Role Based Access Control – RBAC Netapp Cluster Mode

Role Based Access Control (RBAC) in NetApp clustered Data ONTAP comes down to three steps: create a role, assign capabilities (command directories with an access level) to that role, and map the role to users. Whenever we want to create a user in Cluster mode, this is the sequence to follow.

(Screenshot: RBAC – Role based access control in 7-Mode)

As the screen above shows, in 7-Mode we add capabilities to a role based on the required access level and map the role to a group; we then create users and add them to the group so that the group's capabilities apply to all of its members. This group-based model applies only to 7-Mode Data ONTAP.

In clustered Data ONTAP the group layer is gone: we create a role and assign it directly to the user.

Creating a Role and assigning capabilities – Role Based Access Control

ArkCluster::> security login role create -role AdminRole -vserver ArkCluster -cmddirname "volume" -access all

The command above creates a role called AdminRole on vserver ArkCluster and grants it the volume command directory with access level all, so a user holding AdminRole can run only volume commands. Every other command falls under the role's DEFAULT entry, which is none, as the output below shows.

ArkCluster::> security login role show -vserver ArkCluster -role AdminRole
           Role          Command/                                    Access
Vserver    Name          Directory                         Query     Level
---------- ------------- --------------------------------- --------- --------
ArkCluster AdminRole     DEFAULT                                     none
ArkCluster AdminRole     volume                                      all

2 entries were displayed.

A role whose DEFAULT entry is all has the same privileges as the built-in admin role; such a role is no longer a restricted role, so set DEFAULT all only where full administrative rights are intended. To change the DEFAULT entry of an existing role, use the modify command below.

Modify Role

ArkCluster::> security login role modify -role AdminRole -vserver ArkCluster -cmddirname "DEFAULT" -access all

Delete Role

The command below removes the volume capability from role AdminRole; the second command lists what the role still contains.

ArkCluster::> security login role delete -role AdminRole -cmddirname volume -vserver ArkCluster
ArkCluster::> security login role show
           Role          Command/                                    Access
Vserver    Name          Directory                         Query     Level
---------- ------------- --------------------------------- --------- --------
ArkCluster AdminRole     DEFAULT                                     all
ArkCluster AdminRole     security login password                     all
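Before assigning a role it is worth checking what it actually allows. The following is an added example (not part of the original post and not NetApp's tooling) that parses security login role show output in the layout above, resolves a command's access level under ONTAP's rule that the most specific matching command directory wins over DEFAULT, and flags roles that carry DEFAULT all or can manage logins; the OpsRole and "volume destroy" entries in the sample are constructed.

```python
import re
# Constructed sample in the layout of "security login role show" (not a capture from
# the author's ArkCluster); the OpsRole and "volume destroy" entries are assumed.
ROLE_SHOW = """\
           Role          Command/                                    Access
Vserver    Name          Directory                         Query     Level
---------- ------------- --------------------------------- --------- --------
ArkCluster AdminRole     DEFAULT                                     none
ArkCluster AdminRole     volume                                      all
ArkCluster AdminRole     volume destroy                              none
ArkCluster OpsRole       DEFAULT                                     all
"""

# vserver, role, command directory (may contain spaces), access level; empty Query column
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s+(all|readonly|none)\s*$")

def parse_role_show(text):
    """Map (vserver, role) -> list of (command directory, access level)."""
    roles = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vserver, role, cmddir, access = m.groups()
            roles.setdefault((vserver, role), []).append((cmddir, access))
    return roles

def effective_access(entries, command):
    """Most specific matching command directory wins; DEFAULT is the catch-all."""
    best, best_depth = "none", -1
    for cmddir, access in entries:
        if cmddir == "DEFAULT":
            depth = 0
        elif command == cmddir or command.startswith(cmddir + " "):
            depth = len(cmddir.split())
        else:
            continue
        if depth > best_depth:
            best, best_depth = access, depth
    return best

def audit_roles(roles):
    """Flag roles equal to admin (DEFAULT all) or able to manage login accounts."""
    findings = []
    for (vserver, role), entries in roles.items():
        if ("DEFAULT", "all") in entries:
            findings.append(f"{vserver}/{role}: DEFAULT all, equivalent to admin")
        elif effective_access(entries, "security login create") == "all":
            findings.append(f"{vserver}/{role}: can create and modify logins")
    return findings
```

Run audit_roles(parse_role_show(text)) over the pasted output of security login role show to list the roles that need a second look.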

Create User and Assign role

Users in NetApp Cluster mode are created per application. There are 8 application types, each with its own purpose:

  • console – Access through the console
  • http – Access through the web GUI in a browser
  • ontapi – Access through the ONTAP API, which is what System Manager and similar applications use
  • rsh – Access using the RSH protocol (preferred for collecting perf data)
  • service-processor – Access to the Service Processor (SP/RLM); no -vserver is required for this application
  • snmp – SNMP access for monitoring the NetApp system
  • ssh – CLI access to the filer over SSH
  • telnet – CLI access over Telnet; it is an old, unencrypted protocol, but a NetApp node can still be reached with it

ArkCluster::> security login create -user-or-group-name ravi -application ssh -authmethod password -role AdminRole -vserver ArkCluster -comment "Ravi Netapp Admin"

Please enter a password for user 'ravi':
Please enter it again:

The command above creates the user ravi for the ssh application with password authentication and assigns it the role AdminRole in vserver ArkCluster.

Several authentication methods (-authmethod) are available:

  • cert – SSL certificate authentication
  • community – SNMP community strings
  • domain – Active Directory authentication
  • nsswitch – LDAP or NIS authentication
  • password – Password
  • publickey – Public-key authentication
  • usm – SNMP user security model. Refer to “security snmpusers” man page for more details.

Delete User

ArkCluster::> security login delete -user-or-group-name ravi -application ssh -authmethod password -vserver ArkCluster

Warning: Unable to list entries on node ArkCluster-01. Database is not open.

ArkCluster::> security login show

Vserver: ArkCluster
                                   Authentication                  Acct
User/Group Name  Application       Method          Role Name       Locked
---------------- ----------------- --------------- --------------- ------
admin            console           password        admin           no
admin            http              password        admin           no
admin            ontapi            password        admin           no
admin            service-processor password        admin           no
admin            ssh               password        admin           no
autosupport      console           password        autosupport     no

Error: show failed: database is not open
6 entries were displayed.

CLI commands for creating SVM roles

Each row gives the -cmddirname and -vserver parameters to pass to security login role create (together with -role and -access) to grant that command directory to a role on the data SVM SVM1:

Command directory name                   Command to be run
---------------------------------------- ----------------------------------------------------------------
adduser                                  -cmddirname "adduser" -vserver SVM1
event generate-autosupport-log           -cmddirname "event generate-autosupport-log" -vserver SVM1
fcp                                      -cmddirname "fcp" -vserver SVM1
iscsi                                    -cmddirname "iscsi" -vserver SVM1
lun comment                              -cmddirname "lun comment" -vserver SVM1
lun create                               -cmddirname "lun create" -vserver SVM1
lun delete                               -cmddirname "lun delete" -vserver SVM1
lun geometry                             -cmddirname "lun geometry" -vserver SVM1
lun igroup add                           -cmddirname "lun igroup add" -vserver SVM1
lun igroup create                        -cmddirname "lun igroup create" -vserver SVM1
lun igroup set                           -cmddirname "lun igroup set" -vserver SVM1
lun igroup show                          -cmddirname "lun igroup show" -vserver SVM1
lun map                                  -cmddirname "lun map" -vserver SVM1
lun mapped show                          -cmddirname "lun mapped show" -vserver SVM1
lun modify                               -cmddirname "lun modify" -vserver SVM1
lun move                                 -cmddirname "lun move" -vserver SVM1
lun offline                              -cmddirname "lun offline" -vserver SVM1
lun online                               -cmddirname "lun online" -vserver SVM1
lun resize                               -cmddirname "lun resize" -vserver SVM1
lun show                                 -cmddirname "lun show" -vserver SVM1
lun unmap                                -cmddirname "lun unmap" -vserver SVM1
network                                  -cmddirname "network" -vserver SVM1
network connections                      -cmddirname "network connections" -vserver SVM1
network connections active               -cmddirname "network connections active" -vserver SVM1
network connections listening show       -cmddirname "network connections listening show" -vserver SVM1
network interface                        -cmddirname "network interface" -vserver SVM1
network routing-groups                   -cmddirname "network routing-groups" -vserver SVM1
nfs                                      -cmddirname "nfs" -vserver SVM1
options                                  -cmddirname "options" -vserver SVM1
restore-file                             -cmddirname "restore-file" -vserver SVM1
snapmirror                               -cmddirname "snapmirror" -vserver SVM1
version                                  -cmddirname "version" -vserver SVM1
volume                                   -cmddirname "volume" -vserver SVM1
volume autosize                          -cmddirname "volume autosize" -vserver SVM1
volume clone                             -cmddirname "volume clone" -vserver SVM1
volume clone create                      -cmddirname "volume clone create" -vserver SVM1
volume create                            -cmddirname "volume create" -vserver SVM1
volume destroy                           -cmddirname "volume destroy" -vserver SVM1
volume efficiency off                    -cmddirname "volume efficiency off" -vserver SVM1
volume efficiency on                     -cmddirname "volume efficiency on" -vserver SVM1
volume efficiency start                  -cmddirname "volume efficiency start" -vserver SVM1
volume efficiency show                   -cmddirname "volume efficiency show" -vserver SVM1
volume file                              -cmddirname "volume file" -vserver SVM1
volume file clone                        -cmddirname "volume file clone" -vserver SVM1
volume file clone create                 -cmddirname "volume file clone create" -vserver SVM1
volume modify                            -cmddirname "volume modify" -vserver SVM1
volume mount                             -cmddirname "volume mount" -vserver SVM1
volume offline                           -cmddirname "volume offline" -vserver SVM1
volume show                              -cmddirname "volume show" -vserver SVM1
volume size                              -cmddirname "volume size" -vserver SVM1
volume snapshot create                   -cmddirname "volume snapshot create" -vserver SVM1
volume snapshot delete                   -cmddirname "volume snapshot delete" -vserver SVM1
volume snapshot restore                  -cmddirname "volume snapshot restore" -vserver SVM1
volume unmount                           -cmddirname "volume unmount" -vserver SVM1
vserver export-policy rule show          -cmddirname "vserver export-policy rule show" -vserver SVM1
vserver export-policy show               -cmddirname "vserver export-policy show" -vserver SVM1
vserver fcp initiator show               -cmddirname "vserver fcp initiator show" -vserver SVM1
vserver fcp show                         -cmddirname "vserver fcp show" -vserver SVM1
vserver fcp status                       -cmddirname "vserver fcp status" -vserver SVM1
vserver iscsi connection show            -cmddirname "vserver iscsi connection show" -vserver SVM1
vserver iscsi interface accesslist add   -cmddirname "vserver iscsi interface accesslist add" -vserver SVM1
vserver iscsi interface accesslist show  -cmddirname "vserver iscsi interface accesslist show" -vserver SVM1
vserver iscsi isns query                 -cmddirname "vserver iscsi isns query" -vserver SVM1
vserver iscsi nodename                   -cmddirname "vserver iscsi nodename" -vserver SVM1
vserver iscsi session show               -cmddirname "vserver iscsi session show" -vserver SVM1
vserver iscsi show                       -cmddirname "vserver iscsi show" -vserver SVM1
vserver iscsi status                     -cmddirname "vserver iscsi status" -vserver SVM1
vserver nfs status                       -cmddirname "vserver nfs status" -vserver SVM1
vserver services dns hosts show          -cmddirname "vserver services dns hosts show" -vserver SVM1
vserver services unix-group create       -cmddirname "vserver services unix-group create" -vserver SVM1
vserver services unix-group show         -cmddirname "vserver services unix-group show" -vserver SVM1
vserver services unix-user create        -cmddirname "vserver services unix-user create" -vserver SVM1
vserver services unix-user show          -cmddirname "vserver services unix-user show" -vserver SVM1

CLI commands for creating cluster roles

Each row gives the -cmddirname and -vserver parameters to pass to security login role create (together with -role and -access) to grant that command directory to a role on the admin vserver ArkCluster; two rows show the complete command as it was run for the role bainew1:

Command directory name                   Command to be run
---------------------------------------- ----------------------------------------------------------------
cluster identity show                    -cmddirname "cluster identity show" -vserver ArkCluster
event                                    -cmddirname "event" -vserver ArkCluster
event config                             -cmddirname "event config" -vserver ArkCluster
event destination                        -cmddirname "event destination" -vserver ArkCluster
event log                                -cmddirname "event log" -vserver ArkCluster
event mailhistory                        -cmddirname "event mailhistory" -vserver ArkCluster
event route                              -cmddirname "event route" -vserver ArkCluster
event snmphistory                        -cmddirname "event snmphistory" -vserver ArkCluster
event status                             -cmddirname "event status" -vserver ArkCluster
fcp                                      -cmddirname "fcp" -vserver ArkCluster
iscsi                                    -cmddirname "iscsi" -vserver ArkCluster
lun comment                              -cmddirname "lun comment" -vserver ArkCluster
lun create                               -cmddirname "lun create" -vserver ArkCluster
lun delete                               -cmddirname "lun delete" -vserver ArkCluster
lun geometry                             -cmddirname "lun geometry" -vserver ArkCluster
lun igroup add                           -cmddirname "lun igroup add" -vserver ArkCluster
lun igroup create                        -cmddirname "lun igroup create" -vserver ArkCluster
lun igroup set                           -cmddirname "lun igroup set" -vserver ArkCluster
lun igroup show                          -cmddirname "lun igroup show" -vserver ArkCluster
lun map                                  -cmddirname "lun map" -vserver ArkCluster
lun mapped show                          -cmddirname "lun mapped show" -vserver ArkCluster
lun modify                               -cmddirname "lun modify" -vserver ArkCluster
lun move                                 -cmddirname "lun move" -vserver ArkCluster
lun offline                              -cmddirname "lun offline" -vserver ArkCluster
lun online                               -cmddirname "lun online" -vserver ArkCluster
lun resize                               -cmddirname "lun resize" -vserver ArkCluster
lun show                                 -cmddirname "lun show" -vserver ArkCluster
lun unmap                                -cmddirname "lun unmap" -vserver ArkCluster
network                                  -cmddirname "network" -vserver ArkCluster
network fcp adapter show                 -cmddirname "network fcp adapter show" -vserver ArkCluster
network interface show                   -cmddirname "network interface show" -vserver ArkCluster
nfs                                      -cmddirname "nfs" -vserver ArkCluster
options                                  -cmddirname "options" -vserver ArkCluster
security login role show                 -cmddirname "security login role show" -vserver ArkCluster
security login show                      -cmddirname "security login show" -vserver ArkCluster
snapmirror                               -cmddirname "snapmirror" -vserver ArkCluster
storage aggregate                        -cmddirname "storage aggregate" -vserver ArkCluster
system license show                      -cmddirname "system license show" -vserver ArkCluster
system node                              -cmddirname "system node" -vserver ArkCluster
system node autosupport                  -cmddirname "system node autosupport" -vserver ArkCluster
system node autosupport invoke           -cmddirname "system node autosupport invoke" -vserver ArkCluster
system node show                         -cmddirname "system node show" -vserver ArkCluster
system node run                          -cmddirname "system node run" -vserver ArkCluster
system services ndmp                     -cmddirname "system services ndmp" -vserver ArkCluster
version                                  -cmddirname "version" -vserver ArkCluster
version                                  security login role create -role bainew1 -vserver SnapCreator -cmddirname "version" -access readonly
vserver export-policy rule create        -cmddirname "vserver export-policy rule create" -vserver ArkCluster
vserver export-policy rule show          -cmddirname "vserver export-policy rule show" -vserver ArkCluster
vserver export-policy show               -cmddirname "vserver export-policy show" -vserver ArkCluster
vserver fcp initiator show               -cmddirname "vserver fcp initiator show" -vserver ArkCluster
vserver fcp show                         -cmddirname "vserver fcp show" -vserver ArkCluster
vserver fcp status                       -cmddirname "vserver fcp status" -vserver ArkCluster
vserver iscsi connection show            -cmddirname "vserver iscsi connection show" -vserver ArkCluster
vserver iscsi interface accesslist add   -cmddirname "vserver iscsi interface accesslist add" -vserver ArkCluster
vserver iscsi interface accesslist show  -cmddirname "vserver iscsi interface accesslist show" -vserver ArkCluster
vserver iscsi nodename                   -cmddirname "vserver iscsi nodename" -vserver ArkCluster
vserver iscsi session show               -cmddirname "vserver iscsi session show" -vserver ArkCluster
vserver iscsi show                       -cmddirname "vserver iscsi show" -vserver ArkCluster
vserver iscsi status                     -cmddirname "vserver iscsi status" -vserver ArkCluster
vserver nfs status                       -cmddirname "vserver nfs status" -vserver ArkCluster
vserver services unix-group create       -cmddirname "vserver services unix-group create" -vserver ArkCluster
vserver services unix-user create        -cmddirname "vserver services unix-user create" -vserver ArkCluster
vserver services unix-group show         -cmddirname "vserver services unix-group show" -vserver ArkCluster
vserver services unix-user show          -cmddirname "vserver services unix-user show" -vserver ArkCluster
vserver show                             -cmddirname "vserver show" -vserver ArkCluster
volume autosize                          -cmddirname "volume autosize" -vserver ArkCluster
volume clone create                      -cmddirname "volume clone create" -vserver ArkCluster
volume create                            -cmddirname "volume create" -vserver ArkCluster
volume destroy                           -cmddirname "volume destroy" -vserver ArkCluster
volume efficiency off                    -cmddirname "volume efficiency off" -vserver ArkCluster
volume efficiency on                     -cmddirname "volume efficiency on" -vserver ArkCluster
volume efficiency show                   -cmddirname "volume efficiency show" -vserver ArkCluster
volume efficiency start                  -cmddirname "volume efficiency start" -vserver ArkCluster
volume file                              -cmddirname "volume file" -vserver ArkCluster
volume file clone create                 -cmddirname "volume file clone create" -vserver ArkCluster
volume file show-disk-usage              security login role create -role bainew1 -vserver SnapCreator -cmddirname "volume file show-disk-usage" -access all
volume modify                            -cmddirname "volume modify" -vserver ArkCluster
volume offline                           -cmddirname "volume offline" -vserver ArkCluster
volume show                              -cmddirname "volume show" -vserver ArkCluster
volume size                              -cmddirname "volume size" -vserver ArkCluster
volume snapshot create                   -cmddirname "volume snapshot create" -vserver ArkCluster
volume unmount                           -cmddirname "volume unmount" -vserver ArkCluster

Conclusion

In NetApp Cluster mode there is no group concept: capabilities are added to a role, and the role is assigned directly to the user.
