Mailing List Archive

Restrict VSC to a Subset of SVM's
Hello Toasters,

Our ONTAP clusters contain a number of SVMs. For purposes of this
post I'll classify our SVMs into two broad categories:

* SVMs that host storage resources for our ESXi clusters
* SVMs that do NOT host storage resources for our ESXi clusters

We initially direct-connected VSC to the SVMs hosting VMware
resources. As documented by NetApp, this resulted in VSC provisioning
volumes (NFS datastores) and then mounting them via indirect paths (our
SVMs have multiple LIFs). We don't want datastores mounted via indirect
paths, nor do we want to deal with the other limitations associated
with direct-connecting VSC to SVMs.

Now, AFAIK, the only option we're left with is connecting VSC to the
cluster management LIF. The catch is we only want to allow VSC
privileges to manage the SVMs hosting VMware resources. VSC should
not have privileges on the non-VMware-related SVMs.

Is there a way to connect VSC to the cluster management LIF while only
allowing VSC the ability to provision storage to and manage a subset
of SVMs on the cluster?

We're currently running VSC 6.2.1 and ONTAP 9.2P2.

-Phil
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
RE: Restrict VSC to a Subset of SVM's
You can create a LIF inside your SVM with the mgmt firewall policy.

It will still be able to provision storage from any aggregate though. I don't believe you can lock that down.


-----Original Message-----
From: toasters-bounces@teaparty.net <toasters-bounces@teaparty.net> On Behalf Of Philbert Rupkins
Sent: 04 May 2018 16:04
To: toasters@teaparty.net
Subject: Restrict VSC to a Subset of SVM's

Re: Restrict VSC to a Subset of SVM's
You *might* be able to design your own role and assign that role to a user
that is not admin and then use the cluster admin LIF.
I am not entirely sure what details are needed for the role to work
entirely. There might be something in the VSC docs about the roles needed
to work properly.

Just a suggestion to look at.

--tmac

*Tim McCarthy, **Principal Consultant*

*Proud Member of the #NetAppATeam <https://twitter.com/NetAppATeam>*

*I Blog at TMACsRack <https://tmacsrack.wordpress.com/>*
443-228-TMAC (*Google Voice*)
214-279-3926 (*eFAX*)



On Fri, May 4, 2018 at 11:50 AM Chris Hague <Chris_Hague@ajg.com> wrote:

Re: Restrict VSC to a Subset of SVM's
Thanks for the suggestions. After a bit of RBAC research and consulting
with folks with more experience, we begrudgingly gave VSC the access it
needs to the cluster and all SVMs on said cluster, including the SVMs that
are not hosting storage for our VMware environment.

It looks like the only way to restrict VSC access to a particular group of
SVMs is to slap an admin interface (LIF) on the SVMs and add the SVMs
directly to VSC. Of course, adding SVMs directly to VSC comes with some
well-documented limitations. We ultimately decided the risk of our VMware
admins provisioning storage to a non-VMware-related SVM via VSC is pretty
low, so we added the cluster to VSC directly to allow for full VSC
functionality.


On Fri, May 4, 2018 at 11:30 AM, tmac <tmacmd@gmail.com> wrote:

Re: Restrict VSC to a Subset of SVM's
Hi Phil,

Two things just crossed my mind:

* The "RBAC User Creator" tool, downloadable from the community, can create a
role and a user that can probably get you 95% of the way to where you want to go.

* Then modify the role(s) with the "-query" parameter to restrict access to
only certain "vservers". I don't know if you can use wildcards here (your
naming convention...), but you can assign the VSC user multiple roles...


Greetings from Munich

Sebastian Goetze
NCI


On Tue, May 22, 2018, 05:34 Philbert Rupkins <philbertrupkins@gmail.com>
wrote:

--

sent from my mobile, spellcheck might have messed up...
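As an added example (not code from any poster on this thread), a POSIX shell helper that emits the ONTAP clustershell commands for the approach Sebastian describes: a role whose entries carry a `-query "-vserver ..."` restriction, bound to a dedicated ontapi login for VSC, so the account can touch only the VMware-facing SVMs. The role name, user name, SVM names and the command directories are constructed illustrations rather than VSC's documented required set, and the `storage aggregate` entry shows the limitation Chris raised: cluster-scoped directories have no vserver to query on and cannot be narrowed per SVM.

```shell
#!/bin/sh
# Constructed example: emit ONTAP clustershell commands that define a VSC
# service account whose role is scoped, via -query, to a named set of SVMs.
# Command directories below are an illustrative subset, not VSC's full list.

# build_vsc_role_cmds ROLE USER SVM [SVM...]
build_vsc_role_cmds() {
  role=$1
  user=$2
  shift 2
  [ $# -ge 1 ] || { echo "need at least one SVM" >&2; return 1; }

  # Join SVM names with '|' (OR in ONTAP query syntax) so one role entry
  # covers every VMware-facing SVM and nothing else.
  q=""
  for svm in "$@"; do
    q="${q:+$q|}$svm"
  done

  # SVM-scoped directories: the query limits them to the listed vservers.
  for dir in "volume" "volume snapshot" "vserver export-policy rule"; do
    printf 'security login role create -role %s -cmddirname "%s" -access all -query "-vserver %s"\n' \
      "$role" "$dir" "$q"
  done
  # LIF discovery only needs read access, still scoped to the same SVMs.
  printf 'security login role create -role %s -cmddirname "network interface" -access readonly -query "-vserver %s"\n' \
    "$role" "$q"

  # Cluster-scoped directories have no -vserver parameter to query on, so a
  # per-SVM restriction is not possible here; grant read-only instead.
  printf 'security login role create -role %s -cmddirname "storage aggregate" -access readonly\n' \
    "$role"

  # VSC 6.x uses the ONTAPI (ZAPI) application; bind the login to the role.
  printf 'security login create -user-or-group-name %s -application ontapi -authentication-method password -role %s\n' \
    "$user" "$role"
}

# Print the commands for review before pasting them into the cluster shell:
#   sh vsc_role.sh vsc_role vsc_svc svm_vmw01 svm_vmw02
if [ $# -ge 3 ]; then
  build_vsc_role_cmds "$@"
fi
```

Review the generated `security login role show -role vsc_role` output on the cluster afterwards to confirm every entry that can carry a query does.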