Can Veritas CommandCentral Storage (CCS) complete discovery with a read only account for Network Appliance filers?
Problem: The customer's Storage Administrator may not be willing to grant applications or service identities administrative access for discovery purposes. The caveat is that the array cannot then be managed from the application, leaving options such as LUN creation or destruction nonfunctional.
Error:
No Arrays support LUN creation
User 'Named' denied access - missing required capability: 'Capability_unassigned'
(where 'Capability_unassigned' is the missing capability, for example 'cli-vfiler', and 'Named' is the user ID)
Environment:
NetApp ONTAPI
CCS 5.2RU2
VERSION=5.2RU2
FIXID=F520022590954
FIXID=F520022567036
VERSION=5.2RU3
Cause: Full functionality is designed to work with a user that has full root access.
Solution: No code changes are required on the CCS application side to use this behavior. Using Network Appliance (NetApp) tools, a root-capable user should create a new ReadOnly user, and that user's credentials are then used in the CCS device configuration. Note: explanations of the capabilities in the installed NetApp ONTAPI version are available in the Role-Based Access Control for Data manual. As an example:
The technique demonstrated relies on the useradmin command as documented for Data ONTAP® <version>. The configuration change requires the creation of a new user, a group and roles. Roles are plural because a single command would exceed the line-length limitation of the command line, so a second role is required as a workaround.

Requirements:
- Root-equivalent access to the NetApp telnet console, as the steps are performed from the command line and not from Operations Manager or the GUI.
- Knowledge of the NetApp filer server name, IP and the ports opened from the CCS Management Server (MS) to the NetApp filer(s) through any firewalls: 80 HTTP over TCP/IP for ONTAPI discovery and SICL-based monitoring.
- Admin access to the CCS Console GUI with the ability to add devices to the configuration.
See the attached Technical articles for configuration and connection requirements between the CCS Control Host (CH) and the filer(s).

Steps:
Prior to configuring the device from the CCS MS there must be valid credentials. Note: if the configuration steps in the application are completed before the filer user is created, the Administrator of the filer will see errors in the NetApp syslog similar to:

Tue Jan 31 16:19:22 PST [FilerName: useradmin.unauthorized.user:warning]: User 'ReadOnly' denied access - missing required capability: 'login-http-admin'

Connect to the filer via ssh / telnet and log in as a root-equivalent user with the capabilities required to create a new user.

1) Create a new group for the ReadOnly user:

netfiler01> useradmin group add RO_Group
Sat Feb 3 17:05:00 PST [netfiler01: useradmin.added.deleted:info]: The group 'RO_Group' has been added.

2) Create the user and assign it to the new group:

netfiler01> useradmin user add ReadOnly -g RO_Group
User <ReadOnly> added.

3) Create the roles required with the appropriate capabilities. Note: the capability list must be contiguous on a single line.
Note: If the line length is exceeded, there will be a failure such as:
- when an entry is truncated: Error: Invalid capability
- when the line itself is exceeded: not found. Type '?' for a list of commands

netfiler01> useradmin role add RO_role_1 -a api-aggr-get-root-name,api-aggr-list-info,api-cifs-share-list-iter-start,api-disk-list-info,api-fcp-adapter-initiators-list-info,api-fcp-adapter-list-info,api-fcp-get-cfmode,api-igroup-list-info,api-iscsi-adapter-initiators-list-info,api-iscsi-adapter-list-info,api-iscsi-node-get-name,api-license-list-info,api-lun-get-serial-number,api-lun-get-space-reservation-info,api-lun-list-info,api-lun-map-list-info,api-nfs-exportfs-list-rules,api-perf-object-get-instances,api-qtree-list,api-quota-report-iter-start,api-quota-status,api-snapmirror-get-status,api-snapmirror-list-schedule,api-snapmirror-list-sync-schedule,api-snapshot-get-reserve,api-snapshot-get-schedule,api-snapshot-list-info,api-snapshot-reserve-list-info,api-snapshot-volume-info,api-system-cli,api-system-get-info,api-system-get-ontapi-version,api-system-get-version,api-vfiler-list-info,api-volume-get-root-name,api-volume-list-info,login-http-admin,api-cifs-share-list-iter-next

To assign the remaining capabilities and stay under the line limit, create a second role:

netfiler01> useradmin role add RO_role_2 -a api-vfiler-get-status,api-quota-report-iter-next,cli-priv,cli-version,cli-sysconfig,cli-cf,cli-nis,cli-aggr,cli-vol,cli-vfiler,security-api-vfiler,cli-lun,cli-ifconfig,cli-storage
Sat Feb 3 17:21:00 PST [netfiler01: useradmin.added.deleted:info]: The role 'RO_role_2' has been added.

4) Add your roles to the group created previously:

netfiler01> useradmin group modify RO_Group -r RO_role_1,RO_role_2
Sat Feb 3 17:24:00 PST [netfiler01: useradmin.added.deleted:info]: The group 'RO_Group' has been modified.
5) Confirm you have the expected capabilities:

netfiler01> useradmin user list ReadOnly

The ReadOnly user should now also be able to log in to the filer console to view status; test it to confirm that no changes can be committed. The NetApp configuration is complete and the storage administrator can now log in to the CCS admin GUI Console.
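The following Python helper is an added example and is not part of this article or of the Veritas or NetApp tools. It covers two chores from the steps above: it splits the capability list into as many "useradmin role add" commands as are needed to stay under a chosen line length (the reason the article needs RO_role_1 and RO_role_2), generates the matching "useradmin group modify" command, and parses the useradmin.unauthorized.user syslog warnings so that any capability the filer reports as missing can be appended to the list before the roles are created. The capability names are copied from the commands above; the line-length limit (the article does not state the filer's actual limit), the sample syslog lines and the role name prefix are assumptions.

```python
"""Helpers for building the NetApp read-only role described in the article (added example)."""
import re
from typing import Dict, Iterable, List, Set

# Capabilities the article assigns across RO_role_1 and RO_role_2, copied from the page.
CCS_READONLY_CAPABILITIES: List[str] = [
    "api-aggr-get-root-name", "api-aggr-list-info", "api-cifs-share-list-iter-start",
    "api-disk-list-info", "api-fcp-adapter-initiators-list-info", "api-fcp-adapter-list-info",
    "api-fcp-get-cfmode", "api-igroup-list-info", "api-iscsi-adapter-initiators-list-info",
    "api-iscsi-adapter-list-info", "api-iscsi-node-get-name", "api-license-list-info",
    "api-lun-get-serial-number", "api-lun-get-space-reservation-info", "api-lun-list-info",
    "api-lun-map-list-info", "api-nfs-exportfs-list-rules", "api-perf-object-get-instances",
    "api-qtree-list", "api-quota-report-iter-start", "api-quota-status",
    "api-snapmirror-get-status", "api-snapmirror-list-schedule",
    "api-snapmirror-list-sync-schedule", "api-snapshot-get-reserve",
    "api-snapshot-get-schedule", "api-snapshot-list-info", "api-snapshot-reserve-list-info",
    "api-snapshot-volume-info", "api-system-cli", "api-system-get-info",
    "api-system-get-ontapi-version", "api-system-get-version", "api-vfiler-list-info",
    "api-volume-get-root-name", "api-volume-list-info", "login-http-admin",
    "api-cifs-share-list-iter-next", "api-vfiler-get-status", "api-quota-report-iter-next",
    "cli-priv", "cli-version", "cli-sysconfig", "cli-cf", "cli-nis", "cli-aggr", "cli-vol",
    "cli-vfiler", "security-api-vfiler", "cli-lun", "cli-ifconfig", "cli-storage",
]

# Matches the warning the article quotes from the NetApp syslog, e.g.
# ... [FilerName: useradmin.unauthorized.user:warning]: User 'ReadOnly' denied access
#     - missing required capability: 'login-http-admin'
DENIED_RE = re.compile(
    r"useradmin\.unauthorized\.user:warning\]: User '(?P<user>[^']+)' denied access"
    r" - missing required capability: '(?P<cap>[^']+)'"
)

# Constructed sample syslog lines (not taken from a real filer).
SAMPLE_SYSLOG: List[str] = [
    "Tue Jan 31 16:19:22 PST [netfiler01: useradmin.unauthorized.user:warning]: "
    "User 'ReadOnly' denied access - missing required capability: 'login-http-admin'",
    "Tue Jan 31 16:19:23 PST [netfiler01: useradmin.unauthorized.user:warning]: "
    "User 'ReadOnly' denied access - missing required capability: 'cli-vfiler'",
    "Tue Jan 31 16:19:24 PST [netfiler01: useradmin.unauthorized.user:warning]: "
    "User 'ReadOnly' denied access - missing required capability: 'login-http-admin'",
    "Sat Feb 3 17:05:00 PST [netfiler01: useradmin.added.deleted:info]: "
    "The group 'RO_Group' has been added.",
]


def missing_capabilities(syslog_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {user: sorted list of capabilities the filer denied} from syslog lines."""
    found: Dict[str, Set[str]] = {}
    for line in syslog_lines:
        match = DENIED_RE.search(line)
        if match:
            found.setdefault(match.group("user"), set()).add(match.group("cap"))
    return {user: sorted(caps) for user, caps in found.items()}


def extend_with_denied(capabilities: Iterable[str], syslog_lines: Iterable[str],
                       user: str) -> List[str]:
    """Append to the capability list anything the filer logged as missing for `user`."""
    caps = list(capabilities)
    extra = [c for c in missing_capabilities(syslog_lines).get(user, []) if c not in caps]
    return caps + extra


def _render(role_name: str, caps: List[str]) -> str:
    return f"useradmin role add {role_name} -a {','.join(caps)}"


def role_add_commands(capabilities: Iterable[str], role_prefix: str = "RO_role",
                      max_line_len: int = 1024) -> List[str]:
    """Split the capabilities into numbered roles so no command exceeds max_line_len.

    Order is preserved and duplicates are dropped. max_line_len is an assumed
    limit; the article does not state the filer's real command-line maximum.
    """
    seen: Set[str] = set()
    caps: List[str] = []
    for cap in capabilities:
        if cap not in seen:
            seen.add(cap)
            caps.append(cap)
    commands: List[str] = []
    current: List[str] = []
    index = 1
    for cap in caps:
        if len(_render(f"{role_prefix}_{index}", [cap])) > max_line_len:
            raise ValueError(f"capability {cap!r} alone exceeds {max_line_len} characters")
        if current and len(_render(f"{role_prefix}_{index}", current + [cap])) > max_line_len:
            commands.append(_render(f"{role_prefix}_{index}", current))
            index += 1
            current = []
        current.append(cap)
    if current:
        commands.append(_render(f"{role_prefix}_{index}", current))
    return commands


def group_modify_command(group: str, role_commands: List[str]) -> str:
    """Build the `useradmin group modify` line that attaches the generated roles."""
    roles = [cmd.split()[3] for cmd in role_commands]
    return f"useradmin group modify {group} -r {','.join(roles)}"


if __name__ == "__main__":
    wanted = extend_with_denied(CCS_READONLY_CAPABILITIES, SAMPLE_SYSLOG, "ReadOnly")
    cmds = role_add_commands(wanted, max_line_len=1024)
    for cmd in cmds + [group_modify_command("RO_Group", cmds)]:
        print(cmd)
```

Paste the printed lines one at a time at the filer prompt; lowering max_line_len produces more, shorter roles if a filer still reports "Invalid capability" or "not found" on a long line.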
6) Open https://<MS_serverName>:14191
7) Navigate to the page where devices are added: Settings Summary » Configured Devices
8) Configure a new device by selecting Go.
9) In the popup box, choose the device type and vendor, then click Next.
10) Enter the required information correctly and click Next.
11) Using the Verify button, the credentials are confirmed when Next is clicked. Note: a successful status is required to complete the configuration, and clicking Finish returns to the application. Note: there is a time-out value; too great a delay will result in being logged out and will require re-authentication and repetition of the above configuration steps.

Once configuration is completed, full discovery must be allowed to complete, which can take some time, after which the device and explorer show in Normal condition. The application is then populated with the data, and the tabs for access to the data show on the device overview page. The storage administrator can now generate CCS reports and use the NetApp data in rolled-up reports in Veritas CommandCentral Enterprise Reporter.