Role Based Access Control – RBAC Netapp Cluster Mode
Role Based Access Control (RBAC). Whenever we want to create a user in NetApp cluster mode, we first create a role, assign capabilities to it, and then map the role to the user.
In 7-Mode Data ONTAP, capabilities are added to a role according to the required access level, the role is mapped to a group, and users are created and added to that group so that the group's capabilities apply to all of its members. That group-based model applies only to 7-Mode Data ONTAP.
In Data ONTAP Cluster mode, groups are eliminated: we just create a role and assign the role directly to the user.
Creating a role and assigning capabilities – Role Based Access Control
ArkCluster::> security login role create -role AdminRole -vserver ArkCluster -cmddirname "volume" -access all
The above command creates a role called AdminRole and grants it access to the volume command directory, so AdminRole can execute only volume-level commands; every other command falls back to the role's DEFAULT entry, which is none.
ArkCluster::> security login role show -vserver ArkCluster -role AdminRole
           Role          Command/                                     Access
Vserver    Name          Directory                  Query             Level
---------- ------------- --------- ----------------------------------- --------
ArkCluster AdminRole     DEFAULT                                       none
ArkCluster AdminRole     volume                                        all
2 entries were displayed.
To create a role with all the privileges of admin, set DEFAULT to all. To modify the role, use the command below.
Modify Role
ArkCluster::> security login role modify -role AdminRole -vserver ArkCluster -cmddirname "DEFAULT" -access all
Delete Role
The command below deletes the volume capability from role AdminRole; the show that follows confirms which entries remain.
ArkCluster::> security login role delete -role AdminRole -cmddirname volume -vserver ArkCluster
ArkCluster::> security login role show
           Role          Command/                                     Access
Vserver    Name          Directory                  Query             Level
---------- ------------- --------- ----------------------------------- --------
ArkCluster AdminRole     DEFAULT                                       all
ArkCluster AdminRole     security login password                       all
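The DEFAULT-versus-specific-directory behaviour shown in the role listings above is what an access review has to reason about. The following Python audit script is an added example, not code from the original post: it parses a constructed "security login role show" listing modelled on the ArkCluster output, computes the effective access level of a command for a role (the most specific command directory wins, DEFAULT is the fallback), and flags roles whose DEFAULT entry is all, since those are admin-equivalent. The role names OpsRole and LegacyRole and the empty Query column are assumptions.

```python
import re

# Constructed sample modelled on the page's ArkCluster output (not captured from a real cluster).
SAMPLE = """\
ArkCluster::> security login role show -vserver ArkCluster
           Role          Command/                                     Access
Vserver    Name          Directory                  Query             Level
---------- ------------- --------- ----------------------------------- --------
ArkCluster AdminRole     DEFAULT                                       none
ArkCluster AdminRole     volume                                        all
ArkCluster OpsRole       DEFAULT                                       readonly
ArkCluster OpsRole       volume                                        all
ArkCluster OpsRole       volume destroy                                none
ArkCluster LegacyRole    DEFAULT                                       all
6 entries were displayed.
"""

# One table row: vserver, role, command directory (may contain spaces), access level.
# Assumes the Query column is empty, as in the page's output.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s+(all|readonly|none)$")


def parse_roles(text):
    """Return {(vserver, role): {command_directory: access}} from show output."""
    roles = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            vserver, role, cmddir, access = m.groups()
            roles.setdefault((vserver, role), {})[cmddir.strip()] = access
    return roles


def effective_access(entries, command):
    """ONTAP applies the most specific matching command directory; DEFAULT is the fallback."""
    words = command.split()
    best, best_len = entries.get("DEFAULT", "none"), 0
    for cmddir, access in entries.items():
        parts = cmddir.split()
        if cmddir != "DEFAULT" and words[:len(parts)] == parts and len(parts) > best_len:
            best, best_len = access, len(parts)
    return best


def admin_equivalent_roles(roles):
    """Roles whose DEFAULT entry is 'all' can run every command, just like admin."""
    return sorted(role for (_, role), entries in roles.items() if entries.get("DEFAULT") == "all")


if __name__ == "__main__":
    roles = parse_roles(SAMPLE)
    print(effective_access(roles[("ArkCluster", "OpsRole")], "volume destroy"))  # none
    print(admin_equivalent_roles(roles))  # ['LegacyRole']
```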
Create a user and assign a role
User logins are segregated into 8 application types in NetApp Cluster mode, so that each login states the purpose it serves (-application):
- console – Access via the console
- http – Access via the web GUI in a browser
- ontapi – Access via the System Manager application
- rsh – Access using the RSH protocol (typically used to collect performance data)
- service-processor – Access to the service processor (SP/RLM); no -vserver name is required for this application
- snmp – SNMP access for monitoring NetApp
- ssh – Access to the filer via SSH (CLI)
- telnet – Telnet is an old protocol that is not secure, but a NetApp node can still be accessed via telnet (CLI)
ArkCluster::> security login create ravi -application ssh -authmethod password -role AdminRole -vserver ArkCluster -comment "Ravi Netapp Admin"
Please enter a password for user 'ravi':
Please enter it again:
The above command creates a user ravi and assigns the role AdminRole in vserver ArkCluster.
User authentication (-authmethod) can be one of several types:
- cert – SSL certificate authentication
- community – SNMP community strings
- domain – Active Directory authentication
- nsswitch – LDAP or NIS authentication
- password – Password
- publickey – Public-key authentication
- usm – SNMP user security model. Refer to “security snmpusers” man page for more details.
Delete User
ArkCluster::> security login delete -user-or-group-name ravi -application ssh -authmethod password -vserver ArkCluster
Warning: Unable to list entries on node ArkCluster-01. Database is not open.
ArkCluster::> security login show
Vserver: ArkCluster
                                  Authentication                  Acct
User/Group Name  Application Method         Role Name        Locked
---------------- ----------- -------------- ---------------- ------
admin            console     password       admin            no
admin            http        password       admin            no
admin            ontapi      password       admin            no
admin            service-processor password admin            no
admin            ssh         password       admin            no
autosupport      console     password       autosupport      no
Error: show failed: database is not open
6 entries were displayed.
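Reviewing the "security login show" listing is where the application types above matter. The following Python script is an added example, not code from the original post: it parses a constructed listing modelled on the ArkCluster output, flags logins granted over the unencrypted telnet and rsh applications (the page itself notes telnet is not secure), and lists which logins carry a given role so admin sprawl can be reviewed. The ravi telnet/rsh rows in the sample are constructed and assumed.

```python
import re

# The eight login application types listed on the page.
APPLICATIONS = ("console", "http", "ontapi", "rsh", "service-processor",
                "snmp", "ssh", "telnet")
# Applications that carry credentials and sessions in cleartext.
CLEARTEXT = {"telnet", "rsh"}

# Constructed sample modelled on the page's output (not captured from a real cluster).
SAMPLE = """\
ArkCluster::> security login show
Vserver: ArkCluster
                                  Authentication                  Acct
User/Group Name  Application Method         Role Name        Locked
---------------- ----------- -------------- ---------------- ------
admin            console     password       admin            no
admin            ssh         password       admin            no
admin            telnet      password       admin            no
ravi             ssh         password       AdminRole        no
ravi             rsh         password       AdminRole        no
autosupport      console     password       autosupport      no
6 entries were displayed.
"""

# One table row: user, application, auth method, role name, account locked (yes/no).
ROW = re.compile(r"^(\S+)\s+(%s)\s+(\S+)\s+(\S+)\s+(yes|no)$" % "|".join(APPLICATIONS))


def parse_logins(text):
    """Return a list of (user, application, authmethod, role, locked) tuples."""
    return [m.groups() for m in (ROW.match(l.strip()) for l in text.splitlines()) if m]


def cleartext_logins(logins):
    """Logins reachable over unencrypted protocols, in listing order."""
    return [(user, app) for user, app, _, _, _ in logins if app in CLEARTEXT]


def logins_by_role(logins, role):
    """Every (user, application) pair that is granted the given role."""
    return sorted((user, app) for user, app, _, r, _ in logins if r == role)


if __name__ == "__main__":
    logins = parse_logins(SAMPLE)
    print(cleartext_logins(logins))        # [('admin', 'telnet'), ('ravi', 'rsh')]
    print(logins_by_role(logins, "admin"))  # [('admin', 'console'), ('admin', 'ssh'), ('admin', 'telnet')]
```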
CLI commands for creating SVM roles. Each row gives the -cmddirname and -vserver arguments to pass to security login role create, together with -role and -access as in the AdminRole example above.
| Command directory name | Command to be run |
|---|---|
| adduser | -cmddirname "adduser" -vserver SVM1 |
| event generate-autosupport-log | -cmddirname "event generate-autosupport-log" -vserver SVM1 |
| fcp | -cmddirname "fcp" -vserver SVM1 |
| iscsi | -cmddirname "iscsi" -vserver SVM1 |
| lun comment | -cmddirname "lun comment" -vserver SVM1 |
| lun create | -cmddirname "lun create" -vserver SVM1 |
| lun delete | -cmddirname "lun delete" -vserver SVM1 |
| lun geometry | -cmddirname "lun geometry" -vserver SVM1 |
| lun igroup add | -cmddirname "lun igroup add" -vserver SVM1 |
| lun igroup create | -cmddirname "lun igroup create" -vserver SVM1 |
| lun igroup set | -cmddirname "lun igroup set" -vserver SVM1 |
| lun igroup show | -cmddirname "lun igroup show" -vserver SVM1 |
| lun map | -cmddirname "lun map" -vserver SVM1 |
| lun mapped show | -cmddirname "lun mapped show" -vserver SVM1 |
| lun modify | -cmddirname "lun modify" -vserver SVM1 |
| lun move | -cmddirname "lun move" -vserver SVM1 |
| lun offline | -cmddirname "lun offline" -vserver SVM1 |
| lun online | -cmddirname "lun online" -vserver SVM1 |
| lun resize | -cmddirname "lun resize" -vserver SVM1 |
| lun show | -cmddirname "lun show" -vserver SVM1 |
| lun unmap | -cmddirname "lun unmap" -vserver SVM1 |
| network | -cmddirname "network" -vserver SVM1 |
| network connections | -cmddirname "network connections" -vserver SVM1 |
| network connections active | -cmddirname "network connections active" -vserver SVM1 |
| network connections listening show | -cmddirname "network connections listening show" -vserver SVM1 |
| network interface | -cmddirname "network interface" -vserver SVM1 |
| network routing-groups | -cmddirname "network routing-groups" -vserver SVM1 |
| nfs | -cmddirname "nfs" -vserver SVM1 |
| options | -cmddirname "options" -vserver SVM1 |
| restore-file | -cmddirname "restore-file" -vserver SVM1 |
| snapmirror | -cmddirname "snapmirror" -vserver SVM1 |
| version | -cmddirname "version" -vserver SVM1 |
| volume | -cmddirname "volume" -vserver SVM1 |
| volume autosize | -cmddirname "volume autosize" -vserver SVM1 |
| volume clone | -cmddirname "volume clone" -vserver SVM1 |
| volume clone create | -cmddirname "volume clone create" -vserver SVM1 |
| volume create | -cmddirname "volume create" -vserver SVM1 |
| volume destroy | -cmddirname "volume destroy" -vserver SVM1 |
| volume efficiency off | -cmddirname "volume efficiency off" -vserver SVM1 |
| volume efficiency on | -cmddirname "volume efficiency on" -vserver SVM1 |
| volume efficiency start | -cmddirname "volume efficiency start" -vserver SVM1 |
| volume efficiency show | -cmddirname "volume efficiency show" -vserver SVM1 |
| volume file | -cmddirname "volume file" -vserver SVM1 |
| volume file clone | -cmddirname "volume file clone" -vserver SVM1 |
| volume file clone create | -cmddirname "volume file clone create" -vserver SVM1 |
| volume modify | -cmddirname "volume modify" -vserver SVM1 |
| volume mount | -cmddirname "volume mount" -vserver SVM1 |
| volume offline | -cmddirname "volume offline" -vserver SVM1 |
| volume show | -cmddirname "volume show" -vserver SVM1 |
| volume size | -cmddirname "volume size" -vserver SVM1 |
| volume snapshot create | -cmddirname "volume snapshot create" -vserver SVM1 |
| volume snapshot delete | -cmddirname "volume snapshot delete" -vserver SVM1 |
| volume snapshot restore | -cmddirname "volume snapshot restore" -vserver SVM1 |
| volume unmount | -cmddirname "volume unmount" -vserver SVM1 |
| vserver export-policy rule show | -cmddirname "vserver export-policy rule show" -vserver SVM1 |
| vserver export-policy show | -cmddirname "vserver export-policy show" -vserver SVM1 |
| vserver fcp initiator show | -cmddirname "vserver fcp initiator show" -vserver SVM1 |
| vserver fcp show | -cmddirname "vserver fcp show" -vserver SVM1 |
| vserver fcp status | -cmddirname "vserver fcp status" -vserver SVM1 |
| vserver iscsi connection show | -cmddirname "vserver iscsi connection show" -vserver SVM1 |
| vserver iscsi interface accesslist add | -cmddirname "vserver iscsi interface accesslist add" -vserver SVM1 |
| vserver iscsi interface accesslist show | -cmddirname "vserver iscsi interface accesslist show" -vserver SVM1 |
| vserver iscsi isns query | -cmddirname "vserver iscsi isns query" -vserver SVM1 |
| vserver iscsi nodename | -cmddirname "vserver iscsi nodename" -vserver SVM1 |
| vserver iscsi session show | -cmddirname "vserver iscsi session show" -vserver SVM1 |
| vserver iscsi show | -cmddirname "vserver iscsi show" -vserver SVM1 |
| vserver iscsi status | -cmddirname "vserver iscsi status" -vserver SVM1 |
| vserver nfs status | -cmddirname "vserver nfs status" -vserver SVM1 |
| vserver services dns hosts show | -cmddirname "vserver services dns hosts show" -vserver SVM1 |
| vserver services unix-group create | -cmddirname "vserver services unix-group create" -vserver SVM1 |
| vserver services unix-group show | -cmddirname "vserver services unix-group show" -vserver SVM1 |
| vserver services unix-user create | -cmddirname "vserver services unix-user create" -vserver SVM1 |
| vserver services unix-user show | -cmddirname "vserver services unix-user show" -vserver SVM1 |
CLI commands for creating cluster roles. The rows follow the same pattern, with the cluster vserver ArkCluster in place of the data SVM.
| Command directory name | Command to be run |
|---|---|
| cluster identity show | -cmddirname "cluster identity show" -vserver ArkCluster |
| event | -cmddirname "event" -vserver ArkCluster |
| event config | -cmddirname "event config" -vserver ArkCluster |
| event destination | -cmddirname "event destination" -vserver ArkCluster |
| event log | -cmddirname "event log" -vserver ArkCluster |
| event mailhistory | -cmddirname "event mailhistory" -vserver ArkCluster |
| event route | -cmddirname "event route" -vserver ArkCluster |
| event snmphistory | -cmddirname "event snmphistory" -vserver ArkCluster |
| event status | -cmddirname "event status" -vserver ArkCluster |
| fcp | -cmddirname "fcp" -vserver ArkCluster |
| iscsi | -cmddirname "iscsi" -vserver ArkCluster |
| lun comment | -cmddirname "lun comment" -vserver ArkCluster |
| lun create | -cmddirname "lun create" -vserver ArkCluster |
| lun delete | -cmddirname "lun delete" -vserver ArkCluster |
| lun geometry | -cmddirname "lun geometry" -vserver ArkCluster |
| lun igroup add | -cmddirname "lun igroup add" -vserver ArkCluster |
| lun igroup create | -cmddirname "lun igroup create" -vserver ArkCluster |
| lun igroup set | -cmddirname "lun igroup set" -vserver ArkCluster |
| lun igroup show | -cmddirname "lun igroup show" -vserver ArkCluster |
| lun map | -cmddirname "lun map" -vserver ArkCluster |
| lun mapped show | -cmddirname "lun mapped show" -vserver ArkCluster |
| lun modify | -cmddirname "lun modify" -vserver ArkCluster |
| lun move | -cmddirname "lun move" -vserver ArkCluster |
| lun offline | -cmddirname "lun offline" -vserver ArkCluster |
| lun online | -cmddirname "lun online" -vserver ArkCluster |
| lun resize | -cmddirname "lun resize" -vserver ArkCluster |
| lun show | -cmddirname "lun show" -vserver ArkCluster |
| lun unmap | -cmddirname "lun unmap" -vserver ArkCluster |
| network | -cmddirname "network" -vserver ArkCluster |
| network fcp adapter show | -cmddirname "network fcp adapter show" -vserver ArkCluster |
| network interface show | -cmddirname "network interface show" -vserver ArkCluster |
| nfs | -cmddirname "nfs" -vserver ArkCluster |
| options | -cmddirname "options" -vserver ArkCluster |
| security login role show | -cmddirname "security login role show" -vserver ArkCluster |
| security login show | -cmddirname "security login show" -vserver ArkCluster |
| snapmirror | -cmddirname "snapmirror" -vserver ArkCluster |
| storage aggregate | -cmddirname "storage aggregate" -vserver ArkCluster |
| system license show | -cmddirname "system license show" -vserver ArkCluster |
| system node | -cmddirname "system node" -vserver ArkCluster |
| system node autosupport | -cmddirname "system node autosupport" -vserver ArkCluster |
| system node autosupport invoke | -cmddirname "system node autosupport invoke" -vserver ArkCluster |
| system node show | -cmddirname "system node show" -vserver ArkCluster |
| system node run | -cmddirname "system node run" -vserver ArkCluster |
| system services ndmp | -cmddirname "system services ndmp" -vserver ArkCluster |
| version | -cmddirname "version" -vserver ArkCluster |
| vserver export-policy rule create | -cmddirname "vserver export-policy rule create" -vserver ArkCluster |
| vserver export-policy rule show | -cmddirname "vserver export-policy rule show" -vserver ArkCluster |
| vserver export-policy show | -cmddirname "vserver export-policy show" -vserver ArkCluster |
| vserver fcp initiator show | -cmddirname "vserver fcp initiator show" -vserver ArkCluster |
| vserver fcp show | -cmddirname "vserver fcp show" -vserver ArkCluster |
| vserver fcp status | -cmddirname "vserver fcp status" -vserver ArkCluster |
| vserver iscsi connection show | -cmddirname "vserver iscsi connection show" -vserver ArkCluster |
| vserver iscsi interface accesslist add | -cmddirname "vserver iscsi interface accesslist add" -vserver ArkCluster |
| vserver iscsi interface accesslist show | -cmddirname "vserver iscsi interface accesslist show" -vserver ArkCluster |
| vserver iscsi nodename | -cmddirname "vserver iscsi nodename" -vserver ArkCluster |
| vserver iscsi session show | -cmddirname "vserver iscsi session show" -vserver ArkCluster |
| vserver iscsi show | -cmddirname "vserver iscsi show" -vserver ArkCluster |
| vserver iscsi status | -cmddirname "vserver iscsi status" -vserver ArkCluster |
| vserver nfs status | -cmddirname "vserver nfs status" -vserver ArkCluster |
| vserver services unix-group create | -cmddirname "vserver services unix-group create" -vserver ArkCluster |
| vserver services unix-user create | -cmddirname "vserver services unix-user create" -vserver ArkCluster |
| vserver services unix-group show | -cmddirname "vserver services unix-group show" -vserver ArkCluster |
| vserver services unix-user show | -cmddirname "vserver services unix-user show" -vserver ArkCluster |
| vserver show | -cmddirname "vserver show" -vserver ArkCluster |
| volume autosize | -cmddirname "volume autosize" -vserver ArkCluster |
| volume clone create | -cmddirname "volume clone create" -vserver ArkCluster |
| volume create | -cmddirname "volume create" -vserver ArkCluster |
| volume destroy | -cmddirname "volume destroy" -vserver ArkCluster |
| volume efficiency off | -cmddirname "volume efficiency off" -vserver ArkCluster |
| volume efficiency on | -cmddirname "volume efficiency on" -vserver ArkCluster |
| volume efficiency show | -cmddirname "volume efficiency show" -vserver ArkCluster |
| volume efficiency start | -cmddirname "volume efficiency start" -vserver ArkCluster |
| volume file | -cmddirname "volume file" -vserver ArkCluster |
| volume file clone create | -cmddirname "volume file clone create" -vserver ArkCluster |
| volume file show-disk-usage | -cmddirname "volume file show-disk-usage" -vserver ArkCluster |
| volume modify | -cmddirname "volume modify" -vserver ArkCluster |
| volume offline | -cmddirname "volume offline" -vserver ArkCluster |
| volume show | -cmddirname "volume show" -vserver ArkCluster |
| volume size | -cmddirname "volume size" -vserver ArkCluster |
| volume snapshot create | -cmddirname "volume snapshot create" -vserver ArkCluster |
| volume unmount | -cmddirname "volume unmount" -vserver ArkCluster |
Conclusion
In NetApp Cluster mode there is no group concept: create a role, add the required capabilities to it, and assign the role directly to the user.