Solved: Re: REST API "User is not authorized."

geeko · ‎2023-02-01

Hi,

I try to connect via HTTP as part of this Ansible task:

- name: Get LUNs
netapp.ontap.na_ontap_rest_info:
hostname: '{{ ontap_host }}'
cert_filepath: '{{ ontap_crt }}'
key_filepath: '{{ ontap_key }}'
gather_subset:
- 'storage/luns'
fields:
- 'comment'
https: True
validate_certs: False
register: lun_info

but receive:

Error using REST for version, error: {'code': '6691623', 'message': 'User is not authorized.'}.

The user and role should be configured correctly:

fc-netapp::> security login show -user-or-group-name orchestrator

Vserver: fc-netapp
Second
User/Group Authentication Acct Authentication
Name Application Method Role Name Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
orchestrator http cert georg_dev - none

Vserver: vs_wilde
Second
User/Group Authentication Acct Authentication
Name Application Method Role Name Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
orchestrator http cert georg_dev - none
2 entries were displayed.

fc-netapp::> security login rest-role show -role georg_dev
Role Access
Vserver Name API Level
---------- ------------- ------------------- ------
fc-netapp georg_dev /api/cluster all
/api/cluster/ all
vs_wilde georg_dev /api/storage all
/api/storage/ all
4 entries were displayed.

A second user using username/passphrase authentication is able to connect using this role, only this new certificate based user won't work. I configured it according to https://netapp.io/2020/06/25/cert4uid-pswd/ and the variables shown above reference the respective certificate/key pair.

What could I be missing?

Thanks for any ideas!

MOHANRAJB · ‎2023-02-07

certname should be same in cert create and install commands and also in login account creation step.

[linux ~]$ openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout name.key -out name.pem -subj “/C=US/ST=NC/L=RTP/O=NetApp/CN=cert_user”

security certificate install -type client-ca -cert-name cert_user -vserver <cluster short name>

security login create -user-or-group-name cert_user -application ontapi -authentication-method cert

security login create -user-or-group-name cert_user -application http -authentication-method cert

In https://netapp.io/2020/06/25/cert4uid-pswd/ cert is created for cert_user but admin user is configured in ontap.

but david warn about user
For the CN=cert_user this needs to be the user that will be connecting, so for admin again it would be CN=admin.

View solution in original post

MOHANRAJB · ‎2023-02-07

certname should be same in cert create and install commands and also in login account creation step.

[linux ~]$ openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout name.key -out name.pem -subj “/C=US/ST=NC/L=RTP/O=NetApp/CN=cert_user”

security certificate install -type client-ca -cert-name cert_user -vserver <cluster short name>

security login create -user-or-group-name cert_user -application ontapi -authentication-method cert

security login create -user-or-group-name cert_user -application http -authentication-method cert

In https://netapp.io/2020/06/25/cert4uid-pswd/ cert is created for cert_user but admin user is configured in ontap.

but david warn about user
For the CN=cert_user this needs to be the user that will be connecting, so for admin again it would be CN=admin.