If you’re looking to create an account with minimum permissions for joining Clustered ONTAP clusters (tested with 8.2.1) to OnCommand Unified Manager 6.1, this unofficial blog post might help. The role was built starting with a read-only account, then looking at the command-history.log to see which commands were failing for lack of access, then adding in just the required permissions.
Note: The role will need to be reviewed for later releases of OnCommand Unified Manager and Clustered Data ONTAP.
Requirements for the User Account
The user account needs to support the following features:
- Allow the monitoring abilities of OCUM to work
- Allow SnapRestore to function for restores within the same read-write volume
- Allow NDMP restore from other volumes (e.g. SnapVault/DR read-only volumes)
Pre-Requisites
The role requires that ‘vserver services ndmp’ is turned on for the cluster in order for NDMP restores to work.
Commands:
CLUSTERNAME::>
vserver services ndmp show -vserver CLUSTERNAME -fields enable
vserver services ndmp on -vserver CLUSTERNAME
Note: Creating an OCUM user that can also turn NDMP on results in a pretty unrestricted account, like the one below. This is due to certain hardcoding of permissions to roles in CDOT 8.2.X.
UserName   Application   Method     Role Name
---------- ------------- ---------- ----------
ocum       console       password   admin
ocum       ontapi        password   admin
ocum       ssh           password   backup
Creating the OCUM Role
The commands below create a role called ocum:
CLUSTERNAME::>
security login role create -role ocum -cmddirname DEFAULT -access readonly
security login role create -role ocum -cmddirname "volume file show-disk-usage" -access all
security login role create -role ocum -cmddirname "volume snapshot restore-file" -access all
security login role create -role ocum -cmddirname "storage aggregate check_spare_low" -access all
Note 1: The first and fourth lines are required for OCUM monitoring. Line 4 was added because of seeing an alert for “aggr-check-spare-low” with “Insufficient privileges” in the command-history.log.
Note 2: The second and third lines are required for SnapRestore to function.
Note 3: I was considering adding the 5th line below because of seeing some errors from “storage-shelf-list-info” in the command-history.log with “Enclosure services not ready at this time” - I put this down to testing on a SIM though. Adding “storage disk show all” also affects "storage disk modify".
::> security login role create -role ocum -cmddirname "storage disk show" -access all
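The post's method is read-only first, then mine command-history.log for what the account was actually denied. The script below is an added example, not the post's own tooling or anything shipped with ONTAP or OCUM: it parses a constructed log excerpt (the line layout is an assumption; the real command-history.log format may differ), separates genuine "Insufficient privileges" denials from other failures such as the enclosure-services message that a wider role would not fix, and emits only the security login role create lines for calls the operator has mapped to a command directory. The aggr-check-spare-low mapping is the one the post reports; the snapshot-restore-file mapping is an assumption for illustration, and anything unmapped is returned for manual review rather than granted.

```python
"""Added example (not from the post): mine an ONTAP command-history.log
excerpt for the "Insufficient privileges" failures that drive the
read-only-first approach to building the ocum role. The log line layout
below is an assumption; the real command-history.log format may differ."""
import re

# Constructed sample lines, not real ONTAP output; layout is assumed.
SAMPLE_LOG = """\
Mon Mar 10 10:01:02 2014 [ocum:ontapi] volume-get-iter : OK
Mon Mar 10 10:01:03 2014 [ocum:ontapi] aggr-check-spare-low : Insufficient privileges
Mon Mar 10 10:01:04 2014 [ocum:ontapi] storage-shelf-list-info : Enclosure services not ready at this time
Mon Mar 10 10:05:09 2014 [ocum:ontapi] aggr-check-spare-low : Insufficient privileges
Mon Mar 10 10:05:10 2014 [admin:console] security login show : OK
Mon Mar 10 10:06:00 2014 [ocum:ontapi] snapshot-restore-file : Insufficient privileges
this line is not parseable
"""

# Assumed layout: <timestamp> [<user>:<application>] <command> : <result>
LINE_RE = re.compile(
    r"^(?P<ts>.+?) \[(?P<user>[^:\]]+):(?P<app>[^\]]+)\] (?P<cmd>.+?) : (?P<result>.+)$"
)

# Map ONTAPI call names seen in the log to the CLI command directory the
# role needs. The aggr-check-spare-low entry is the one the post reports;
# the snapshot-restore-file entry is an assumption for illustration.
API_TO_CMDDIR = {
    "aggr-check-spare-low": "storage aggregate check_spare_low",
    "snapshot-restore-file": "volume snapshot restore-file",
}


def parse_history(text):
    """Return one dict per parseable log line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def privilege_failures(text, user="ocum"):
    """Count, per command, how often `user` was denied for lack of privileges."""
    counts = {}
    for rec in parse_history(text):
        if rec["user"] == user and rec["result"].startswith("Insufficient privileges"):
            counts[rec["cmd"]] = counts.get(rec["cmd"], 0) + 1
    return counts


def other_failures(text, user="ocum"):
    """Non-OK results that are NOT privilege errors. Widening the role does
    not fix these (e.g. the enclosure-services message seen on a simulator)."""
    return {
        rec["cmd"]: rec["result"]
        for rec in parse_history(text)
        if rec["user"] == user
        and rec["result"] != "OK"
        and not rec["result"].startswith("Insufficient privileges")
    }


def role_commands(failures, role="ocum", mapping=API_TO_CMDDIR):
    """Build the minimal `security login role create` lines for the mapped
    failures. Returns (commands, unmapped) so unknown calls get reviewed by
    hand instead of being silently granted."""
    commands, unmapped = [], []
    for api in sorted(failures):
        cmddir = mapping.get(api)
        if cmddir is None:
            unmapped.append(api)
        else:
            commands.append(
                f'security login role create -role {role} -cmddirname "{cmddir}" -access all'
            )
    return commands, unmapped


if __name__ == "__main__":
    denied = privilege_failures(SAMPLE_LOG)
    cmds, todo = role_commands(denied)
    print("\n".join(cmds))
    print("review by hand:", todo)
    print("not a permissions problem:", other_failures(SAMPLE_LOG))
```

Run it against a real command-history.log after adjusting LINE_RE to the actual layout; the point of keeping the mapping explicit is that every -access all grant traces back to a specific denied call, which is what keeps the role minimal rather than drifting toward admin.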
Creating the OCUM User
The commands below create a user called ocum:
CLUSTERNAME::>
security login create -username ocum -application ontapi -role ocum -authmethod password
security login create -username ocum -application ssh -role backup -authmethod password
Note: The second line is required because only users with application ssh and the role admin or backup can run the command “vserver services ndmp generate-password”, which is required for NDMP restores to function (the backup role also comes with “vserver services ndmp” all access).