ONTAP Rest API Discussions

Security role create by RestApi broken

JihedLazid

got this error when he tried to run a Rest API Call for /api/storage/volume

00000005.000173e6 0020e504 Tue Apr 28 2020 04:53:02 -07:00 [kern_audit:info:2238] 8503e8000001567f :: ec1_netapp_cvo_ls_prod_dr_ext:CSODMGMT\svc-ls-cvo-iac :: GET /api/storage/volume :: Error: Forbidden
Error for this user was 403 – Forbidden …. RBAC.

/api/storage/volume
{
"error": {
"message": "not authorized for that command"
"code": "6"
}
}

Workaround provided:
Create a exact same role from ONTAP CLI and associate with user and it works fine.


Steps Taken:
Test with the affected user – doesn't work.
Test with admin user – worked fine.
Test with same role capabilities on another cluster – works fine.
Create a new role with same capabilities from CLI – works fine.
Re-associate user to old role with same capabilities as old role – fails.
Old role created by Ansible – works fine on another cluster with same version.

developed some python code that makes REST calls.
This code did work and nothing has changed. If you check the logs, you can see REST call on the 20th April that were successful.

Commands used to create the role :
security login rest-role create -vserver CVO_Prod -role cvo-rest-test -api /api/storage/volumes -access all
security login rest-role create -vserver CVO_Prod -role cvo-rest-test -api /api/protocols/cifs/shares -access all
security login rest-role create -vserver CVO_Prod -role cvo-rest-test -api /api/cluster/jobs -access all

Data collected related to both role : old one created by ansible and worked before, new one created by CLI as workaround

 

Any ideas ?

 

Thanks.

1 REPLY 1

christian_redel

i have the same issue

Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner
Public