VMware Solutions Discussions

VSC 9.6 - Crash when using the privileges from the RBAC User Creator Tool

sanadmin_stadtdo
5,015 Views

Hello community,

 

we are currently using VSC 9.6. If storage systems are added with a vscadmin who has received his privileges from the current RBAC User Creator Tool, the complete VSC will crash and have to be set up again.

 

The following messages appear - among others - in the VSC.LOG:

2019-12-09 06:39:47,930 [qtp557725225-3896 - /vsc/remoting/exoforceRmiExporter?sessionId=40f538d75057f26d857ae13c9113ae69fc380937&serviceUrl=https://vmc_serv.stadtdo.de:443/sdk] WARN (ZAPIInvoker) - invokeZAPI(0): failed OntapConnectionImpl{ipAddress=fas27501.stadtdo.de, userName=vscadmin, port=443, ssl=true} API failed. Insufficient privileges: user 'vscadmin' does not have read access to this resource (errno=13003) null
2019-12-09 06:39:47,930 [qtp557725225-3896 - /vsc/remoting/exoforceRmiExporter?sessionId=40f538d75057f26d857ae13c9113ae69fc380937&serviceUrl=https://vmc_serv.stadtdo.de:443/sdk] ERROR (RMIServiceImpl) - getAllStorageSystems - Error getting controllers -
Unable to load volumes for: AbstractController: id: bbfe3d81-7ae0-11e9-ba14-00a098fbe31aname: SVM_NFS-VMW02ip address: fas27501.stadtdo.de. Caused by: Insufficient privileges: user 'vscadmin' does not have read access to this resource (errno=13003)

 

Unfortunately I don't know which privileges are missing. It can only be due to the privileges, because it works if I give the vscadmin admin rights.

 

Any idea?

 

Many thanks and greetings

 

Michael

 

6 REPLIES 6

Roopeshwari
4,977 Views

Hi,

You have not mentioned which version of ONTAP Cluster is being used to create user. Hope you are using one of these ONTAP version which are supported for VSC 9.6:

Please follow steps mentioned in this article to create a user for VSC, it should work fine.

https://community.netapp.com/t5/Virtualization-Articles-and-Resources/How-to-use-the-RBAC-User-Creator-for-Data-ONTAP/ta-p/86601

 

 

sanadmin_stadtdo
4,910 Views

Hi,

Sorry, I forgot to tell you: we use FAS systems with ontap 9.5.

We've been using VSC for a long time (since version 2.1). Since the RBAC User Creator Tool existed, we have also used it to create the corresponding roles, without any problems so far. This time it doesn't work.


The hint from mjdalton1 on: https://docs.netapp.com/vapp-96/index.jsp?topic=%2Fcom.netapp.doc.vsc-dsg%2FGUID-999F3BFE-4005-42EC-9CF5-127DD6699297.html&lang=en refers to the roles "Discovery, Create Storage, Modify Storage and Destroy Storage" - but what content/commands do these roles have?  The roles themselves don't exit - do they?

 

I only know "FAQ: VSC, VASA, and SRA 7.0 ONTAP RBAC Configuration" ( https://kb.netapp.com/app/answers/answer_view/a_id/1001058). - Well, then I seem to have to rummage through here.

 

Best regards

 

Michael



Roopeshwari
4,896 Views

Hi Micheal,

 

Please follow this link and download latest ontapPrivs.xml and replace it in your RBAC Tool.

Select 'VSC, VASA Provider and SRA' for Product and 'VSC, VASA Provider and SRA 9.6' for version. Select role in checkbox and create a user for your SVM and add it to VSC. It should work fine or please share error \logs in case of  a failure.

https://mysupport.netapp.com/tools/info/ECMLP2434785I.html?pcfContentID=ECMLP2434785&productID=61965&language=en-US

The RBAC User Creator for Data ONTAP tool enables you to quickly and easily set up role-based access control (RBAC) for NetApp storage systems. It supports multiple NetApp products and both clustered Data ONTAP and Data ONTAP operating in 7-mode environments.  

 

This tool, privileges XML file and instructions for using it are available on the NetApp ToolChest:

 

Because this tool stores privileges in an XML file (ontapPrivs.xml), NetApp can update it with new information without having to recompile it. Also, the XML file allows you to clearly see the privileges being used.

 

sanadmin_stadtdo
4,840 Views

Hi,


I'm sorry, but I can't select 'VSC, VASA Provider and SRA' for Product and 'VSC, VASA Provider and SRA 9.6' - it doesn't exist.

 

Unfortunately I cannot find any "9.6" ontapPriv.xml under the given link. The file contains the previous data that I have used before. Here are the first lines of this ontapPriv.xml:

 

<?xml version="1.0" encoding="utf-8"?><privs>
<product id="vsc70" label="VSC, VASA Provider and SRA" description="VSC, VASA Provider and SRA">
<vsc70 id="vsc70" label="VSC 7.x">
<cluster-mode>
<admin-vserver>
<role id="discovery" label="Discovery"
description="This role allows for the discovery of all the connected storage controllers.">
<read-only>
:
:

 

Any idea? What am I doing wrong?

Best regards

 

Michael

Roopeshwari
4,791 Views

Hi,

 

Regret inconvenience caused. 

 

Please replace ontapPrivs.xml with following file:

https://kb.netapp.com/ci/okcsFattach/get/1032542_5

 

Thanks,

Roopeshwari U

 

 

Public