Hi Toaster,
We currently have a problem with API access to the filers. We use the options httpd.access and httpd.admin.access to enable hosts for the filers' API control.
We now use the API for several tasks, e.g. saving our databases. Sadly, we found out that there is a limit for these options, as there is for trusted.hosts: you can only add a fixed number of entries to these options.
I know that we are able to enable a whole subnet for access, but in my opinion this is somewhat of a security problem. Does anyone have a good idea how to deal with this situation? Or does anybody know whether this restriction will be gone in future ONTAP releases?
Best regards and a nice weekend to the list
Jochen
You can do it via security roles.
Here's how I did it to allow read-only access to our FilerView for our Windows users:
1. Created the local Windows group named FilerView-ReadOnly
2. Created the security role FilerView-ReadOnly from the console of the filers
useradmin role add FilerView-ReadOnly -c "Read-only access to FilerView" -a login-http-admin,api-iscsi-service-status,cli-priv,cli-version,api-volume-list-info,api-aggr-list-info,api-aggr-options-list-info,api-aggr-get-filer-info,api-volume-size,api-volume-options-list-info,api-quota-status,api-volume-get-language,api-volume-get-filer-info,cli-uptime,cli-sysconfig,cli-netstat,cli-df,api-system-cli,api-options-get,cli-date,cli-timezone,api-volume-get-root-name,cli-sysstat,api-disk-list-info,api-snapshot-get-reserve,api-snapshot-get-schedule,api-disk-sanown-list-info,api-system-get-info,cli-storage,cli-snapmirror,cli-stty,cli-cifs,cli-httpstat,api-lun-list-info,cli-lun,cli-iscsi,api-iscsi-node-get-name,api-iscsi-target-alias-get-alias,api-iscsi-interface-list-info,cli-vif,cli-ndmpd
3. Assigned the role to the group FilerView-ReadOnly
useradmin group modify FilerView-ReadOnly -r FilerView-ReadOnly
The abilities assigned were determined by the brute force method... started with only login-http-admin and reviewed the console error messages as I attempted to access each object in FilerView and then added the appropriate abilities. There are a couple that still say the user doesn't have the ability to go into advanced priv mode, but that is ok as I don't want the ReadOnly group to be able to do that - too risky. On those particular screens, they are able to retrieve the information they would be looking for.
When users access FilerView they put in their Windows username (domain\username) and Windows password.
On 12/7/07, Willeke, Jochen <Jochen.Willeke@wincor-nixdorf.com> wrote:
Bill's solution below is excellent and it solves the problem from an authentication point of view.
Unfortunately the access control value is only 256 bytes long, which limits the number of hosts. One possible way to mitigate this problem is to use IP address masking. This only helps if all the hosts are on one subnet.
Please follow bug # 67318 for access control issues, and bug # 192592 for read-only FilerView issues.
- Rick -
-----Original Message----- From: Bill Holland [mailto:hollandwl@gmail.com] Sent: Friday, December 07, 2007 8:48 AM To: Willeke, Jochen Cc: toasters@mathworks.com Subject: Re: httpd.access -- number of entries
Hi,
Unfortunately we use Linux hosts for accessing the API. But I will try whether this works for API access as well.
Regards, and thanks for your explanation.
Jochen