ONTAP Rest API Discussions

How to prevent user to delete volumes?

Quang-Chinh
2,465 Views

Dear all,

 

Could you help us to know if there is a workaround to the following behavior?

"Since new clusters are using the REST API we cannot prevent users deleting the volumes, because volume modify command contains volume delete permission."

 

Thank you so much.

Regards,

 

Quang-Chinh

4 REPLIES 4

degraaf
2,444 Views

You can use a traditional login role to allow access to "volume modify" and prevent it for "volume delete" and allow that role for rest via "vserver services web access -name rest". This will cause DELETE on /api/storage/volumes/{uuid} to fail for users with the assigned role.

 

cluster-1::> security login role show -role test1                            
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
cluster-1 
           test1         DEFAULT                                       none
                         volume create                                 all
                         volume delete                                 none
                         volume modify                                 all
                         volume show                                   all
5 entries were displayed.

cluster-1::> vserver services web access show -name rest -role test1 
Vserver        Type     Service Name     Role  
-------------- -------- ---------------- ----------------
cluster-1 
               admin    rest             test1

 

Quang-Chinh
2,379 Views

Hello, 

 

Customer provided the following feedback:

 

I have tested the provided solution.

Un fortunately even if we have a volume delete set to none, user still have possibility to remove the Volume.

This is because Volume modify -access all overrides on all volume permissions.

 

Could you help me to confirm this behavior? If so, is there any "workaround" to this?

 

Thank you.

degraaf
2,372 Views

What release do you see this in? I believe you are describing burt1361017, which was fixed in 9.8 and following releases.

Quang-Chinh
2,323 Views

Customer is still running old ONTAP and one of the key point for them to accept to upgrade to a higher version is this specific topic.

I've informed them about this BURT and asked them to try on a lab.

Thank you so much.

Public