Hi
I’m trying to create a local user role that allows login via the web GUI, and update the snapmirror relations, but not be able to delete them or any volumes for that matter…
I thought this was a walk in the park, but somehow I run into the same issue…
I start by creating a simple role:
security login role create -role ro -cmddirname DEFAULT -access all
security login role create -role ro -cmddirname volume -access readonly
I create a new user and assign the role:
security login create -user-or-group-name rotest -application http -authentication-method password -role ro
When trying to login, it fails like the password is wrong…. But why?
I even tried to create a role identical to the admin role (basically just the first of the two lines above), and even with that, it is not possible to login to the web GUI…
I’m beginning to fear that you need to have the admin role in order to login to the web GUI…
Can someone please confirm that this is true… I almost cannot believe it 😉
/Heino
We ran into this same issue, trying to create RO user for GUI and found that custom roles are not supported for login to sysmgr. That same user could ssh with the same role defined, but no GUI.
On Mon, Nov 30, 2020 at 11:23 AM Heino Walther hw@beardmann.dk wrote:
Hi
I’m trying to create a local user role that allows login via the web GUI, and update the snapmirror relations, but not be able to delete them or any volumes for that matter…
I thought this was a walk in the park, but somehow I run into the same issue…
I start by creating a simple role:
security login role create -role ro -cmddirname DEFAULT -access all
security login role create -role ro -cmddirname volume -access readonly
I create a new user and assign the role:
security login create -user-or-group-name rotest -application http -authentication-method password -role ro
When trying to login, it fails like the password is wrong…. But why?
I even tried to create a role identical to the admin role (basically just the first of the two lines above), and even with that, it is not possible to login to the web GUI…
I’m beginning to fear that you need to have the admin role in order to login to the web GUI…
Can someone please confirm that this is true… I almost cannot believe it 😉
/Heino
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
https://www.teaparty.net/mailman/listinfo/toasters
OK thanks.. makes sense (sadly). Would have been great to allow users to login and perform certain tasks. Guess they will all just have to learn command-line or REST 😉
/Heino
From: mE notsoworried@gmail.com
Date: Monday, 30 November 2020 at 19:44
To: Heino Walther hw@beardmann.dk
Cc: toasters@teaparty.net toasters@teaparty.net
Subject: Re: Security Roles...
We ran into this same issue, trying to create RO user for GUI and found that custom roles are not supported for login to sysmgr. That same user could ssh with the same role defined, but no GUI.
Well yes and no, I tried the same technique… I even tried just to create my own role with “DEFAULT / ALL” defined just like the admin role… but once I assigned this to a user he was no longer able to login to the web GUI…
BTW. The link you sent is for OCUM and as far as I know that uses the API to talk to the cluster… 😊
/Heino
From: vwpolo1234@gmx.de vwpolo1234@gmx.de
Date: Tuesday, 1 December 2020 at 08:56
To: Heino Walther hw@beardmann.dk
Cc: mE notsoworried@gmail.com, toasters@teaparty.net toasters@teaparty.net
Subject: Aw: SV: Security Roles...
Have you tried this KB ?:
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Infrastructure_Managem...
Works fine with a SIM
Sent: Monday, 30 November 2020 at 19:47
From: "Heino Walther" hw@beardmann.dk
To: "mE" notsoworried@gmail.com
Cc: "toasters@teaparty.net" toasters@teaparty.net
Subject: SV: Security Roles...
OK thanks.. makes sense (sadly). Would have been great to allow users to login and perform certain tasks. Guess they will all just have to learn command-line or REST 😉
/Heino
From: mE notsoworried@gmail.com
Date: Monday, 30 November 2020 at 19:44
To: Heino Walther hw@beardmann.dk
Cc: toasters@teaparty.net toasters@teaparty.net
Subject: Re: Security Roles...
We ran into this same issue, trying to create RO user for GUI and found that custom roles are not supported for login to sysmgr. That same user could ssh with the same role defined, but no GUI.
"Heino" == Heino Walther hw@beardmann.dk writes:
Heino> Well yes and no, I tried the same technique… I even tried just
Heino> to create my own role with “DEFAULT / ALL” defined just like
Heino> the admin role… but once I assigned this to a user he was no
Heino> longer able to login to the web GUI…

Heino> BTW. The link you sent is for OCUM and as far as I know that
Heino> uses the API to talk to the cluster… 😊
As I recall, but I haven't looked into this recently for newer versions, the roles in cDOT are either crazy limited, or crazy wide open. You can't create a role to do anything such as create a new volume in an aggregate, that you also give them *delete* privs as well.
So I think now the goal is to use the API and Ansible to create more locked down setups for end users, which you then secure to your liking.
Especially so since the Work Flow Automation tool is going away too.
John
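
Added example, not part of the thread and not NetApp code: a small model of how the role entries quoted in the first message resolve for the stated goal (update SnapMirror relationships, delete nothing). It assumes the most specific -cmddirname entry decides the access level and that readonly permits only "show" commands; TIGHT_ROLE is a hypothetical alternative that has not been verified on a cluster, and the model says nothing about System Manager login.

```python
# Simplified model (assumption): the role entry whose -cmddirname is the
# longest word-prefix of the command decides the access level.
def effective_access(role, command):
    words = command.split()
    best_len, access = -1, "none"
    for cmddir, level in role.items():
        prefix = [] if cmddir == "DEFAULT" else cmddir.split()
        if words[:len(prefix)] == prefix and len(prefix) > best_len:
            best_len, access = len(prefix), level
    return access


def allowed(role, command):
    level = effective_access(role, command)
    if level == "all":
        return True
    if level == "readonly":
        # Assumption: readonly permits only "show"-style commands.
        return command.split()[-1].startswith("show")
    return False


# Role exactly as created in the thread: DEFAULT all, volume readonly.
THREAD_ROLE = {"DEFAULT": "all", "volume": "readonly"}

# Hypothetical tighter role for the stated goal (constructed for this example).
TIGHT_ROLE = {
    "DEFAULT": "none",
    "volume": "readonly",
    "snapmirror": "readonly",
    "snapmirror update": "all",
}

# Commands relevant to the goal stated in the first message.
COMMANDS = ["snapmirror show", "snapmirror update", "snapmirror delete",
            "volume show", "volume delete"]


def audit(role):
    """Return {command: permitted} for the commands of interest."""
    return {cmd: allowed(role, cmd) for cmd in COMMANDS}


if __name__ == "__main__":
    for name, role in (("thread role", THREAD_ROLE), ("tight role", TIGHT_ROLE)):
        print(name)
        for cmd, ok in audit(role).items():
            print(f"  {'ALLOW' if ok else 'DENY ':5} {cmd}")
```

Under this model the role from the thread still permits snapmirror delete, because only the volume directory is narrowed below DEFAULT all.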