ONTAP Rest API Discussions

RBAC over RestRoles

klmi

Hi all,

we are currently in the phase of switching over from ONTAPI to the REST API.
For some regulations we need to use RBAC, so that specific AD groups/users get reduced API access to the vserver.

We need a role for snapshot management (backup application), so this user can only create/delete snapshots on the vserver.

So far I can only get it working by giving REST access to the API /api/storage/volumes, but this would also give rights to create/destroy volumes and more.

I tried to create a stricter role, but it does not work.

Ontap_98::> security login rest-role create -vserver <vserver> -role rest_snapadmin -api /api/storage/volumes/{volume.uuid}/snapshots -access all

Error: command failed: Invalid character detected in URI.

Has anybody an idea how to restrict the access to snapshot-only operations with the REST API?

 

Best Regards,

Klaus


3 REPLIES

mbeattie

Hi Klaus,

I don't believe the current ONTAP release supports granular RBAC access to an individual volume via the REST API. I tested this on ONTAP 9.8 and got the same result (replacing '{volume.uuid}' with a volume's UUID):

cluster1::> security login rest-role creat -vserver vserver1 -role rest_snapadmin -api /api/storage/volumes/1c25a5c1-bd20-11ea-8d7a-00a098dea1f0/snapshots -access all
Error: command failed: Specified URI path is invalid or not supported. Verify that the URI contains only valid characters. Variable-path URIs are not supported.

I think this may be available in a future ONTAP release; however, in the meantime you could rehost the volume in another SVM and delegate access to '/api/storage/volumes'.

 

/Matt


mbeattie (accepted solution)

Hi Klaus,

Whilst it's not currently possible to delegate permissions using the 'security login rest-role create' command, you can use the traditional method as follows:

security login role create -role snapadmin -cmddirname "volume snapshot" -access all -query "-vserver vserver1 -volume cifs_data_001"

vserver services web access create -name rest -role snapadmin -vserver cluster1

security login create snapadmin -application http -authentication-method password -role snapadmin

curl -ku snapadmin:<password> -X GET "https://192.168.100.2/api/storage/volumes/4a8e36e3-2861-11eb-9071-0050568028c9/snapshots"

{
  "records": [
    {
      "uuid": "b43de933-4b7f-4bcd-b51d-b759b0752a4a",
      "name": "snapmirror.1b2e97b3-285c-11eb-9660-00505680d956_2150679890.2020-11-16_224256",
      "_links": {
        "self": {
          "href": "/api/storage/volumes/4a8e36e3-2861-11eb-9071-0050568028c9/snapshots/b43de933-4b7f-4bcd-b51d-b759b0752a4a"
        }
      }
    },
    {
      "uuid": "8c3ace7d-2b99-4dbe-b05c-f954ed37547c",
      "name": "snapmirror.1b2e97b3-285c-11eb-9660-00505680d956_2150679890.2020-11-19_020943",
      "_links": {
        "self": {
          "href": "/api/storage/volumes/4a8e36e3-2861-11eb-9071-0050568028c9/snapshots/8c3ace7d-2b99-4dbe-b05c-f954ed37547c"
        }
      }
    }
  ],
  "num_records": 2,
  "_links": {
    "self": {
      "href": "/api/storage/volumes/4a8e36e3-2861-11eb-9071-0050568028c9/snapshots"
    }
  }
}

Note: if you ever renamed the volume you'd also need to update the name in the 'query':

security login role create -role snapadmin -cmddirname "volume snapshot" -access all -query "-vserver vserver1 -volume cifs_data_001"

Hope that helps

/Matt

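
The role above is only as good as its query, so the check a practitioner wants after creating it is a negative test: the snapadmin login must be able to list, create and delete snapshots on the scoped volume, and must be refused when it tries to create a volume, delete the scoped volume, or touch snapshots of a volume outside the query. The script below is an added example for this thread, not code from the post or from NetApp. It assumes (none of this comes from the thread) that ONTAP answers a call the role does not permit with HTTP 403, that snapshot creation returns 201 or 202, that the second volume UUID is a placeholder for some volume outside the query, and it ships with a constructed in-memory stand-in for the cluster so it can be run offline; pass host, user and password on the command line to run it against a real system.

```python
"""Least-privilege probe for an ONTAP REST login that should only manage
snapshots on one volume. Added example for this thread, not NetApp code.

Assumptions (not from the post): a refused call returns HTTP 403, snapshot
creation returns 201 or 202, OTHER_VOL is a placeholder volume UUID.
"""
import base64
import json
import ssl
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# transport(method, path, json_body) -> (http_status, parsed_json_body)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]

PROBE_SNAP = "rbac_probe"                               # snapshot we create, then remove
SCOPED_VOL = "4a8e36e3-2861-11eb-9071-0050568028c9"     # volume UUID from the thread's curl
OTHER_VOL = "00000000-0000-0000-0000-000000000001"      # placeholder: a volume outside the query


def run_checks(send: Transport, scoped_vol: str = SCOPED_VOL,
               other_vol: str = OTHER_VOL) -> Dict[str, bool]:
    """Return {check_name: passed}; every value must be True for a correctly scoped role."""
    snaps = f"/api/storage/volumes/{scoped_vol}/snapshots"
    results: Dict[str, bool] = {}

    status, _ = send("GET", snaps, None)
    results["list_scoped_snapshots"] = status == 200

    status, _ = send("POST", snaps, {"name": PROBE_SNAP})
    results["create_scoped_snapshot"] = status in (201, 202)

    # Look the probe snapshot up by name so no pre-existing snapshot is ever deleted.
    status, body = send("GET", f"{snaps}?name={PROBE_SNAP}&fields=uuid", None)
    records = body.get("records", []) if status == 200 else []
    if records:
        status, _ = send("DELETE", f"{snaps}/{records[0]['uuid']}", None)
        results["delete_scoped_snapshot"] = status in (200, 202)
    else:
        results["delete_scoped_snapshot"] = False

    # Everything below must be refused. The volume body is deliberately minimal:
    # we only care that authorization rejects it, not that it would validate.
    denied = [
        ("create_volume_denied", "POST", "/api/storage/volumes", {"name": "rbac_probe_vol"}),
        ("delete_scoped_volume_denied", "DELETE", f"/api/storage/volumes/{scoped_vol}", None),
        ("other_volume_snapshots_denied", "GET", f"/api/storage/volumes/{other_vol}/snapshots", None),
    ]
    for name, method, path, payload in denied:
        status, _ = send(method, path, payload)
        results[name] = status == 403
    return results


def ontap_transport(host: str, user: str, password: str, verify_tls: bool = True) -> Transport:
    """Transport for a real cluster: HTTPS with basic auth, standard library only."""
    ctx = ssl.create_default_context()
    if not verify_tls:                      # lab clusters with self-signed certificates only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
               "Content-Type": "application/json"}

    def send(method: str, path: str, payload: Optional[dict]) -> Tuple[int, dict]:
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(f"https://{host}{path}", data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:   # 4xx/5xx still carry a JSON error body
            raw = err.read()
            try:
                return err.code, (json.loads(raw) if raw else {})
            except ValueError:
                return err.code, {}
    return send


def simulated_transport(scope_prefix: str) -> Transport:
    """Constructed stand-in for the cluster (not ONTAP): permits any path under scope_prefix,
    refuses everything else with 403. Exists only so the checks can run offline."""
    snapshots: Dict[str, str] = {}          # name -> uuid

    def send(method: str, path: str, payload: Optional[dict]) -> Tuple[int, dict]:
        if not path.startswith(scope_prefix):
            return 403, {"error": {"message": "not authorized for that command"}}
        base, _, query = path.partition("?")
        if method == "POST" and base.endswith("/snapshots"):
            snapshots[payload["name"]] = f"sim-{len(snapshots) + 1}"
            return 201, {}
        if method == "GET" and base.endswith("/snapshots"):
            want = dict(p.split("=", 1) for p in query.split("&") if "=" in p).get("name")
            recs = [{"name": n, "uuid": u} for n, u in snapshots.items() if want in (None, n)]
            return 200, {"records": recs, "num_records": len(recs)}
        if method == "DELETE" and "/snapshots/" in base:
            uuid = base.rsplit("/", 1)[1]
            for n, u in list(snapshots.items()):
                if u == uuid:
                    del snapshots[n]
                    return 200, {}
            return 404, {}
        return 200, {}                      # any other permitted call just "succeeds"
    return send


if __name__ == "__main__":
    if len(sys.argv) == 4:                  # rbac_probe.py <host> <user> <password>
        transport = ontap_transport(sys.argv[1], sys.argv[2], sys.argv[3])
    else:                                   # offline: simulate the query-scoped role
        transport = simulated_transport(f"/api/storage/volumes/{SCOPED_VOL}/snapshots")
    for check, ok in run_checks(transport).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Run it once against the snapadmin login and expect six PASS lines; run it against the first approach Klaus described (a rest-role on /api/storage/volumes) and the three "denied" checks fail, which is exactly the over-delegation the query-scoped role is meant to remove. Because a real snapshot is created and removed, point it at a scratch volume first.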

klmi

Hi Matt,

many thanks for that useful info.

After enabling the web service for our (ONTAPI) role, it also worked well with REST with all RBAC features.

 

Best Regards,

Klaus
