SolidFire and HCI

read-only access for powershell toolkit

EamonnH
5,305 Views

Hi,

 

Does anyone have a definitive list of the APIs that need to be granted to allow read-only access from powershell? We're trying to automate reporting, but we need to ensure there is no possibility of the script changing anything.

 

Any and all advice gratefully received.

 

Regards,

Eamonn

1 ACCEPTED SOLUTION

mbeattie
5,218 Views

Hi,

 

One option to consider (that actually relates to solidfire Smiley Happy ) and assuming you have WFA in your environment would be to add the solidfire system (or systems) to WFA using this pack from the automation store:

 

https://automationstore.netapp.com/pack-detail.shtml?packUuid=cac25243-4e66-4630-a58d-ee16c7d93217&packVersion=1.0.0

 

Once the solidfire system\systems are aquired by the WFA datasource the configuration of your systems will reside in the "solidfire" database on the WFA server which you could query as a read only user. This way you wouldn't need to provide any API access directly to the solidfire systems directly for reporting purposes although the solidfire credentials to acquire the datasource would need to be configured within WFA.

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

View solution in original post

5 REPLIES 5

elementx
5,275 Views

You don't grant access to APIs, you grant access to cluster admins. 

 


PS /home/sean> get-help New-SFClusterAdmin -examples

NAME
New-SFClusterAdmin

SYNOPSIS
[Cluster] Adds a new cluster admin.


-------------------------- EXAMPLE 1 --------------------------

PS C:\>New-SFClusterAdmin -Username AdminUser -Password NewPass -Access "nodes","drives"

Adds a cluster admin user with full access to the "nodes" and "drives" groups of API methods.

The most common access levels are:

"administrator" - Full access to all API methods
"reporting" - Access to only readonly API methods with some limitations

 

Add one of these reporting accounts. Whatever this guy does, the only thing he can do is Get-*. 

 

PS /home/sean> New-SFClusterAdmin -Username DirkD -Password B00GInites -AcceptEula:$true -Access reporting


AuthMethod : Cluster
Access : {administrator}
ClusterAdminID : 1
Username : admin
Attributes :

AuthMethod : Cluster
Access : {read, reporting, volumes}
ClusterAdminID : 6
Username : sean
Attributes : {}

AuthMethod : Cluster
Access : {read, reporting}
ClusterAdminID : 7
Username : DirkD
Attributes : {}

 

Now this account can Get-* all sorts of info including this below.

 

PS /home/sean> Connect-SFCluster 192.168.1.30 -Username DirkD -Password B00GInites

 

PS /home/sean> Get-SFAccount -AccountID 1


AccountID : 1
Username : vcenter
Status : active
Volumes : {5, 6}
InitiatorSecret : WOWWOWWOW
TargetSecret : 0dD':6n9T4$:.UB3

 

But at least some things are off limits.

 

PS /home/sean> Get-SFClusterAdmin
Get-SFClusterAdmin : xPermissionDenied: xPermissionDenied
At line:1 char:1
+ Get-SFClusterAdmin
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidResult: (SolidFire.Cluster.Get.GetSFClusterAdmin:GetSFClusterAdmin) [Get-SFClusterAdmin], Exception
+ FullyQualifiedErrorId : 0,SolidFire.Cluster.Get.GetSFClusterAdmin
StorageContainerID : 00000000-0000-0000-0000-000000000000
Attributes : {}

 

If you want to prevent read-access to iSCSI accounts and passwords, you could set up one PS script to run as User A, and save output to a folder owned by User B, that way you can control what info is accesseed through User A, and User B could be normal staff without access to sensitive data. 

mbeattie
5,243 Views

Hi Eamonn,

 

The first response to your question appears to be based on NetApp Solidfire? Could you please specify what systems you are trying to automate reporting for? If you want to automate reporting for Clustered DATA ONTAP then it would make more sense create a read-only database user in OCUM used for querying to the information that OCUM has already discovered about the clusters in your environment rather than invoke API's to query the clusters directly.

 

If you want to automate reporting for Clustered Data ONTAP systems then the following may be of interest to you:

 

https://blog.netapp.com/more-ways-to-extract-the-data-you-need-from-oncommand-unified-manager/

https://www.netapp.com/us/media/tr-4565.pdf

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

elementx
5,231 Views

The first response to your question appears to be based on NetApp Solidfire? 

 

Well, the question has been posted under https://community.netapp.com/t5/SolidFire-PowerShell-Discussions/. 

If it's ment for another section perhaps it could be re-posted (with additional detail) to the right area of the forums to lessen the confusion.

mbeattie
5,226 Views

Didn't notice that when i replied. A fair and valid point Smiley Happy

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

mbeattie
5,219 Views

Hi,

 

One option to consider (that actually relates to solidfire Smiley Happy ) and assuming you have WFA in your environment would be to add the solidfire system (or systems) to WFA using this pack from the automation store:

 

https://automationstore.netapp.com/pack-detail.shtml?packUuid=cac25243-4e66-4630-a58d-ee16c7d93217&packVersion=1.0.0

 

Once the solidfire system\systems are aquired by the WFA datasource the configuration of your systems will reside in the "solidfire" database on the WFA server which you could query as a read only user. This way you wouldn't need to provide any API access directly to the solidfire systems directly for reporting purposes although the solidfire credentials to acquire the datasource would need to be configured within WFA.

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
Public