I have a REST API script that works with the cluster admin user, but I'd like to use a user with fewer permissions on the system. I've created a user with only the privileges needed to create a qtree, quota, and share, but I get the following when using that user. Any ideas?
Exception caught : Caused by HTTPError('401 Client Error: Unauthorized for url: https://nypntap1.jallc.lan:443/api/storage/qtrees',): User is not authorized.
Role:
rest_ldrive DEFAULT none
volume qtree create all
volume qtree show all
volume quota policy rule create all
volume quota policy rule delete all
volume quota policy rule modify all
volume quota policy rule show all
vserver cifs share access-control create all
vserver cifs share access-control delete all
vserver cifs share access-control modify all
vserver cifs share access-control show all
vserver cifs share create all
vserver cifs share delete all
vserver cifs share modify all
vserver cifs share show all
User/Group Authentication Acct Authentication
Name Application Method Role Name Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
rest_user http password rest_ldrive no none
1 ACCEPTED SOLUTION
qw has accepted the solution
With ONTAP 9.11.1, legacy roles can be leveraged, and ONTAP REST requires rest-role creation either through the CLI or the ONTAP REST API. Please find below an example that shows how to create a rest-role.
Create rest-role through CLI:
metropolitan::> security login rest-role create -vserver metropolitan
-role new_role -api /api/storage/volumes -access read_create_modify
metropolitan::> security login rest-role show -role new_role
Role Access
Vserver Name API Level
---------- ---------- ------------------- ------------------
metropolitan new_role /api/storage/volumes read_create_modify
Adding 9.11.1 RBAC Roles reference document:
Thanks, I see the point: for REST I need a rest-role. So I set up the following but am still getting Unauthorized. I will keep at it but thought I'd update.
Unauthorized for url: https://hostname:443/api/storage/qtrees
Unauthorized for url: https://hostname:443/api/storage/quota/rules
Unauthorized for url: https://hostname:443/api/protocols/cifs/shares
hostname::security login> rest-role show -role ldrive
Role Access
Vserver Name API Level
---------- ------------- ------------------- ------
vserver
ldrive /api/protocols/cifs all
/api/storage/qtrees all
/api/storage/quota all
3 entries were displayed.
hostname::security login> show -vserver svm_bambi_nypntap1 -user-or-group-name rest_user
Vserver: vserver
Second
User/Group Authentication Acct Authentication
Name Application Method Role Name Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
rest_user http password ldrive no none
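An added example, not part of any post in this thread: a Python sketch that derives the narrowest rest-role entry for each REST call a script makes and renders it in the `security login rest-role create` syntax shown in the accepted solution. The access-level-to-method mapping and the longest-prefix matching are assumptions based on ONTAP 9.11.1 rest-role behaviour, `svm_placeholder` is a placeholder SVM name, and nothing here contacts a cluster.

```python
# Added example: least-privilege ONTAP rest-role entries from a script's REST calls.
# Assumed mapping of rest-role access levels to HTTP methods, narrowest first.
ACCESS_LEVELS = [
    ("readonly", {"GET"}),
    ("read_create", {"GET", "POST"}),
    ("read_modify", {"GET", "PATCH"}),
    ("read_create_modify", {"GET", "POST", "PATCH"}),
    ("all", {"GET", "POST", "PATCH", "DELETE"}),
]

def narrowest_access(methods):
    """Return the first (narrowest) access level that permits every method."""
    for level, allowed in ACCESS_LEVELS:
        if set(methods) <= allowed:
            return level
    raise ValueError(f"no access level covers {sorted(methods)}")

def plan_role(calls):
    """calls: iterable of (method, api_path). Returns {api_path: access}."""
    needed = {}
    for method, path in calls:
        needed.setdefault(path.rstrip("/"), set()).add(method.upper())
    return {path: narrowest_access(m) for path, m in sorted(needed.items())}

def is_allowed(role, method, path):
    """Check a request against a role; the longest matching API prefix wins
    (assumed precedence). Unknown levels such as 'none' permit nothing."""
    matches = [p for p in role if path == p or path.startswith(p + "/")]
    if not matches:
        return False
    level = role[max(matches, key=len)]
    return method.upper() in dict(ACCESS_LEVELS).get(level, set())

def cli_commands(vserver, role_name, role):
    """Render the role as 'security login rest-role create' commands."""
    return [
        f"security login rest-role create -vserver {vserver} -role {role_name} "
        f"-api {path} -access {access}"
        for path, access in role.items()
    ]

# Constructed input: the three endpoints from the thread, create-only.
CALLS = [("POST", "/api/storage/qtrees"), ("POST", "/api/storage/quota/rules"),
         ("POST", "/api/protocols/cifs/shares")]

if __name__ == "__main__":
    for cmd in cli_commands("svm_placeholder", "ldrive", plan_role(CALLS)):
        print(cmd)
```

For a script that only creates objects, this yields `read_create` on each of the three paths rather than `all`.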