Microsoft Virtualization Discussions
Hello All
Can someone help me with what may at first appear to be a daft question
I have written PowerShell scripts in the past to connect to a NetApp 7 mode filer (using the cmdlets in the NetApp PowerShell Toolkit)
This was straight forward enough e.g.
$Connection1 = connect-NaController MyNetAppFiler
Now with cDOT (Cluster mode) I have just started to read about it, as far as I understand it you have
ClusterName
SVM (storage virtual machine e.g. -vserver)
Namespace (e.g. replaced /vol/)
Filer pairs (Head/Storage e.g. the traditional two heads and their disk shelves as with 7-mode)
If I understand it I would now use Connect-NcController (rather than Na) and specify the 'Cluster Name' and optionally the -vserver I want to connect to
So for example Connect-NcController -Name MyCluster1 -vserver MySVM1
I understand (again my understanding may be all wrong) you need to make the initial connection to the 'Admin' connection on the Cluster, and from then on point your commands (if a preference was not already set with -vserver on the initial connection) to the vServer (storage virtual machine) you want the command to run against. In other words you do not connect directly to a given filer name any more.
The trouble is when I try the above command I get 'invalid credentials' even though the NetApp guys tell me they have given rights to the SVM for the account I am using. Do they also need to give the account rights at the cluster level in order to authenticate to/work with a SVM owned by the cluster?
Any advice most welcome
EB
tl; dr: Run the command 'Connect-NcController <IP of vserver-management-lif>' instead of 'Connect-NcController <cluster-name or cluster-management-ip>'.
>> you do not connect direct to a given filer name any more.
In cluster-mode, you can connect directly to a filername if you want to perform certain cluster administration tasks - like creating a vserver. For most data-related tasks (any operation on volumes for example), commands should be directed against a vserver.
In PowerShell Toolkit, if you run Get-NcCommand <command name>, you will see a 'Family' field in the output. If this field says "cluster", that means it must be directed to a filer, not to a vserver. If the family is "vserver", it can not be directed against a filer and must be directed against a vserver.
Now the connection semantics.
If you intend to run a command of family 'cluster', you must connect via Connect-NcController <cluster-name>. You may or may not have set a preferred vserver while connecting.
If you intend to run a command of family 'vserver', you must do one of three things:
1. Connect as Connect-NcController <vserver-fqdn or ip>
2. Connect via Connect-NcController <cluster-name> -Vserver <vserver-name>
3. Connect via Connect-NcController <cluster-name> and specify your chosen vserver via VserverContext parameter of the cmdlet (the preferred vserver over-rides this choice).
>> The trouble is when I try the above command I get 'invalid credentials' even though the NetApp guys tell me they have given rights to the SVM for the account I am using.
In cluster-mode there are two different user accounts - an SVM administrator and a cluster administrator. The cluster administrator can connect via Connect-NcController <cluster-name or ip> and optionally set a vserver preference via the -Vserver parameter. But the vserver administrator can connect only as Connect-NcController <vserver-fqdn or ip>.
I suspect your credentials are vserver credentials - that is, you have access rights to everything within your vserver, but you can not access any other vservers on the same cluster.
When you run Connect-NcController <cluster-name>, the credentials should be the cluster admin credentials. But you are supplying the vserver admin credentials. Hence the complaint of incorrect credentials.
Hope this helps!
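The three connection routes listed in this answer, written out as an added PowerShell example (it is not code from the thread or from NetApp). It assumes the DataONTAP module from the NetApp PowerShell Toolkit is installed; the cluster name, SVM name, SVM management LIF and the two accounts are placeholders.

```powershell
# Added example (not from the original thread): the three ways the answer lists
# to reach a vserver-family cmdlet, plus the Family check via Get-NcCommand.
# Assumes the NetApp PowerShell Toolkit (DataONTAP module) is installed.
# Cluster/SVM names and accounts are placeholders, not real systems.
Import-Module DataONTAP

$cluster = 'MyCluster1'      # cluster management hostname or IP (placeholder)
$svm     = 'MySVM1'          # SVM (vserver) name (placeholder)
$svmLif  = 'mysvm1-mgmt'     # SVM management LIF hostname or IP (placeholder)

# The toolkit never reuses the Windows logon; prompt once per scope and reuse.
$clusterCred = Get-Credential -Message "Cluster admin for $cluster"
$svmCred     = Get-Credential -Message "SVM admin for $svm"

# Check which scope a cmdlet belongs to before choosing a connection.
# Family 'cluster' must go to the cluster; family 'vserver' must be pointed at an SVM.
$family = (Get-NcCommand Get-NcVol).Family
Write-Host "Get-NcVol family: $family"

# Option 1: connect straight to the SVM management LIF with the SVM admin account.
# This is the only route that works for a vserver-scoped (vsadmin) account.
$c1 = Connect-NcController -Name $svmLif -Credential $svmCred -HTTPS
Get-NcVol -Controller $c1 | Select-Object Name, State, TotalSize

# Option 2: connect to the cluster as cluster admin with a preferred vserver.
$c2 = Connect-NcController -Name $cluster -Credential $clusterCred -Vserver $svm -HTTPS
Get-NcVol -Controller $c2 | Select-Object Name, State, TotalSize

# Option 3: connect to the cluster as cluster admin and pick the SVM per call.
# If a preferred vserver was set at connect time it overrides -VserverContext.
$c3 = Connect-NcController -Name $cluster -Credential $clusterCred -HTTPS
Get-NcVol -Controller $c3 -VserverContext $svm | Select-Object Name, State, TotalSize
```

Option 1 is the least-privilege route: the account used there cannot see other SVMs on the same cluster, whereas options 2 and 3 require a cluster-scoped login that can.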
Hello Aparajita
Thanks for the reply that is very helpful indeed and clarifies several points. The information around the family property of the cmdlets is also very helpful.
Thanks
EB
Hello
I wonder if you can help me a little further with this post.
Below is a list of rights granted to the Active Directory user MyADUser in the AD Domain MyADDOMAIN (changed names for security reasons). The cluster name is Mycluster02 and the vServer is Myvs01
Mycluster02::> security login show -user MyADDOmain\MyADUser
Vserver: Mycluster02
Authentication Acct
UserName Application Method Role Name Locked
---------------- ----------- -------------- ---------------- ------
MyADComain\MyADUser http domain admin -
Vserver: Myvs01
Authentication Acct
UserName Application Method Role Name Locked
---------------- ----------- -------------- ---------------- ------
MyADDomain\MyADUser ontapi domain vsadmin -
3 entries were displayed.
Therefore I open a PowerShell prompt under the credentials of MyADDOMAIN\MyADUser
Then I import the PowerShell Toolkit module version 3.2.0
Then I issue the following command to try a connection direct to the vServer (SVM)
Connect-NcController Myvs01
I also try
Connect-NcController -Name Mycluster02 -vserver Myvs01
in both cases I am prompted for the credentials (although I am already logged in with the relevant credentials) so I provide them again, but receive the following error in both cases
Connect-NcController : Incorrect credentials for whyvs01.
At line:1 char:1
+ Connect-NcController whyvs01
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidResult: (whyvs01:NcController) [Connect-NcController], NaAuthException
+ FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.C.PowerShell.SDK.ConnectNcController
Do I also need certain rights applied at the cluster level in order to authenticate (login, do stuff) at the vServer level (e.g. the storage virtual machine the cluster is hosting)
Does MyADUser need to be granted rights elsewhere too? If so, what rights?
any advice most welcome
Thanks
EB
Hi Ernest,
AD permissions and access rights are well outside my area of expertise. It is perhaps better to ask this as a separate question.
But to the best of my knowledge,
>> Do I also need certain rights applied at the cluster level in order to authenticate (login, do stuff) at the vServer level
No. Vserver access rights and cluster access rights are completely separate. You need cluster access rights to authenticate at the cluster level (i.e. to cluster or node management ip addresses) and vserver access rights to authenticate at the SVM level (i.e. to the vserver management ip).
If you have only cluster access rights, you can not authenticate at the vserver level. Though you can still authenticate at the cluster level and direct commands to a specific vserver.
>> Does MyADUser need to be granted rights elsewhere too? is so what rights?
It appears that your ADUser has only http access rights at the cluster level, and only ontapi access rights at the SVM level. As far as I know, for PowerShell Toolkit to connect, ontapi access right and at least one of ssh or http access rights has to be present. So adding ontapi access right at the cluster level may be worth a shot.
>> in both cases I am prompted for the credentials (although I am already logged in with the relevent credentials
DataONTAP PowerShell Toolkit does not automatically take credentials from the Windows/PowerShell session. You can add credentials to the Toolkit cache using Add-NcCredential, or create Credential objects and pass them through the -Credential parameter of Connect-NcController.
Hope this helps a little,
Aparajita
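An added PowerShell example (not from the thread or from NetApp) of the two credential mechanisms this answer names, Add-NcCredential and the -Credential parameter, together with a connect wrapper that separates an authentication failure ("Incorrect credentials", the error quoted above) from an authorization failure. Hostnames are placeholders; the Get-NcCredential/Remove-NcCredential cmdlets and the message-text matching are assumptions, not something the answer states.

```powershell
# Added example (not from the original thread): cache credentials for the
# toolkit and tell an authentication failure apart from an authorization
# failure. Hostnames are placeholders. Get-NcCredential/Remove-NcCredential
# and the exception-text matching are assumptions made for this example.
Import-Module DataONTAP

$svmLif  = 'myvs01-mgmt'    # SVM management LIF (placeholder)
$cluster = 'mycluster02'    # cluster management address (placeholder)

# The toolkit does not reuse the Windows logon token, so a PSCredential must
# be supplied. Cache it once per controller name; later Connect-NcController
# calls to that name pick it up without a prompt.
$svmCred = Get-Credential -Message "SVM admin for $svmLif"
Add-NcCredential -Controller $svmLif -Credential $svmCred

# Review what is cached (entries can be dropped again with Remove-NcCredential).
Get-NcCredential | Format-Table Name, Credential -AutoSize

function Test-NcLogin {
    param([string]$Target, [pscredential]$Credential)
    # Build the parameter set so the cached credential is used when none is passed.
    $params = @{ Name = $Target; HTTPS = $true; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }
    try {
        $ctl = Connect-NcController @params
        Write-Host "Connected to $($ctl.Name) running $($ctl.Version)"
        return $ctl
    } catch {
        $msg = $_.Exception.Message
        if ($msg -match 'Incorrect credentials') {
            # Authentication: the login entry does not exist at this scope (for
            # example a vsadmin account tried against the cluster LIF) or the
            # password is wrong.
            Write-Warning "Authentication failed for $Target - check which scope (cluster or SVM) owns the login entry"
        } elseif ($msg -match 'Insufficient privileges') {
            # Authorization: the login worked but the role cannot read what the
            # toolkit queries when it opens the session.
            Write-Warning "Authorization failed for $Target - review the role's command directories"
        } else {
            Write-Warning "Connection to $Target failed: $msg"
        }
        return $null
    }
}

Test-NcLogin -Target $svmLif                         # uses the cached credential
Test-NcLogin -Target $cluster -Credential $svmCred   # expected to fail: SVM-scoped login at cluster scope
```

Keeping the two failure modes apart matters when reading audit output: an authentication failure means the account is not defined for that management LIF at all, while an authorization failure means the account exists but its role is too narrow.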
Hello Aparajita, and thank very much for the reply
I asked for http access at the SVM level for MyADUser (as from what I can see the PowerShell toolkit cmdlets will first try to connect over https and then fall back to http if not possible). Therefore I will have another word with the NetApp guys and ask them to check/grant access at the SVM level via http (as not a production cluster at the moment)
Thank you
EB
Hi All, I'm looking at the same procedure. I want to be able to lock specific PowerShell users down to vserver access and volume commands only....
This is the user role called "volumeresize" privileges:
XXxcluster::> login role show -vserver xxx01 -role volumeresize
(security login role show)
Role Command/ Access
Vserver Name Directory Query Level
---------- ------------- --------- ----------------------------------- --------
xxx01 volumeresize volume readonly
xxx01 volumeresize volume create all
xxx01 volumeresize volume modify all
xxx01 volumeresize volume show all
xxx01 volumeresize vserver readonly
5 entries were displayed.
This is the users config:
XXXcluster::> login show -vserver xxx01 -username Domain\martin
(security login show)
Vserver: xxx01
Authentication Acct
UserName Application Method Role Name Locked
---------------- ----------- -------------- ---------------- ------
Domain\martin ontapi domain volumeresize -
This is the code I'm using to connect:
$credentials=Get-Credential
Connect-NcController xxx01 -Credential $credentials
I get this error:
S C:\Users\lv26406> H:\Temp\testlogin.ps1
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Connect-NcController : Insufficient privileges: user 'Domain\xxx.martin' does not have read access to this resource
At H:\Temp\testlogin.ps1:4 char:1
+ Connect-NcController xxx01 -Credential $credentials
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidResult: (xxx01:NcController) [Connect-NcController], EAPIPRIVILEGE
+ FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.C.PowerShell.SDK.ConnectNcController
What vserver privileges are needed to login to the vserver? I can't see a vserver read privilege?
Hi Martin,
I think the problem is that HTTP and SSH are turned off for this user - login show displays permissions only for Application ontapi. Can you enable these two applications for the user and then try again?
Hope this helps,
Aparajita
If you want to connect specifically to a vserver using powershell, the role associated with the username has to include the command version set to at least readonly otherwise the connection fails.
The clue is when you get a successful connection in that basic version information is returned in the powershell terminal for the controller.
I noticed that version command is missing in your list and hence the failure, give it a try and see if it fixes your connection problem.
Hope that helps.
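An added PowerShell example (not from the thread or from NetApp) that audits a restricted SVM role for the read-only 'version' entry this answer says the toolkit needs at connect time, adds it when missing, and then re-tests the SVM-scoped login. It runs as cluster admin; the Get-NcRole and New-NcRole cmdlets and their -Role, -CommandDirectory, -AccessLevel and -VserverContext parameters are assumed from the DataONTAP module and worth confirming with Get-Help. The cluster, SVM and role names mirror the post's placeholders.

```powershell
# Added example (not from the original thread): audit a custom SVM role for
# the 'version' command directory that the toolkit needs when opening a
# session, add it read-only if missing, then re-test the SVM login.
# Get-NcRole/New-NcRole parameter names are assumed; check Get-Help first.
Import-Module DataONTAP

$cluster = 'XXXcluster'     # placeholder cluster management hostname
$svm     = 'xxx01'          # placeholder SVM (from the post)
$role    = 'volumeresize'   # restricted role (from the post)

$cred = Get-Credential -Message "Cluster admin for $cluster"
$ctl  = Connect-NcController -Name $cluster -Credential $cred -HTTPS

# Least-privilege baseline: the volume entries the role already carries, plus
# the read-only entries the toolkit touches when it opens a session.
$required = @(
    @{ Dir = 'version'; Access = 'readonly' },
    @{ Dir = 'vserver'; Access = 'readonly' }
)

$existing = Get-NcRole -Role $role -VserverContext $svm -Controller $ctl
$existing | Format-Table RoleName, CommandDirectoryName, AccessLevel -AutoSize

foreach ($r in $required) {
    $hit = $existing | Where-Object { $_.CommandDirectoryName -eq $r.Dir }
    if (-not $hit) {
        Write-Host "Role $role on $svm lacks '$($r.Dir)'; adding $($r.Access) access"
        New-NcRole -Role $role -CommandDirectory $r.Dir -AccessLevel $r.Access `
                   -VserverContext $svm -Controller $ctl | Out-Null
    } else {
        Write-Host "Role $role already grants $($hit.AccessLevel) on '$($r.Dir)'"
    }
}

# Verify the SVM-scoped account can now open a session (it should get the
# version banner back), using a second, separate credential.
$svmCred = Get-Credential -Message "SVM user for $svm"
$svmCtl  = Connect-NcController -Name $svm -Credential $svmCred -HTTPS
$svmCtl | Select-Object Name, Version
```

Only 'version' is added read-only; the role's existing volume entries are left untouched, so the user still cannot run anything outside the volume and vserver directories.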
Bingo!
added command 'version' as read only to my role, and I could magically log in 🙂
sorry to resurrect this old post Aparajita, but the highlighted response is a great answer so I am hoping you can help with this related question
Can I create a cluster admin with read-only credentials, but with Vserver Admin credentials and then login via the cluster management IP with the vserver defined and manage the vserver via this route with powershell scripts?
Can you also please clarify what access rights are required for powershell access - SSH, Ontapi? do we need http as well?
FYI I am trying to avoid having to route multiple management IPs via our management zone firewall so having a route to manage only one SVM via the main cluster Management IP would be really useful
thanks