ONTAP Rest API Discussions

Debug permission issues with POST /storage/volume


Hi guys,


I would like to automate volume cloning via the REST API. It should not run as admin, only with the needed permissions at the SVM level.

Following rest-role is created:


Users are defined as follows:

security login show  -user-or-group-name DOM\storage

Vserver: Cluster1
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
DOM\storage  http        domain        readonly         -      none

Vserver: SVM1
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
DOM\storage  http        domain        ExchangeRestore  -      none


Rest Role:

security login rest-role show -vserver SVM1 -role ExchangeRestore
               Role                                    Access
Vserver        Name            API                     Level
----------     -------------   -------------------     ------
SVM1            ExchangeRestore   /api/protocols/san     readonly
                                  /api/protocols/san/lun-maps     all
                                  /api/storage         readonly
                                  /api/storage/luns     all
                                  /api/storage/volumes     all
                                  /api/svm             readonly


It works for Read of LUN / Volume / Snapshot. It doesn't work for Volume POST operation (vol clone). 

In this case, a login window opens in the browser and asks for login. There are permissions missing somewhere.


Is there a way to debug the RestAPI?





I tried recreating your scenario to see if I could see the same. I wasn't successful in recreating the problem.


As far as debugging goes, there are a few steps I would try in general to figure out where and why a request might fail. I've listed these at increasing levels of diagnostic necessity as well as difficulty:


1. Use curl or Postman or some client that will easily show you the response headers and body

~/$ curl -iku storage https://xx.xx.xx.xx/api/storage/volumes
Enter host password for user 'storage':
HTTP/1.1 401 Unauthorized
Date: Tue, 18 May 2021 16:57:52 GMT
Server: Apache
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
WWW-Authenticate: Basic realm="ONTAP"
Content-Length: 65
Content-Type: text/html; charset=iso-8859-1

{"error":{"code":"6691623", "message":"User is not authorized."}}~/$

2. Look at the web server logs in ONTAP to see if there are any error messages:

[Tue May 18 14:04:51.521561 2021 +0000] [dot:error] [pid 7483:tid 34395781888] [client xx.xx.xx.xx:44680] [vserver ID 2] [service rest] Authentication denied for user storage, application http
[Tue May 18 14:04:55.538032 2021 +0000] [auth_basic:error] [pid 7483:tid 34395781888] [client xx.xx.xx.xx:44680] AH01617: user storage: authentication failure for "/api/storage/volumes": Password Mismatch

3. Trace the API through the server and compare the trace to a call you know works:

~/$ curl -iku storage -H "X-Trace-Threshold: 0" https://xx.xx.xx.xx/api/storage/aggregates
Enter host password for user 'storage':
HTTP/1.1 403 Forbidden
Date: Tue, 18 May 2021 17:00:53 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Length: 41092
Content-Type: application/hal+json

{
  "error": {
    "message": "not authorized for that command",
    "code": "6"
  },
  "trace_output": "
Node           Thread  Time(s) Net Bytes Max Bytes Alloc Bytes Freed Bytes Allocs
-------------- ------ -------- --------- --------- ----------- ----------- ------
mycluster      main 0.001635     54040     54136      178392      124352   1032
         TOTAL        0.001635     54040     54136      178392      124352   1032

%Parent / Label                                         Method                Dst Num !Ok Time(us)  Max  Min  Avg Net Bytes Max Bytes Alloc Bytes Freed Bytes Allocs
------------------------------------------------------- --------------------- --- --- --- -------- ---- ---- ---- --------- --------- ----------- ----------- ------
100% REST                                                                     svr   1   0     1635 1635 1635 1635     54040     54136      178392      124352   1032
.. 6% *unaccounted*                                                                 1   0      113    -    -  113     12360         -       17816        5456     39
.. 2% sequential_identifier                             get                   svr   1   0       46   46   46   46         0      2016        2688        2688      8

  < snipped for brevity >

Latency of printTrace: 0.003956s. Memory: 98336 net used, 163872 max, 4648624 allocated, 4550288 freed, 7396 allocations.


Hopefully that gives you somewhere to start looking.
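
Added example, not part of the original thread and not NetApp code: a Python helper that applies steps 1 and 2 offline, telling a 401 with a `WWW-Authenticate` challenge (the case that makes a browser open a login window) apart from a 403 role denial, and pulling the user, vserver ID and path out of the web server log lines. The sample inputs are constructed from the output quoted above; the function names and returned field names are choices made for this example.

```python
import json
import re

# Constructed samples modelled on the curl output and log lines quoted in the answer.
RESP_401 = ('HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="ONTAP"\r\n\r\n'
            '{"error":{"code":"6691623", "message":"User is not authorized."}}')
RESP_403 = ('HTTP/1.1 403 Forbidden\r\nContent-Type: application/hal+json\r\n\r\n'
            '{"error": {"message": "not authorized for that command", "code": "6"}}')
LOG = [
    '[Tue May 18 14:04:51.521561 2021 +0000] [dot:error] [pid 7483:tid 34395781888] [client xx.xx.xx.xx:44680] '
    '[vserver ID 2] [service rest] Authentication denied for user storage, application http',
    '[Tue May 18 14:04:55.538032 2021 +0000] [auth_basic:error] [pid 7483:tid 34395781888] [client xx.xx.xx.xx:44680] '
    'AH01617: user storage: authentication failure for "/api/storage/volumes": Password Mismatch',
]

def triage(raw):
    """Parse `curl -i` output: 401 = not accepted as a user, 403 = accepted but role denies."""
    while True:  # a POST may be preceded by an interim "100 Continue" block
        head, _, raw = raw.partition('\r\n\r\n')
        status = int(head.split(None, 2)[1])
        if status >= 200:
            break
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(':', 1) for l in head.split('\r\n')[1:] if ':' in l)}
    try:
        err = json.loads(raw).get('error', {})
    except ValueError:  # body is not JSON (for example an HTML error page)
        err = {}
    stage = {401: 'authentication', 403: 'authorization'}.get(status, 'other')
    return {'status': status, 'stage': stage, 'code': err.get('code'),
            'message': err.get('message'), 'challenge': headers.get('www-authenticate')}

LOG_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] '
                    r'\[pid [^\]]+\] \[client (?P<client>[^\]]+)\] ')

def parse_log(line):
    """Pull module, client, vserver ID, user and request path out of one error-log line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key, pat in (('vserver', r'\[vserver ID (\d+)\]'), ('user', r'\buser (\S+?)[:,]'),
                     ('path', r'for "([^"]+)"')):
        hit = re.search(pat, line)
        rec[key] = hit.group(1) if hit else None
    return rec

if __name__ == '__main__':
    print(triage(RESP_401), triage(RESP_403), *map(parse_log, LOG), sep='\n')
```

Feed `triage` the saved output of the failing POST and of a GET that works with the same account; a different `stage` between the two shows whether to look at the login entry or at the role's API paths.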
