Readonly ontapi access

gasparuben · ‎2013-05-13

hi,

I have built a command to retrieve online stats for either a 7-mode or C-mode cluster.

I wanted to use a read-only account of the second one, so I set up (connecting to the cluster-mgmt lif):

cluster01::> security login show

Authentication Acct

Vserver UserName Application Method Role Name Locked

----------- ---------------- ----------- -------------- ---------------- ------

cluster01 cerndb_rman http password readonly no

cluster01 cerndb_rman ontapi password readonly no

cluster01 cerndb_rman ssh password readonly no

But when I try to query some data I get:

-RDBMS>-BD2:/ORA/dbs01/syscontrol/projects/dfm/bin$ ./smetrics -i 3 -n 2 dbnasb402:/backup/dbs05/BD2

Mon May 13 12:18:18 CEST 2013 : RunTime.CleanUpOlderThanDays: on </ORA/dbs01/syscontrol/local/logs/dfm> removed older than <30>.

Mon May 13 12:18:18 CEST 2013 : RunTime.RunStr running find /ORA/dbs01/syscontrol/local/logs/dfm -name \* -mtime +30 -exec rm -rf {} \;

Mon May 13 12:18:18 CEST 2013 : RunTime.CleanUpOlderThanDays: done.

Mon May 13 12:18:18 CEST 2013 : Main: BEGIN args - controller: <dbnasXX> volume_name: </backup/dbs05/BD2>

Mon May 13 12:18:18 CEST 2013 : RunTime.RetrievePasswordForUser: password found for <password_db>

Mon May 13 12:18:18 CEST 2013 : RunTime.GetClusterMgmtNode : nas: <dbnasXXX> matched in <dbnasXXX>

Mon May 13 12:18:18 CEST 2013 : RunTime.GetClusterMgmtNode : nas: <dbnasXXX> matched in <dbnasX>

Mon May 13 12:18:18 CEST 2013 : RunTime.GetIPFromCName: try to get ip from <dbnasb-cluster-mgmt>

Mon May 13 12:18:18 CEST 2013 : RunTime.RunStr running ping -c 1 dbnasb-cluster-mgmt

Mon May 13 12:18:18 CEST 2013 : RunTime.GetIPFromCName: IP <10.16.129.17> for <dbnasXXX-cluster-mgmt>

Mon May 13 12:18:18 CEST 2013 : RunTime_Zapi.GetVolInfoCmode : working with volume: </backup/dbs05/BD2>

Mon May 13 12:18:18 CEST 2013 : RunTime_Zapi.GetVolInfoCmode: query looks like:

<volume-get-iter>

<max-records>10</max-records>

<query>

<volume-attributes>

<volume-id-attributes>

<junction-path>/backup/dbs05/BD2</junction-path>

</volume-id-attributes>

</volume-attributes>

</query>

<desired-attributes>

<volume-autosize-attributes></volume-autosize-attributes>

<volume-id-attributes></volume-id-attributes>

<volume-space-attributes></volume-space-attributes>

</desired-attributes>

</volume-get-iter>

Mon May 13 12:18:20 CEST 2013 : RunTime.GetVolInfoCmode : Authorization failed, err number: 13002, status: failed

I then added:

cluster01::> security login show

Authentication Acct

Vserver UserName Application Method Role Name Locked

----------- ---------------- ----------- -------------- ---------------- ------

cluster01 toto http password readonly no

cluster01 toto ontapi password readonly no

cluster01 toto ssh password readonly no

dbvs toto http password vsadmin-readonly no

dbvs toto ontapi password vsadmin-readonly no

dbvs toto ssh password vsadmin-readonly no

But still same error.

Thanks a lot for your help!,

Ruben

gasparuben · ‎2013-05-13

I believe this is quite standard, but on my cluster running Ontap 8.1.2 the readonly role comes defined as:

cluster01::> security login role show -vserver cluster01 -role readonly

Role Command/ Access

Vserver Name Directory Query Level

---------- ------------- --------- ----------------------------------- --------

cluster01 readonly DEFAULT readonly

cluster01 readonly security none

cluster01 readonly security login password all

cluster01 readonly set all

4 entries were displayed.

Thanks,

Ruben

Readonly ontapi access

Introducing GenAI Search on NSS