6 Replies Latest reply: Mar 2, 2012 2:14 AM by anton_oks

"Read only" cli- user

xavierpitz Novice

Hello,

I would like to configure on our NetApp storage systems a user who will be allowed to connect via ssh, and who will only be allowed non-modifying commands.

For example, I would like to allow him commands like these:

vol status <volname>

aggr status -r (or -s / -f)

rdfile <filepath>

snap list

lun show -m -g <igroup_name>

But not allow him commands like these:

vol size <volname> +Xg

aggr add <aggr_name> <ndisks> / aggr offline <aggr_name>

wrfile <filepath>

snap delete

lun offline <lunpath>

Does someone know if such a role with the corresponding capabilities exists (or already has one)?

If not, where can I find an exhaustive list of all existing capabilities so that I can build such a role?

Best Regards,

    • Re: "Read only" cli- user
      xavierpitz Novice

      Hello,

      As you mentioned, the "Role-Based Access Controls in Data ONTAP™: Granular Administration of Capabilities" doc is a great one.

      It explains (with examples) how to implement RBAC.

      At the end of the document (page 9), there's a list of all cli- capabilities.

      The problem is that this document is now 4+ years old.

      I'm sure that, since then, new capabilities have been implemented in DOT.

      I was not able to find any up-to-date list of implemented capabilities for DOT 7.2.4, 7.2.5, 7.2.6 or 7.3.

      I would be really interested in a per-release exhaustive list of implemented capabilities.

      Moreover, with such year-2004 capabilities, when for example cli-aggr-* is granted to a role, a user with that role assigned will not only be able to perform "aggr status -r/-s/-f" but also aggr offline/destroy commands.

      I want to be more granular than that.

      I hope that this is possible with the new capabilities that were probably introduced in DOT since then.

      It would be really great if someone has already implemented such a role that is limited to "read-only" cli- capabilities.

      Regards,

      • Re: "Read only" cli- user
        donaldmann Sprinter

        OnTap sysadmin guide seems to be a good place to start for any changes to this capability.

        I'm looking in the 7.3 sysadmin guide http://now.netapp.com/NOW/knowledge/docs/ontap/rel73/pdfs/ontap/sysadmin.pdf

        There is a filerview-readonly option - GUI only of course.

        On page 109:

        Grants the specified role read-only access to FilerView. This capability type includes only the filerview-readonly capability, which grants the specified role the capability to view but not change manageable objects on systems managed by FilerView.

        Note: There is no predefined role or group for read-only FilerView access. You must first assign the filerview-readonly capability to a role and then assign the role to a group, before you can create a user in such a group.

        • Re: "Read only" cli- user
          xavierpitz Novice

          Hello,

          A colleague already informed me about this filerview-readonly capability that was introduced in DOT 7.3.

          On page 107 of the "Data ONTAP® 7.3 System Administration Guide", there is a short list of capabilities present in DOT 7.3.

          Does anybody know if I can find an exhaustive per-release capability list?

          Some of our systems are still running DOT 7.2, and anyway my goal is to define a read-only role for cli- commands.

          It would be great if I could add a bunch of cli- capabilities into a role so that it would behave like the filerview-readonly role, but on the cli side.

          I already tried with cli-readonly, also on DOT 7.3, but there's no such capability defined yet.

          To be granular I need to know all capabilities that exist; I really searched for this, and I was not able to find such a list yet.

          Regards,
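As an added example (not from the thread or from NetApp), a small Python planner for the dilemma raised in the original question and in xavierpitz's cli-aggr-* reply: it takes the allowed and forbidden command lists from the question, applies the per-command granularity described there (a cli-<command>* capability covers every subcommand), and reports which capabilities can be granted without also covering a forbidden command, then emits the 7-mode useradmin role/group/user sequence for those. The role, group and user names and the sample command lines are placeholders I constructed.

```python
"""Least-privilege planner for a Data ONTAP 7-mode cli- role (added example,
not NetApp code).  Model, as stated in the thread: a cli- capability covers a
whole command (cli-aggr* grants every "aggr" subcommand), so read-only and
modifying subcommands of one command cannot be separated."""
from fnmatch import fnmatchcase

# Constructed sample, taken from the command lists in the original question.
ALLOW = ["vol status vol1", "aggr status -r", "rdfile /etc/rc",
         "snap list", "lun show -m -g ig1"]
DENY = ["vol size vol1 +10g", "aggr add aggr1 3", "aggr offline aggr1",
        "wrfile /etc/rc", "snap delete", "lun offline /vol/vol1/lun0"]


def capability_for(command):
    """cli- capability that covers a command line (keyed on the command name)."""
    return "cli-%s*" % command.split()[0]


def covers(capability, command):
    """True if a role holding `capability` may run `command` (wildcard match)."""
    return fnmatchcase("cli-" + command.split()[0], capability)


def plan_role(allow, deny):
    """Return (grantable, conflicts): capabilities needed for `allow` that do not
    also cover any `deny` command, and those that would leak denied commands."""
    grantable, conflicts = [], {}
    for cap in sorted({capability_for(c) for c in allow}):
        leaked = [d for d in deny if covers(cap, d)]
        if leaked:
            conflicts[cap] = leaked      # granting cap would over-privilege
        else:
            grantable.append(cap)
    return grantable, conflicts


def useradmin_commands(role, group, user, caps):
    """7-mode useradmin sequence: role -> group -> user.  login-ssh is added so
    the account can open the ssh session at all (placeholder names)."""
    caps = ["login-ssh"] + list(caps)
    return ["useradmin role add %s -a %s" % (role, ",".join(caps)),
            "useradmin group add %s -r %s" % (group, role),
            "useradmin user add %s -g %s" % (user, group)]


if __name__ == "__main__":
    grantable, conflicts = plan_role(ALLOW, DENY)
    for cap, leaked in conflicts.items():
        print("cannot grant %s: would also allow %s" % (cap, "; ".join(leaked)))
    for line in useradmin_commands("ro_cli", "ro_cli_grp", "auditor", grantable):
        print(line)
```

With the thread's own lists, only cli-rdfile* survives: every other wanted capability also covers a forbidden subcommand, which is exactly the granularity gap the replies describe.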
