Software Development Kit (SDK) and API Discussions

Data ONTAP API Failed: Invalid query (Roles -> Roles Attribute)

iz2hfg
2,724 Views

Hi everybody,

I have a problem with "GUI" (ONTAP 9 Custer mode) concerning the "Query" on Role ->Role Attribute.

In fact the NetApp documentatin (that I have found) is incomplete........... because it is not listed the sintax................the example is only one "-aggr <aggrname>" but the question is what is the sintax to add other query?

 

I would thanks in advance for the help and attention (:-))

 

Kind regards 

franco

1 ACCEPTED SOLUTION

iz2hfg
2,694 Views

Hi,
I have solved.......... and I think that the CLI example below can help some folks, anyway there is second big issue that I must understand!

 

It is NOT clear what are the real benefit to use a filter added via "Query"..............


In fact I have tried with a lot of test to create/modify some "role" (via CLI, it is most simple) to add some type of  "query" but apparently the filters not running with a logics and apparently it is not possible to add a query for some the "cmddirname".

 

See the example below:

 

>security login role modify -vserver ITVARNAPPXX  -role snap_role -access all -cmddirname "volume" -query "-aggr ITVARNAPPXXA_aggr1"

 

>security login role modify -vserver ITVARNAPPXX  -role snap_role -access all -cmddirname "volume clone" -query "-vserver svm_share_XX"

 

ITVARNAPPXX::> security login role show -role snap_role
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
ITVARNAPPXX
           snap_role     DEFAULT                                       none
                         volume               -aggr ITVARNAPPXXA_aggr1 all
                         volume clone            -vserver svm_share_XX all
                         volume clone create                           all
                         volume clone show                             all
                         volume create                                 all
                         volume delete                                 all
                         volume modify                                 all
                         volume offline                                all
                         volume show                                   all
                         volume snapshot create                        all
                         volume snapshot delete                        all
                         volume snapshot modify                        all
                         volume snapshot show                          all
14 entries were displayed.

ITVARNAPPXX::>

 

Above all it is not at all clear (for me.......) the mechanism into the "cmddirname"  because, for a logics, there is a "father" and under the "sons" that they depend of his otherwise.........


In fact into my example, you can see the "role" where the specific userid is able to operate (by query) the "volume" command and - in theory - onto the indicated aggregate only but it is not true.

 

The second one command "volume clone" and here also the "role" should be able to operate into the indicated SVM only but it is not true.

 

Thanks to explain me how to create a "tree" of commands for the role with a permission to execute the commands only but for the specific filter (query) only otherwise the userid can create/remove the volumes/clone/snapshot into other SVM and so on!

 

Kind regards

franco

 

View solution in original post

1 REPLY 1

iz2hfg
2,695 Views

Hi,
I have solved.......... and I think that the CLI example below can help some folks, anyway there is second big issue that I must understand!

 

It is NOT clear what are the real benefit to use a filter added via "Query"..............


In fact I have tried with a lot of test to create/modify some "role" (via CLI, it is most simple) to add some type of  "query" but apparently the filters not running with a logics and apparently it is not possible to add a query for some the "cmddirname".

 

See the example below:

 

>security login role modify -vserver ITVARNAPPXX  -role snap_role -access all -cmddirname "volume" -query "-aggr ITVARNAPPXXA_aggr1"

 

>security login role modify -vserver ITVARNAPPXX  -role snap_role -access all -cmddirname "volume clone" -query "-vserver svm_share_XX"

 

ITVARNAPPXX::> security login role show -role snap_role
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
ITVARNAPPXX
           snap_role     DEFAULT                                       none
                         volume               -aggr ITVARNAPPXXA_aggr1 all
                         volume clone            -vserver svm_share_XX all
                         volume clone create                           all
                         volume clone show                             all
                         volume create                                 all
                         volume delete                                 all
                         volume modify                                 all
                         volume offline                                all
                         volume show                                   all
                         volume snapshot create                        all
                         volume snapshot delete                        all
                         volume snapshot modify                        all
                         volume snapshot show                          all
14 entries were displayed.

ITVARNAPPXX::>

 

Above all it is not at all clear (for me.......) the mechanism into the "cmddirname"  because, for a logics, there is a "father" and under the "sons" that they depend of his otherwise.........


In fact into my example, you can see the "role" where the specific userid is able to operate (by query) the "volume" command and - in theory - onto the indicated aggregate only but it is not true.

 

The second one command "volume clone" and here also the "role" should be able to operate into the indicated SVM only but it is not true.

 

Thanks to explain me how to create a "tree" of commands for the role with a permission to execute the commands only but for the specific filter (query) only otherwise the userid can create/remove the volumes/clone/snapshot into other SVM and so on!

 

Kind regards

franco

 

Public