect-NcController <cluster-name>, the credentials should be the cluster admin credentials. But you are supplying the vserver admin credentials. Hence the complaint of incorrect credentials.

 

Hope this helps!

 

ernest_brant
27,149 Views

Hello Aparajita

 

Thanks for the reply that is very helpful indeed and claifies several points. The information around the family property of the cmdlets is also very helpful.

 

Thanks

EB

ernest_brant
27,128 Views

Hello

 

I wounder if you can help me a little further with this post.

 

Below is a list of rights granted to the Active Directory user  MyADUser in the AD Domain MyADDOMAIN (changed nanmes for security reasons). The cluster name is Mycluster02 and the vServer is Myvs01

 

Mycluster02::> security login show -user MyADDOmain\MyADUser

Vserver: Mycluster02
                                                    Authentication                                Acct
UserName         Application              Method                  Role Name        Locked
---------------- ----------- -------------- ---------------- ------
MyADComain\MyADUser  http                     domain                  admin            -

Vserver: Myvs01
                                                     Authentication                                Acct
UserName         Application              Method                 Role Name                 Locked
---------------- ----------- -------------- ---------------- ------
MyADDomain\MyADUser  ontapi      domain                   vsadmin          -
3 entries were displayed.

 

Therefore I open a PowerShell prompt under the credentials of MyADDOMAIN\MyADUser

Then I import the PowerShell Toolkit mode version 3.2.0

 

Then I issue the following command to try a connection direct to the vServer (SVM)

 

Connect-NcController Myvs01

 

I also try

 

Connect-NcController -Name Mycluster02 -vserver Myvs01 

 

in both cases I am prompted for the credentials (although I am already logged in with the relevent credentials) so I privide them again, but receive the following error in both cases

 

Connect-NcController : Incorrect credentials for whyvs01.
At line:1 char:1
+ Connect-NcController whyvs01
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (whyvs01:NcController) [Connect-NcController], NaAuthException
    + FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.C.PowerShell.SDK.ConnectNcController

 

Do I also need certain rights applied at the cluster level in order to authenticate (login, do stuff) at the vServer level (e.g. the storage virtual machine the cluster is hosting)

 

Does MyADUser need to be granted rights elsewhere too? is so what rights?

 

any advise most welcome

 

Thank

EB

Aparajita
27,110 Views

Hi Ernest,

 

AD permissions and access rights are well outside my area of expertise. It is perhaps better to ask this as a separate question.

 

But to the best of my knowledge,

 

>> Do I also need certain rights applied at the cluster level in order to authenticate (login, do stuff) at the vServer level

No. Vserver access rights and cluster access rights are completely separate. You need cluster access rights to authenticate at the cluster level (i.e. to cluster or node management ip addresses) and vserver access rights to authenticate at the SVM level (i.e. to the vserver management ip).

         If you have only cluster access rights, you can not authenticate at the vserver level. Though you can still authenticate at the cluster level and direct commands to a specific vserver.

 

>> Does MyADUser need to be granted rights elsewhere too? is so what rights?

It appears that your ADUser has only http access rights at the cluster level, and only ontapi access rights at the SVM level. As far as I know, for PowerShell Toolkit to connect, ontapi access right and at least one of ssh or http access rights has to be present. So adding ontapi access right at the cluster level may be worth a shot.

 

>> in both cases I am prompted for the credentials (although I am already logged in with the relevent credentials

DataONTAP PowerShell Toolkit does not automatically take credentials from the Windows/PowerShell session. You can add credentials to the Toolkit cache using Add-NcCredential, or create Credential objects and pass them through the -Credential parameter of Connect-NcController.

 

Hope this helps a little,

Aparajita

ernest_brant
27,107 Views

Hello Aparajita, and thank very much for the reply

 

I asked for http access at the SVM level for MyADUser (as from what I can see the PowerShell toolkit cmdlets will first try to connect over https and then fall back to http is not possible). Therefore I will have another word with the NetApp guys and ask hime to check/grant access at the SVM level via http (as not a product cluster at the moment)

 

Thank you

EB

MARTIN_NETAPP
25,950 Views
Spoiler
 

Hi All Im looking at the same procedure. I want to be able to lock specific powershell users down to vserver access and volume commands only....

 

 

This is the user role called "volumeresize" priviledges:

XXxcluster::> login role show -vserver xxx01 -role volumeresize
  (security login role show)
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
xxx01    volumeresize  volume                                        readonly
xxx01    volumeresize  volume create                                 all
xxx01    volumeresize  volume modify                                 all
xxx01    volumeresize  volume show                                   all
xxx01    volumeresize  vserver                                       readonly
5 entries were displayed.

 

This is the users config:

XXXcluster::> login  show -vserver xxx01  -username Domain\martin
  (security login show)

Vserver: xxx01
                             Authentication                  Acct
UserName         Application Method         Role Name        Locked
---------------- ----------- -------------- ---------------- ------
Domain\martin       ontapi domain            volumeresize     -

 

 

This is the code im using to connect:

 

$credentials=Get-Credential

Connect-NcController xxx01 -Credential $credentials

 

 

I get this error:

S C:\Users\lv26406> H:\Temp\testlogin.ps1

 

Spoiler

cmdlet Get-Credential at command pipeline position 1

Supply values for the following parameters:

Connect-NcController : Insufficient privileges: user 'Domain\xxx.martin' does not have read access to this resource

At H:\Temp\testlogin.ps1:4 char:1

+ Connect-NcController xxx01 -Credential $credentials

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidResult: (xxx01:NcController) [Connect-NcController], EAPIPRIVILEGE

+ FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.C.PowerShell.SDK.ConnectNcController

Spoiler
 

 

 

 

What vserver priviledges are needed to login to the vserver? I cant see a vserver read priviledge?

Aparajita
25,946 Views

Hi Martin,

 

I think the problem is that HTTP and SSH are turned off for this user - login show displays permissions only for Application ontapi. Can you enable these two applications for the user and then try again?

 

Hope this helps,

Aparajita

NADRS
25,922 Views

If you want to connect specifically to a vserver using powershell, the role associated with the username has to include the command version set to at least readonly otherwise the connection fails.

 

The clue is when you get a successful connection in that basic version information is returned in the powershell terminal for the controller.

 

I noticed that version command is missing in your list and hence the failure, give it a try and see if it fixes your connection problem.

 

Hope that helps.

 

OZWALKERZ
25,737 Views

Bingo!

 

added command 'version' as read only to my role, and I could magically log in 🙂

bobalon
12,919 Views

sorry to resurrect this old post Aparajita, but the highlighted response is a great answer so I am hoping you can help with this related question

 

Can I create a cluster admin with read-only credentials, but with Vserver Admin credentials and then login via the cluster management IP with the vserver defined and  manage the vserver via this route with powershell scripts?

 

Can you also please clarify what access rights are required for powershell access - SSH, Ontapi? do we need http as well?

 

FYI I am trying to avoidin having to route multiple management IPs via our management zoen firewall so having a route to manage only one SVM via the main cluster Management Ip would be really useful

 

thanks

 

Public