Friday, 22 January 2021

[ONTAP 9.7+] Roles Created by NetApp’s VSC 9.7.1

From this link:
VSC, VASA Provider, SRA 9.7: Configuring User Roles and Privileges
 
The documentation tells us to download the ‘ONTAP Privileges’ file from:
https://{virtual_appliance_IP}:9083/vsc/config/VSC_ONTAP_User_Privileges.zip
 
This zip contains a file called VSC_user_roles.json. You upload the JSON file via the ONTAP 9.7+ System Manager -
Cluster > Settings > Users and Roles > Add User
- select ‘Virtualization products’, upload the JSON file, and choose a ‘Product Capability’ from -

  • VSC 9.7
  • VSC and VASA Provider 9.7
  • VSC and SRA 9.7
  • VSC, VASA Provider and SRA 9.7
- Specify a user name (the new user who will be assigned the role) and a password for that user, then pick the privileges -
  • Discovery: Allows discovery of all connected storage controllers.
  • Create Storage: Allows creation of volumes and LUNs.
  • Modify Storage: Allows resizing and deduplicating of storage.
  • Destroy Storage: Allows destruction of volumes and LUNs.
  • NAS/SAN Role: Allows discovery of all connected storage controllers, only in a VMware SRM environment.
- and finally click Add.
 
The above allows for a number of different roles (the NAS/SAN Role privilege only appears when SRA 9.7 is part of the selected product capability.)
 
Image: Add User > Virtualization Products > VSC_user_roles.json + Product Capability

 
Image: ONTAP 9.7 > Virtualization Products > Privileges

 
ONTAP Privileges
 
There are too many different roles to document in this post, so I’ll document just the one I’m particularly interested in, which is this one:
 
Virtualization Products:
Product = VSC, VASA Provider and SRA
Product Capability = VSC and VASA Provider 9.7
Privileges = Discovery + Create + Modify + Destroy
 
I’m not interested in the SRA 9.7 product capability for this scenario. I want all the privileges, and later on I will attempt to modify them so that VMware admins cannot create or destroy FlexVols (they still need to be able to create and destroy LUNs). The aim is to give them enough permission to do everything they need to manage VMs on VVOLs, while leaving it to a storage admin to provision the FlexVols for the VVOL datastores.
 
Note 1: “If VASA Provider is required for a particular storage controller, then the storage system must be added to VSC at the cluster level.” - source
Note 2: All the users are added with application = ontapi (the ONTAPI/ZAPI interface), so the role only governs what the account can do over that interface.
 
These are the access levels and cmddirname entries defined by the role UnifiedVirtualApplianceVSC&VP9.7_Discovery_Create_Modify_Destroy:
 
ACCESS   : CMDDIRNAME
---------+-----------
none     : DEFAULT
readonly : cluster identity modify
readonly : cluster identity show
readonly : cluster modify
readonly : cluster peer show
readonly : cluster show
all      : job
readonly : job show-completed
all      : lun comment
all      : lun create
all      : lun delete
readonly : lun geometry
all      : lun igroup add
readonly : lun igroup create
readonly : lun igroup modify
all      : lun igroup set
readonly : lun igroup show
all      : lun mapping create
all      : lun mapping delete
all      : lun mapping show
all      : lun modify
all      : lun move
all      : lun offline
all      : lun online
all      : lun resize
all      : lun show
readonly : network fcp adapter modify
readonly : network fcp adapter show
readonly : network interface create
readonly : network interface delete
all      : network interface migrate
readonly : network interface modify
readonly : network interface show
readonly : network port delete
readonly : network port modify
readonly : network port show
all      : qos policy-group create
all      : qos policy-group modify
all      : qos policy-group show
readonly : security login create
readonly : security login delete
readonly : security login modify
readonly : security login role create
readonly : security login role delete
readonly : security login role modify
readonly : security login role show
readonly : security login role show-ontapi
all      : security login role show-user-capability
readonly : security login show
all      : set
readonly : snapmirror create
readonly : snapmirror list-destinations
readonly : snapmirror show
all      : snapmirror update-ls-set
readonly : storage aggregate create
readonly : storage aggregate modify
readonly : storage aggregate show
readonly : storage disk show
all      : storage failover modify
all      : storage failover show
readonly : system health alert modify
readonly : system health alert show
readonly : system health status show
readonly : system license delete
readonly : system license show
all      : system node autosupport invoke
readonly : system node modify
all      : system node run
readonly : system node show
readonly : version
all      : volume autosize
all      : volume clone create
all      : volume clone show
all      : volume create
all      : volume destroy
all      : volume efficiency modify
all      : volume efficiency off
all      : volume efficiency on
all      : volume efficiency show
all      : volume efficiency start
all      : volume efficiency stat
all      : volume efficiency stop
all      : volume file show-disk-usage
all      : volume modify
all      : volume offline
readonly : volume qtree create
readonly : volume qtree show
readonly : volume quota modify
readonly : volume quota report
readonly : volume quota show
all      : volume restrict
all      : volume show
all      : volume size
all      : volume snapshot create
all      : volume snapshot delete
all      : volume snapshot modify
all      : volume snapshot show
all      : volume unmount
readonly : vserver create
readonly : vserver export-policy create
readonly : vserver export-policy delete
all      : vserver export-policy rule create
all      : vserver export-policy rule delete
all      : vserver export-policy rule modify
all      : vserver export-policy rule setindex
all      : vserver export-policy rule show
readonly : vserver export-policy show
readonly : vserver fcp create
readonly : vserver fcp delete
readonly : vserver fcp initiator show
readonly : vserver fcp interface show
readonly : vserver fcp modify
readonly : vserver fcp show
readonly : vserver iscsi connection show
readonly : vserver iscsi create
readonly : vserver iscsi delete
all      : vserver iscsi interface accesslist add
readonly : vserver iscsi interface modify
readonly : vserver iscsi interface show
readonly : vserver iscsi modify
readonly : vserver iscsi session show
readonly : vserver iscsi show
readonly : vserver modify
readonly : vserver nfs create
readonly : vserver nfs delete
readonly : vserver nfs modify
readonly : vserver nfs show
all      : vserver nfs status
all      : vserver services name-service unix-group
all      : vserver services name-service unix-user
readonly : vserver show
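To turn the table above into the narrower role described earlier (LUN create/delete kept, FlexVol create/destroy taken away) it helps to script it rather than hand-edit 130 entries. The script below is an added example, not code from the original post or from NetApp’s VSC tooling. It parses ‘access : cmddirname’ lines like the ones in the table (a constructed subset is embedded), applies overrides that may only narrow access, flags two entries a reviewer should question in any service-account role (`system node run` executes nodeshell commands, `set` changes the privilege level, and both are granted `all` above), and renders the clustershell `security login role create` and `security login create` commands that would recreate the role and its ontapi login. The role, SVM and user names are placeholders, and the override set is my reading of the intended split, not a NetApp-published role.

```python
"""Rework the VSC/VASA role for a least-privilege VMware service account.

Added example: this is not code from the original post and not NetApp's
VSC tooling. It reads 'access : cmddirname' pairs like those in the
post's table (a constructed subset is embedded below), applies overrides
so the account can still create and delete LUNs but not FlexVols, flags
entries a reviewer should question, and renders the clustershell commands
that would recreate the role. Role, SVM and user names are placeholders.
"""
from typing import Dict, List

# Constructed subset of the post's table; the real role has ~130 entries.
ROLE_TABLE = """\
none     : DEFAULT
all      : lun create
all      : lun delete
all      : lun mapping create
all      : set
all      : system node run
all      : volume clone create
all      : volume create
all      : volume destroy
all      : volume modify
all      : volume offline
readonly : volume show
"""

# ONTAP access levels, weakest to strongest.
LEVELS = ("none", "readonly", "all")

# Overrides expressing the post's goal (an assumption about the intended
# split, not a NetApp-published role): storage admins provision FlexVols,
# VMware admins only manage the LUNs/VVOLs inside them.
OVERRIDES = {
    "volume create": "readonly",
    "volume destroy": "readonly",
    "volume offline": "readonly",
}

# Command directories a reviewer should question in a service-account role:
# 'system node run' executes nodeshell commands, 'set' changes privilege level.
WATCH_LIST = ("system node run", "set")


def parse_role_table(text: str) -> Dict[str, str]:
    """Parse 'access : cmddirname' lines into {cmddirname: access}."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        access, _, cmddir = line.partition(":")
        access, cmddir = access.strip(), cmddir.strip()
        if access not in LEVELS or not cmddir:
            raise ValueError(f"bad role line: {line!r}")
        entries[cmddir] = access
    return entries


def apply_overrides(entries: Dict[str, str], overrides: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with overrides applied; an override may only narrow access."""
    out = dict(entries)
    for cmddir, access in overrides.items():
        if cmddir not in out:
            raise KeyError(f"{cmddir!r} is not in the role")
        if LEVELS.index(access) > LEVELS.index(out[cmddir]):
            raise ValueError(f"override would widen {cmddir!r} to {access}")
        out[cmddir] = access
    return out


def findings(entries: Dict[str, str]) -> List[str]:
    """Watch-list directories that the role grants 'all' on."""
    return sorted(c for c in WATCH_LIST if entries.get(c) == "all")


def clustershell_commands(role: str, vserver: str, entries: Dict[str, str]) -> List[str]:
    """Render the role as 'security login role create' lines, DEFAULT first."""
    ordered = sorted(entries, key=lambda c: (c != "DEFAULT", c))
    return [
        f"security login role create -vserver {vserver} -role {role} "
        f'-cmddirname "{cmddir}" -access {entries[cmddir]}'
        for cmddir in ordered
    ]


def login_command(user: str, role: str, vserver: str) -> str:
    """Create the ONTAPI login the role is bound to (Note 2 in the post)."""
    return (
        f"security login create -vserver {vserver} -user-or-group-name {user} "
        f"-application ontapi -authentication-method password -role {role}"
    )


if __name__ == "__main__":
    base = parse_role_table(ROLE_TABLE)
    narrowed = apply_overrides(base, OVERRIDES)
    for cmd in clustershell_commands("vsc_vp_lun_only", "cluster1", narrowed):
        print(cmd)
    print(login_command("svc_vsc", "vsc_vp_lun_only", "cluster1"))
    for cmddir in findings(narrowed):
        print(f"# review: role still grants 'all' on '{cmddir}'")
```

Paste the full table from the post into ROLE_TABLE to generate the complete role. Whether VSC and the VASA Provider keep working once `volume create` and `volume destroy` are read-only is exactly what the follow-up testing has to establish; the script only guarantees that no override widens access and that the nodeshell and privilege-level entries do not slip through unnoticed.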
