Note: This is a first post on this topic, and does not go into much detail, just enough for starters.
In Data ONTAP operating in 7-Mode, there was:
useradmin role add ROLE_NAME -a CAPABILITIES
useradmin group add GROUP_NAME -r ROLE_NAME
useradmin user add USER -g GROUP_NAME
In Clustered ONTAP there’s the much more powerful:
CLUS::> security login role create -?
  -vserver {vserver name}    Vserver (default: CLUS)
  -role {text}               Role Name
  -cmddirname {text}         Command / Directory
  -access {Access}           Access Level (default: all)
  -query {query}             Query (default: "")
Which is combined with:
CLUS::> security login create -?
  -vserver {vserver name}    Vserver (default: CLUS)
  -username {text}           User Name
  -application {text}        Application
  -authmethod {text}         Authentication Method
  -role {text}               Role Name (default: admin)
  -comment {text}            Comment Text
Default Admin (Cluster) Vserver Roles
CLUS::> security login role show -vserver CLUS
           Role           Command/                            Access
Vserver    Name           Directory                   Query   Level
---------- -------------- --------------------------- ------- --------
CLUS       TEST           DEFAULT                             none
CLUS       TEST           security                            all
CLUS       TEST           volume                              all
CLUS       admin          DEFAULT                             all
CLUS       autosupport    DEFAULT                             none
CLUS       autosupport    set                                 all
CLUS       autosupport    system node autosupport             all
CLUS       backup         DEFAULT                             none
CLUS       backup         volume                              readonly
CLUS       backup         vserver services ndmp               all
CLUS       none           DEFAULT                             none
CLUS       readonly       DEFAULT                             readonly
CLUS       readonly       security                            none
CLUS       readonly       security login password             all
CLUS       readonly       set                                 all
The pre-defined roles cannot be modified; any attempt to do so returns:
Error: command failed: Cannot modify pre-defined roles.
To create a role identical to readonly, called say readonly2, the commands are:
CLUS::> security login role create -vserver CLUS -role readonly2 -cmddirname DEFAULT -access readonly
CLUS::> security login role create -vserver CLUS -role readonly2 -cmddirname security -access none
CLUS::> security login role create -vserver CLUS -role readonly2 -cmddirname "security login password" -access all
CLUS::> security login role create -vserver CLUS -role readonly2 -cmddirname set -access all
Security Login Role Show User Capability
Previously, in the post "Show"s in Clustered ONTAP 8.2.1RC1 Clustershell, I’d written that it’s not possible to see all the “show” commands from the advanced or diagnostic privilege levels because of the showfh command. Here’s a way to do it though:
CLUS::> security login role create -vserver CLUS -role shows -cmddirname DEFAULT -access readonly
CLUS::> security login role create -vserver CLUS -role shows -cmddirname set -access all
CLUS::> security login create -username shows -application ssh -authmethod password -role shows -vserver CLUS
Log in to the cluster over SSH using the shows account:
CLUS::> set -privilege diagnostic
CLUS::*> security login role show-user-capability
And in Clustered Data ONTAP 8.2.1 there were 651 entries displayed!
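To see how the entries of a role (readonly2 above, and the shows role just created) combine into an effective permission, here is an added Python model; it is not from the post or from NetApp. It assumes that the most specific command-directory entry wins, with DEFAULT as the fallback (inferred from the readonly role, whose "security login password = all" entry would be pointless otherwise), and simplifies "readonly" to permitting show-style verbs only.

```python
"""Model of Clustered ONTAP RBAC role resolution (added example, assumptions
stated in the comments; not NetApp's implementation)."""
from typing import Dict, Tuple

# Constructed from the `security login role show -vserver CLUS` output above
# (Query column empty), plus the shows role created later in the post.
ROLES: Dict[str, Dict[str, str]] = {
    "readonly": {"DEFAULT": "readonly", "security": "none",
                 "security login password": "all", "set": "all"},
    "backup": {"DEFAULT": "none", "volume": "readonly",
               "vserver services ndmp": "all"},
    "shows": {"DEFAULT": "readonly", "set": "all"},
}

def effective_access(role: Dict[str, str], command: str) -> Tuple[str, str]:
    """Return (entry that decided, access level) for a clustershell command.

    Assumption: the longest matching command-directory prefix wins, so
    "security login password" beats "security", which beats DEFAULT.
    """
    words = command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in role:
            return prefix, role[prefix]
    return "DEFAULT", role.get("DEFAULT", "none")

def is_permitted(role: Dict[str, str], command: str) -> bool:
    """'all' permits everything, 'none' nothing; 'readonly' is simplified
    (assumption) to verbs beginning with 'show'."""
    _, access = effective_access(role, command)
    if access == "all":
        return True
    if access == "readonly":
        return command.split()[-1].startswith("show")
    return False

if __name__ == "__main__":
    checks = [("readonly", "security login password"),
              ("readonly", "security login show"),
              ("readonly", "volume show"),
              ("readonly", "volume create"),
              ("backup", "vserver services ndmp modify"),
              ("shows", "security login role show-user-capability")]
    for role_name, cmd in checks:
        entry, access = effective_access(ROLES[role_name], cmd)
        print(f"{role_name:9} {cmd:45} via {entry!r:28} -> {access:8} "
              f"permitted={is_permitted(ROLES[role_name], cmd)}")
```

Running it shows why a readonly user can change their own password yet not list logins: the "security login password" entry overrides the "security none" entry for that one directory.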