OpenStack Discussions

Manila deploy Failed with Message "Reason - 13003: Insufficient privileges: user"

Mitsuhiko

Hi, I failed to deploy Manila with the NetApp driver with share server management, following the docs below.

https://netapp-openstack-dev.github.io/openstack-docs/queens/manila/configuration/ontap_configuration/section_ontap-config.html#account-permission-con...
https://netapp-openstack-dev.github.io/openstack-docs/rocky/manila/configuration/manila_config_files/section_unified-driver-with-share-server.html

I created a user called "manila_user" and a role called "manila_dhss_true" in NetApp to deploy Manila,
but in the manila-share-log, an error message "NaApiError: NetApp API failed. Reason - 13003: Insufficient privileges: user 'manila_user' does not have read access to this resource" is displayed.
I can guess that there is a problem.

If you know, can you confirm what is the cause?

By the way, if I use the "admin" user, it will boot normally.

cluster1::> #User
cluster1::> security login show

Vserver: cluster1
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
manila_user    http        password      manila_dhss_true no     none
manila_user    ontapi      password      manila_dhss_true no     none
manila_user    ssh         password      manila_dhss_true no     none

cluster1::> #Role
cluster1::> security login role show -vserver cluster1 -role manila_dhss_true
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
cluster1   manila_dhss_true
                         DEFAULT                                       none
                         event                                         all
                         network interface                             all
                         network port                                  readonly
                         network port vlan                             all
                         qos policy-group                              all
                         security                                      readonly
                         storage aggregate                             readonly
                         storage disk                                  readonly
                         system license                                readonly
                         system node                                   readonly
                         version                                       readonly
                         volume                                        all
                         volume snapshot                               all
                         vserver                                       all
                         vserver cifs create                           all
                         vserver cifs delete                           all
                         vserver cifs modify                           all
                         vserver cifs share                            all
                         vserver cifs show                             all
                         vserver export-policy                         all
                         vserver nfs kerberos interface                all
                         vserver nfs kerberos realm                    all
                         vserver services name-service dns create      all
                         vserver services name-service dns delete      all
                         vserver services name-service dns modify      all
                         vserver services name-service dns show        all
                         vserver services name-service ldap client     all
                         vserver services name-service ldap create     all
                         vserver services name-service ldap delete     all
                         vserver services name-service ldap modify     all
                         vserver services name-service ldap show       all
32 entries were displayed.

cluster1::>

Regards,

1 ACCEPTED SOLUTION

balaramesh

Hi Mitsuhiko

Good to hear back from you!

Yes, it seems likely the "network options" cmddir must be added to your user role to fix this. That is the correct action to be taken to rectify this. Due to the periodic changes in ONTAP versions with respect to the command directory organization, creating custom user roles differs and requires modification based on the ONTAP version. The easier solution would be to use the "admin" user, since it is guaranteed to have the required command dirs.

I would also recommend you join our Slack channel at http://www.netapp.io/slack/. The Slack community is active and contains a combination of developers and operators. There is a good possibility of getting faster responses as well!

REPLIES

balaramesh

Hi Mitsuhiko

What version of ONTAP are you using? The problem is with the creation of an SVM-scoped user. Depending upon the backends defined in manila.conf, the NetApp login specified would need to have sufficient privileges to access the required SVM. I recommend using the "admin" login credentials. The security roles and the privileges that can be associated with each role (cluster-scoped or SVM-scoped) vary between ONTAP versions, and using the "admin" user credentials would ensure continuous functioning across any ONTAP version.

balaramesh

I was able to identify the reason the error was coming up: the NetApp Manila driver is periodically updating the share status and polling backends to retrieve utilization and performance counters. The "manila_user" account does not have privileges to run the required ZAPI call (perf-object-counter-list-info). You would have to add the "statistics" cmddir to the manila_dhss_role with access level all.

Mitsuhiko

Hi balaramesh,

Thanks for the reply. I ran the command based on your advice, but it failed.
Checking the contents of "manila-share-log" showed that "Net-options-get" of the NetApp API failed.
Since we assumed from this log that the "network options" command privilege was insufficient,
we confirmed that manila-share starts normally when executing the following command.

cluster1::> security login role create -role manila_dhss_true -cmddirname "network options" -access readonly

Is it possible to check whether there is a problem with the addition of this privilege?

cluster1::> security login role show -vserver cluster1 -role manila_dhss_true
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
cluster1   manila_dhss_true
                         DEFAULT                                       none
                         event                                         all
                         network interface                             all
                         network options                               readonly
                         network port                                  readonly
                         network port vlan                             all
                         qos policy-group                              all
                         security                                      readonly
                         statistics                                    all
                         storage aggregate                             readonly
                         storage disk                                  readonly
                         system license                                readonly
                         system node                                   readonly
                         version                                       readonly
                         volume                                        all
                         volume snapshot                               all
                         vserver                                       all
                         vserver cifs create                           all
                         vserver cifs delete                           all
                         vserver cifs modify                           all
                         vserver cifs share                            all
                         vserver cifs show                             all
                         vserver export-policy                         all
                         vserver nfs kerberos interface                all
                         vserver nfs kerberos realm                    all
                         vserver services name-service dns create      all
                         vserver services name-service dns delete      all
                         vserver services name-service dns modify      all
                         vserver services name-service dns show        all
                         vserver services name-service ldap client     all
                         vserver services name-service ldap create     all
                         vserver services name-service ldap delete     all
                         vserver services name-service ldap modify     all
                         vserver services name-service ldap show       all
34 entries were displayed.

cluster1::>

Also, the version of this cluster is below:

cluster1::> version
NetApp Release 9.3P5: Sat May 19 15:11:37 UTC 2018

Regards,


Mitsuhiko

Hi balaramesh,

I understood that the problem is fixed and the configuration is not wrong.

I will try using the Slack channel from next time.

Thank you for your cooperation.

Regards,
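
Added example, not part of the original thread and not NetApp or Manila code: a small audit that reads `security login role show` output for a custom role and reports which of the command directories identified in this thread ("statistics" and "network options") are still effectively denied, so the role can stay least-privilege instead of falling back to "admin". The function names are hypothetical, and the script assumes that the most specific matching cmddir entry wins with DEFAULT as the fallback, and that the Query column is empty as in the listings above.

```python
RANK = {"none": 0, "readonly": 1, "all": 2}
# From the thread: the cmddirs whose absence stopped manila-share.
REQUIRED = {"statistics": "all", "network options": "readonly"}

def parse_role(text):
    """Map cmddir -> access from 'security login role show' output.
    Assumes the Query column is empty, as in the thread's listing."""
    role = {}
    for line in text.splitlines():
        tokens = line.split()
        if "::>" in line or len(tokens) < 2 or tokens[-1] not in RANK:
            continue  # prompt, header, separator or entry-count line
        role[" ".join(tokens[:-1])] = tokens[-1]
    return role

def effective_access(role, cmddir):
    """Assumed resolution: the longest matching prefix wins, else DEFAULT."""
    words = cmddir.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in role:
            return role[prefix]
    return role.get("DEFAULT", "none")

def missing_grants(role, required=REQUIRED):
    """Required cmddirs whose effective access is below the needed level."""
    return {d: lvl for d, lvl in required.items()
            if RANK[effective_access(role, d)] < RANK[lvl]}

def fix_commands(role_name, gaps):
    """Render the grants in the command form used in the thread."""
    return [f'security login role create -role {role_name} '
            f'-cmddirname "{d}" -access {lvl}' for d, lvl in sorted(gaps.items())]

# Sample input: a few lines taken from the role listing first posted above.
BEFORE = """\
cluster1::> security login role show -vserver cluster1 -role manila_dhss_true
cluster1 manila_dhss_true
DEFAULT none
network interface all
network port readonly
security readonly
volume all
vserver all
"""
# The same role after the two grants discussed in the thread.
AFTER = BEFORE + "network options readonly\nstatistics all\n"

if __name__ == "__main__":
    for cmd in fix_commands("manila_dhss_true", missing_grants(parse_role(BEFORE))):
        print(cmd)
    print("remaining gaps:", missing_grants(parse_role(AFTER)))
```

Because required directories differ between ONTAP releases, as the accepted answer notes, `REQUIRED` should be extended from the API names that appear in the manila-share log on the release in use.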
