
Debug permission issues with POST /storage/volume

marcusgross

Hi guys,

 

I would like to automate volume cloning by RestAPI.  It should not run as admin, only with needed permission on SVM level.

The following rest-role is created:

Users are defined as follows:

security login show  -user-or-group-name DOM\storage

Vserver: Cluster1
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
DOM\storage  http        domain        readonly         -      none

Vserver: SVM1
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
DOM\storage  http        domain        ExchangeRestore  -      none

 

Rest Role:

security login rest-role show -vserver SVM1 -role ExchangeRestore
               Role                                    Access
Vserver        Name            API                     Level
----------     -------------   -------------------     ------
SVM1            ExchangeRestore   /api/protocols/san     readonly
                                  /api/protocols/san/lun-maps     all
                                  /api/storage         readonly
                                  /api/storage/luns     all
                                  /api/storage/volumes     all
                                  /api/svm             readonly

 

It works for Read of LUN / Volume / Snapshot. It doesn't work for Volume POST operation (vol clone). 

In this case, a log-in window opens in the browser and asks for login. There are permissions missing somewhere.

 

Is there a way to debug the RestAPI?

 

Marcis


RobertBlackhart

I tried recreating your scenario to see if I could see the same. I wasn't successful in recreating the problem.

 

As far as debugging goes, there are a few steps I would try in general to figure out where and why a request might fail. I've listed these at increasing levels of diagnostic necessity as well as difficulty:

 

1. Use curl or Postman or some client that will easily show you the response headers and body

~/$ curl -iku storage https://xx.xx.xx.xx/api/storage/volumes
Enter host password for user 'storage':
HTTP/1.1 401 Unauthorized
Date: Tue, 18 May 2021 16:57:52 GMT
Server: Apache
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
WWW-Authenticate: Basic realm="ONTAP"
Content-Length: 65
Content-Type: text/html; charset=iso-8859-1

{"error":{"code":"6691623", "message":"User is not authorized."}}~/$
~/$

2. Look at the web server logs in ONTAP to see if there are any error messages:

[Tue May 18 14:04:51.521561 2021 +0000] [dot:error] [pid 7483:tid 34395781888] [client xx.xx.xx.xx:44680] [vserver ID 2] [service rest] Authentication denied for user storage, application http
[Tue May 18 14:04:55.538032 2021 +0000] [auth_basic:error] [pid 7483:tid 34395781888] [client xx.xx.xx.xx:44680] AH01617: user storage: authentication failure for "/api/storage/volumes": Password Mismatch

3. Trace the API through the server and compare the trace to a call you know works:

~/$ curl -iku storage -H "X-Trace-Threshold: 0" https://xx.xx.xx.xx/api/storage/aggregates
Enter host password for user 'storage':
HTTP/1.1 403 Forbidden
Date: Tue, 18 May 2021 17:00:53 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Length: 41092
Content-Type: application/hal+json

{
  "error": {
    "message": "not authorized for that command",
    "code": "6"
  },
  "trace_output": "
TRACE RESULTS
---------------------------------------------------------------------------------
Node           Thread  Time(s) Net Bytes Max Bytes Alloc Bytes Freed Bytes Allocs
-------------- ------ -------- --------- --------- ----------- ----------- ------
mycluster      main 0.001635     54040     54136      178392      124352   1032
---------------------------------------------------------------------------------
         TOTAL        0.001635     54040     54136      178392      124352   1032

%Parent / Label                                         Method                Dst Num !Ok Time(us)  Max  Min  Avg Net Bytes Max Bytes Alloc Bytes Freed Bytes Allocs
------------------------------------------------------- --------------------- --- --- --- -------- ---- ---- ---- --------- --------- ----------- ----------- ------
100% REST                                                                     svr   1   0     1635 1635 1635 1635     54040     54136      178392      124352   1032
.. 6% *unaccounted*                                                                 1   0      113    -    -  113     12360         -       17816        5456     39
.. 2% sequential_identifier                             get                   svr   1   0       46   46   46   46         0      2016        2688        2688      8

  < snipped for brevity >

Latency of printTrace: 0.003956s. Memory: 98336 net used, 163872 max, 4648624 allocated, 4550288 freed, 7396 allocations.
"
}~/$
~/$

 

Hopefully that gives you somewhere to start looking.
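
The 401-versus-403 distinction that steps 1 and 3 surface, as an added example that is not part of the reply above and not NetApp code: a Python helper that reads pasted `curl -i` output and reports whether the request failed at authentication or at role authorization. The sample responses are constructed from the two quoted in the reply, and `triage` is a hypothetical name.

```python
import json

# Constructed samples, modelled on the two curl -i responses quoted in the reply.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="ONTAP"\r\n'
    "\r\n"
    '{"error":{"code":"6691623", "message":"User is not authorized."}}~/$'
)
SAMPLE_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: application/hal+json\r\n"
    "\r\n"
    '{\n  "error": {\n    "message": "not authorized for that command",\n'
    '    "code": "6"\n  },\n  "trace_output": "\nTRACE RESULTS\n100% REST\n"\n}~/$'
)


def triage(raw):
    """Classify pasted `curl -i` output as an authentication or authorization failure."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    try:
        # strict=False accepts the raw newlines inside trace_output; raw_decode
        # stops after the JSON value, so a trailing shell prompt is ignored.
        doc, _ = json.JSONDecoder(strict=False).raw_decode(body.lstrip())
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        doc = {}
    error = doc.get("error") or {}
    # 401: credentials not accepted. 403: authenticated, but the role denies the call.
    phase = {401: "authentication", 403: "authorization"}.get(
        status, "ok" if status < 400 else "other")
    return {
        "status": status,
        "phase": phase,
        # A 401 carrying WWW-Authenticate is what makes a browser open a login box.
        "browser_prompt": status == 401 and "www-authenticate" in headers,
        "code": error.get("code"),
        "message": error.get("message"),
        "has_trace": "trace_output" in doc,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_401), triage(SAMPLE_403), sep="\n")
```

Feeding it the output of the failing POST and of a GET that works shows whether the two calls differ in `phase`, which tells you whether to look at the login entry or at the rest-role.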
