Saturday, 3 August 2013

NetApp Data ONTAP Logins for SMVI and SRM

  
The NetApp Virtual Storage Console (which includes SMVI - SnapManager for Virtual Infrastructure) makes an excellent combination with VMware Site Recovery Manager and the NetApp SRA. The SMVI backup jobs are used to trigger the SnapMirror updates, and SRM manages the DR.

The following post contains some notes concerning login accounts for SMVI and SRM, and how to create them. This is written specifically for Data ONTAP operating in 7-Mode.

The SMVI login - smvi_user - is used when controllers are added in the 'Backup and Recovery > Setup' section of the VSC. The SRM login - srm_user - is used when Array Based Replication is configured in SRM.

Options:

1. Use the root account:

Note: Changing the root account password will also require updating SMVI and SRM configuration.

2. Use newly created accounts in the Administrators group:

useradmin user add smvi_user -g Administrators
useradmin user add srm_user -g Administrators

- Or a domain account (if controller is domain joined) -

useradmin domainuser add DOMAIN\smvi_user -g Administrators
useradmin domainuser add DOMAIN\srm_user -g Administrators

3. Use newly created accounts with specific access rights:

3.1 The SMVI User:

useradmin role add api-access -a api-*,login-http-admin,cli-ifconfig
useradmin group add api-group -r api-access

useradmin user add smvi_user -g api-group

- Or a domain account -

useradmin domainuser add DOMAIN\smvi_user -g api-group

3.2 The SRM User:

Part 1 - Create a role with sufficient rights

NAS RBAC rights - NAS only SRM 5 environment with SRA 2.0:

FAS> useradmin role add srm_role -a login-http-admin,api-system-get-info,api-system-get-version,api-system-cli,cli-ifconfig,api-ems-autosupport-log,api-net-resolve,api-qtree-list,api-snapshot-list-info,api-volume-clone-create,api-volume-online,api-volume-list-info,api-volume-size,api-volume-offline,api-volume-destroy,api-snapmirror-get-status,api-snapmirror-abort,api-snapmirror-quiesce,api-snapmirror-break,api-snapmirror-list-connections,api-snapmirror-set-connection,api-snapmirror-set-sync-schedule,api-snapmirror-set-schedule,api-snapmirror-list-schedule,api-snapmirror-list-sync-schedule,api-snapmirror-update,api-snapmirror-resync,api-vfiler-list-info,api-nfs-exportfs-list-rules,api-nfs-exportfs-list-rules-2,api-fcp-node-get-name,api-fcp-adapter-list-info,api-iscsi-node-get-name,api-igroup-list-info,api-lun-list-info,api-lun-map-list-info,api-lun-get-serial-number,api-igroup-add,api-igroup-create,api-igroup-destroy,api-nfs-exportfs-modify-rule,api-nfs-exportfs-delete-rules,api-nfs-exportfs-append-rules

SAN RBAC rights - SAN (FC or iSCSI) only SRM 5 environment with SRA 2.0:

FAS> useradmin role add srm_role -a login-http-admin,api-system-get-info,api-system-get-version,api-system-cli,cli-ifconfig,api-ems-autosupport-log,api-net-resolve,api-qtree-list,api-snapshot-list-info,api-volume-clone-create,api-volume-online,api-volume-list-info,api-volume-size,api-volume-offline,api-volume-destroy,api-snapmirror-get-status,api-snapmirror-abort,api-snapmirror-quiesce,api-snapmirror-break,api-snapmirror-list-connections,api-snapmirror-set-connection,api-snapmirror-set-sync-schedule,api-snapmirror-set-schedule,api-snapmirror-list-schedule,api-snapmirror-list-sync-schedule,api-snapmirror-update,api-snapmirror-resync,api-vfiler-list-info,api-nfs-exportfs-list-rules,api-nfs-exportfs-list-rules-2,api-fcp-node-get-name,api-fcp-adapter-list-info,api-iscsi-node-get-name,api-igroup-list-info,api-lun-list-info,api-lun-map-list-info,api-lun-get-serial-number,api-igroup-add,api-igroup-create,api-igroup-destroy,api-lun-online,api-lun-set-space-reservation-info,api-lun-map,api-lun-unmap

NAS and SAN RBAC rights:

FAS> useradmin role add srm_role -a login-http-admin,api-system-get-info,api-system-get-version,api-system-cli,cli-ifconfig,api-ems-autosupport-log,api-net-resolve,api-qtree-list,api-snapshot-list-info,api-volume-clone-create,api-volume-online,api-volume-list-info,api-volume-size,api-volume-offline,api-volume-destroy,api-snapmirror-get-status,api-snapmirror-abort,api-snapmirror-quiesce,api-snapmirror-break,api-snapmirror-list-connections,api-snapmirror-set-connection,api-snapmirror-set-sync-schedule,api-snapmirror-set-schedule,api-snapmirror-list-schedule,api-snapmirror-list-sync-schedule,api-snapmirror-update,api-snapmirror-resync,api-vfiler-list-info,api-nfs-exportfs-list-rules,api-nfs-exportfs-list-rules-2,api-fcp-node-get-name,api-fcp-adapter-list-info,api-iscsi-node-get-name,api-igroup-list-info,api-lun-list-info,api-lun-map-list-info,api-lun-get-serial-number,api-igroup-add,api-igroup-create,api-igroup-destroy,api-lun-online,api-lun-set-space-reservation-info,api-lun-map,api-lun-unmap,api-nfs-exportfs-modify-rule,api-nfs-exportfs-delete-rules,api-nfs-exportfs-append-rules

Part 2 - Verify rights

FAS> useradmin role list srm_role

Part 3 - Create a group with the role

FAS> useradmin group add srm_group -r srm_role

Part 4 - Create a user in the group

FAS> useradmin user add srm_user -g srm_group

- Or a domain account -

FAS> useradmin domainuser add DOMAIN_NAME\srm_user -g srm_group
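
For the 'Verify rights' step, the following added example (not part of the original post, and not NetApp code) compares a role's capability list against the three lists given in Part 1 and reports missing capabilities, grants beyond the list, and wildcard grants. It assumes you paste the role's capabilities as a comma-separated string; the names audit_role, _caps and REQUIRED are hypothetical.

```python
from fnmatch import fnmatchcase

def _caps(text):
    """Split a comma-separated capability list, ignoring whitespace and line breaks."""
    return [c for c in "".join(text.split()).split(",") if c]

# Capabilities common to all three srm_role commands in this post.
BASE = _caps("""
login-http-admin,api-system-get-info,api-system-get-version,api-system-cli,
cli-ifconfig,api-ems-autosupport-log,api-net-resolve,api-qtree-list,
api-snapshot-list-info,api-volume-clone-create,api-volume-online,
api-volume-list-info,api-volume-size,api-volume-offline,api-volume-destroy,
api-snapmirror-get-status,api-snapmirror-abort,api-snapmirror-quiesce,
api-snapmirror-break,api-snapmirror-list-connections,
api-snapmirror-set-connection,api-snapmirror-set-sync-schedule,
api-snapmirror-set-schedule,api-snapmirror-list-schedule,
api-snapmirror-list-sync-schedule,api-snapmirror-update,api-snapmirror-resync,
api-vfiler-list-info,api-nfs-exportfs-list-rules,api-nfs-exportfs-list-rules-2,
api-fcp-node-get-name,api-fcp-adapter-list-info,api-iscsi-node-get-name,
api-igroup-list-info,api-lun-list-info,api-lun-map-list-info,
api-lun-get-serial-number,api-igroup-add,api-igroup-create,api-igroup-destroy
""")
# Extras that only the NAS or only the SAN command adds.
NAS_EXTRA = _caps("api-nfs-exportfs-modify-rule,api-nfs-exportfs-delete-rules,"
                  "api-nfs-exportfs-append-rules")
SAN_EXTRA = _caps("api-lun-online,api-lun-set-space-reservation-info,"
                  "api-lun-map,api-lun-unmap")
REQUIRED = {"nas": set(BASE + NAS_EXTRA), "san": set(BASE + SAN_EXTRA),
            "both": set(BASE + NAS_EXTRA + SAN_EXTRA)}

def audit_role(granted_text, env):
    """Compare a role's granted capabilities with the post's list for env."""
    granted = _caps(granted_text)
    required = REQUIRED[env]
    return {
        # Required capabilities not covered by any granted entry or wildcard.
        "missing": sorted(r for r in required
                          if not any(fnmatchcase(r, g) for g in granted)),
        # Exact grants the post does not list for this environment.
        "excess": sorted(g for g in granted if "*" not in g and g not in required),
        # Wildcard grants such as api-* cover more than the listed capabilities.
        "wildcards": sorted(g for g in granted if "*" in g),
    }

if __name__ == "__main__":
    # Constructed inputs: the SAN-only role audited for a NAS+SAN site, and
    # the wildcard role from section 3.1 audited against the same list.
    print(audit_role(",".join(sorted(REQUIRED["san"])), "both"))
    print(audit_role("api-*,login-http-admin,cli-ifconfig", "both"))
```
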

Additional Notes

Setting or resetting a password is done while logged in as root, using the passwd command:

useradmin user list
passwd

Example output:

FAS> passwd
Login: srm_user
New password:
Retype new password:
FAS>

Appendix: 7-Mode Password Options

FAS> options security
security.passwd.firstlogin.enable off
security.passwd.lockout.numtries 4294967295
security.passwd.rootaccess.enable on
security.passwd.rules.enable on
security.passwd.rules.everyone on
security.passwd.rules.history 0
security.passwd.rules.maximum 256
security.passwd.rules.minimum 8
security.passwd.rules.minimum.alphabetic 2
security.passwd.rules.minimum.digit 1
security.passwd.rules.minimum.lowercase 0
security.passwd.rules.minimum.symbol 0
security.passwd.rules.minimum.uppercase 0
