Sunday, 7 December 2014

Creating a CDOT Readonly Role that can also Invoke AutoSupports

You cannot modify the pre-defined roles in Clustered Data ONTAP. You will get the following error:

Error: command failed: Cannot modify pre-defined roles.

So, to make a readonly role that allows autosupport, we first display the default readonly role:

NACLU1::> security login role show -role readonly
        Role     Command/                     Access
Vserver Name     Directory              Query Level
------- -------- --------- ------------------ --------
NACLU1  readonly DEFAULT                      readonly
NACLU1  readonly security                     none
NACLU1  readonly security login password      all
NACLU1  readonly set                          all

Then run the following commands to construct the new role:

security login role create -role CUSTOM_readonly -cmddirname DEFAULT -access readonly
security login role create -role CUSTOM_readonly -cmddirname security -access none
security login role create -role CUSTOM_readonly -cmddirname "security login password" -access all
security login role create -role CUSTOM_readonly -cmddirname set -access all
security login role create -role CUSTOM_readonly -cmddirname "system node autosupport" -access readonly
security login role create -role CUSTOM_readonly -cmddirname "system node autosupport invoke" -access all

Verify the role’s access privileges:

NACLU1::> security login role show -role CUSTOM_readonly
        Command/                             Access
Vserver Directory                      Query Level
------- --------- -------------------------- --------
NACLU1  DEFAULT                              readonly
NACLU1  security                             none
NACLU1  security login password              all
NACLU1  set                                  all
NACLU1  system node autosupport              readonly
NACLU1  system node autosupport invoke       all

To test the role allows sending of autosupports, create a user -

security login create -username rouser -authmethod password -role CUSTOM_readonly -application ssh

- and login with this account, and run:

system node autosupport invoke -node * -message TEST -type all

If you then need to modify existing users to have this new role, it requires:

security login show -role readonly
security login modify -username rouser -application * -role CUSTOM_readonly

Note 1: If users have different roles for different applications (non-standard), remove the wildcard and specify the particular application (console, http, ontapi, rsh, service-processor, snmp, ssh, telnet).
Note 2: The commands above were run on a Clustered Data ONTAP 8.2.1 Simulator.

No comments:

Post a Comment