Minimum Permission User for Joining Clustered ONTAP Clusters to OnCommand Unified Manager 6.1

If you’re looking to create an account with minimum permissions for joining Clustered ONTAP clusters (tested with 8.2.1) to OnCommand Unified Manager 6.1, this unofficial blog post might help. The role was built by starting with a read-only account, checking the command-history.log for commands that were failing due to lack of access, and then adding in just the required permissions.

Note: The role will need to be reviewed for later releases of OnCommand Unified Manager and Clustered Data ONTAP.

Requirements for the User Account

The user account needs to support the following features:

- Allow the monitoring abilities of OCUM to work
- Allow SnapRestore to function for restores within the same read-write volume
- Allow NDMP restore from other volumes (e.g. SnapVault/DR read-only volumes.)

Pre-Requisites

The role requires that ‘vserver services ndmp’ is turned on for the cluster in order for NDMP restores to work.

Commands:

CLUSTERNAME::>
vserver services ndmp show -vserver CLUSTERNAME -fields enable
vserver services ndmp on -vserver CLUSTERNAME

Note: Creating an OCUM user that can also turn NDMP on results in a fairly unrestricted account, like the one below. This is because certain permissions are hardcoded to roles in CDOT 8.2.X.

UserName   Application Method   Role Name
---------- ----------- -------- ---------
ocum       console     password admin
ocum       ontapi      password admin
ocum       ssh         password backup

Creating the OCUM Role

The commands below create a role called ocum:

CLUSTERNAME::>
security login role create -role ocum -cmddirname DEFAULT -access readonly
security login role create -role ocum -cmddirname "volume file show-disk-usage" -access all
security login role create -role ocum -cmddirname "volume snapshot restore-file" -access all
security login role create -role ocum -cmddirname "storage aggregate check_spare_low" -access all

Note 1: The first and fourth lines are required for OCUM monitoring. Line 4 was added because the command-history.log showed an alert for “aggr-check-spare-low” with “Insufficient privileges”.
Note 2: The second and third lines are required for SnapRestore to function.
Note 3: I was considering adding the 5th line below because I was seeing some errors from “storage-shelf-list-info” in the command-history.log with “Enclosure services not ready at this time”; I put this down to testing on a SIM though. Adding “storage disk show all” also affects “storage disk modify”.
::> security login role create -role ocum -cmddirname "storage disk show" -access all
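The role above was derived by reading command-history.log for calls refused with “Insufficient privileges” and granting only those. The script below is an added example, not part of the original post, that automates that pass over a constructed log sample; the log line layout, the name “placeholder-unmapped-api” and the API-to-command-directory table (which holds only the aggr-check-spare-low entry from Note 1) are assumptions.

```python
import re
from collections import Counter

# Constructed sample of command-history.log lines. The line layout is an
# ASSUMPTION for this example; only the API names and error text seen in
# the post are real, and "placeholder-unmapped-api" is a placeholder.
SAMPLE_LOG = """\
2014-05-01 10:00:01 ocum ontapi: volume-get-iter :: Success
2014-05-01 10:00:02 ocum ontapi: aggr-check-spare-low :: Error: Insufficient privileges
2014-05-01 10:00:03 ocum ontapi: storage-shelf-list-info :: Error: Enclosure services not ready at this time
2014-05-01 10:00:04 ocum ontapi: aggr-check-spare-low :: Error: Insufficient privileges
2014-05-01 10:00:05 ocum ontapi: placeholder-unmapped-api :: Error: Insufficient privileges
"""
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<user>\S+) (?P<app>\w+): (?P<api>[\w-]+) :: (?P<result>.*)$"
)

# ONTAPI call name -> command directory to grant. Only this entry is taken
# from the post (Note 1); anything unmapped is reported, not guessed.
API_TO_CMDDIR = {
    "aggr-check-spare-low": "storage aggregate check_spare_low",
}

def denied_apis(log_text, user="ocum"):
    """Count, per API, how often `user` was refused for lack of privilege.
    Other failures (e.g. 'Enclosure services not ready') are not
    permission problems and are deliberately ignored."""
    denied = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["user"] == user and "Insufficient privileges" in m["result"]:
            denied[m["api"]] += 1
    return dict(denied)

def role_commands(denied, role="ocum"):
    """Read-only DEFAULT plus one 'all' entry per denied API with a known
    command directory; unmapped APIs become a comment so a person resolves
    them instead of the role being widened blindly."""
    cmds = [f"security login role create -role {role} -cmddirname DEFAULT -access readonly"]
    for api in sorted(denied):
        cmddir = API_TO_CMDDIR.get(api)
        if cmddir is None:
            cmds.append(f"# TODO: map ONTAPI call {api!r} to a command directory before granting")
        else:
            cmds.append(f'security login role create -role {role} -cmddirname "{cmddir}" -access all')
    return cmds

if __name__ == "__main__":
    print("\n".join(role_commands(denied_apis(SAMPLE_LOG))))
```

Re-run it after each round of adding permissions; the role is complete when the log produces no more “Insufficient privileges” lines for the ocum user.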

Creating the OCUM User

The commands below create a user called ocum:

CLUSTERNAME::>
security login create -username ocum -application ontapi -role ocum -authmethod password
security login create -username ocum -application ssh -role backup -authmethod password

Note: The second line is required because only users with application ssh and the role admin or backup can run the command “vserver services ndmp generate-password”, which is required for NDMP restores to function (the backup role also comes with all access to “vserver services ndmp”).
