Hi guys,
I would like to automate volume cloning by RestAPI. It should not run as admin, only with needed permission on SVM level.
The following rest-role is created:
Users are defined as follows:
```
security login show -user-or-group-name DOM\storage
Vserver: Cluster1
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
DOM\storage    http        domain        readonly         -      none
Vserver: SVM1
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
DOM\storage    http        domain        ExchangeRestore  -      none
```
Rest Role:
```
security login rest-role show -vserver SVM1 -role ExchangeRestore
           Role                              Access
Vserver    Name          API                 Level
---------- ------------- ------------------- ------
SVM1       ExchangeRestore /api/protocols/san          readonly
                           /api/protocols/san/lun-maps all
                           /api/storage                readonly
                           /api/storage/luns           all
                           /api/storage/volumes        all
                           /api/svm                    readonly
```
It works for reads of LUN / Volume / Snapshot. It doesn't work for the Volume POST operation (vol clone).
In this case, a log-in window opens in the browser and asks for login. There are permissions missing somewhere.
Is there a way to debug the RestAPI?
Marcis
I tried recreating your scenario to see if I could see the same. I wasn't successful in recreating the problem.
As far as debugging goes, there are a few steps I would try in general to figure out where and why a request might fail. I've listed these at increasing levels of diagnostic necessity as well as difficulty:
1. Use curl or Postman or some client that will easily show you the response headers and body:
```
~/$ curl -iku storage https://xx.xx.xx.xx/api/storage/volumes
Enter host password for user 'storage':
HTTP/1.1 401 Unauthorized
Date: Tue, 18 May 2021 16:57:52 GMT
Server: Apache
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
WWW-Authenticate: Basic realm="ONTAP"
Content-Length: 65
Content-Type: text/html; charset=iso-8859-1

{"error":{"code":"6691623", "message":"User is not authorized."}}~/$
~/$
```
2. Look at the web server logs in ONTAP to see if there are any error messages:
```
[Tue May 18 14:04:51.521561 2021 +0000] [dot:error] [pid 7483:tid 34395781888] [client xx.xx.xx.xx:44680] [vserver ID 2] [service rest] Authentication denied for user storage, application http
[Tue May 18 14:04:55.538032 2021 +0000] [auth_basic:error] [pid 7483:tid 34395781888] [client xx.xx.xx.xx:44680] AH01617: user storage: authentication failure for "/api/storage/volumes": Password Mismatch
```
3. Trace the API through the server and compare the trace to a call you know works:
```
~/$ curl -iku storage -H "X-Trace-Threshold: 0" https://xx.xx.xx.xx/api/storage/aggregates
Enter host password for user 'storage':
HTTP/1.1 403 Forbidden
Date: Tue, 18 May 2021 17:00:53 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Length: 41092
Content-Type: application/hal+json

{
"error": {
"message": "not authorized for that command",
"code": "6"
},
"trace_output": "
TRACE RESULTS
---------------------------------------------------------------------------------
Node Thread Time(s) Net Bytes Max Bytes Alloc Bytes Freed Bytes Allocs
-------------- ------ -------- --------- --------- ----------- ----------- ------
mycluster main 0.001635 54040 54136 178392 124352 1032
---------------------------------------------------------------------------------
TOTAL 0.001635 54040 54136 178392 124352 1032
%Parent / Label Method Dst Num !Ok Time(us) Max Min Avg Net Bytes Max Bytes Alloc Bytes Freed Bytes Allocs
------------------------------------------------------- --------------------- --- --- --- -------- ---- ---- ---- --------- --------- ----------- ----------- ------
100% REST svr 1 0 1635 1635 1635 1635 54040 54136 178392 124352 1032
.. 6% *unaccounted* 1 0 113 - - 113 12360 - 17816 5456 39
.. 2% sequential_identifier get svr 1 0 46 46 46 46 0 2016 2688 2688 8
< snipped for brevity >
Latency of printTrace: 0.003956s. Memory: 98336 net used, 163872 max, 4648624 allocated, 4550288 freed, 7396 allocations.
"
}~/$
~/$
```
Hopefully that gives you somewhere to start looking.
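
An added example, not part of the original thread and not NetApp code: a small Python helper for steps 1 and 2 of the reply above, which classifies a saved `curl -i` capture and pulls the user, path and reason out of a web server log line. The names `triage` and `parse_log` are hypothetical, the sample inputs are constructed from the output quoted in the reply, and the 401/403 labels follow general HTTP semantics, which is an assumption about how the server applies them.

```python
import json
import re

# Constructed samples modelled on the curl -i responses and log entries quoted in the reply.
RESP_401 = ('HTTP/1.1 401 Unauthorized\r\nServer: Apache\r\n'
            'WWW-Authenticate: Basic realm="ONTAP"\r\n\r\n'
            '{"error":{"code":"6691623", "message":"User is not authorized."}}')
RESP_403 = ('HTTP/1.1 403 Forbidden\r\nContent-Type: application/hal+json\r\n\r\n'
            '{"error": {"message": "not authorized for that command", "code": "6"},\n'
            '"trace_output": "\nTRACE RESULTS\n< snipped >\n"}')
LOG_LINE = ('[Tue May 18 14:04:55.538032 2021 +0000] [auth_basic:error] '
            '[pid 7483:tid 34395781888] [client xx.xx.xx.xx:44680] AH01617: user storage: '
            'authentication failure for "/api/storage/volumes": Password Mismatch')

LOG_RE = re.compile(
    r'\[(?P<module>[a-z_]+):error\].*?(?:'
    r'Authentication denied for user (?P<u1>[^,]+), application (?P<app>\S+)'
    r'|user (?P<u2>[^:]+): authentication failure for "(?P<path>[^"]+)": (?P<reason>.+))$')

def triage(raw):
    """Classify a capture: 401 = credentials not accepted, 403 = accepted but action refused."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    status = int(status_line.split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in header_lines)}
    try:
        # strict=False tolerates the raw newlines inside "trace_output".
        doc = json.loads(body, strict=False)
    except ValueError:
        doc = {}  # body was not JSON (for example an HTML error page)
    err = doc.get("error", {})
    return {
        "status": status,
        "layer": {401: "authentication", 403: "authorization"}.get(status, "other"),
        # A Basic challenge on a 401 is what makes a browser open a log-in window.
        "browser_prompt": status == 401
        and headers.get("www-authenticate", "").lower().startswith("basic"),
        "code": err.get("code"), "message": err.get("message"),
        "has_trace": "trace_output" in doc,
    }

def parse_log(line):
    """Pull module, user, path and reason out of an authentication-failure log line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"module": m["module"], "user": m["u1"] or m["u2"], "path": m["path"],
            "reason": m["reason"] or "denied for application " + m["app"]}
```

Running `triage` on the failing POST and on a GET that works, then comparing the two results, shows whether the request was rejected before or after the credentials were accepted.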
