
OnTAP Custom Role Not Working

TMADOCTHOMAS

Hello,

I am trying to create a custom role to limit the rights of a domain-based service account we use exclusively to run PowerShell scripts. The role resides in the main cluster SVM and I've only given it rights to change the replication throttle setting as shown below. I assigned the role to the service account with the applications ssh and ontapi. When testing, it immediately generated this error: "Insufficient privileges: user '<username>' does not have read access to this resource".  Apparently I need to give at least read only access to a certain command to allow it to log on in the first place. Does anyone know what that would be?

 

Role Name: script
Command / Directory: vserver options
Access Level: all
Query: -option-name replication.throttle.outgoing.max_kbs


paul_stejskal

What is the security login show output? And did you set up a security login show?

The service account has two entries, one for the ontapi application and one for the ssh application. Previously the role was set at admin, and I just changed the role to the new 'script' role with limited rights to see if it would work. I manually ran the script both before and after the change. While set to admin it worked fine of course, but when I switched it to the new role, it generated the error I mentioned. I think there's a command path I need to give read only access to but don't know what that would be.

It's probably security login role command. I think you've got the right idea it's in the "options" output.

That's a possibility. I guess it has to read the role to know what it's rights are :). I'll try that and update the thread with the results.

jcolonfzenpr

Defining custom roles:

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-adm-auth-rbac%2FGUID-910E18E9-B83C-41BF-8A68-C1806FEB6177.html

 

cluster1::> security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1

cluster1::> security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

cluster1::> security login create -user-or-group-name jocolon -application ssh -authentication-method password -role script -vserver cluster1

cluster1::> security login create -user-or-group-name jocolon -application console -authentication-method password -role script -vserver cluster1

 

I logged in as jocolon user with script role assigned 
cluster1::> vserver options -vserver cluster1 -option-name
encryption.data_at_rest_encryption.disable_by_default
replication.create_data_protection_rels.enable
replication.dst_snapshot_op_ems.enable
replication.feature1.enable
replication.ls_mirrors_on_data_volumes.enable
replication.mirror_initialize_priority
replication.mirror_update_priority
replication.reservation.dst.high_pri_xfer_pct
replication.reservation.dst.low_pri_xfer_pct
replication.reservation.src.high_pri_xfer_pct
replication.reservation.src.low_pri_xfer_pct
replication.restore_priority
replication.throttle.enable
replication.throttle.incoming.max_kbs
replication.throttle.outgoing.max_kbs
replication.throttle.outgoing.max_kbs_objstore
replication.vault_initialize_priority
replication.vault_update_priority
snmp.enable
volmove.throttle.enable

cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.outgoing.max_kbs -option-value 45

cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.outgoing.max_kbs

cluster1
replication.throttle.outgoing.max_kbs
45 -

cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.incoming.max_kbs -option-value 2

Error: command failed: not authorized for that command

cluster1::> ?
exit Quit the CLI session
history Show the history of commands for this CLI session
man Display the on-line manual pages
redo Execute a previous command
rows Show/Set the rows for this CLI session
top Go to the top-level directory
up Go up one directory
vserver> Manage Vservers

cluster1::>

 

Jonathan Colón | Blog | Linkedin

TMADOCTHOMAS

@paul_stejskal unfortunately that command didn't do the trick. I may experiment with some other security login commands.

 

@jcolonfzenpr thank you for showing me your testing of my issue! Do you have a suggestion for how to get the desired results?

jcolonfzenpr

Can you share the PowerShell script?

Jonathan Colón | Blog | Linkedin

TMADOCTHOMAS

Yes, here it is:

 

# Import the ONTAP PowerShell Toolkit and open the cluster connection.
# <cluster_name> is the management name or address of the cluster.
Clear-Host
Import-Module DataONTAP
$CLUSTER = Connect-NcController -Name <cluster_name>

# Throttle SnapMirror transfers by setting the outgoing replication throttle (in KB/s).
# Cmdlet corrected from Invoke-NaSsh (7-Mode) to Invoke-NcSsh (clustered ONTAP), as noted later in the thread.
Invoke-NcSsh -Name $CLUSTER -Command "options -option-name replication.throttle.outgoing.max_kbs 3125"

 

That's the one for throttling. The one for unthrottle is the same except "unlimited" at the end instead of 3125. This is used on multiple remote offices and works fine as long as the account has full admin rights. I'm trying to reduce the service account rights down to just the ones it needs to perform the task.

TMADOCTHOMAS

It's getting hung up here:

 

$CLUSTER = Connect-NcController -Name albflnacl01p

 

Error says : 

 

Connect-NcController : Insufficient privileges: user '<username>' does not have read access to this resource

 

Here is the role. As you can see I tried setting the command/directory to "security login" but that didn't work either.

----------------------------------------------------------------------------------

Vserver: <vserver>
Role Name: script
Command / Directory: DEFAULT
Access Level: none
Query:

 

Vserver: <vserver>
Role Name: script
Command / Directory: security login
Access Level: readonly
Query:

 

Vserver: <vserver>
Role Name: script
Command / Directory: vserver options
Access Level: all
Query: -option-name replication.throttle.outgoing.max_kbs
----------------------------------------------------------------------------------

 

Any ideas or suggestions?

jcolonfzenpr

Can you add one extra role setting like this?

 

Vserver: <vserver>
Role Name: script
Command / Directory: vserver
Access Level: readonly
Query:

 

Jonathan Colón | Blog | Linkedin

jcolonfzenpr

I think this is not needed!

 

Vserver: <vserver>
Role Name: script
Command / Directory: security login
Access Level: readonly
Query:

Jonathan Colón | Blog | Linkedin

jcolonfzenpr

I did the testing and it works by adding a role setting for DEFAULT as readonly.

 

Security role creation:

security login role create -role script -cmddirname "DEFAULT" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

 

Create and apply role to a user:

security login create -user-or-group-name jocolon -application ontapi -authentication-method password -role script -vserver cluster1
security login create -user-or-group-name jocolon -application ssh -authentication-method password -role script -vserver cluster1

 

Create the PowerShell credential object:

PS C:\Users\Administrator.DEMO> $cred = (Get-Credential)

 

Display the PowerShell credential object:
PS C:\Users\Administrator.DEMO> $cred

UserName Password
-------- --------
jocolon System.Security.SecureString

 

I changed your script a little bit:
PS C:\Users\Administrator.DEMO> Invoke-NcSsh -Name cluster1 -Credential $cred -Command "vserver options -option-name replication.throttle.outgoing.max_kbs 3125"


NcController : cluster1
Value :

Last login time: 1/30/2021 15:24:50

1 entry was modified.

 

Display the modified option:

PS C:\Users\Administrator.DEMO> Invoke-NcSsh -Name cluster1 -Credential $cred -Command "vserver options -option-name replication.throttle.outgoing.max_kbs"


NcController : cluster1
Value :

Last login time: 1/30/2021 15:25:06


cluster1
replication.throttle.outgoing.max_kbs 3125 -

 

I learned something new today! Thanks

Jonathan Colón | Blog | Linkedin
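The modified script above, combined with the denial probe from the earlier CLI test, as an added example that is not part of this thread or of the NetApp toolkit. It assumes the toolkit is installed, the `script` role exists as defined in this post, the cluster is named `cluster1`, and that an authorization failure from `Invoke-NcSsh` comes back either in the `.Value` text or as a thrown error (both are folded into the returned string); `Invoke-RestrictedCommand` and `Set-OutgoingThrottle` are hypothetical helper names.

```powershell
# Added example (not from the thread). Assumes DataONTAP toolkit, a 'script' role
# scoped as in this post, and a credential for the restricted service account.
Import-Module DataONTAP

$cred    = Get-Credential -Message 'Restricted service account (role: script)'
$cluster = 'cluster1'   # placeholder cluster name

# Run one ONTAP CLI command over SSH as the restricted account and return its text.
# Assumption: a "not authorized" refusal is returned in .Value or thrown as an
# error; both cases are returned as a plain string so the caller can inspect it.
function Invoke-RestrictedCommand {
    param([string]$Command)
    try {
        $r = Invoke-NcSsh -Name $cluster -Credential $cred -Command $Command
        return [string]$r.Value
    } catch {
        return $_.Exception.Message
    }
}

# Set the outgoing SnapMirror throttle in KB/s; 'unlimited' removes the throttle.
# This is the only write the role's query is meant to permit.
function Set-OutgoingThrottle {
    param([string]$KBps = 'unlimited')
    Invoke-RestrictedCommand "vserver options -option-name replication.throttle.outgoing.max_kbs $KBps"
}

# Check the role is scoped as intended: the queried option can be changed, while
# the sibling option outside the query is refused (same probe the thread used).
$allowed = Set-OutgoingThrottle -KBps 3125
$denied  = Invoke-RestrictedCommand 'vserver options -option-name replication.throttle.incoming.max_kbs 2'

if ($denied -notmatch 'not authorized') {
    Write-Warning "Role 'script' is broader than intended; incoming throttle write was accepted:`n$denied"
} else {
    Write-Host 'Role scoping verified: outgoing throttle accepted, incoming throttle refused.'
}
Write-Host "Throttle result: $allowed"

# Return to the unthrottled state when the check is done.
Set-OutgoingThrottle -KBps 'unlimited' | Out-Null
```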

TMADOCTHOMAS

Thanks @jcolonfzenpr . It actually works with just the following two lines:

 

security login role create -role script -cmddirname "DEFAULT" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

 

Having said that, I don't want to give even read only rights to EVERYTHING. My goal is to give only the minimal rights required, which means read only rights just to the command or command directory required to be able to log in.

jcolonfzenpr

I test it also with:

security login role create -role script -cmddirname "DEFAULT" -access none -vserver cluster1

 

security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1

 

security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

 

but you have to change your scripts a little bit.

 

 

Jonathan Colón | Blog | Linkedin


TMADOCTHOMAS

Thanks @jcolonfzenpr . I reset DEFAULT back to none and added vserver in as readonly, but that didn't work either. I do realize I had one error in the script I showed earlier. Invoke-NaSsh should read Invoke-NcSsh. 

TMADOCTHOMAS

@jcolonfzenpr , for the record I decided to go ahead and modify the role to make DEFAULT readonly, as this is at least an improvement on how it works now. It does lock it down a good bit from being a full admin to having limited rights. I have a case open with NetApp and still want to narrow this down even further to give it read only rights only to the commands needed to log in.

jcolonfzenpr

If support provides a solution, please share it here so other users with a similar need can benefit.

 

Also, I forgot to mention you can ask for help on the Slack channel of netapp.io:

 

https://join.slack.com/t/netapppub/shared_invite/zt-ki0sse86-6ihXPApFepvu0Nx~YibCtA

Jonathan Colón | Blog | Linkedin

TMADOCTHOMAS

@jcolonfzenpr I definitely will! Thanks for the tip on slack, I will check that out.

 

On a related note, I've been testing things out on the script I posted earlier in this thread. The "DEFAULT"/readonly setting + additional rule works great for this script. I've now checked out the other PowerShell scripts I want to give permission to, and forgot that I'm using native PowerShell commands for those scripts, such as Get-NcCifsShare and Get-NcCifsShareAcl for example. At the moment it works fine since all commands are set to readonly, but if I'm able to lock "DEFAULT" down further I will need to know which NetApp commands correspond to the PowerShell commands. Do you know of a PDF that details which native NetApp commands correspond to PowerShell toolkit commands?

dbytes

Not sure if you ever figured this out.  I have set DEFAULT to readonly, set each dircmd to none, and then only the dircmds needed to all.  This works great.  I've attached a screenshot of the role I created.

Upon mentioning this to my network team, they mentioned the same behavior is on some Cisco switches. You have to enable default so an account can log in, then restrict from there.

For your question on the CIFS Share commands, I would suspect "vserver cifs share" could be set to readonly.

jcolonfzenpr

Yesterday I asked the same question on the Slack channel:

The answer:

If you’ve installed the netapp powershell toolkit - run “show-nchelp” and it’ll open your browser with the full help documentation with tabs for categories, full sorted list, etc

Jonathan Colón | Blog | Linkedin