Hello Toasters,
Our ONTAP clusters contain a number of SVMs. For purposes of this post I'll classify our SVMs into two broad categories:
* SVMs that host storage resources for our ESXi clusters
* SVMs that do NOT host storage resources for our ESXi clusters
We initially direct-connected VSC to the SVMs hosting VMware resources. As documented by NetApp, this resulted in VSC provisioning volumes (NFS datastores) then mounting them via indirect paths (our SVMs have multiple LIFs). We don't want datastores mounted via indirect paths, nor do we want to deal with the other limitations associated with direct-connecting VSC to SVMs.
Now, AFAIK, the only option we're left with is connecting VSC to the cluster management LIF. The catch is we only want to allow VSC privileges to manage the SVMs hosting VMware resources. VSC should not have privileges to the non-VMware related SVMs.
Is there a way to connect VSC to the cluster management LIF while only allowing VSC the ability to provision storage to and manage a subset of SVMs on the cluster?
We're currently running VSC 6.2.1 and ONTAP 9.2P2.
-Phil
You can create a LIF inside your SVM with the mgmt firewall policy.
It will still be able to provision storage from any aggregate though. I don't believe you can lock that down.
-----Original Message-----
From: toasters-bounces@teaparty.net On Behalf Of Philbert Rupkins
Sent: 04 May 2018 16:04
To: toasters@teaparty.net
Subject: Restrict VSC to a Subset of SVM's
> Hello Toasters,
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
You *might* be able to design your own role and assign that role to a user that is not admin and then use the cluster admin LIF. I am not entirely sure what details are needed for the role to work entirely. There might be something in the VSC docs about the roles needed to work properly.
Just a suggestion to look at.
--tmac
Tim McCarthy, Principal Consultant
Proud Member of the #NetAppATeam https://twitter.com/NetAppATeam
I Blog at TMACsRack https://tmacsrack.wordpress.com/
443-228-TMAC (Google Voice) 214-279-3926 (eFAX)
On Fri, May 4, 2018 at 11:50 AM Chris Hague Chris_Hague@ajg.com wrote:
> You can create a LIF inside your SVM with the mgmt firewall policy.
Thanks for the suggestions. After a bit of RBAC research and consulting with folks with more experience, we begrudgingly gave VSC the access it needs to the cluster and all SVMs on said cluster, including the SVMs that are not hosting storage for our VMware environment.
It looks like the only way to restrict VSC access to a particular group of SVMs is to slap an admin interface (LIF) on the SVMs and add the SVMs directly to VSC. Of course, adding SVMs directly to VSC comes with some well-documented limitations. We ultimately decided the risk of our VMware admins provisioning storage to a non-VMware related SVM via VSC is pretty low, so we added the cluster to VSC directly to allow for full VSC functionality.
On Fri, May 4, 2018 at 11:30 AM, tmac tmacmd@gmail.com wrote:
> You *might* be able to design your own role and assign that role to a user that is not admin and then use the cluster admin LIF.
Hi Phil,
Two things just crossed my mind:
* the "RBAC user creator" tool, downloadable in the community, can create a role and a user that can probably get you 95% of the way to where you want to go.
* then modify the role(s) with the "-query" parameter to restrict access to only certain "vservers". Don't know if you can use wildcards here (your naming convention...), but you can assign the VSC-user multiple roles...
Greetings from Munich
Sebastian Goetze NCI
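What the custom-role idea tmac raised and the "-query" scoping Sebastian describes look like at the ONTAP clustershell, as an added example that is not from this thread, from NetApp's VSC documentation or from the RBAC user creator tool. The cluster (cluster1), role (vsc_vmware_only), login (svc_vsc) and SVM names (svm_vmw01, svm_vmw02) are placeholders; the command directories granted are an illustrative subset chosen for this example, not VSC's documented requirement list, which you would take from the VSC docs tmac mentions; the "|" alternative in the query is assumed from ONTAP's general query syntax and should be checked on your release. Lines beginning with # are annotations, not clustershell input.

```text
# Each command directory VSC needs gets its own role entry. The -query
# limits the entry to objects whose -vserver field matches, so a volume
# create against any other SVM is refused for this role.
cluster1::> security login role create -vserver cluster1 -role vsc_vmware_only -cmddirname "volume" -access all -query "-vserver svm_vmw01|svm_vmw02"
cluster1::> security login role create -vserver cluster1 -role vsc_vmware_only -cmddirname "lun" -access all -query "-vserver svm_vmw01|svm_vmw02"
cluster1::> security login role create -vserver cluster1 -role vsc_vmware_only -cmddirname "vserver export-policy" -access all -query "-vserver svm_vmw01|svm_vmw02"
cluster1::> security login role create -vserver cluster1 -role vsc_vmware_only -cmddirname "network interface" -access readonly -query "-vserver svm_vmw01|svm_vmw02"
cluster1::> security login role create -vserver cluster1 -role vsc_vmware_only -cmddirname "vserver" -access readonly -query "-vserver svm_vmw01|svm_vmw02"

# Aggregates are cluster-scoped objects, so a -vserver query cannot narrow
# them (Chris's point above). Grant read-only at most.
cluster1::> security login role create -vserver cluster1 -role vsc_vmware_only -cmddirname "storage aggregate" -access readonly

# A dedicated, non-admin login for VSC on the cluster management LIF.
# VSC 6.x talks ZAPI, hence application ontapi.
cluster1::> security login create -vserver cluster1 -user-or-group-name svc_vsc -application ontapi -authentication-method password -role vsc_vmware_only

# Review the result: every row with -access all should carry a Query
# column naming only the VMware SVMs.
cluster1::> security login role show -vserver cluster1 -role vsc_vmware_only
```

Two things to confirm before relying on this: the `security login role show` output, where any "all" entry with an empty Query column is an unscoped grant; and a functional check from the VSC side that a provisioning request aimed at a non-VMware SVM is refused while datastore creation on svm_vmw01 still succeeds, since VSC may need directories beyond those listed here and will fail in ways that are not obviously RBAC-related if one is missing.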
On Tue, May 22, 2018, 05:34 Philbert Rupkins philbertrupkins@gmail.com wrote:
> Thanks for the suggestions. After a bit of RBAC research and consulting with folks with more experience, we begrudgingly gave VSC the access it needs to the cluster and all SVMs on said cluster, including the SVMs that are not hosting storage for our VMware environment.