ONTAP Discussions

OnTAP Custom Role Not Working

TMADOCTHOMAS
15,582 Views

Hello,

I am trying to create a custom role to limit the rights of a domain-based service account we use exclusively to run PowerShell scripts. The role resides in the main cluster SVM and I've only given it rights to change the replication throttle setting as shown below. I assigned the role to the service account with the applications ssh and ontapi. When testing, it immediately generated this error: "Insufficient privileges: user '<username>' does not have read access to this resource".  Apparently I need to give at least read only access to a certain command to allow it to log on in the first place. Does anyone know what that would be?

 

Role Name: script
Command / Directory: vserver options
Access Level: all
Query: -option-name replication.throttle.outgoing.max_kbs

1 ACCEPTED SOLUTION

jcolonfzenpr
15,161 Views

I also tested it with:

security login role create -role script -cmddirname "DEFAULT" -access none -vserver cluster1

 

security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1

 

security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

 

but you have to change your scripts a little bit.

 

 

Jonathan Colón | Blog | Linkedin


25 REPLIES

paul_stejskal
13,732 Views

What is the security login show output? And did you set up a security login show?

TMADOCTHOMAS
13,728 Views

The service account has two entries, one for the ontapi application and one for the ssh application. Previously the role was set at admin, and I just changed the role to the new 'script' role with limited rights to see if it would work. I manually ran the script both before and after the change. While set to admin it worked fine of course, but when I switched it to the new role, it generated the error I mentioned. I think there's a command path I need to give read only access to but don't know what that would be.

paul_stejskal
13,717 Views

It's probably the security login role command. I think you've got the right idea; it's in the "options" output.

TMADOCTHOMAS
13,714 Views

That's a possibility. I guess it has to read the role to know what its rights are :). I'll try that and update the thread with the results.

jcolonfzenpr
13,712 Views

Defining custom roles:

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-adm-auth-rbac%2FGUID-910E18E9-B83C-41BF-8A68-C1806FEB6177.html

 

cluster1::> security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1

cluster1::> security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

cluster1::> security login create -user-or-group-name jocolon -application ssh -authentication-method password -role script -vserver cluster1

cluster1::> security login create -user-or-group-name jocolon -application console -authentication-method password -role script -vserver cluster1

 

I logged in as the jocolon user with the script role assigned:
cluster1::> vserver options -vserver cluster1 -option-name
encryption.data_at_rest_encryption.disable_by_default
replication.create_data_protection_rels.enable
replication.dst_snapshot_op_ems.enable
replication.feature1.enable
replication.ls_mirrors_on_data_volumes.enable
replication.mirror_initialize_priority
replication.mirror_update_priority
replication.reservation.dst.high_pri_xfer_pct
replication.reservation.dst.low_pri_xfer_pct
replication.reservation.src.high_pri_xfer_pct
replication.reservation.src.low_pri_xfer_pct
replication.restore_priority
replication.throttle.enable
replication.throttle.incoming.max_kbs
replication.throttle.outgoing.max_kbs
replication.throttle.outgoing.max_kbs_objstore
replication.vault_initialize_priority
replication.vault_update_priority
snmp.enable
volmove.throttle.enable

cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.outgoing.max_kbs -option-value 45

cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.outgoing.max_kbs

cluster1
replication.throttle.outgoing.max_kbs 45 -

cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.incoming.max_kbs -option-value 2

Error: command failed: not authorized for that command

cluster1::> ?
exit Quit the CLI session
history Show the history of commands for this CLI session
man Display the on-line manual pages
redo Execute a previous command
rows Show/Set the rows for this CLI session
top Go to the top-level directory
up Go up one directory
vserver> Manage Vservers

cluster1::>

 

Jonathan Colón | Blog | Linkedin

TMADOCTHOMAS
13,700 Views

@paul_stejskal unfortunately that command didn't do the trick. I may experiment with some other security login commands.

 

@jcolonfzenpr thank you for showing me your testing of my issue! Do you have a suggestion for how to get the desired results?

jcolonfzenpr
13,697 Views

Can you share the PowerShell script?

Jonathan Colón | Blog | Linkedin

TMADOCTHOMAS
13,654 Views

Yes, here it is:

 

# Import the OnTAP module and create the cluster connection variable
Clear-Host
Import-Module DataONTAP
$CLUSTER = Connect-NcController -Name <cluster_name>

# Throttle snapmirror transfers
Invoke-NaSsh -Name $CLUSTER -Command "options -option-name replication.throttle.outgoing.max_kbs 3125"

 

That's the one for throttling. The one for unthrottle is the same except "unlimited" at the end instead of 3125. This is used on multiple remote offices and works fine as long as the account has full admin rights. I'm trying to reduce the service account rights down to just the ones it needs to perform the task.

TMADOCTHOMAS
13,652 Views

It's getting hung up here:

 

$CLUSTER = Connect-NcController -Name albflnacl01p

 

Error says:

 

Connect-NcController : Insufficient privileges: user '<username>' does not have read access to this resource

 

Here is the role. As you can see I tried setting the command/directory to "security login" but that didn't work either.

----------------------------------------------------------------------------------

Vserver: <vserver>
Role Name: script
Command / Directory: DEFAULT
Access Level: none
Query:

 

Vserver: <vserver>
Role Name: script
Command / Directory: security login
Access Level: readonly
Query:

 

Vserver: <vserver>
Role Name: script
Command / Directory: vserver options
Access Level: all
Query: -option-name replication.throttle.outgoing.max_kbs
----------------------------------------------------------------------------------

 

Any ideas or suggestions?

jcolonfzenpr
13,646 Views

Can you add one extra role setting like this?

 

Vserver: <vserver>
Role Name: script
Command / Directory: vserver
Access Level: readonly
Query:

 

Jonathan Colón | Blog | Linkedin

TMADOCTHOMAS
12,083 Views

FYI I found the following which answers my question for 7-mode. Anyone know a cdot equivalent?

 

https://community.netapp.com/t5/Microsoft-Virtualization-Discussions/Determining-Ontap-privileges-needed-for-powershell-script/td-p/16210

 

@jcolonfzenpr I will try that and see if it works.

jcolonfzenpr
13,641 Views

I think this is not needed!

 

Vserver: <vserver>
Role Name: script
Command / Directory: security login
Access Level: readonly
Query:

Jonathan Colón | Blog | Linkedin

jcolonfzenpr
13,585 Views

I did the testing and it works by adding a role setting for DEFAULT as readonly.

 

Security role creation:

security login role create -role script -cmddirname "DEFAULT" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

 

Create and apply role to a user:

security login create -user-or-group-name jocolon -application ontapi -authentication-method password -role script -vserver cluster1
security login create -user-or-group-name jocolon -application ssh -authentication-method password -role script -vserver cluster1

 

Create the powershell credential object:

PS C:\Users\Administrator.DEMO> $cred = (Get-Credential)

 

Display powershell credential object:
PS C:\Users\Administrator.DEMO> $cred

UserName Password
-------- --------
jocolon System.Security.SecureString

 

I changed your script a little bit:
PS C:\Users\Administrator.DEMO> Invoke-NcSsh -Name cluster1 -Credential $cred -Command "vserver options -option-name replication.throttle.outgoing.max_kbs 3125"


NcController : cluster1
Value :

Last login time: 1/30/2021 15:24:50

1 entry was modified.

 

Display the modified option:

PS C:\Users\Administrator.DEMO> Invoke-NcSsh -Name cluster1 -Credential $cred -Command "vserver options -option-name replication.throttle.outgoing.max_kbs"


NcController : cluster1
Value :

Last login time: 1/30/2021 15:25:06


cluster1
replication.throttle.outgoing.max_kbs 3125 -

 

I learned something new today! Thanks

Jonathan Colón | Blog | Linkedin

TMADOCTHOMAS
13,403 Views

Thanks @jcolonfzenpr . It actually works with just the following two lines:

 

security login role create -role script -cmddirname "DEFAULT" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

 

Having said that, I don't want to give even read only rights to EVERYTHING. My goal is to give only the minimal rights required, which means read only rights just to the command or command directory required to be able to log in.
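
Added example, not part of any post in this thread: a PowerShell check that parses role rules in the field layout posted above and flags entries broader than the stated goal, such as a DEFAULT rule above none or an all rule without a query. The sample text is constructed, and ConvertFrom-RoleText and Test-RoleLeastPrivilege are hypothetical helper names, not NetApp PowerShell Toolkit cmdlets.

```powershell
# Constructed sample: the two-rule 'script' role from this thread (not real cluster output).
$sample = @'
Vserver: cluster1
Role Name: script
Command / Directory: DEFAULT
Access Level: readonly
Query:

Vserver: cluster1
Role Name: script
Command / Directory: vserver options
Access Level: all
Query: -option-name replication.throttle.outgoing.max_kbs
'@

# Hypothetical helper: turn "Field: value" lines into one object per rule.
function ConvertFrom-RoleText {
    param([string]$Text)
    $rules = @()
    $rule  = $null
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $field, $value = $Matches[1], $Matches[2].Trim()
            if ($field -eq 'Vserver') {      # first field of every rule
                $rule = [ordered]@{}
                $rules += $rule
            }
            if ($null -ne $rule) { $rule[$field] = $value }
        }
    }
    $rules | ForEach-Object { [pscustomobject]$_ }
}
# Hypothetical helper: attach a finding to rules broader than the task needs.
function Test-RoleLeastPrivilege {
    param([object[]]$Rule)
    foreach ($r in $Rule) {
        $dir, $access, $finding = $r.'Command / Directory', $r.'Access Level', $null
        if ($dir -eq 'DEFAULT' -and $access -ne 'none') {
            $finding = "DEFAULT is '$access': every command without a narrower rule inherits it"
        } elseif ($access -eq 'all' -and -not $r.Query) {
            $finding = "'all' access is not limited by a query"
        }
        [pscustomobject]@{ Directory = $dir; Access = $access; Query = $r.Query; Finding = $finding }
    }
}
$report = Test-RoleLeastPrivilege -Rule (ConvertFrom-RoleText -Text $sample)
$report | Format-List
$report | Where-Object Finding | ForEach-Object { Write-Warning "$($_.Directory): $($_.Finding)" }
```

With the constructed sample, only the DEFAULT rule carries a finding; the vserver options rule passes because its query pins it to a single option.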

jcolonfzenpr
15,162 Views

I also tested it with:

security login role create -role script -cmddirname "DEFAULT" -access none -vserver cluster1

 

security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1

 

security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

 

but you have to change your scripts a little bit.

 

 

Jonathan Colón | Blog | Linkedin

TMADOCTHOMAS
12,288 Views

Thanks @jcolonfzenpr . I reset DEFAULT back to none and added vserver in as readonly, but that didn't work either. I do realize I had one error in the script I showed earlier. Invoke-NaSsh should read Invoke-NcSsh. 

TMADOCTHOMAS
12,265 Views

@jcolonfzenpr , for the record I decided to go ahead and modify the role to make DEFAULT readonly, as this is at least an improvement on how it works now. It does lock it down a good bit from being a full admin to having limited rights. I have a case open with NetApp and still want to narrow this down even further to give it read only rights only to the commands needed to log in.

jcolonfzenpr
12,236 Views

If support provides a solution, please share it here so other users with a similar need can benefit.

 

Also, I forgot to mention you can ask for help on the Slack channel of netapp.io

 

https://join.slack.com/t/netapppub/shared_invite/zt-ki0sse86-6ihXPApFepvu0Nx~YibCtA

Jonathan Colón | Blog | Linkedin

TMADOCTHOMAS
12,230 Views

@jcolonfzenpr I definitely will! Thanks for the tip on slack, I will check that out.

 

On a related note, I've been testing things out on the script I posted earlier in this thread. The "DEFAULT"/readonly setting + additional rule works great for this script. I've now checked out the other PowerShell scripts I want to give permission to, and forgot that I'm using native PowerShell commands for those scripts, such as Get-NcCifsShare and Get-NcCifsShareAcl for example. At the moment it works fine since all commands are set to readonly, but if I'm able to lock "DEFAULT" down further I will need to know which NetApp commands correspond to the PowerShell commands. Do you know of a PDF that details which native NetApp commands correspond to PowerShell toolkit commands?

jcolonfzenpr
12,232 Views

Yesterday I asked the same question on the Slack channel:

The answer:

If you’ve installed the netapp powershell toolkit - run “show-nchelp” and it’ll open your browser with the full help documentation with tabs for categories, full sorted list, etc

Jonathan Colón | Blog | Linkedin