Solved: Custom user not authorized for REST API but it is?

Cjones · ‎2022-06-10

I have a REST API script that works with cluster admin user, but I'd like to use a user with fewer permissions on the system. I've created a user with only privileges needed to create a qtree, quota, and share but get the following using that user. Any ideas?

Exception caught : Caused by HTTPError('401 Client Error: Unauthorized for url: https://nypntap1.jallc.lan:443/api/storage/qtrees',): User is not authorized.

Role:

rest_ldrive DEFAULT none
volume qtree create all
volume qtree show all
volume quota policy rule create all
volume quota policy rule delete all
volume quota policy rule modify all
volume quota policy rule show all
vserver cifs share access-control create all
vserver cifs share access-control delete all
vserver cifs share access-control modify all
vserver cifs share access-control show all
vserver cifs share create all
vserver cifs share delete all
vserver cifs share modify all
vserver cifs share show all

User/Group Authentication Acct Authentication
Name Application Method Role Name Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
rest_user http password rest_ldrive no none

qw · ‎2022-06-13

With ONTAP 9.11.1 legacy roles can be leveraged and ONTAP REST requires rest-role creation either through CLI or ONTAP REST API. Please find below example that shows how to create rest-role

Create rest-role through CLI:

metropolitan::> security login rest-role create -vserver metropolitan
-role new_role -api /api/storage/volumes -access read_create_modify

metropolitan::> security login rest-role show -role new_role

Role Access

Vserver Name API Level

---------- ---------- ------------------- ------------------

metropolitan new_role /api/storage/volumes read_create_modify

Adding 9.11.1 RBAC Roles reference document:

https://library.netapp.com/ecmdocs/ECMLP2882307/html/index.html#/docs/security/security_roles

View solution in original post

qw · ‎2022-06-13

With ONTAP 9.11.1 legacy roles can be leveraged and ONTAP REST requires rest-role creation either through CLI or ONTAP REST API. Please find below example that shows how to create rest-role

Create rest-role through CLI:

metropolitan::> security login rest-role create -vserver metropolitan
-role new_role -api /api/storage/volumes -access read_create_modify

metropolitan::> security login rest-role show -role new_role

Role Access

Vserver Name API Level

---------- ---------- ------------------- ------------------

metropolitan new_role /api/storage/volumes read_create_modify

Adding 9.11.1 RBAC Roles reference document:

https://library.netapp.com/ecmdocs/ECMLP2882307/html/index.html#/docs/security/security_roles

Cjones · ‎2022-07-07

Thanks, I see the point, for REST I need a rest-role. So I set up the following but still getting Unauthorized, I will keep at it but thought I'd update

Unauthorized for url: https://hostname:443/api/storage/qtrees
Unauthorized for url: https://hostname:443/api/storage/quota/rules
Unauthorized for url: https://hostname:443/api/protocols/cifs/shares

hostname::security login> rest-role show -role ldrive
Role Access
Vserver Name API Level
---------- ------------- ------------------- ------
vserver
ldrive /api/protocols/cifs all
/api/storage/qtrees all
/api/storage/quota all
3 entries were displayed.

hostname::security login> show -vserver svm_bambi_nypntap1 -user-or-group-name rest_user
Vserver: vserver
Second
User/Group Authentication Acct Authentication
Name Application Method Role Name Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
rest_user http password ldrive no none