ONTAP Discussions

System Manager GUI Manage Individual vserver on CDOT

Hi,

I have a CDOT cluster on 8.3. My manager wants individual business units to manage their own vserver via System Manager.

It is my understanding that it is not currently possible for System Manager to manage an individual vserver on a cDOT array.

Is this true?

If it is true, are there any plans to provide this capability in the future?

 

Thanks,


Re: System Manager GUI Manage Individual vserver on CDOT

Hi,

my name is Chriz Ott, I'm working with NetApp as a Principal Architect.

Thank you very much for your question, your use case is one of the use cases cDOT was designed for - Secure Multi Tenancy.

Unfortunately you are correct, currently it is not possible to manage individual SVMs using the System Manager.

There are definitely plans to bring this functionality into System Manager, however in the past they have been deferred for the benefit of other features.

A workaround could be using WFA (Workflow Automation) to provide certain "operational tasks" that application owners would usually require and have WFA take care of RBAC (including integration into an existing LDAP).

Another way would be to use our SnapManager products for individual applications such as SQL, Exchange, Sharepoint etc. to connect to the SVM and manage their storage.

I hope this answer is useful for you, please don't hesitate to come back to me in case you have more questions.

Cheers chriz

P.S. if you feel this answer is useful, please KUDO or "correct answer" so other people may find it faster.


Re: System Manager GUI Manage Individual vserver on CDOT

I would like to ask you about this topic.
I would like to allow individual business units to manage their own vserver via System Manager, too.

The OnCommand System Manager 8.3 is included with Data ONTAP as a web service.

It seems that cDOT 8.3 has a "vserver services web access" command.
https://library.netapp.com/ecmdocs/ECMP12452955/html/vserver/services/web/modify.html

Can we manage an individual vserver on a cDOT array to a certain degree?

Best regards,


Re: System Manager GUI Manage Individual vserver on CDOT

Mikky,

 

It looks like you can only enable ontapi access on the vserver level using this, and not the "portal" and "compat" services.

 

Fred


Re: System Manager GUI Manage Individual vserver on CDOT

Hi. Any news regarding possibility to manage SVM by vsadmin via System Manager?


Re: System Manager GUI Manage Individual vserver on CDOT

Hi,

 

I am running 9.1 now, and there is still no possibility to give individual SVM GUI access.

It would be a nice feature.

"/sysmgr/SysMgr.html " svm

Not Found

The requested URL /sysmgr/SysMgr.html was not found on this server.


Re: System Manager GUI Manage Individual vserver on CDOT

Hello,

 

Although OCSM access can't be enabled at an SVM-by-SVM level, you can create your SVM administrators a top-level cluster account and then grant their role individualized permissions to their SVM (thus granting them access via OCSM).  We have done this with the system administrators for our Oracle E-Business Suite systems and they're able to do almost everything they need to do.  The process looks something like this:

 

security login role create -role <ROLE NAME> -cmddirname DEFAULT -access readonly

security login role create -role <ROLE NAME> -cmddirname "volume qtree" -query "-vserver <SVM NAME>" -access all

security login role create -role <ROLE NAME> -cmddirname "vserver export-policy" -query "-vserver <SVM NAME>" -access all

vserver services web access create -vserver <CLUSTER SVM> -name sysmgr -role <ROLE NAME>

security login create -user-or-group-name <USERNAME> -application http -authentication-method password -role <ROLE NAME>

security login create -user-or-group-name <USERNAME> -application ontap -authentication-method password -role <ROLE NAME>

security login create -user-or-group-name <USERNAME> -application ssh -authentication-method password -role <ROLE NAME>

  

This is actually preferable to an SVM-by-SVM user account for us in that these sysadmins have multiple SVMs and would need accounts on each one.  We overcome this by applying a wildcard to the query object of the role - since our SVMs follow a standard naming convention we just grant them access to any SVM named "oracle-*".  Also, we wanted to limit some of what they could do inside the SVM and being an SVMadmin would have been too permissive for our use case.

 

Hope that helps,

 

Chris
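As an added illustration (my own script, not Chris's or NetApp's code) of the role pattern in the post above: it emits the clustershell commands that scope a role to one SVM or to a naming-convention wildcard such as "oracle-*", and audits a role definition for the two properties that keep it least-privilege (DEFAULT stays readonly, every "all" grant carries a -vserver query). The "|" alternative and "*" wildcard are standard ONTAP query syntax; the function names and the "cluster1" admin SVM are my assumptions.

```python
"""Build and audit an SVM-scoped ONTAP RBAC role (constructed example).

The ONTAP query grammar accepts '*' wildcards and '|' for alternatives;
space-separated SVM lists are not a valid query, so they are rejected.
"""
import re
import shlex

# Command directories granted "all" to the application owners, as in the post.
DEFAULT_GRANTS = ("volume qtree", "vserver export-policy")

_QUERY_RE = re.compile(r"^[A-Za-z0-9_.\-*]+(\|[A-Za-z0-9_.\-*]+)*$")


def vserver_query(svms):
    """Join SVM names/patterns into a -vserver query ('a|b', 'oracle-*')."""
    if isinstance(svms, str):
        svms = [svms]
    for name in svms:
        if not name or any(ch.isspace() for ch in name):
            raise ValueError(f"invalid SVM name or pattern: {name!r}")
    query = "|".join(svms)
    if not _QUERY_RE.match(query):
        raise ValueError(f"not a valid ONTAP query: {query!r}")
    return f"-vserver {query}"


def role_commands(role, svms, grants=DEFAULT_GRANTS, cluster_svm="cluster1"):
    """Return the clustershell commands that define the scoped role."""
    q = vserver_query(svms)
    cmds = [f"security login role create -role {role} -cmddirname DEFAULT -access readonly"]
    for cmddir in grants:
        cmds.append(f'security login role create -role {role} -cmddirname "{cmddir}" '
                    f'-query "{q}" -access all')
    cmds.append(f"vserver services web access create -vserver {cluster_svm} -name sysmgr -role {role}")
    return cmds


def audit_role(cmds):
    """Flag entries that break the scoping pattern and return the findings."""
    findings = []
    for c in cmds:
        if not c.startswith("security login role create"):
            continue
        argv = shlex.split(c)
        opts = dict(zip(argv[4::2], argv[5::2]))  # "-flag value" pairs after the verb
        cmddir, access = opts.get("-cmddirname"), opts.get("-access")
        if cmddir == "DEFAULT" and access != "readonly":
            findings.append(f"DEFAULT grants {access}")
        elif access == "all" and "-vserver" not in opts.get("-query", ""):
            findings.append(f"'{cmddir}' grants all without an SVM query")
    return findings
```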

 


Re: System Manager GUI Manage Individual vserver on CDOT

Anybody know if this feature has been added in 9.2 (which we are currently on) or 9.3?


Re: System Manager GUI Manage Individual vserver on CDOT

@colsen, I am trying your recommended alternative. I assume this works with domain groups, right (where auth method is domain and not password)? I'm having difficulty with applying this to two SVMs. In the query I entered:

 

-query "-vserver <svm1> <svm2>"

 

There was no error, but the user wasn't able to log on to the cluster via System Manager. I tried again with just one SVM and they still couldn't log on. Any ideas?


Re: System Manager GUI Manage Individual vserver on CDOT

Have NetApp corrected this in 9.2 and above ?


Re: System Manager GUI Manage Individual vserver on CDOT

Not as of yet.


Re: System Manager GUI Manage Individual vserver on CDOT


@colsen wrote:

Although OCSM access can't be enabled at an SVM-by-SVM level, you can create your SVM administrators a top-level cluster account and then grant their role individualized permissions to their SVM (thus granting them access via OCSM).

But this wouldn't work in a multidomain environment, where all SVMs have different VLANs and different IP nets.

With this setup, we would have to open the FW for each user who would like to manage their SVMs.

If SVM-by-SVM were enabled, they could just access the same address via web browser if we changed the LIF's firewall policy to mgmt.
