
RBAC User Creator tool for VSC, VASA Provider and Storage Replication Adapter 7.0 for VMware vSphere

Introduction

The RBAC User Creator for ONTAP® tool is a C# application that creates role-based access control (RBAC) users within ONTAP.
The privileges the tool grants are defined in an XML file (ontapPrivs.xml) rather than compiled into the application. Keeping them in the XML file has two benefits:

1. You can verify the privileges of a user created by the RBAC User Creator tool by reading the file.
2. You can add privileges or products later without recompiling the application.

 

The RBAC User Creator tool is a framework where all the products and the privileges for those products are listed in the XML file. You can easily add support for another product or product version by updating the information in the XML file.

 

RBAC User Creator tool for Virtual Storage Console, VASA Provider, and Storage Replication Adapter 7.0


This article describes how to use the RBAC User Creator tool for Virtual Storage Console, VASA Provider, and Storage Replication Adapter 7.0 for VMware vSphere. You can use the tool to create users for the following product combinations:


1. Virtual Storage Console
2. Virtual Storage Console and VASA Provider
3. Virtual Storage Console and Storage Replication Adapter
4. Virtual Storage Console, VASA Provider and Storage Replication Adapter

Note that VSC, VASA Provider, and SRA 7.0 support only ONTAP 9.0 and later.


After you have downloaded and installed the RBAC User Creator tool from the ToolChest, perform the following steps to add support for VSC, VASA Provider, and SRA 7.0.

Step 1: Replace XML for VSC, VASA Provider and SRA 7.0 support

To enable support for VSC, VASA Provider, and SRA 7.0, perform the following:

1. Download and keep a copy of the ontapPrivs.xml file (attached below).
2. Open the install directory of the RBAC User Creator tool.
The path is shown during installation. The default path is: C:\Program Files (x86)\NetApp\RBAC User Creator
3. Replace the existing ontapPrivs.xml file with the downloaded .xml file.
4. Restart the RBAC User Creator tool.

You can start using the RBAC User Creator tool to create new roles and users.

 

Step 2: Setting up user names and privileges

 

You can create ONTAP user names with the privileges required for VSC, VASA Provider and SRA.

 

1. Enter the admin user name and the IP address of the storage system on which you want to create the user.
2. Click LOGIN.
The tool determines the controller type.
3. Because the storage system is running ONTAP, the list of SVMs is displayed.
RBAC User Creator supports creating users on the Cluster-Admin SVM as well as on Data SVMs. Select the appropriate SVM from the drop-down list.
4. Select the product and product version according to your requirements.
• For 7.0, you must select the product “VSC, VASA Provider and SRA”.
• If you wish to use only VSC, select the product version “VSC 7.0”.
• If you wish to use VASA Provider along with VSC, select the product version “VSC and VASA Provider 7.0”.
• If you wish to use SRA along with VSC, select the product version “VSC and SRA 7.0”.
• If you wish to use all three (VSC, VASA Provider, and SRA), select the product version “VSC, VASA Provider and SRA 7.0”.
5. Select all the ONTAP privilege roles that apply.
The RBAC User Creator tool merges the privileges of every selected role and combines them into one sorted list.
6. Enter a role name, a user name, and a password, and then click Submit.
NOTE: RBAC User Creator requires admin storage credentials to create new user names.

Step 3: Adding storage systems

 

1. Log in to your VSC, VASA Provider, and SRA plug-in from vCenter.
2. Add the storage system using the new user name and password.

 

Known issues

 

Do not use a role name that begins with “vsadmin”. Such a name prevents the tool from creating any new roles or users.


Downloading and using RBAC User Creator

 

For details on downloading and using the RBAC User Creator tool, see:
How to use the RBAC User Creator for ONTAP

 


Replies

When using this XML I've run into issues. Many invalid commands due to version levels. As near as I can see, the syntax of

ontap-level-greater-equals
ontap-level-less

does not work (v2.7 of the tool). Is there a more recent version of the tool that allows for this? I've used

<ontap-dependent value="xxx">
...
</ontap-dependent>

as a workaround.

I receive the error "Command failed: Missing Input: role-query" when I try to create a user via RBAC user creator for VSC and VASA Provider 7.0 for all Data ONTAP privilege roles (Discovery, Create Storage, Modify Storage, Destroy Storage and Policy-Based Mgmt). The XML-file was replaced as described in your article. I am using RBAC tool version 2.7 and Data ONTAP 9.2.

Do you have any ideas what causes this issue?

 

Thank you in advance and kind regards,

Sascha


@dhickey : Did you replace the xml with the one attached in this community article? I hope the errors should not be seen after that. The attached xml file is the most recent version of the privileges required for the product.

 

 

@skuebart : Looks like the tool is failing to assign certain privileges to the user. You could try running a set of commands directly from the ONTAP CLI to create new roles by following the KB articles which I have mentioned below:

 

For creating roles and users at the cluster level, please check https://kb.netapp.com/app/answers/answer_view/a_id/1001058

 

For creating roles and users at the SVM level, please check https://kb.netapp.com/app/answers/answer_view/a_id/1001056

 

 

Hi,

 

Same as Sascha's error in my environment. The error from the log was:

 

2017-11-29 17:25:24,860 DEBUG [ZapiUtils.modifyCModeLoginRole]: <security-login-role-modify>
<vserver>svm_cuba_esx</vserver>
<role-name>vvol_demo</role-name>
<command-directory-name>lun mapping create</command-directory-name>
<access-level>all</access-level>
</security-login-role-modify>

2017-11-29 17:25:25,129 ERROR [ZapiUtils.modifyCModeLoginRole]: Modify entry [lun mapping create(access all)] failed
2017-11-29 17:25:25,129 ERROR [ZapiUtils.modifyCModeLoginRole]: API FAILED: Missing Input: role-query

 

 

When I ignore the VSC 7.0 version and use the old XML for 6.2, the process is working fine.

 

Best regards

Andreas

ERROR [ZapiUtils.createCModeLoginRole]: API FAILED: A Vserver admin cannot use command directory "security login profiles" with access level "all". Use a different access level.

 

I am trying to configure the VSC, VASA, SRA 7.1 appliance, and when trying to use the RBAC User Creator tool I get the error above.

I have replaced the ontapPrivs.xml with the 7.0 version, but when I try to create a new user or modify an existing one to give them the following privilege roles I seem to get the error no matter what options I select.

 

 

The way to fix the problems is as follows (I'm using ONTAP 9.3):

 

1: 

When configuring at the cluster level you may get the error "Missing Input:  role-query".

The way to fix this to click the Login button and have it re-login to the cluster.

Fill out the form exactly as you had it filled out before and then re-submit the job.  

It always works the second time.

 

2: If you are getting "A Vserver admin cannot use directory vserver services unix-group" or "vserver services unix-user" with access level "all":

The way to fix this is to edit the XML file and comment out lines 1585 and 1586. They will look like this:

 

<!-- <command ontap-level-less="8.3">vserver services unix-group</command> -->

<!-- <command ontap-level-less="8.3">vserver services unix-user</command> -->

 

you might be thinking that you need them, no you don't.  The lines right below them, that have "ontap-level-greater-equals="8.3"" have all of the individual commands listed.

 

I'm sure that some of the other command directory ones are something similar, but I have only had these two issues with 9.3
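The merge described in Step 2 of the article (the tool combines the privileges of every selected role into one sorted list) and the ontap-level-greater-equals / ontap-level-less version gates discussed in the replies above, as an added Python example. This is not code from the article or from NetApp's RBAC User Creator tool. The privilege file it parses is a constructed stand-in: only the <command> element and the two ontap-level attributes are taken from this page; the product/version/role nesting, the access attribute with its none/readonly/all ranking, and the function names are assumptions. The example splits the selected entries into those that apply to a given ONTAP version and those gated out, and builds one security-login-role-modify request in the shape the log above shows.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of ontapPrivs.xml (schema assumed, not NetApp's).
# Only <command>, ontap-level-greater-equals and ontap-level-less come from the page.
SAMPLE_PRIVS_XML = """<ontapPrivs>
  <product name="VSC, VASA Provider and SRA">
    <version name="VSC 7.0">
      <role name="Discovery">
        <command access="readonly">volume show</command>
        <command access="readonly">lun show</command>
        <command ontap-level-less="8.3">vserver services unix-group</command>
        <command ontap-level-greater-equals="8.3" access="readonly">vserver services name-service unix-group show</command>
      </role>
      <role name="Create Storage">
        <command access="readonly">lun show</command>
        <command>lun create</command>
        <command>lun mapping create</command>
      </role>
    </version>
  </product>
</ontapPrivs>
"""

# Assumed ranking so that a command listed by two roles keeps the broader access level.
ACCESS_RANK = {"none": 0, "readonly": 1, "all": 2}


def parse_version(text):
    """Turn a version string such as '9.3' into a tuple of ints that compares correctly."""
    return tuple(int(part) for part in text.strip().split("."))


def command_applies(cmd, ontap_version):
    """Evaluate the optional version gates on one <command>; an ungated entry always applies."""
    version = parse_version(ontap_version)
    ge = cmd.get("ontap-level-greater-equals")
    lt = cmd.get("ontap-level-less")
    if ge is not None and not version >= parse_version(ge):
        return False
    if lt is not None and not version < parse_version(lt):
        return False
    return True


def select_privileges(xml_text, product, version_name, roles, ontap_version):
    """Merge the commands of the selected roles into sorted (command, access) lists.

    Returns (applicable, skipped): entries that apply to ontap_version and entries
    that the version gates exclude, so a reader can see what will not be granted."""
    root = ET.fromstring(xml_text)
    applicable, skipped = {}, {}
    for prod in root.iter("product"):
        if prod.get("name") != product:
            continue
        for ver in prod.iter("version"):
            if ver.get("name") != version_name:
                continue
            for role in ver.iter("role"):
                if role.get("name") not in roles:
                    continue
                for cmd in role.iter("command"):
                    name = cmd.text.strip()
                    access = cmd.get("access", "all")  # assumed default, as in the log above
                    target = applicable if command_applies(cmd, ontap_version) else skipped
                    if ACCESS_RANK[access] > ACCESS_RANK.get(target.get(name), -1):
                        target[name] = access
    return sorted(applicable.items()), sorted(skipped.items())


def build_role_modify_request(vserver, role_name, command, access):
    """Build one security-login-role-modify request element, as seen in the tool's log."""
    req = ET.Element("security-login-role-modify")
    for tag, value in (("vserver", vserver), ("role-name", role_name),
                       ("command-directory-name", command), ("access-level", access)):
        ET.SubElement(req, tag).text = value
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    applicable, skipped = select_privileges(
        SAMPLE_PRIVS_XML, "VSC, VASA Provider and SRA", "VSC 7.0",
        ["Discovery", "Create Storage"], "9.3")
    print("Applied on ONTAP 9.3:")
    for name, access in applicable:
        print("  ", build_role_modify_request("svm_cuba_esx", "vvol_demo", name, access))
    print("Skipped by version gates:", skipped)
```

Run stand-alone, the script lists the merged entries for ONTAP 9.3 and shows that the constructed entry carrying ontap-level-less="8.3" lands in the skipped set while its ontap-level-greater-equals="8.3" counterpart is applied. Pointing select_privileges at the real ontapPrivs.xml (once its element nesting is adjusted to the file's actual layout) is the check a practitioner can run before deciding whether an entry needs editing by hand.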
