RCU from VSC 2.0 problem with RBAC

f_duranti · ‎2010-07-24

Hi all, it seems that I've some problems to configure RBAC to use RCU from VSC 2.0.

I had RBAC configured from RCU 3.0 and it was working fine with that version. I've checked on the documentation and it seems that nothing changed but when I try to add a host to RCU part of VSC 2.0 I get an error saying that some role are missing.

It seems something related to some cli-* role missing from my definition. Anyone have the correct RBAC role to put on the storage to make RCU work on VSC 2.0?

Thanks

Francesco

costea · ‎2010-07-24

Some additional APIs have been added for the 3.1 version of RCU. They are found in the IAG.

The additional APIs required to add a controller to RCU 3.1 are these:

api-cf-get-partner
api-disk-list-info
api-fcp-adapter-list-info
api-fcp-get-cfmode
api-lun-get-vdisk-attributes
api-nfs-exportfs-list-rules
api-volume-options-list-info
api-lun-move
api-lun-unmap
api-lun-online

f_duranti · ‎2010-07-24

Thanks for the answer. I've checked back the installation guide for VSC and I can find those api listed in the VSC capabilities:

api-cf-get-partner
api-disk-list-info
api-fcp-adapter-list-info
api-fcp-get-cfmode
api-lun-get-vdisk-attributes
api-nfs-exportfs-list-rules
api-volume-options-list-info

So should I add the entire VSC user role capability to the capability used by RCU user (we had different user for vsc/rcu/smvi defined on the storage)?

I cannot find those in the documentation. Do you know in what specific role they need to go? create_clones/create_datastore/destroy_datastore/modify_datastore ?) :

api-lun-move
api-lun-unmap
api-lun-online

To make rcu 3.0 work i had only those roles defined (and i was using all but destroy_datastore role in the rcu user):

Name: rcu_create_clones
Info:
Allowed Capabilities: login-http-admin,api-system-get-version,api-system-get-info,api-system-cli,api-license-list-info,cli-ifconfig,api-aggr-list-info,api-volume-list-info,api-lun-list-info,api-lun-map-list-info,api-igroup-list-info,api-ems-autosupport-log,api-file-get-file-info,api-clone-*,api-file-create-directory,api-file-read-file,api-file-delete-file,api-file-write-file,cli-mv,api-file-delete-directory,cli-ndmpd,cli-ndmpcopy,api-useradmin-user-list,api-cf-status,api-snapshot-list-info,api-volume-autosize-get,api-iscsi-session-list-info,api-iscsi-portal-list-info,api-fcp-service-status,api-iscsi-service-status,cli-df,api-snapmirror-get-volume-status,api-quota-report,api-qtree-list,api-system-api-list,api-vfiler-list-info

Name: rcu_create_datastores
Info:
Allowed Capabilities: api-volume-create,api-volume-set-option,api-volume-autosize-set,api-sis-enable,api-sis-start,api-snapshot-create,api-snapshot-set-reserve,api-volume-clone-create,api-nfs-exportfs-list-rules-2,api-nfs-exportfs-modify-rule-2,api-nfs-exportfs-load-exports,api-igroup-create,api-lun-create-by-size,api-lun-map,api-lun-set-comment,api-igroup-add,cli-qtree,cli-iscsi,api-nfs-exportfs-append-rules-2

Name: rcu_destroy_datastores
Info:
Allowed Capabilities: api-volume-offline,api-volume-destroy,api-lun-offline,api-lun-destroy

Name: rcu_modify_datastores
Info:
Allowed Capabilities: api-volume-size,api-sis-disable,api-sis-stop,api-lun-resize

Thanks for the help

Francesco

costea · ‎2010-07-26

Hi Francesco,

All of these new capabilities (including the VSC user role) need to be added to the create_clones role.

-George