Creating a readonly user to monitor NetApp cluster via check_mk
Hello fellow toasters users ...

We're in the process of deploying a pair of new CDOT filers and
one of the things we'd like to set up with them is having check_mk
(nagios and rrd, under the hood) monitor various attributes. We have
a working instance at the moment using snmp to query the filers,
but check_mk also provides a "plugin" that claims to work with the
filer's web interface, so we'd like to examine that.

To that end, I've set up a read-only user on the filer, that I intend
will be able to access the web interface:

security login create -vserver fc1-na -user-or-group-name nul_cmk \
-application http -authentication-method password -role readonly \
-comment "check_mk monitoring"

The user shows up when I "show":

fc1-na::> security login show -vserver fc1-na -user-or-group-name nul_cmk

Vserver: fc1-na
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
nul_cmk        http        password      readonly         no     none

The readonly role is unchanged from the OS default:

fc1-na::> security login role show -vserver fc1-na -role readonly
           Role          Command/                                      Access
Vserver    Name          Directory Query                               Level
---------- ------------- --------- ----------------------------------- --------
fc1-na     readonly      DEFAULT                                       readonly
                         security                                      none
                         security login password                       all
                         security login role show-user-capability      all
                         set                                           all
5 entries were displayed.

Trouble is that if I try to log in to the web interface as that user,
the browser stays "stuck" at the "Loading system details..." spinner
widget. It's been there now for about two hours as I type this.
Of course, check_mk's plugin logs a timeout while trying to access
the interface.

I fully suspect that I'm missing something, of course, but I'm afraid
I haven't been able to find what that is. If someone out there has
experience creating such a user for readonly access, a pointer to where
I should be looking and/or documentation I should be reading would be
hugely appreciated. (cli is preferred because it's easier to document
what I've done that way, but if someone points me to resources in the
web interface I'm sure I'll be able to find what I need at the cli.)

--
----------------------------------------------------------------------
Sylvain Robitaille syl@encs.concordia.ca

Systems analyst / AITS Concordia University
Faculty of Engineering and Computer Science Montreal, Quebec, Canada
----------------------------------------------------------------------
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
Re: Creating a readonly user to monitor NetApp cluster via check_mk
On Wed, 25 Apr 2018, Sylvain Robitaille wrote:

> ... I've set up a read-only user on the filer, that I intend
> will be able to access the web interface:
>
> security login create -vserver fc1-na -user-or-group-name nul_cmk \
> -application http -authentication-method password -role readonly \
> -comment "check_mk monitoring"
> ...
> Trouble is that if I try to log in to the web interface as that user,
> the browser stays "stuck" at the "Loading system details..." spinner
> widget. ...

I'd like to express a boatload of gratitude to Avi Ben Emanuel of
Jerusalem College of Technology who presented me with the answer: I
needed to also grant access to the ontapi application for this user. It
now works:

fc1-ev::> security login show -user nul_cmk

Vserver: fc1-ev
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
nul_cmk        http        password      readonly         no     none
nul_cmk        ontapi      password      readonly         no     none
2 entries were displayed.

Sometimes "thank you" only scratches the surface ... I honestly
don't know how I might have discovered that myself ...

--
----------------------------------------------------------------------
Sylvain Robitaille syl@encs.concordia.ca

Systems analyst / AITS Concordia University
Faculty of Engineering and Computer Science Montreal, Quebec, Canada
----------------------------------------------------------------------
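
Added example, not part of the original messages: a small Python check that parses pasted "security login show" output and confirms a monitoring account has exactly the http and ontapi entries reported as working in this thread, all with the readonly role. The function names, the whitespace-free-field assumption and the policy that nothing beyond http and ontapi is needed are assumptions of this example.

```python
import re

FIELDS = ("user", "application", "auth_method", "role", "locked", "second_auth")

# Constructed sample in the layout of the "security login show" output quoted
# in the thread; the ssh/admin row is invented here to trigger a finding.
SAMPLE = """\
Vserver: fc1-ev
User/Group Authentication Acct Authentication
Name Application Method Role Name Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
nul_cmk http password readonly no none
nul_cmk ontapi password readonly no none
nul_cmk ssh password admin no none
3 entries were displayed.
"""

def parse_logins(text):
    """Parse login rows; assumes no field contains embedded whitespace."""
    rows, vserver, in_table = [], None, False
    for line in text.splitlines():
        m = re.match(r"\s*Vserver:\s*(\S+)", line)
        if m:
            vserver, in_table = m.group(1), False
        elif re.fullmatch(r"\s*-+(\s+-+)+\s*", line):
            in_table = True  # dashed rule separates header from data rows
        elif in_table and len(line.split()) == len(FIELDS):
            rows.append(dict(zip(FIELDS, line.split()), vserver=vserver))
    return rows

def audit(rows, user, required=("http", "ontapi"), allowed_role="readonly"):
    """Return findings for one account; an empty list means it matches."""
    mine = [r for r in rows if r["user"] == user]
    apps = {r["application"] for r in mine}
    findings = [f"missing application: {a}" for a in required if a not in apps]
    for r in mine:
        if r["role"] != allowed_role:
            findings.append(f"{r['application']}: role {r['role']} is not {allowed_role}")
        if r["application"] not in required:
            findings.append(f"{r['application']}: not needed for monitoring")
        if r["locked"] != "no":
            findings.append(f"{r['application']}: account locked")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_logins(SAMPLE), "nul_cmk"):
        print(finding)
```

Run against the http-only state from the first message, the audit reports the missing ontapi entry; run against the two-row output above, it reports nothing.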