Following on from the previous blog post, where we created a minimum-permission user account for joining clusters to OCUM 6.1, this unofficial blog post outlines how to do the same for OPM 1.0. As before, the role was built by starting with a read-only account, checking command-history.log for the commands that were failing with insufficient-privileges errors, and then adding in only the required permissions.
Note: The role will need to be reviewed for later releases of OnCommand Performance Manager and Clustered Data ONTAP (tested with 8.2.1).
Creating the OCPM Role
The commands below create a role called ocpm:
CLUSTERNAME::> security login role create -role ocpm -cmddirname DEFAULT -access readonly
CLUSTERNAME::> security login role create -role ocpm -cmddirname "cluster application-record" -access all
CLUSTERNAME::> security login role create -role ocpm -cmddirname "volume modify" -access all
CLUSTERNAME::> security login role create -role ocpm -cmddirname "storage disk show" -access all
Note: The role was constructed by resolving the ONTAP errors seen in command-history.log. Insufficient-privileges errors were seen for "cluster-application-record-create", "volume-modify-iter", and "storage-shelf-list-info". Adding "volume modify all" also affects "volume create" and "volume show". Adding "storage disk show all" also affects "storage disk modify".
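To make the log-driven method above repeatable, here is an added Python example (not from the original post) that scans constructed command-history.log lines for insufficient-privileges errors and turns the failing API names into the role commands above, using the ZAPI-to-command-directory mapping this post identifies. The log line layout is an assumption, and any API not in that mapping is flagged for manual review rather than granted.

```python
import re

# ONTAP API (ZAPI) names the post saw failing in command-history.log, mapped to
# the CLI command directory granted for each; unlisted APIs are reported for
# manual review rather than granted automatically.
ZAPI_TO_CMDDIR = {
    "cluster-application-record-create": "cluster application-record",
    "volume-modify-iter": "volume modify",
    "storage-shelf-list-info": "storage disk show",
}

# Constructed sample lines (assumed layout, not the real command-history.log
# format): only the hyphenated API name and the error text are relied on.
SAMPLE_LOG = """\
Aug 01 10:00:01 [CLUSTER1:ontapi] user=ocpm api=volume-get-iter result=passed
Aug 01 10:00:02 [CLUSTER1:ontapi] user=ocpm api=cluster-application-record-create result=error reason="Insufficient privileges: user 'ocpm' does not have read/write access to this resource"
Aug 01 10:00:03 [CLUSTER1:ontapi] user=ocpm api=volume-modify-iter result=error reason="Insufficient privileges"
Aug 01 10:00:04 [CLUSTER1:ontapi] user=ocpm api=storage-shelf-list-info result=error reason="Insufficient privileges"
Aug 01 10:00:05 [CLUSTER1:ontapi] user=ocpm api=volume-modify-iter result=error reason="Insufficient privileges"
Aug 01 10:00:06 [CLUSTER1:ontapi] user=ocpm api=qos-policy-group-modify result=error reason="Insufficient privileges"
"""

ZAPI_TOKEN = re.compile(r"\b[a-z]+(?:-[a-z]+)+\b")

def failed_zapis(log_text):
    """Distinct API names, in first-seen order, that hit an insufficient-privileges error."""
    seen = []
    for line in log_text.splitlines():
        if "Insufficient privileges" not in line:
            continue
        tokens = ZAPI_TOKEN.findall(line)
        if tokens and tokens[0] not in seen:
            seen.append(tokens[0])
    return seen

def role_commands(zapis, role="ocpm"):
    """Commands for a least-privilege role: read-only default plus 'all' only on
    the directories the failed APIs need. Returns (commands, unmapped)."""
    commands = [f"security login role create -role {role} -cmddirname DEFAULT -access readonly"]
    unmapped = []
    for zapi in zapis:
        cmddir = ZAPI_TO_CMDDIR.get(zapi)
        if cmddir is None:
            unmapped.append(zapi)  # never guess a grant; a human maps it
            continue
        cmd = f'security login role create -role {role} -cmddirname "{cmddir}" -access all'
        if cmd not in commands:  # repeated failures must not repeat the grant
            commands.append(cmd)
    return commands, unmapped
```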
Creating the OCPM User
The command below creates a user called ocpm:
CLUSTERNAME::> security login create -username ocpm -application ontapi -role ocpm -authmethod password
Additional Information
In CDOT 8.2.1, OPM needs to be able to enable QoS counters on volumes. A volume that does not have a QoS policy gets added to the hidden _Performance_Monitor_volumes QoS policy group, which the user described above has the ability to do.
Example:
CLUSTERNAME::> vol show -fields qos-policy-group -type RW
vserver  volume  qos-policy-group
-------- ------- ----------------------------
VSERVER1 testvol _Performance_Monitor_volumes