ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

OnTap granular debugging of role access

fwdalrymple
‎2019-03-19 07:38 AM
3,927 Views

I'm building an automation suite to handle some of the day to day for our storage administrators. In doing so I want to grant the service user the least privilege necessary to achieve the desired outcome. Since updating my Ansible machine to the current dev release even na_ontap_gather_facts doesn't work without some sort of write permissions.

 

clustername::*> security login role show -role ansible-user
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
clustername ansible-user DEFAULT                                      readonly
                          system node autosupport                      all
2 entries were displayed.

Note that I've added the 'autosupport / all' component as that's the first change I want to test.

 

I could sift through the Ansible code, but it seems to me that there should be a more straightforward way from the audit log to identify the specific privilege requested that's being denied. This is what is in the audit log:

 

Tue Mar 19 14:24:15 2019  clustername-2  [kern_audit:info:14677] 8503e9000000081c :: clustername:ontapi :: 10.170.38.66:34252 :: clustername:unknown :: Error: POST /servlets/netapp.servlets.admin.XMLrequest_filer HTTP/1.1 401 Unauthorized
Tue Mar 19 14:24:15 2019  clustername-2  [kern_audit:info:2152] 8503e9000000081d :: clustername:ontapi :: 10.170.38.66:34254 :: clustername:ansible-user :: <netapp xmlns="http://www.netapp.com/filer/admin" version="1.110" vfiler="clustername"><ems-autosupport-log><computer-name>Ansible</computer-name><event-id>12345</event-id><event-source>na_ontap_gather_facts</event-source><app-version>2.8.0.dev0</app-version><category>Information</category><event-description>setup</event-description><log-level>6</log-level><auto-support>false</auto-support></ems-autosupport-log></netapp> :: Pending
Tue Mar 19 14:24:15 2019  clustername-2  [kern_audit:info:2152] 8503e9000000081d :: clustername:ontapi :: 10.170.38.66:34254 :: clustername:ansible-user :: Insufficient privileges: user 'ansible-user' does not have write access to this resource :: ONTAPI :: Error

I recall having the capability to see privileges denied at a very granular level in 7-mode then being able to correct them as they come up. Where is this functionality in cDOT, or am I just not reading the audit logs the way they're meant to be read?

0 Kudos
View By:
1 ACCEPTED SOLUTION

RamK
NetApp
‎2020-04-08 08:03 AM
3,509 Views

I just ran into a similar situation and discovered the fix. ontap_gather_facts and ontap_info fail when trying to create a log entry.   The role requires access to the 'event' command directory.

 

sec login role create -role ansible-user -cmddirname event -access all

 

View solution in original post

2 REPLIES 2

PaulF
‎2019-04-08 07:14 AM
3,723 Views

Same issue here, i can't work out what permission is missing when creating and export policy. If I SSH i can create the policy so it looks like the user has the correct permisions. Do you have any tips to sift through the Ansible code?

0 Kudos

RamK
NetApp
‎2020-04-08 08:03 AM
3,510 Views

I just ran into a similar situation and discovered the fix. ontap_gather_facts and ontap_info fail when trying to create a log entry.   The role requires access to the 'event' command directory.

 

sec login role create -role ansible-user -cmddirname event -access all

 

Announcements
All Community Forums
Public