VSC 9.6 - Crash when using the privileges from the RBAC User Creator Tool

sanadmin_stadtdo · ‎2019-12-11

Hello community,

we are currently using VSC 9.6. If storage systems are added with a vscadmin who has received his privileges from the current RBAC User Creator Tool, the complete VSC will crash and have to be set up again.

The following messages appear - among others - in the VSC.LOG:

2019-12-09 06:39:47,930 [qtp557725225-3896 - /vsc/remoting/exoforceRmiExporter?sessionId=40f538d75057f26d857ae13c9113ae69fc380937&serviceUrl=https://vmc_serv.stadtdo.de:443/sdk] WARN (ZAPIInvoker) - invokeZAPI(0): failed OntapConnectionImpl{ipAddress=fas27501.stadtdo.de, userName=vscadmin, port=443, ssl=true} API failed. Insufficient privileges: user 'vscadmin' does not have read access to this resource (errno=13003) null
2019-12-09 06:39:47,930 [qtp557725225-3896 - /vsc/remoting/exoforceRmiExporter?sessionId=40f538d75057f26d857ae13c9113ae69fc380937&serviceUrl=https://vmc_serv.stadtdo.de:443/sdk] ERROR (RMIServiceImpl) - getAllStorageSystems - Error getting controllers -
Unable to load volumes for: AbstractController: id: bbfe3d81-7ae0-11e9-ba14-00a098fbe31aname: SVM_NFS-VMW02ip address: fas27501.stadtdo.de. Caused by: Insufficient privileges: user 'vscadmin' does not have read access to this resource (errno=13003)

Unfortunately I don't know which privileges are missing. It can only be due to the privileges, because it works if I give the vscadmin admin rights.

Any idea?

Many thanks and greetings

Michael

Roopeshwari · ‎2019-12-11

Hi,

You have not mentioned which version of ONTAP Cluster is being used to create user. Hope you are using one of these ONTAP version which are supported for VSC 9.6:

ONTAP 9.1

ONTAP 9.3

ONTAP 9.4

ONTAP 9.5

ONTAP 9.6

ONTAP 9.7

Please follow steps mentioned in this article to create a user for VSC, it should work fine.

https://community.netapp.com/t5/Virtualization-Articles-and-Resources/How-to-use-the-RBAC-User-Creator-for-Data-ONTAP/ta-p/86601

sanadmin_stadtdo · ‎2019-12-11

Hi,

Sorry, I forgot to tell you: we use FAS systems with ontap 9.5.

We've been using VSC for a long time (since version 2.1). Since the RBAC User Creator Tool existed, we have also used it to create the corresponding roles, without any problems so far. This time it doesn't work.

The hint from mjdalton1 on: https://docs.netapp.com/vapp-96/index.jsp?topic=%2Fcom.netapp.doc.vsc-dsg%2FGUID-999F3BFE-4005-42EC-9CF5-127DD6699297.html&lang=en refers to the roles "Discovery, Create Storage, Modify Storage and Destroy Storage" - but what content/commands do these roles have? The roles themselves don't exit - do they?

I only know "FAQ: VSC, VASA, and SRA 7.0 ONTAP RBAC Configuration" ( https://kb.netapp.com/app/answers/answer_view/a_id/1001058). - Well, then I seem to have to rummage through here.

Best regards

Michael

Roopeshwari · ‎2019-12-12

Hi Micheal,

Please follow this link and download latest ontapPrivs.xml and replace it in your RBAC Tool.

Select 'VSC, VASA Provider and SRA' for Product and 'VSC, VASA Provider and SRA 9.6' for version. Select role in checkbox and create a user for your SVM and add it to VSC. It should work fine or please share error \logs in case of a failure.

https://mysupport.netapp.com/tools/info/ECMLP2434785I.html?pcfContentID=ECMLP2434785&productID=61965&language=en-US

The RBAC User Creator for Data ONTAP tool enables you to quickly and easily set up role-based access control (RBAC) for NetApp storage systems. It supports multiple NetApp products and both clustered Data ONTAP and Data ONTAP operating in 7-mode environments.

This tool, privileges XML file and instructions for using it are available on the NetApp ToolChest:

Because this tool stores privileges in an XML file (ontapPrivs.xml), NetApp can update it with new information without having to recompile it. Also, the XML file allows you to clearly see the privileges being used.

sanadmin_stadtdo · ‎2019-12-17

Hi,

I'm sorry, but I can't select 'VSC, VASA Provider and SRA' for Product and 'VSC, VASA Provider and SRA 9.6' - it doesn't exist.

Unfortunately I cannot find any "9.6" ontapPriv.xml under the given link. The file contains the previous data that I have used before. Here are the first lines of this ontapPriv.xml:

<?xml version="1.0" encoding="utf-8"?><privs>
<product id="vsc70" label="VSC, VASA Provider and SRA" description="VSC, VASA Provider and SRA">
<vsc70 id="vsc70" label="VSC 7.x">
<cluster-mode>
<admin-vserver>
<role id="discovery" label="Discovery"
description="This role allows for the discovery of all the connected storage controllers.">
<read-only>
:
:

Any idea? What am I doing wrong?

Best regards

Michael

Roopeshwari · ‎2019-12-19

Hi,

Regret inconvenience caused.

Please replace ontapPrivs.xml with following file:

https://kb.netapp.com/ci/okcsFattach/get/1032542_5

Thanks,

Roopeshwari U

mjdalton1 · ‎2019-12-11

Discovery adds storage systems to VSC

https://docs.netapp.com/vapp-96/index.jsp?topic=%2Fcom.netapp.doc.vsc-dsg%2FGUID-999F3BFE-4005-42EC-9CF5-127DD6699297.html&lang=en

VSC 9.6 - Crash when using the privileges from the RBAC User Creator Tool

We're on Discord, are you?

Meet Explore, NetApp’s digital sales platform