Sunday, 8 June 2014

RBAC: Security Login Roles in Clustered ONTAP 8.2.1

Note: This is a first post on this topic and does not go into much detail, just enough to get started.

In Data ONTAP operating in 7-Mode, there was:

useradmin role add ROLE_NAME -a CAPABILITIES
useradmin group add GROUP_NAME -r ROLE_NAME
useradmin user add USER  -g GROUP_NAME

In Clustered ONTAP there’s the much more powerful:

CLUS::> security login role create -?
-vserver {vserver name}   Vserver (default: CLUS)
-role {text}              Role Name
-cmddirname {text}        Command / Directory
-access {Access}          Access Level (default: all)
-query {query}            Query (default: "")

Which is combined with:

CLUS::> security login create -?
-vserver {vserver name}   Vserver (default: CLUS)
-username {text}          User Name
-application {text}       Application
-authmethod {text}        Authentication Method
-role {text}              Role Name (default: admin)
-comment {text}           Comment Text

Default Admin (Cluster) Vserver Roles

CLUS::> security login role show -vserver CLUS
          Role          Command/                       Access
Vserver   Name          Directory                Query Level
--------- ------------- ------------------------ ----- --------
CLUS      TEST          DEFAULT                        none
CLUS      TEST          security                       all
CLUS      TEST          volume                         all
CLUS      admin         DEFAULT                        all
CLUS      autosupport   DEFAULT                        none
CLUS      autosupport   set                            all
CLUS      autosupport   system node autosupport        all
CLUS      backup        DEFAULT                        none
CLUS      backup        volume                         readonly
CLUS      backup        vserver services ndmp          all
CLUS      none          DEFAULT                        none
CLUS      readonly      DEFAULT                        readonly
CLUS      readonly      security                       none
CLUS      readonly      security login password        all
CLUS      readonly      set                            all

The pre-defined roles cannot be modified; attempting to change one fails with:

Error: command failed: Cannot modify pre-defined roles.

To create a role identical to readonly, called, say, readonly2, the commands are:

CLUS::>
security login role create -vserver CLUS -role readonly2 -cmddirname DEFAULT -access readonly
security login role create -vserver CLUS -role readonly2 -cmddirname security -access none
security login role create -vserver CLUS -role readonly2 -cmddirname "security login password" -access all
security login role create -vserver CLUS -role readonly2 -cmddirname set -access all

Security Login Role Show User Capability

Previously, in the post "Show"s in Clustered ONTAP 8.2.1RC1 Clustershell, I’d written that it’s not possible to see all the “show” commands from the advanced or diagnostic privilege levels because of the showfh command. Here’s a way to do it though:

CLUS::>
security login role create -vserver CLUS -role shows -cmddirname DEFAULT -access readonly
security login role create -vserver CLUS -role shows -cmddirname set -access all
security login create -username shows -application ssh -authmethod password -role shows -vserver CLUS

Log in to the cluster over SSH using the shows account, then run:

CLUS::> set -privilege diagnostic
CLUS::*> security login role show-user-capability


And in Clustered Data ONTAP 8.2.1 there were 651 entries displayed!
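As an added example (not from the original post, and not NetApp code), here is a small Python model of how the role entries above combine: a command directory entry applies to every command beneath it, a more specific entry overrides a less specific one, and DEFAULT is the fallback. That is the behaviour the readonly role relies on (security none, but security login password all). It models both the readonly2 clone and the shows role, and emits the same security login role create lines shown above. The "show commands need readonly, everything else needs all" rule in required_level is a simplifying assumption for illustration, not an ONTAP rule quoted from the post.

```python
"""Model of Clustered ONTAP RBAC role resolution (illustrative, added example).

Assumptions (not taken from the post): the most specific matching command
directory wins, DEFAULT is the fallback, and access levels are ordered
none < readonly < all.
"""

ACCESS_LEVELS = ("none", "readonly", "all")


def command_path(command):
    """Split a command line into its directory words, dropping any parameters
    (words beginning with '-'), e.g. 'set -privilege diagnostic' -> ('set',)."""
    words = []
    for word in command.split():
        if word.startswith("-"):
            break
        words.append(word)
    return tuple(words)


def required_level(command):
    """Simplifying assumption: a 'show' command needs readonly, all others need all."""
    path = command_path(command)
    return "readonly" if path and path[-1].startswith("show") else "all"


class Role:
    """One -vserver/-role pair with its -cmddirname -> -access entries."""

    def __init__(self, vserver, name):
        self.vserver = vserver
        self.name = name
        self.entries = {}  # tuple of directory words -> access level; () is DEFAULT

    def add(self, cmddirname, access):
        if access not in ACCESS_LEVELS:
            raise ValueError(f"unknown access level {access!r}")
        key = () if cmddirname == "DEFAULT" else command_path(cmddirname)
        self.entries[key] = access
        return self

    def resolve(self, command):
        """Access level applying to a command: walk from the full path up to
        its parents, so the most specific entry wins; () is DEFAULT."""
        path = command_path(command)
        for n in range(len(path), -1, -1):
            if path[:n] in self.entries:
                return self.entries[path[:n]]
        return "none"  # no DEFAULT entry at all: deny

    def allows(self, command):
        granted = ACCESS_LEVELS.index(self.resolve(command))
        return granted >= ACCESS_LEVELS.index(required_level(command))

    def to_cli(self):
        """The 'security login role create' commands that build this role."""
        lines = []
        for key, access in self.entries.items():
            cmddir = "DEFAULT" if key == () else " ".join(key)
            if " " in cmddir:
                cmddir = f'"{cmddir}"'  # multi-word directories must be quoted
            lines.append(
                f"security login role create -vserver {self.vserver} "
                f"-role {self.name} -cmddirname {cmddir} -access {access}"
            )
        return lines


def readonly2(vserver="CLUS"):
    """Clone of the pre-defined readonly role, as built in the post."""
    return (Role(vserver, "readonly2")
            .add("DEFAULT", "readonly")
            .add("security", "none")
            .add("security login password", "all")
            .add("set", "all"))


def shows(vserver="CLUS"):
    """Role that can run every 'show' at any privilege level, as in the post."""
    return Role(vserver, "shows").add("DEFAULT", "readonly").add("set", "all")


if __name__ == "__main__":
    for role in (readonly2(), shows()):
        print("\n".join(role.to_cli()))
        for cmd in ("volume show", "volume modify", "security login show",
                    "security login password", "set -privilege diagnostic"):
            print(f"  {role.name:10} {cmd:28} -> {role.resolve(cmd):8} "
                  f"allowed={role.allows(cmd)}")
```

The useful check is resolve(): it shows why a readonly user can still change their own password (security login password resolves to all) while every other security command resolves to none, and why the shows role can reach diagnostic-level show commands (DEFAULT readonly plus set all) without any write access.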
