Video Screencast Help

Can Veritas CommandCentral Storage (CCS) complete discovery with a read only account for Network Appliance filers?

Created: 06 Mar 2012 • Updated: 12 Feb 2013
Language Translations
RodP's picture
+1 1 Vote
Login to vote

 

Problem:

Customer's Storage Administrator may not be willing to allow applications or service identities to have administrative access for discovery purposes.

Caveat is that there will not be the ability to manage the array from the application leaving options such as LUN creation or destruction nonfunctional.

 

Error:

No Arrays support LUN creation

User 'Named' denied access - missing required capability: 'Capability_unassigned'

where 'Capability_unassigned' = the capability like 'cli-vfiler' and 'Named'= userI

Environment:

NetApp Ontapi
8.0.1P5 7-Mode
8.0.1 7-Mode
8.0P5
7.3.3
7.3.2P3
7.3.1.1

CCS 5.2RU2

VERSION=5.2RU2
KIT=5.2.2203.0

FIXID=F520022590954
DATE=Wed Jan 25 13:22:23 2012
DESCRIPTION=CC Storage 5.2RU2 Hotfix for Control Host - NetApp Explorer HotFix#1

FIXID=F520022567036
DATE=Wed Jan 25 13:43:53 2012
DESCRIPTION=CC Storage 5.2RU2 Jumbo Hotfix for Control Hosts
OBSOLETES=F520022533111

 
CCS 5.2RU3

VERSION=5.2RU3
KIT=5.2.2539.0

 

Cause

Full functionality is designed to work with full root access user.

 

Solution

To use this behavior there are no codes changes required on the CCS application side. Using Network Appliance (NetApp)  tools, a root capable user should configure a new ReadOnly user for use as the credentials with CCS device configuration.

Note: explanations of the capabilities in the NetApp Ontapi version installed are available in the Role-Based Access Control for Data manual.

As example:

Capability types.

Capability Type

Description

api

Grants the specified role the capability to execute Data ONTAP API calls. The api-* type includes all of the Data ONTAP API calls. These commands are only available with login-http-admin, so in general, any api-* command must also include this login. The format for this is api-<ontap-api-command>, which means allow a specific command/subcommand. Here, it is possible to list only subcommands, like api-system-get-info, or a command and its subcommands, like api-system-get-* , or even api-system-*.
api-* Grants the specified role all api capabilities.
api-api_call_family-* Grants the specified role the capability to call all API routine in the family api_call_family.
api-api_call Grants the specified role the capability to call the API routine api_call.
Note: You have more fine-grained control of the command set with the api capabilities because you can give subcommand capabilities as well. Users with api capability also require the login-http-admin capability to execute API calls.

Demonstrated technique will rely on the useradmin command as documented in the Data ONTAP® <version>
System Administration Guide

The configuration change will require the creation of a new user, group and roles. Roles are plural as the command will exceed the clipboard limitation of the command line and use of a second role as a workaround is required.

Requirements:

Root equivalent access to the NetApp telnet console as the steps will be performed from the commandline and not Operations Manager or the GUI.

Knowledge of the NetApp filer servername, IP and ports opened from the CCS Management Server (MS) to the NetApp filer(s) through any firewalls:

80  HTTP over TCP/IP  for ONTAPI discovery and SICL-based monitoring
443  HTTPS and SSL over TCP/IP for ONTAPI discovery and SICL-based monitoring
portmap 111 UDP for SICL-based monitoring

Admin access to the CCS Console GUI  with the ability to add devices to the configuration.

See the attached Technical articles for configuration and connection requirements between the CCS Control Host (CH) and the filer(s).

Steps:

Prior to configuring the device from the CCS MS there must be valid credentials.

Note: if the configuration steps in the application are completed prior to the Filer user creation the Administrator of the filer will see errors in the NetApp syslog similar to:

Tue Jan 31 16:19:22 PST [FilerName: useradmin.unauthorized.user:warning]: User 'ReadOnly' denied access - missing required capability: 'login-http-admin'

Connect to the filer via ssh / telnet and login as a root equivalent user with appropriate capabilities to create a new user.

1) Create a new group for the ReadOnly user:

netfiler01> useradmin group add RO_Group

Sat Feb  3 17:05:00 PST[netfiler01: useradmin.added.deleted:info]: The group 'RO_Group' has been added.
Group <RO_Group> added.
 

2) Create the user and assign it to the new group:

netfiler01> useradmin user add ReadOnly -g RO_Group
New password: Un1quePW
Retype new password:Un1quePW

User <ReadOnly> added.
  Sat Feb  3 17:11:00PST [c2107-netfiler01: useradmin.added.deleted:info]: The user 'ReadOnly' has been added.
 

3) Create the roles required with the appropriate capabilities:

Note: These must be contiguous on a single line.

Note: If exceeding the line length, there will be a failure such as:

- when truncated for an entry = Error: Invalid capability

- when exceeded the line = not found.  Type '?' for a list of commands

netfiler01> useradmin role add RO_role_1 -a api-aggr-get-root-name,api-aggr-list-info,api-cifs-share-list-iter-start,api-disk-list-info,api-fcp-adapter-initiators-list-info,api-fcp-adapter-list-info,api-fcp-get-cfmode,api-igroup-list-info,api-iscsi-adapter-initiators-list-info,api-iscsi-adapter-list-info,api-iscsi-node-get-name,api-license-list-info,api-lun-get-serial-number,api-lun-get-space-reservation-info,api-lun-list-info,api-lun-map-list-info,api-nfs-exportfs-list-rules,api-perf-object-get-instances,api-qtree-list,api-quota-report-iter-start,api-quota-status,api-snapmirror-get-status,api-snapmirror-list-schedule,api-snapmirror-list-sync-schedule,api-snapshot-get-reserve,api-snapshot-get-schedule,api-snapshot-list-info,api-snapshot-reserve-list-info,api-snapshot-volume-info,api-system-cli,api-system-get-info,api-system-get-ontapi-version,api-system-get-version,api-vfiler-list-info,api-volume-get-root-name,api-volume-list-info,login-http-admin,api-cifs-share-list-iter-next
Sat Feb  3 17:19:00 PST [netfiler01: useradmin.added.deleted:info]: The role 'RO_role_1' has been added.
Role <RO_role_1> added.

to complete the rest of the capabilities and remain under the line limit create a second role

netfiler01> useradmin role add RO_role_2 -a api-vfiler-get-status,api-quota-report-iter-next,cli-priv,cli-version,cli-sysconfig,cli-cf,cli-nis,cli-aggr,cli-vol,cli-vfiler,security-api-vfiler,cli-lun,cli-ifconfig,cli-storage                    

Sat Feb  3 17:21:00 PST[netfiler01: useradmin.added.deleted:info]: The role 'RO_role_2' has been added.
Role <RO_role_2> added.

4) add your roles to the group previously created:

netfiler01> useradmin group modify ReadOnly -r RO_role_1,RO_role_2

Sat Feb  3 17:24:00 PST [netfiler01: useradmin.added.deleted:info]: The group 'RO_Group' has been modified.
Group <RO_Group> modified.

5) Confirm you have the expected capabilities:

netfiler01> useradmin user list ReadOnly
Name: ReadOnly
Info:
Rid: 131080
Groups: RO_Group
Full Name:
Allowed Capabilities: api-aggr-get-root-name,api-aggr-list-info,api-cifs-share-list-iter-start,api-disk-list-info,api-fcp-adapter-initiators-list-info,api-fcp-adapter-list-info,api-fcp-get-cfmode,api-igroup-list-info,api-iscsi-adapter-initiators-list-info,api-iscsi-adapter-list-info,api-iscsi-node-get-name,api-license-list-info,api-lun-get-serial-number,api-lun-get-space-reservation-info,api-lun-list-info,api-lun-map-list-info,api-nfs-exportfs-list-rules,api-perf-object-get-instances,api-qtree-list,api-quota-report-iter-start,api-quota-status,api-snapmirror-get-status,api-snapmirror-list-schedule,api-snapmirror-list-sync-schedule,api-snapshot-get-reserve,api-snapshot-get-schedule,api-snapshot-list-info,api-snapshot-reserve-list-info,api-snapshot-volume-info,api-system-cli,api-system-get-info,api-system-get-ontapi-version,api-system-get-version,api-vfiler-list-info,api-volume-get-root-name,api-volume-list-info,login-http-admin,api-cifs-share-list-iter-next,api-vfiler-get-status,api-quota-report-iter-next,cli-priv,cli-version,cli-sysconfig,cli-cf,cli-nis,cli-aggr,cli-vol,cli-vfiler,security-api-vfiler,cli-lun,cli-ifconfig,cli-storage
Password min/max age in days: 0/4294967295
Status: enabled

The ReadOnly user should also now be able to login to the filer console to view status and test to ensure there can be no changes committed.

http://netfiler01/na_admin

The NetApp configuration is completed and the storage administrator can now login to the CCS admin GUI Console.

 

6) https://<MS_serverName>:14191

7) Navigate to the devices page where  the functionality of adding a device resides:

  Settings Summary  »   Configured Devices  

8) Configure a new device by selecting Go

9) In the popup box, choose the device type and vendor, then click Next:

10) Enter the required information correctly and click on Next:

11) With the verify button the credentials will be confirmed when Next is clicked:

Note: a successful status is required to complete the configuration and clicking Finish will return back to the application.

Note: there is a time out value and too great of a delay will result in being logged out and require re-authentication and repetition of the above configuration steps.

Once configuration is completed there will be a requirement to allow full discover to complete which can take some time but will show the device and explorer in Normal condition.

The application will then be populated with the  data and the tabs for access to the data show on the device overview page:

The storage administrator can now generate CCS reports, use the NetApp data in rolled up reports to Veritas CommandCentral Enterprise Reporter.