ONTAP Rest API Discussions

Custom user not authorized for REST API but it is?

Cjones
2,465 Views

 I have a REST API script that works with cluster admin user, but I'd like to use a user with fewer permissions on the system.  I've created a user with only privileges needed to create a qtree, quota, and share but get the following using that user.  Any ideas? 

 

Exception caught : Caused by HTTPError('401 Client Error: Unauthorized for url: https://nypntap1.jallc.lan:443/api/storage/qtrees',): User is not authorized.

 

Role:

rest_ldrive DEFAULT none
volume qtree create all
volume qtree show all
volume quota policy rule create all
volume quota policy rule delete all
volume quota policy rule modify all
volume quota policy rule show all
vserver cifs share access-control create all
vserver cifs share access-control delete all
vserver cifs share access-control modify all
vserver cifs share access-control show all
vserver cifs share create all
vserver cifs share delete all
vserver cifs share modify all
vserver cifs share show all

 

User/Group Authentication Acct Authentication
Name Application Method Role Name Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
rest_user http password rest_ldrive no none

1 ACCEPTED SOLUTION

qw
NetApp
2,336 Views

With ONTAP 9.11.1 legacy roles can be leveraged and ONTAP REST requires rest-role creation either through CLI or ONTAP REST API. Please find below example that shows how to create rest-role

Create rest-role through CLI:

 

metropolitan::> security login rest-role create -vserver metropolitan
-role new_role -api /api/storage/volumes -access read_create_modify

 

metropolitan::> security login rest-role show -role new_role

               Role                                    Access

Vserver        Name            API                     Level

----------     ----------   -------------------   ------------------


metropolitan   new_role    /api/storage/volumes   read_create_modify

 

Adding 9.11.1 RBAC Roles reference document:

 

View solution in original post

2 REPLIES 2

qw
NetApp
2,337 Views

With ONTAP 9.11.1 legacy roles can be leveraged and ONTAP REST requires rest-role creation either through CLI or ONTAP REST API. Please find below example that shows how to create rest-role

Create rest-role through CLI:

 

metropolitan::> security login rest-role create -vserver metropolitan
-role new_role -api /api/storage/volumes -access read_create_modify

 

metropolitan::> security login rest-role show -role new_role

               Role                                    Access

Vserver        Name            API                     Level

----------     ----------   -------------------   ------------------


metropolitan   new_role    /api/storage/volumes   read_create_modify

 

Adding 9.11.1 RBAC Roles reference document:

 

Cjones
2,100 Views

Thanks, I see the point, for REST I need a rest-role.  So I set up the following but still getting Unauthorized, I will keep at it but thought I'd update 

 

Unauthorized for url: https://hostname:443/api/storage/qtrees
Unauthorized for url: https://hostname:443/api/storage/quota/rules
Unauthorized for url: https://hostname:443/api/protocols/cifs/shares

 

hostname::security login> rest-role show -role ldrive
Role Access
Vserver Name API Level
---------- ------------- ------------------- ------
vserver
ldrive /api/protocols/cifs all
/api/storage/qtrees all
/api/storage/quota all
3 entries were displayed.

 

hostname::security login> show -vserver svm_bambi_nypntap1 -user-or-group-name rest_user
Vserver: vserver
Second
User/Group Authentication Acct Authentication
Name Application Method Role Name Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
rest_user http password ldrive no none

 

Public