ONTAP Rest API Discussions
Dear all,
Could you help us to know if there is a workaround to the following behavior?
"Since new clusters are using the REST API we cannot prevent users deleting the volumes, because volume modify command contains volume delete permission."
Thank you so much.
Regards,
Quang-Chinh
You can use a traditional login role to allow access to "volume modify" and prevent it for "volume delete" and allow that role for rest via "vserver services web access -name rest". This will cause DELETE on /api/storage/volumes/{uuid} to fail for users with the assigned role.
cluster-1::> security login role show -role test1
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
cluster-1  test1         DEFAULT                                       none
                         volume create                                 all
                         volume delete                                 none
                         volume modify                                 all
                         volume show                                   all
5 entries were displayed.
cluster-1::> vserver services web access show -name rest -role test1
Vserver        Type     Service Name     Role
-------------- -------- ---------------- ----------------
cluster-1      admin    rest             test1
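Added example (not part of the reply above and not NetApp code): a Python check that parses "security login role show" output like the table in the reply and reports whether a role grants volume modify while denying volume delete. The sample table is constructed to mirror the post; the parser assumes the Query column is empty, and the rule that the most specific command-directory entry wins (with DEFAULT as fallback) is an assumption about how role entries are evaluated.

```python
# SAMPLE is constructed to mirror the "security login role show" output in the reply.
SAMPLE = """\
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
cluster-1  test1         DEFAULT                                       none
                         volume create                                 all
                         volume delete                                 none
                         volume modify                                 all
                         volume show                                   all
5 entries were displayed.
"""

def parse_roles(text):
    """Return {(vserver, role): {command_directory: access}}; assumes no Query values."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----")) + 1
    widths = [len(w) for w in lines[start - 1].split()]
    role_col, cmd_col = widths[0] + 1, widths[0] + widths[1] + 2
    roles, key = {}, None
    for line in lines[start:]:
        if not line.strip() or line.strip().endswith("displayed."):
            continue
        vserver, role = line[:role_col].strip(), line[role_col:cmd_col].strip()
        if vserver or role:  # continuation rows leave both columns blank
            key = (vserver or key[0], role or key[1])
        *cmd, access = line[cmd_col:].split()  # access level is the last token
        roles.setdefault(key, {})[" ".join(cmd)] = access
    return roles

def effective_access(entries, command):
    """Assumption: the longest matching command-directory entry wins, else DEFAULT."""
    words = command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in entries:
            return entries[prefix]
    return entries.get("DEFAULT", "none")

def audit(entries):
    """List deviations from 'may modify volumes, may not delete them'."""
    want = {"volume modify": "all", "volume delete": "none"}
    return [f"{cmd} is {effective_access(entries, cmd)}, expected {lvl}"
            for cmd, lvl in want.items() if effective_access(entries, cmd) != lvl]

if __name__ == "__main__":
    for (vserver, role), entries in parse_roles(SAMPLE).items():
        print(vserver, role, audit(entries) or "policy as intended")
```

The check covers the role table only; whether REST calls honor it still has to be confirmed on the cluster itself.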
Hello,
Customer provided the following feedback:
I have tested the provided solution.
Unfortunately, even if we have volume delete set to none, the user still has the possibility to remove the volume.
This is because "volume modify -access all" overrides all volume permissions.
Could you help me to confirm this behavior? If so, is there any "workaround" to this?
Thank you.
What release do you see this in? I believe you are describing burt1361017, which was fixed in 9.8 and following releases.
The customer is still running an old ONTAP release, and one of the key points for them to accept an upgrade to a higher version is this specific topic.
I've informed them about this BURT and asked them to try on a lab.
Thank you so much.