Can someone help me with what may at first appear to be a daft question?
I have written PowerShell scripts in the past to connect to a NetApp 7 mode filer (using the cmdlets in the NetApp PowerShell Toolkit)
This was straightforward enough, e.g.
$Connection1 = connect-NaController MyNetAppFiler
Now with cDOT (Cluster mode) I have just started to read about it; as far as I understand it you have:
- ClusterName
- SVM (storage vertical machine e.g. -vserver)
- Namespace (e.g. replaced /vol/)
- Filer pairs (Head/Storage e.g. the traditional two heads and their disc shelves as with 7 mode)
If I understand it I would now use Connect-NcController (rather than Na) and specify the 'Cluster Name' and optionally the -vserver I want to connect to
So for example Connect-NcController -Name MyCluster1 -vserver MySVM1
I understand (again my understanding may be all wrong) you need to make the initial connection to the 'Admin' connection on the Cluster, and from then on point your commands (if preference not already set with -vserver on the initial connection) to the vServer (storage virtual machine) you want the command to run against. In other words, you do not connect direct to a given filer name any more.
The trouble is when I try the above command I get 'invalid credentials' even though the NetApp guys tell me they have given rights to the SVM for the account I am using. Do they also need to give the account rights at the cluster level in order to authenticate to/work with an SVM owned by the cluster?
tl;dr: Run the command 'Connect-NcController <IP of vserver-management-lif>' instead of 'Connect-NcController <cluster-name or cluster-management-ip>'.
>> you do not connect direct to a given filer name any more.
In cluster-mode, you can connect directly to a filername if you want to perform certain cluster administration tasks - like creating a vserver. Most data-related tasks (any operation on volumes, for example) should be directed against a vserver.
In PowerShell Toolkit, if you run Get-NcCommand <command name>, you will see a 'Family' field in the output. If this field says "cluster", that means it must be directed to a filer, not to a vserver. If the family is "vserver", it can not be directed against a filer and must be directed against a vserver.
Now the connection semantics.
If you intend to run a command of family 'cluster', you must connect via Connect-NcController <cluster-name>. You may or may not have set a preferred vserver while connecting.
If you intend to run a command of family 'vserver', you must do one of three things
1. Connect as Connect-NcController <vserver-fqdn or ip>
2. Connect via Connect-NcController <cluster-name> -Vserver <vserver-name>
3. Connect via Connect-NcController <cluster-name> and specify your chosen vserver via VserverContext parameter of the cmdlet (the preferred vserver overrides this choice).
>> The trouble is when I try the above command I get 'invalid credentials' even though the NetApp guys tell me they have given rights to the SVM for the account I am using.
In cluster-mode there are two different user accounts - an SVM administrator and a cluster administrator. The cluster administrator can connect via Connect-NcController <cluster-name or ip> and optionally set a vserver preference via the -Vserver parameter. But the vserver administrator can connect only as Connect-NcController <vserver-fqdn or ip>.
I suspect your credentials are vserver credentials - that is, you have access rights to everything within your vserver, but you can not access any other vservers on the same cluster.
When you run Connect-NcController <cluster-name>, the credentials should be the cluster admin credentials. But you are supplying the vserver admin credentials. Hence the complaint of incorrect credentials.
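The connection rules from the answer above, as an added example that is not part of the original thread or of the Toolkit itself. The host names, the SVM name and the helper `Connect-ForCmdlet` are hypothetical placeholders, and the 'Family' field is assumed to contain "cluster" and/or "vserver" as the answer describes.

```powershell
# Added example. Host names, the SVM name and Connect-ForCmdlet are
# hypothetical placeholders, not values from the thread.
Import-Module DataONTAP

$ClusterMgmt = 'cluster1.example.com'   # cluster management LIF (placeholder)
$SvmMgmt     = 'svm1.example.com'       # vserver management LIF (placeholder)
$SvmName     = 'svm1'                   # vserver name (placeholder)

function Connect-ForCmdlet {
    param(
        [Parameter(Mandatory)] [string] $CmdletName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        # Which kind of account $Credential is: cluster admin or SVM admin.
        [Parameter(Mandatory)] [ValidateSet('Cluster', 'Vserver')] [string] $AccountScope
    )

    # 'Family' is the field the answer refers to; assumed to contain
    # 'cluster' and/or 'vserver'.
    $family = [string](Get-NcCommand $CmdletName | Select-Object -First 1).Family
    $vserverFamily = $family -match 'vserver'

    if ($AccountScope -eq 'Vserver') {
        if (-not $vserverFamily) {
            throw "$CmdletName is family '$family': it needs a cluster admin account."
        }
        # SVM admins authenticate only at the vserver management LIF.
        # -HTTPS keeps the credentials off plain HTTP.
        return Connect-NcController $SvmMgmt -Credential $Credential -HTTPS
    }

    if ($vserverFamily) {
        # Cluster admin, vserver-family command: set the preferred vserver.
        return Connect-NcController $ClusterMgmt -Vserver $SvmName -Credential $Credential -HTTPS
    }
    # Cluster admin, cluster-family command.
    return Connect-NcController $ClusterMgmt -Credential $Credential -HTTPS
}

# Pass the credential explicitly rather than relying on the Windows session.
$cred = Get-Credential
Connect-ForCmdlet -CmdletName 'Get-NcVol' -Credential $cred -AccountScope Vserver
Get-NcVol
```

Using an SVM-scoped account against the vserver management LIF keeps a script's reach limited to that one vserver; passing a vserver account with `-AccountScope Cluster` would reproduce the 'invalid credentials' error from the question.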
AD permissions and access rights are well outside my area of expertise. It is perhaps better to ask this as a separate question.
But to the best of my knowledge,
>> Do I also need certain rights applied at the cluster level in order to authenticate (login, do stuff) at the vServer level
No. Vserver access rights and cluster access rights are completely separate. You need cluster access rights to authenticate at the cluster level (i.e. to cluster or node management ip addresses) and vserver access rights to authenticate at the SVM level (i.e. to the vserver management ip).
If you have only cluster access rights, you can not authenticate at the vserver level. Though you can still authenticate at the cluster level and direct commands to a specific vserver.
>> Does MyADUser need to be granted rights elsewhere too? if so what rights?
It appears that your ADUser has only http access rights at the cluster level, and only ontapi access rights at the SVM level. As far as I know, for PowerShell Toolkit to connect, ontapi access right and at least one of ssh or http access rights has to be present. So adding ontapi access right at the cluster level may be worth a shot.
>> in both cases I am prompted for the credentials (although I am already logged in with the relevant credentials)
DataONTAP PowerShell Toolkit does not automatically take credentials from the Windows/PowerShell session. You can add credentials to the Toolkit cache using Add-NcCredential, or create Credential objects and pass them through the -Credential parameter of Connect-NcController.
Hello Aparajita, and thank you very much for the reply.
I asked for http access at the SVM level for MyADUser (as from what I can see the PowerShell toolkit cmdlets will first try to connect over https and then fall back to http if not possible). Therefore I will have another word with the NetApp guys and ask him to check/grant access at the SVM level via http (as not a product cluster at the moment).
I think the problem is that HTTP and SSH are turned off for this user - login show displays permissions only for Application ontapi. Can you enable these two applications for the user and then try again?
Sorry to resurrect this old post Aparajita, but the highlighted response is a great answer so I am hoping you can help with this related question.
Can I create a cluster admin with read-only credentials, but with Vserver Admin credentials and then login via the cluster management IP with the vserver defined and manage the vserver via this route with powershell scripts?
Can you also please clarify what access rights are required for powershell access - SSH, Ontapi? do we need http as well?
FYI I am trying to avoid having to route multiple management IPs via our management zone firewall, so having a route to manage only one SVM via the main cluster management IP would be really useful.