Software Development Kit (SDK) and API Discussions
I am attempting to run "system-cli" calls that show some statistics. I am using a user called "monitor" that has role "readonly" [1]. This is on ONTAP 9.2. I keep getting "Insufficient privileges: user 'monitor' does not have write access to this resource" when I use the "system-cli" API [2] call but the exact same command works just fine via SSH [3].
What am I missing in the readonly role that would prevent access only when running the command via system-cli?
Thanks,
- Trey
[1]:
netapp-home::> security login show -user-or-group-name monitor

Vserver: netapp-home
                             Authentication             Acct   Is-Nsswitch
User/Group Name  Application Method    Role Name        Locked Group
---------------- ----------- --------- ---------------- ------ -----------
monitor          console     password  readonly         no     no
monitor          http        password  readonly         no     no
monitor          ontapi      password  readonly         no     no
monitor          ssh         password  readonly         no     no
monitor          ssh         publickey readonly         -      no
5 entries were displayed.

netapp-home::> security login role show -role readonly
           Role          Command/                                      Access
Vserver    Name          Directory Query                               Level
---------- ------------- --------- ----------------------------------- --------
netapp-home
           readonly      DEFAULT                                       readonly
                         security                                      none
                         security login password                       all
                         security login role show-user-capability      all
                         set                                           all
5 entries were displayed.
[2]:
>>> from NetApp.NaServer import *
>>> s = NaServer('netapp-home', 1, 31)
>>> s.set_style('LOGIN')
>>> s.set_admin_user('monitor', 'OMIT')
>>> s.set_transport_type('HTTPS')
>>> import shlex
>>> cmd = shlex.split('statistics show -object nfsv4_diag -instance nfs4_diag -counter storePool_* -raw -node netapp-home01')
>>> args = NaElement('args')
>>> for arg in cmd:
...     args.child_add(NaElement('arg', arg))
...
>>> cli = NaElement('system-cli')
>>> cli.child_add(args)
>>> cli.child_add(NaElement('priv', 'diagnostic'))
>>> out = s.invoke_elem(cli)
>>> out.sprintf()
u'<results status="failed" errno="13003" reason="Insufficient privileges: user \'monitor\' does not have write access to this resource"></results>\n'
>>> s.set_admin_user('admin', 'OMIT')
>>> out = s.invoke_elem(cli)
>>> out.sprintf()
u'<results status="passed">\n\t<cli-output>\n\nObject: nfsv4_diag\nInstance: nfs4_diag\nStart-time: 12/7/2017 11:11:00\nEnd-time: 12/7/2017 11:11:00\nScope: netapp-home01\n\n Counter Value\n -------------------------------- --------------------------------\n storePool_ByteLockAlloc 11\n storePool_ByteLockMax 1024005\n storePool_ClientAlloc 1305\n storePool_ClientMax 102402\n storePool_CopyStateAlloc 0\n storePool_CopyStateMax 10241\n storePool_DelegAlloc 32298\n storePool_DelegMax 1024002\n storePool_DelegStateAlloc 32298\n storePool_DelegStateMax 1024010\n storePool_LayoutAlloc 0\n storePool_LayoutMax 1024005\n storePool_LayoutStateAlloc 0\n storePool_LayoutStateMax 1024010\n storePool_LockStateAlloc 11\n storePool_LockStateMax 1024002\n storePool_OpenAlloc 204365\n storePool_OpenMax 1024002\n storePool_OpenStateAlloc 204365\n storePool_OpenStateMax 1024010\n storePool_OwnerAlloc 129643\n storePool_OwnerMax 1024002\n storePool_StateRefHistoryAlloc 0\n storePool_StateRefHistoryMax 9216008\n storePool_StringAlloc 130910\n storePool_StringMax 1024002\n26 entries were displayed.\n\n</cli-output>\n\t<cli-result-value>1</cli-result-value>\n</results>\n'
[3]:
$ ssh -l monitor netapp-home "set diag; statistics show -object nfsv4_diag -instance nfs4_diag -counter storePool_* -raw -node netapp-home01"
Password:

Object: nfsv4_diag
Instance: nfs4_diag
Start-time: 12/7/2017 11:07:05
End-time: 12/7/2017 11:07:05
Scope: netapp-home01

Counter                          Value
-------------------------------- --------------------------------
storePool_ByteLockAlloc          11
storePool_ByteLockMax            1024005
storePool_ClientAlloc            1303
storePool_ClientMax              102402
storePool_CopyStateAlloc         0
storePool_CopyStateMax           10241
storePool_DelegAlloc             32145
storePool_DelegMax               1024002
storePool_DelegStateAlloc        32145
storePool_DelegStateMax          1024010
storePool_LayoutAlloc            0
storePool_LayoutMax              1024005
storePool_LayoutStateAlloc       0
storePool_LayoutStateMax         1024010
storePool_LockStateAlloc         11
storePool_LockStateMax           1024002
storePool_OpenAlloc              204158
storePool_OpenMax                1024002
storePool_OpenStateAlloc         204158
storePool_OpenStateMax           1024010
storePool_OwnerAlloc             129557
storePool_OwnerMax               1024002
storePool_StateRefHistoryAlloc   0
storePool_StateRefHistoryMax     9216008
storePool_StringAlloc            130822
storePool_StringMax              1024002
26 entries were displayed.
Hello @treydock,
Just a couple of things before using the system-cli API... please remember that it is an unsupported, "private", API, so we do actively discourage its use. It also has some quirks, notably it has a buffer in the return output that, when it overflows, may incorrectly report that the call fails.
That being said, system-cli is the CLI equivalent of "system node run", so the user executing the command must have permission to that set of commands via ONTAPI.
Hope that helps.
Andrew
@asulliva Thanks.
In case others come across this I had to modify a non-builtin role and use that role to make the necessary changes:
netapp-home::> security login role create -vserver netapp-home -role monitor -access all -cmddirname "system node run" -query "-command statistics *"
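Added example, not part of the thread and not NetApp's code: a parser for the results strings shown in [2] that separates a role denial (errno 13003, as in the failed call) from any other failure and turns the statistics output into per-pool usage. The sample strings are constructed from the thread's output, and the function and class names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

DENIED_ERRNO = "13003"  # errno in the thread's "Insufficient privileges" result

# Constructed samples shaped like the out.sprintf() strings in the thread (trimmed).
FAILED = """<results status="failed" errno="13003" reason="Insufficient privileges: user 'monitor' does not have write access to this resource"></results>"""
PASSED = """<results status="passed">
<cli-output>
Object: nfsv4_diag
Instance: nfs4_diag

    Counter                          Value
    -------------------------------- --------------------------------
    storePool_ClientAlloc            1305
    storePool_ClientMax              102402
    storePool_OpenAlloc              204365
    storePool_OpenMax                1024002
4 entries were displayed.
</cli-output>
<cli-result-value>1</cli-result-value>
</results>"""

COUNTER = re.compile(r"^\s*(storePool_\w+?)(Alloc|Max)\s+(\d+)\s*$")


class CliDenied(PermissionError):
    """The calling role is not allowed to run the command through ONTAPI."""


def parse_system_cli(xml_text):
    """Return the <cli-output> text; raise CliDenied or RuntimeError on failure."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "passed":
        errno, reason = root.get("errno"), root.get("reason", "")
        if errno == DENIED_ERRNO:
            raise CliDenied(reason)
        raise RuntimeError("system-cli failed (errno %s): %s" % (errno, reason))
    return root.findtext("cli-output", default="")


def store_pool_usage(cli_output):
    """Pair each storePool_*Alloc with its *Max; return {pool: fraction in use}."""
    pools = {}
    for line in cli_output.splitlines():
        m = COUNTER.match(line)
        if m:
            pools.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    return {name: v["Alloc"] / v["Max"]
            for name, v in pools.items() if "Alloc" in v and v.get("Max")}
```

Raising a distinct exception for the permission case lets a collector report a role problem on the monitoring account separately from other system-cli failures.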
What is the equivalent call through the API for this command?
statistics show -object nfsv4_diag -instance nfs4_diag -counter storePool_* -raw -node netapp-home01
Thank you for the heads up.