NetApp ONTAP – RBAC User Role Sub-command / Query

ONTAP has rich role-based access control (RBAC) capabilities. One of these extended capabilities is the ability to restrict a user to specific sub-commands and, within a sub-command, to a query that limits which objects the user can see or act on. The sub-command restriction and the query restriction are independent mechanisms; the example below applies both. The example is on my 2-node cluster named cmode-prod. The user “admin3” is created with a locked-down sub-command and a locked-down query allowing only the node root (mroot) aggregate on node2. The node root aggregate contains a system volume named vol0. You could set a query for vol0 directly, but in this example we set the query on the containing aggregate of vol0, with the same result.

  • We will specify a cmddirname “volume show” to allow ONLY the “show” sub-command of “volume”
  • We will specify a query “-aggregate <aggrname>” so that only one specific aggregate can be queried: the node mroot aggregate on node2, named “cmode_prod_02_aggr0”

As admin, run “volume show” to see all volumes. Note that the cluster has no data aggregates, so only each node's vol0 volume is displayed.

ssh admin@cmode-prod

::> volume show

Vserver   Volume       Aggregate    State      Type       Size  Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
cmode-prod-01 vol0     cmode_prod_01_aggr0 online RW 2.50GB   1.48GB   40%
cmode-prod-02 vol0     cmode_prod_02_aggr0 online RW 2.50GB   1.47GB   41%
2 entries were displayed.

Create a new role on cmode-prod that allows the sub-command “volume show” together with a -query

Create an access-control role named “admin3” for the admin (cluster management) Vserver. The role has full (all) access to the “volume show” command, but only for volumes in the “aggr0” aggregate on node2.

::> security login role create -role admin3 -cmddirname "volume show" -query "-aggregate cmode_prod_02_aggr0" -access all -vserver cmode-prod

Create a user “admin3” that uses the locked-down “admin3” role

::> security login create -vserver cmode-prod -username admin3 -role admin3 -application ssh -authmethod password

Log in as admin3 and run “volume show”; you will ONLY see the one volume in the aggregate allowed by the query.

ssh admin3@cmode-prod

::> volume show

Vserver   Volume       Aggregate    State      Type       Size  Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
          vol0         cmode_prod_02_aggr0
                                    online     RW       2.50GB     1.55GB   37%
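As an added check (example code written for this post, not ONTAP's own tooling), the following Python parses the fixed-width, wrapped output of “volume show” and confirms that a restricted role's view lists only the aggregate the query allows. The sample outputs are constructed from the listings above; the unrestricted sample assumes ONTAP's usual wrapping of over-wide values onto a continuation line.

```python
import re
# Constructed samples (not captured from a live system). ONTAP wraps a row onto a
# continuation line when a value is wider than its column, keeping column offsets.
ADMIN3_VOLUME_SHOW = """\
Vserver   Volume       Aggregate    State      Type       Size  Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
          vol0         cmode_prod_02_aggr0
                                    online     RW       2.50GB     1.55GB   37%
"""
ADMIN_VOLUME_SHOW = """\
Vserver   Volume       Aggregate    State      Type       Size  Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
cmode-prod-01
          vol0         cmode_prod_01_aggr0
                                    online     RW       2.50GB     1.48GB   40%
cmode-prod-02
          vol0         cmode_prod_02_aggr0
                                    online     RW       2.50GB     1.47GB   41%
2 entries were displayed.
"""
def parse_volume_show(text):
    """Return one dict per volume, re-joining rows that the CLI wrapped."""
    lines = [l for l in text.splitlines() if l.strip()]
    header, ruler, body = lines[0], lines[1], lines[2:]
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]
    names = [header[s:e].strip() for s, e in spans]
    rows, pending = [], {}
    for line in body:
        if re.search(r"\d+ entries were displayed\.", line):
            break
        covered = 0  # offset already consumed by an overflowing value on this line
        for name, (s, e) in zip(names, spans):
            if s < covered or name in pending:
                continue
            cell = line[s:e].strip()
            if cell and e < len(line) and not line[e].isspace():
                # value wider than its column: take the whole token and skip the
                # columns it runs over (ONTAP continues them on the next line)
                m = re.match(r"\s*(\S+)", line[s:])
                cell, covered = m.group(1), s + m.end()
            if cell:
                pending[name] = cell
        if names[-1] in pending:  # last column filled => the row is complete
            rows.append({n: pending.get(n, "") for n in names})
            pending = {}
    return rows
def query_restriction_holds(text, allowed_aggregate):
    """True when every volume listed sits in the aggregate the role query allows."""
    seen = {row["Aggregate"] for row in parse_volume_show(text)}
    return bool(seen) and seen <= {allowed_aggregate}
```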

