ONTAP Discussions

TR-4513 Security Hardening Guide, 4.11 - "admin_ssh" role preventing HTTP access?

SMLocke
2,966 Views

This is super specific, but I wonder if any of you folks have some insight into this.

The subject TR calls for creating a role called admin_ssh that is basically like the admin role, but restricts access to the service processor commands, like so:

cluster::> security login role create -role admin_ssh -cmddirname DEFAULT -access all -vserver <cluster SVM>
cluster::> security login role create -role admin_ssh -cmddirname "system service-processor" -access none -vserver <cluster SVM>

I did this, and changed a user from admin to admin_ssh for all login methods, including ssh, http, and ontapi.

Prior to the change, the user was able to log in to OnCommand System Manager as per normal. After the change, the user cannot log in to OnCommand System Manager at all. All attempts result in an "invalid credentials" type message. Reverting the change results in the ability to log in to OCSM normally once more.

Any chance this is a bug? Worth filing a ticket to support?

1 ACCEPTED SOLUTION

Jeff_Yao
2,909 Views

Looks like you need to enable the access for System Manager. Use the command below:

vserver services web access create -vserver vserver_name -name sysmgr -role role_name

Hopefully that helps.


2 REPLIES 2

SMLocke
2,895 Views

That did the trick, brother, thanks!
