Configure user roles and privileges
You can configure new user roles and privileges for managing storage backends using the JSON file provided with ONTAP tools and ONTAP System Manager.
What you'll need
- You should have downloaded the ONTAP Privileges file from ONTAP tools using https://<loadbalancerIP>:8443/virtualization/user-privileges/users_roles.zip. You can create users at cluster level or at the direct storage virtual machine (SVM) level. You can also create users without using the user_roles.json file; if you do so, the user needs a minimum set of privileges at the SVM level.
- You should have logged in with administrator privileges for the storage backend.
Steps
- Extract the downloaded https://<loadbalancerIP>:8443/virtualization/user-privileges/users_roles.zip file.
- Access ONTAP System Manager. To access ONTAP System Manager, use the cluster management IP of the cluster.
- Log in as the cluster or SVM user.
- Select CLUSTER > Settings > Users and Roles pane.
- Select Add under Users.
- In the Add User dialog box, select Virtualization products.
- Select Browse to select and upload the ONTAP Privileges JSON file. The PRODUCT field is auto-populated.
- Select the required capability from the PRODUCT CAPABILITY drop-down menu. The ROLE field is auto-populated based on the product capability selected.
- Enter the required username and password.
- Select the privileges (Discovery, Create Storage, Modify Storage, Destroy Storage, NAS/SAN Role) required for the user, and then click Add.
The new role and user are added, and you can see the detailed privileges under the role that you have configured.
The uninstall operation does not remove ONTAP tool roles but removes the localized names for the ONTAP tool specific privileges and appends the prefix XXX missing privilege to them. When you reinstall ONTAP tools or upgrade to a newer version of the ONTAP tools, all of the standard ONTAP tools roles and ONTAP tools-specific privileges are restored.
SVM aggregate mapping requirements
To use direct SVM credentials for provisioning datastores, ONTAP tools internally creates volumes on the aggregate specified in the datastores POST API. ONTAP does not allow the creation of volumes on aggregates that are not mapped to an SVM when direct SVM credentials are used. To resolve this, map the SVM to the aggregates using the REST API or the CLI, as described here.
REST API:
PATCH "/api/svm/svms/f16f0935-5281-11e8-b94d-005056b46485" '{"aggregates":{"name":["aggr1","aggr2","aggr3"]}}'
ONTAP CLI:
vserver show-aggregates
                                             Available
Vserver   Aggregate                  State       Size Type    SnapLock Type
--------- -------------------------- ------- -------- ------- --------------
svm_test  sti115_vsim_ucs630f_aggr1  online   10.11GB vmdisk  non-snaplock
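The following is an added example (not NetApp code) of the check a practitioner would run before issuing the PATCH above: read the aggregates already mapped to the SVM, work out which of the wanted ones are missing, and assemble the PATCH body in the shape the page shows. The SVM GET response is constructed sample data and the UUID is the one from the page; the example assumes that the PATCH replaces the SVM's whole aggregate list (so it keeps the already-mapped aggregates in the body) and leaves sending the request to the caller, so it runs offline.

```python
"""Plan the SVM-to-aggregate mapping PATCH from the page, offline.

Added example, not NetApp code. SAMPLE_SVM_GET is a constructed stand-in for
GET /api/svm/svms/{uuid}?fields=aggregates. Assumption: PATCH on
/api/svm/svms/{uuid} with {"aggregates": {"name": [...]}} replaces the whole
list, so already-mapped aggregates are carried over rather than dropped.
"""
import base64
import json
import urllib.request
from typing import Dict, List, Tuple

SAMPLE_SVM_UUID = "f16f0935-5281-11e8-b94d-005056b46485"  # UUID from the page
SAMPLE_SVM_GET = {  # constructed: SVM that currently has only aggr1 mapped
    "uuid": SAMPLE_SVM_UUID,
    "name": "svm_test",
    "aggregates": [{"name": "aggr1", "uuid": "00000000-0000-0000-0000-000000000001"}],
}


def mapped_aggregates(svm: Dict) -> List[str]:
    """Aggregate names currently mapped to the SVM (empty if none)."""
    return [a["name"] for a in svm.get("aggregates", [])]


def missing_aggregates(svm: Dict, wanted: List[str]) -> List[str]:
    """Aggregates in 'wanted' that the SVM is not yet mapped to, in order."""
    have = set(mapped_aggregates(svm))
    return [name for name in wanted if name not in have]


def build_patch(svm_uuid: str, svm: Dict, wanted: List[str]) -> Tuple[str, Dict]:
    """Return (path, body) for the PATCH that maps the SVM to 'wanted'.

    The body lists the already-mapped aggregates first and then the missing
    ones, because the PATCH is assumed to replace the full list.
    """
    names = mapped_aggregates(svm) + missing_aggregates(svm, wanted)
    return f"/api/svm/svms/{svm_uuid}", {"aggregates": {"name": names}}


def build_request(base_url: str, path: str, body: Dict,
                  user: str, password: str) -> urllib.request.Request:
    """Assemble the PATCH as a urllib Request without sending it.

    ONTAP REST accepts HTTP Basic authentication for password users; the
    caller opens it with urllib.request.urlopen over HTTPS with a verified
    certificate.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def describe_request(req: urllib.request.Request) -> Tuple[str, str, Dict]:
    """(method, URL, decoded JSON body) of a prepared request, for review."""
    return req.get_method(), req.full_url, json.loads(req.data)


if __name__ == "__main__":
    wanted = ["aggr1", "aggr2", "aggr3"]
    print("missing:", missing_aggregates(SAMPLE_SVM_GET, wanted))
    path, body = build_patch(SAMPLE_SVM_UUID, SAMPLE_SVM_GET, wanted)
    req = build_request("https://cluster-mgmt.example", path, body, "svm_admin", "hypothetical")
    print(describe_request(req))
```

On a real cluster, replace SAMPLE_SVM_GET with the decoded response of the GET call and open the returned request; if `missing_aggregates` is empty there is nothing to PATCH.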
Create ONTAP user and role manually
Follow the instructions in this section to create the user and roles manually without using the JSON file.
- Access ONTAP System Manager. To access ONTAP System Manager, use the cluster management IP of the cluster.
- Log in as the cluster or SVM user.
- Select CLUSTER > Settings > Users and Roles pane.
- Create Roles:
  - Select Add under the Roles table.
  - Enter the ROLE NAME and Role Attributes details. Add the REST API PATH and the respective access from the drop-down.
  - Add all the needed APIs and save the changes.
- Create Users:
  - Select Add under the Users table.
  - In the Add User dialog box, select System Manager.
  - Enter the USERNAME.
  - Select the ROLE from the options created in the Create Roles step above.
  - Enter the applications to give access to and the authentication method. ONTAPI and HTTP are the required applications, and the authentication type is Password.
  - Set the Password for the user and save the user.
List of minimum privileges required for non-admin global scoped cluster user
The minimum privileges required for a non-admin, global-scoped cluster user created without using the users JSON file are listed in this section. If the cluster is added in local scope, it is recommended to use the JSON file to create the users, because ONTAP tools require more than just Read privileges for provisioning on ONTAP.
Using APIs:
| API | ACCESS LEVEL | USED FOR |
| --- | --- | --- |
| /api/cluster | Read-Only | Cluster configuration discovery |
| /api/cluster/licensing/licenses | Read-Only | License check for protocol-specific licenses |
| /api/cluster/nodes | Read-Only | Platform type discovery |
| /api/storage/aggregates | Read-Only | Aggregate space check during datastore/volume provisioning |
| /api/storage/cluster | Read-Only | To get the cluster-level space and efficiency data |
| /api/storage/disks | Read-Only | To get the disks associated with an aggregate |
| /api/storage/qos/policies | Read/Create/Modify | QoS and VM policy management |
| /api/svm/svms | Read-Only | To get SVM configuration in case the cluster is added locally |
| /api/network/ip/interfaces | Read-Only | Add Storage Backend: to identify whether the management LIF scope is Cluster or SVM |
| /api | Read-Only | The cluster user must have this privilege to get the correct storage backend status. Otherwise, the ONTAP tools Manager UI shows "unknown" storage backend status. |
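The following is an added example (not NetApp code) that serves both the manual role creation section above and this table: it audits an existing ONTAP REST role against the minimum privileges listed here and builds the POST /api/security/roles body for a role that carries exactly them. ROLE_ON_CLUSTER is a constructed sample of a role as returned by GET /api/security/roles, with two deliberate gaps (no rule for /api, and only Read-Only on /api/storage/qos/policies) so the audit has something to report. Two things are assumptions to confirm against your ONTAP version: that a rule on a parent path (such as /api/storage) applies to sub-paths that have no more specific rule, and that the REST access value read_create_modify is the one corresponding to the table's Read/Create/Modify.

```python
"""Audit an ONTAP REST role against the page's minimum-privilege table.

Added example, not NetApp code. ROLE_ON_CLUSTER is constructed sample data.
Assumptions: (1) the most specific rule whose path is the endpoint or a
parent of it decides access (ONTAP path inheritance); (2) the access values
none/readonly/read_create/read_modify/read_create_modify/all are ONTAP's
REST role access levels, with read_create_modify standing in for the
table's "Read/Create/Modify".
"""
from typing import Dict, List, Tuple

# Minimum privileges from the table: endpoint -> required access.
MINIMUM_PRIVILEGES: Dict[str, str] = {
    "/api": "readonly",
    "/api/cluster": "readonly",
    "/api/cluster/licensing/licenses": "readonly",
    "/api/cluster/nodes": "readonly",
    "/api/storage/aggregates": "readonly",
    "/api/storage/cluster": "readonly",
    "/api/storage/disks": "readonly",
    "/api/storage/qos/policies": "read_create_modify",
    "/api/svm/svms": "readonly",
    "/api/network/ip/interfaces": "readonly",
}

# What each access level lets the role do on an endpoint (assumption 2).
CAPABILITIES: Dict[str, frozenset] = {
    "none": frozenset(),
    "readonly": frozenset({"read"}),
    "read_create": frozenset({"read", "create"}),
    "read_modify": frozenset({"read", "modify"}),
    "read_create_modify": frozenset({"read", "create", "modify"}),
    "all": frozenset({"read", "create", "modify", "delete"}),
}

# Constructed sample: a hand-built role with two gaps relative to the table.
ROLE_ON_CLUSTER: Dict = {
    "name": "otv_handmade",
    "owner": {"name": "cluster1"},
    "privileges": [
        {"path": "/api/cluster", "access": "readonly"},
        {"path": "/api/storage", "access": "readonly"},  # covers aggregates, cluster, disks
        {"path": "/api/storage/qos/policies", "access": "readonly"},  # too weak
        {"path": "/api/svm/svms", "access": "readonly"},
        {"path": "/api/network/ip/interfaces", "access": "readonly"},
    ],  # no rule for /api itself, so the backend status would show "unknown"
}


def effective_access(role: Dict, path: str) -> str:
    """Access the role grants on 'path' under assumption 1; 'none' if no rule applies."""
    best, best_len = "none", -1
    for rule in role.get("privileges", []):
        p = rule["path"].rstrip("/")
        if (path == p or path.startswith(p + "/")) and len(p) > best_len:
            best, best_len = rule["access"], len(p)
    return best


def audit_role(role: Dict,
               required: Dict[str, str] = MINIMUM_PRIVILEGES) -> List[Tuple[str, str, str]]:
    """Return (path, required, granted) for every requirement the role fails."""
    failures = []
    for path, need in required.items():
        got = effective_access(role, path)
        if not CAPABILITIES[need] <= CAPABILITIES.get(got, frozenset()):
            failures.append((path, need, got))
    return failures


def minimal_role_body(name: str,
                      required: Dict[str, str] = MINIMUM_PRIVILEGES) -> Dict:
    """Body for POST /api/security/roles: a role with exactly the minimum
    privileges (the same REST API PATH / access pairs entered in the
    Roles dialog of System Manager)."""
    return {
        "name": name,
        "privileges": [{"path": p, "access": a} for p, a in sorted(required.items())],
    }


if __name__ == "__main__":
    for path, need, got in audit_role(ROLE_ON_CLUSTER):
        print(f"{path}: requires {need}, role grants {got}")
    print(minimal_role_body("otv_minimum"))
```

Run the audit on the decoded JSON of GET /api/security/roles/{owner.uuid}/{name} for the role you assigned to the ONTAP tools user; an empty list means every endpoint in the table is covered at the required level, and each reported tuple names the endpoint to fix in the Roles dialog.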