Solved: ONTAP REST /docs/api permissions

isc-dario · ‎2020-08-05

Hi guys

I have made a REST API user with the permissions for reading volumes and svms (via security login rest-role on an ONTAP 9.6 system). The commands are working perfect but this user can't read /docs/api. Is there an additional permission for this?

Thanks for help!

RobertBlackhart · ‎2020-08-05

Hi isc-dario,

Yes, there is one more piece of access that you need to grant in order to allow custom roles to see the Swagger UI. Here is my cluster configuration that mimics what I think you have already done:

mycluster::> security login show -user-or-group-name restviewer

Vserver: mycluster
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
restviewer     http        password      restviewer       no     none

mycluster::> security login rest-role show -role restviewer
               Role                                    Access
Vserver        Name            API                     Level
----------     -------------   -------------------     ------
mycluster
               restviewer      /api/storage/volumes
                                                       readonly
                               /api/svm/svms           readonly
2 entries were displayed.

With this setup, I get a 401 if I try to log in with the restviewer account. So the other thing that needs done is to allow access to the web service for that role like this:

mycluster::> vserver services web access create -vserver mycluster -name docs-api -role restviewer

mycluster::>

After adding that, the docs page at /docs/api will load. However, there is a bug that I found while reproducing your issue. After you enter the credentials the first time and the docs load, another credential popup is shown. Entering the credentials again will not work. The workaround is to cancel the second authentication dialog. Then you can browse the docs normally.

If you want to track the progress of the bug to fix this issue, you can view this link (may take some time to be live): https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1342377

View solution in original post

RobertBlackhart · ‎2020-08-05

Hi isc-dario,

Yes, there is one more piece of access that you need to grant in order to allow custom roles to see the Swagger UI. Here is my cluster configuration that mimics what I think you have already done:

mycluster::> security login show -user-or-group-name restviewer

Vserver: mycluster
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
restviewer     http        password      restviewer       no     none

mycluster::> security login rest-role show -role restviewer
               Role                                    Access
Vserver        Name            API                     Level
----------     -------------   -------------------     ------
mycluster
               restviewer      /api/storage/volumes
                                                       readonly
                               /api/svm/svms           readonly
2 entries were displayed.

With this setup, I get a 401 if I try to log in with the restviewer account. So the other thing that needs done is to allow access to the web service for that role like this:

mycluster::> vserver services web access create -vserver mycluster -name docs-api -role restviewer

mycluster::>

After adding that, the docs page at /docs/api will load. However, there is a bug that I found while reproducing your issue. After you enter the credentials the first time and the docs load, another credential popup is shown. Entering the credentials again will not work. The workaround is to cancel the second authentication dialog. Then you can browse the docs normally.

If you want to track the progress of the bug to fix this issue, you can view this link (may take some time to be live): https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1342377

isc-dario · ‎2020-08-05

Hi Robert

Thank you! Worked! Did I miss this part in the documentation?

Thanks, Dario

RobertBlackhart · ‎2020-08-05

I'm not sure if this is documented well somewhere, I didn't see it.

ONTAP REST /docs/api permissions

Portfolio Updates | NetApp ONAIR