Astra Trident user access permissions - limitAggregateUsage option

pedro_rocha

Hello all,

I was trying to use the limitAggregateUsage option to restrict aggregate usage by Trident. Initially, Trident was using a non-admin user account, and the option was giving me an error.

So digging in the docs I found this:

"If you use the limitAggregateUsage parameter, cluster admin permissions are required. When using Amazon FSx for NetApp ONTAP with Astra Trident, the limitAggregateUsage parameter will not work with the vsadmin and fsxadmin user accounts. The configuration operation will fail if you specify this parameter.

While it is possible to create a more restrictive role within ONTAP that a Trident driver can use, we don’t recommend it. Most new releases of Trident will call additional APIs that would have to be accounted for, making upgrades difficult and error-prone."

What do you guys think of it? The customer was a little concerned about giving an admin account to their Kubernetes cluster admin. Has anyone had this concern or used this option (limitAggregateUsage)?

Regards,

Pedro Rocha

Ontapforrum

I see your (valid) point. I also read the documentation and it says exactly what you mentioned. I think the reason could be because of the fact that 'vsadmin' (pre-defined SVM admin roles) are basically limited to 'volume' only; they have no control over 'aggr'. Only 'Cluster Admin' can deal with 'aggr'-related attributes, or a custom account with a more restrictive role. Interestingly, it discourages using it, and this may be due to the fact that maybe there is no clear visibility of what (additional) API requests are made to the storage, which means it can be a very laborious task to keep adding the -api* to the custom role until the error is gone.
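
A preflight check for the constraint quoted in the thread, as an added example that is not part of the original posts or NetApp's own code: it flags Trident backend definitions that set limitAggregateUsage together with the vsadmin or fsxadmin account before the configuration is applied. The function names, the sample backends and the `trident-svc` account are assumptions made for illustration.

```python
import json

# Accounts the quoted documentation says do not work with limitAggregateUsage.
UNSUPPORTED_ACCOUNTS = {"vsadmin", "fsxadmin"}

def check_backend(config):
    """Return a list of findings for one Trident ONTAP backend definition."""
    limit = config.get("limitAggregateUsage")
    if limit in (None, ""):
        return []  # option not used, nothing to check
    name = config.get("backendName", "<unnamed>")
    user = config.get("username")
    if user is None:
        # Credentials may come from a Kubernetes Secret or a client certificate,
        # so the account cannot be judged from this file alone.
        return [f"UNKNOWN {name}: limitAggregateUsage={limit} but no username "
                "in the file; confirm the account has cluster admin permissions"]
    if user.strip().lower() in UNSUPPORTED_ACCOUNTS:
        return [f"FAIL {name}: limitAggregateUsage={limit} with account "
                f"'{user}'; the backend configuration operation will fail"]
    return [f"REVIEW {name}: limitAggregateUsage={limit} with account "
            f"'{user}'; this account needs cluster admin permissions"]

# Constructed sample backends (addresses, names and accounts are placeholders).
SAMPLE_BACKENDS = json.loads("""
[
  {"version": 1, "storageDriverName": "ontap-nas", "backendName": "nas-svm",
   "managementLIF": "192.0.2.10", "svm": "svm1",
   "username": "vsadmin", "limitAggregateUsage": "80%"},
  {"version": 1, "storageDriverName": "ontap-nas", "backendName": "nas-cluster",
   "managementLIF": "192.0.2.11", "svm": "svm1",
   "username": "trident-svc", "limitAggregateUsage": "80%"},
  {"version": 1, "storageDriverName": "ontap-nas", "backendName": "nas-nolimit",
   "managementLIF": "192.0.2.12", "svm": "svm1", "username": "vsadmin"},
  {"version": 1, "storageDriverName": "ontap-nas", "backendName": "nas-secret",
   "managementLIF": "192.0.2.13", "svm": "svm1", "limitAggregateUsage": "75%"}
]
""")

def check_all(backends):
    """Collect findings across every backend definition in the list."""
    return [finding for b in backends for finding in check_backend(b)]

if __name__ == "__main__":
    for line in check_all(SAMPLE_BACKENDS):
        print(line)
```

A REVIEW finding is the case the thread is concerned about: a backend that will hold a cluster-admin credential inside the Kubernetes cluster and so deserves an explicit sign-off.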
