
SRM: Permissions needed to monitor NetApp Cluster mode files and gather data

7/25/16

Overview

This article lists the permissions Storage Resource Monitor needs to monitor NetApp Clusters and gather data. NetApp Cluster mode permissions are tied to CLI commands: access to each API is set through the CLI command that produces the same result. Each user used for monitoring must be assigned to a role that has all required capabilities.

For more information, please consult the documentation supplied with your array, or contact your vendor.

Environment

  • SRM 6.0+

Detail

Permissions needed

The following permissions are needed for Storage Resource Monitor to gather data from NetApp. NetApp Cluster mode permissions are tied to CLI commands: access to each API is set through the CLI command that produces the same result. Each user used for monitoring must be assigned to a role that has all required capabilities.

These API capabilities are required for Cluster Mode. Because permissions are set on the CLI commands that display the particular data, the table below also shows the command names. These are used to assign permission to the specific API.

API name                     Related CLI command
---------------------------  ----------------------------
aggr-get-iter                storage aggregate show
cifs-server-get-iter         vserver cifs show
cifs-share-get-iter          vserver cifs share show
cluster-identity-get         cluster identity show
diagnosis-status-get         system health status show
fcp-initiator-get-iter       vserver fcp initiator show
fcp-interface-get-iter       vserver fcp interface show
igroup-get-iter              lun igroup show
iscsi-initiator-get-iter     vserver iscsi initiator show
iscsi-service-get-iter       vserver iscsi show
lun-get-iter                 lun show
lun-map-get-iter             lun mapped show
net-interface-get-iter       network interface show
nfs-exportfs-list-rules-2    vserver export-policy show
perf-object-get-instances    statistics show
quota-report-iter            volume quota report
storage-disk-get-iter        storage disk show
system-get-vendor-info       system node autosupport show
system-get-version           version
volume-get-iter              volume show
vserver-get-iter             vserver show
license-list-info            system license show
license-v2-list-info         system license show

Log in to the NetApp CLI and follow these steps to create a read-only user with sufficient privileges for monitoring the device in SRM.

Summary of required steps

  1. Create a new role and assign the specific command privileges under the read only access level or use the built-in ‘Read Only’ role.
  2. Create a monitoring user and assign it to the role.

Detailed steps

  1. Skip this step if you are going to use the built-in ‘Read Only’ role.

Create a new role and assign the specific command privileges under the read-only access level:

security login role create -role testrole -cmddirname "security login role show-ontapi" -access readonly

You can verify if a particular role has a permission assigned by using the following command:

security login role show -role testrole

To assign all permissions listed above, you can copy and paste the following text:

security login role create -role testrole -cmddirname "storage aggregate show" -access readonly

security login role create -role testrole -cmddirname "vserver cifs show" -access readonly

security login role create -role testrole -cmddirname "vserver cifs share show" -access readonly

security login role create -role testrole -cmddirname "cluster identity show" -access readonly

security login role create -role testrole -cmddirname "system health status show" -access readonly

security login role create -role testrole -cmddirname "vserver fcp initiator show" -access readonly

security login role create -role testrole -cmddirname "vserver fcp interface show" -access readonly

security login role create -role testrole -cmddirname "lun igroup show" -access readonly

security login role create -role testrole -cmddirname "vserver iscsi initiator show" -access readonly

security login role create -role testrole -cmddirname "vserver iscsi show" -access readonly

security login role create -role testrole -cmddirname "lun show" -access readonly

security login role create -role testrole -cmddirname "lun mapped show" -access readonly

security login role create -role testrole -cmddirname "network interface show" -access readonly

security login role create -role testrole -cmddirname "vserver export-policy show" -access readonly

security login role create -role testrole -cmddirname "statistics show" -access readonly

security login role create -role testrole -cmddirname "volume quota report" -access readonly

security login role create -role testrole -cmddirname "storage disk show" -access readonly

security login role create -role testrole -cmddirname "system node autosupport show" -access readonly

security login role create -role testrole -cmddirname "version" -access readonly

security login role create -role testrole -cmddirname "volume show" -access readonly

security login role create -role testrole -cmddirname "vserver show" -access readonly

security login role create -role testrole -cmddirname "system license show" -access readonly

These commands might produce warnings that they will affect other permissions. These warnings can be ignored.

  2. Create the monitoring user with this role:

  • If you are using the built-in Read Only role:

security login create -role readonly -username <user name> -application ontapi -authmethod <authMethod>

  • If you are using the custom role created above:

security login create -role testrole -username <user name> -application ontapi -authmethod <authMethod>

<user name> is the user name of the user created. For a domain user, use <domain>\<user name>. Make sure to use all lowercase letters for the domain and user name.

<authMethod> is 'domain' if you are adding a domain user to the role. Otherwise it is 'password'.

Example 1: creating a local user 'test' using built-in role

security login create -role readonly -username test -application ontapi -authmethod password

Example 2: creating a local user 'test' using custom role 'testrole'

security login create -role testrole -username test -application ontapi -authmethod password

Example 3: creating a domain user 'test' using custom role 'testrole'

security login create -role testrole -username testdomain\test -application ontapi -authmethod domain

Changing the permissions would require assigning the user to the role again.
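The following Python check is an added example, not part of the original article or of SolarWinds or NetApp tooling. It reviews a file of `security login role create` lines before they are pasted into the NetApp CLI, and reports commands from the table that are missing, grants that are not `readonly`, and grants for commands the table does not list. The function names and the sample script are assumptions constructed for illustration.

```python
import shlex

# CLI command directories required by SRM, taken from the table on this page.
REQUIRED = {
    "storage aggregate show", "vserver cifs show", "vserver cifs share show",
    "cluster identity show", "system health status show",
    "vserver fcp initiator show", "vserver fcp interface show",
    "lun igroup show", "vserver iscsi initiator show", "vserver iscsi show",
    "lun show", "lun mapped show", "network interface show",
    "vserver export-policy show", "statistics show", "volume quota report",
    "storage disk show", "system node autosupport show", "version",
    "volume show", "vserver show", "system license show",
}

def parse_grants(script, role):
    """Return {cmddirname: access} for the role-create lines that target `role`."""
    grants = {}
    for line in script.splitlines():
        tok = shlex.split(line)  # honours the quotes around -cmddirname values
        if tok[:4] != ["security", "login", "role", "create"]:
            continue
        opts = dict(zip(tok[4::2], tok[5::2]))  # pair each -option with its value
        if opts.get("-role") == role and "-cmddirname" in opts:
            grants[opts["-cmddirname"]] = opts.get("-access", "(unspecified)")
    return grants

def audit(script, role):
    """Compare the grants in `script` with the set SRM needs, least privilege first."""
    grants = parse_grants(script, role)
    return {
        "missing": sorted(REQUIRED - set(grants)),       # SRM polling would fail
        "not_readonly": sorted(c for c, a in grants.items() if a != "readonly"),
        "extra": sorted(set(grants) - REQUIRED),         # review: not in the table
    }

# Constructed sample: one over-privileged grant, one command outside the table,
# and one line for a different role that must be ignored.
SAMPLE = '''
security login role create -role testrole -cmddirname "security login role show-ontapi" -access readonly
security login role create -role testrole -cmddirname "volume show" -access all
security login role create -role testrole -cmddirname "lun show" -access readonly
security login role create -role otherrole -cmddirname "version" -access readonly
'''

if __name__ == "__main__":
    for finding, commands in audit(SAMPLE, "testrole").items():
        print(f"{finding}: {commands}")
```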

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.

 

 

 

Last modified
14:46, 16 Nov 2016
