The NetApp Virtual Storage Console (which includes SMVI - SnapManager for Virtual Infrastructure) makes an excellent combination with VMware Site Recovery Manager and the NetApp SRA. The SMVI backup jobs trigger the SnapMirror updates, and SRM manages the DR.
The following post contains some notes concerning login accounts for SMVI and SRM, and how to create them. This is written specifically for Data ONTAP operating in 7-Mode.
The SMVI login - smvi_user - is used when controllers are added in the 'Backup and Recovery > Setup' section of the VSC. The SRM login - srm_user - is used when Array Based Replication is configured in SRM.
Options:
1. Use the root account:
Note: Changing the root account password will also require updating the SMVI and SRM configuration.
2. Use newly created accounts in the Administrators group:
useradmin user add smvi_user -g Administrators
useradmin user add srm_user -g Administrators
- Or a domain account (if controller is domain joined) -
useradmin domainuser add DOMAIN\smvi_user -g Administrators
useradmin domainuser add DOMAIN\srm_user -g Administrators
3. Use newly created accounts with specific access rights:
3.1 The SMVI User:
useradmin role add api-access -a api-*,login-http-admin,cli-ifconfig
useradmin group add api-group -r api-access
useradmin user add smvi_user -g api-group
- Or a domain account -
useradmin domainuser add DOMAIN\smvi_user -g api-group
3.2 The SRM User:
Part 1 - Create a role with sufficient rights
NAS RBAC rights - NAS only SRM 5 environment with SRA 2.0:
FAS> useradmin role add srm_role -a login-http-admin,api-system-get-info,api-system-get-version,api-system-cli,cli-ifconfig,api-ems-autosupport-log,api-net-resolve,api-qtree-list,api-snapshot-list-info,api-volume-clone-create,api-volume-online,api-volume-list-info,api-volume-size,api-volume-offline,api-volume-destroy,api-snapmirror-get-status,api-snapmirror-abort,api-snapmirror-quiesce,api-snapmirror-break,api-snapmirror-list-connections,api-snapmirror-set-connection,api-snapmirror-set-sync-schedule,api-snapmirror-set-schedule,api-snapmirror-list-schedule,api-snapmirror-list-sync-schedule,api-snapmirror-update,api-snapmirror-resync,api-vfiler-list-info,api-nfs-exportfs-list-rules,api-nfs-exportfs-list-rules-2,api-fcp-node-get-name,api-fcp-adapter-list-info,api-iscsi-node-get-name,api-igroup-list-info,api-lun-list-info,api-lun-map-list-info,api-lun-get-serial-number,api-igroup-add,api-igroup-create,api-igroup-destroy,api-nfs-exportfs-modify-rule,api-nfs-exportfs-delete-rules,api-nfs-exportfs-append-rules
SAN RBAC rights - SAN (FC or iSCSI) only SRM 5 environment with SRA 2.0:
FAS> useradmin role add srm_role -a login-http-admin,api-system-get-info,api-system-get-version,api-system-cli,cli-ifconfig,api-ems-autosupport-log,api-net-resolve,api-qtree-list,api-snapshot-list-info,api-volume-clone-create,api-volume-online,api-volume-list-info,api-volume-size,api-volume-offline,api-volume-destroy,api-snapmirror-get-status,api-snapmirror-abort,api-snapmirror-quiesce,api-snapmirror-break,api-snapmirror-list-connections,api-snapmirror-set-connection,api-snapmirror-set-sync-schedule,api-snapmirror-set-schedule,api-snapmirror-list-schedule,api-snapmirror-list-sync-schedule,api-snapmirror-update,api-snapmirror-resync,api-vfiler-list-info,api-nfs-exportfs-list-rules,api-nfs-exportfs-list-rules-2,api-fcp-node-get-name,api-fcp-adapter-list-info,api-iscsi-node-get-name,api-igroup-list-info,api-lun-list-info,api-lun-map-list-info,api-lun-get-serial-number,api-igroup-add,api-igroup-create,api-igroup-destroy,api-lun-online,api-lun-set-space-reservation-info,api-lun-map,api-lun-unmap
NAS and SAN RBAC rights:
FAS> useradmin role add srm_role -a login-http-admin,api-system-get-info,api-system-get-version,api-system-cli,cli-ifconfig,api-ems-autosupport-log,api-net-resolve,api-qtree-list,api-snapshot-list-info,api-volume-clone-create,api-volume-online,api-volume-list-info,api-volume-size,api-volume-offline,api-volume-destroy,api-snapmirror-get-status,api-snapmirror-abort,api-snapmirror-quiesce,api-snapmirror-break,api-snapmirror-list-connections,api-snapmirror-set-connection,api-snapmirror-set-sync-schedule,api-snapmirror-set-schedule,api-snapmirror-list-schedule,api-snapmirror-list-sync-schedule,api-snapmirror-update,api-snapmirror-resync,api-vfiler-list-info,api-nfs-exportfs-list-rules,api-nfs-exportfs-list-rules-2,api-fcp-node-get-name,api-fcp-adapter-list-info,api-iscsi-node-get-name,api-igroup-list-info,api-lun-list-info,api-lun-map-list-info,api-lun-get-serial-number,api-igroup-add,api-igroup-create,api-igroup-destroy,api-lun-online,api-lun-set-space-reservation-info,api-lun-map,api-lun-unmap,api-nfs-exportfs-modify-rule,api-nfs-exportfs-delete-rules,api-nfs-exportfs-append-rules
Part 2 - Verify rights
FAS> useradmin role list srm_role
Part 3 - Create a group with the role
FAS> useradmin group add srm_group -r srm_role
Part 4 - Create a user in the group
FAS> useradmin user add srm_user -g srm_group
- Or a domain account -
FAS> useradmin domainuser add DOMAIN_NAME\srm_user -g srm_group
Additional Notes
Passwords are set or reset while logged in as root, using the passwd command:
useradmin user list
passwd
Example output:
FAS> passwd
Login: srm_user
New password:
Retype new password:
FAS>
Appendix: 7-Mode Password Options
FAS> options security
security.passwd.firstlogin.enable off
security.passwd.lockout.numtries 4294967295
security.passwd.rootaccess.enable on
security.passwd.rules.enable on
security.passwd.rules.everyone on
security.passwd.rules.history 0
security.passwd.rules.maximum 256
security.passwd.rules.minimum 8
security.passwd.rules.minimum.alphabetic 2
security.passwd.rules.minimum.digit 1
security.passwd.rules.minimum.lowercase 0
security.passwd.rules.minimum.symbol 0
security.passwd.rules.minimum.uppercase 0
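The option listing above can be reviewed with a short script when the smvi_user and srm_user accounts are created. This is an added example, not part of the original post; the thresholds in CHECKS are assumptions chosen for illustration, not NetApp guidance, and the sample input is constructed from the lines shown in the appendix.

```python
"""Flag weak values in Data ONTAP 7-Mode `options security` output."""

# Constructed sample: a subset of the option lines listed in the appendix above.
SAMPLE = """\
FAS> options security
security.passwd.firstlogin.enable off
security.passwd.lockout.numtries 4294967295
security.passwd.rootaccess.enable on
security.passwd.rules.enable on
security.passwd.rules.everyone on
security.passwd.rules.history 0
security.passwd.rules.maximum 256
security.passwd.rules.minimum 8
"""

# option name -> (acceptance test, finding text); thresholds are assumptions.
CHECKS = {
    "security.passwd.lockout.numtries":
        (lambda v: int(v) <= 10, "no practical lockout after failed logins"),
    "security.passwd.rules.history":
        (lambda v: int(v) >= 1, "previous passwords can be reused"),
    "security.passwd.rules.enable":
        (lambda v: v == "on", "password composition rules are disabled"),
    "security.passwd.rules.everyone":
        (lambda v: v == "on", "rules do not apply to root and Administrators"),
    "security.passwd.rules.minimum":
        (lambda v: int(v) >= 8, "minimum password length is below 8"),
}

def parse_options(text):
    """Return {option: value} for each 'security.* value' line; skip prompts."""
    opts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("security."):
            opts[parts[0]] = parts[1]
    return opts

def findings(text):
    """Return (option, value, reason) for every check that fails or is absent."""
    opts = parse_options(text)
    out = []
    for name, (ok, reason) in CHECKS.items():
        if name not in opts:
            out.append((name, None, "option not present in output"))
        elif not ok(opts[name]):
            out.append((name, opts[name], reason))
    return out

if __name__ == "__main__":
    for name, value, reason in findings(SAMPLE):
        print(f"{name} = {value}: {reason}")
```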