Solved: CDOT 8.3 Create Role to limit a user to only Shutdown nodes in a Cluster

DREdwards · ‎2016-12-04

I am trying to create a role that will limit a user to login via ssh and only halt the nodes in the Cluster, using the -inhibit-takeover true and -skip-lif-migration-before-shutdown true options.

The user will connect to the first node and run:

cluster1::> system node halt -node Cluster-01 -inhibit-takeover true -skip-lif-migration-before-shutdown true

Connect second controller and run:

cluster1::> system node halt -node Cluster-02 -inhibit-takeover true -skip-lif-migration-before-shutdown true

I have created a role named rHaltUser with the following permissions:

cluster1::> security login role create -role rHaltUser -access admin -cmddirname "system node halt"

Also created a user named haltuser and assigned the rHaltUser role..

cluster1::> security login create -vserver cluster1 -user-or-group-name haltuser -application ontapi -authmethod password -role rHaltUser

cluster1::> security login create -vserver cluster1 -user-or-group-name haltuser -application ssh -authmethod password -role rHaltUser

I am able to halt the nodes, but not invoke the -inhibit-takeover true and -skip-lif-migration-before-shutdown true options.

do I need to add addtional -cmddirname permissions?

Any suggestions welcomed. Thanks

AlexDawson · ‎2016-12-04

Page 127 of https://library.netapp.com/ecm/ecm_download_file/ECMLP2348035

Your command:

security login role create -role rHaltUser -access admin -cmddirname "system node halt"

I believe it should be:

security login role create -role rHaltUser -access all -cmddirname "system node halt"

Let me know how it goes!

View solution in original post

AlexDawson · ‎2016-12-04

Page 127 of https://library.netapp.com/ecm/ecm_download_file/ECMLP2348035

Your command:

security login role create -role rHaltUser -access admin -cmddirname "system node halt"

I believe it should be:

security login role create -role rHaltUser -access all -cmddirname "system node halt"

Let me know how it goes!

DREdwards · ‎2016-12-09

Thanks. That works. Much appreciated.

DREdwards · ‎2016-12-09

Do you know which ontapi -cmddirname that will allow the user to perform the below command during the system node halt:

-skip-lif-migration-before-shutdown true

It seems that the haltuser can only shut down the node that does not hold epsilon.

AlexDawson · ‎2016-12-10

Can you execute "set -confirmations off" in the same command session before issuing the shutdown command? That should fix that. Alternatively, adding "-ignore-quorum-warnings true" to the halt command might do it

DREdwards · ‎2016-12-12

I received the following error message 'not authorized for that command' when halting the second node using a custom account.

I found an article (917335) that states: If you run the 'system node halt' command on the local node by using a user name with a role that has 'DEFAULT' and the access level is 'none', the command fails with the following error message:
Error: not authorized for that command

Workaround: To prevent the 'system node halt' command from failing, perform one of the following steps:
- Run the command by using a user name with a role that has 'DEFAULT' and the access level is 'all'.
- Run the command from a node other than the one you are attempting to halt.

When you create a custome role, "DEFAULT" is also created for that role with an access level of "none".

I modifued "DEFAULT for that role to an access level of "all" and was able to halt both nodes without error.

Thanks again...

DREdwards · ‎2016-12-20

There are several issues with this workaround:

If you give ‘DEFAULT’ the access level of ‘all’, then you grant that custom (haltuser) account full access to execute all commands on the storage system.
Once you have already halted one node, you cannot run the command from another node if you only have a two-node cluster.

According to the BUG details, this problem was fixed in Data ONTAP 9.