Mailing List Archive

Security Roles...
Hi

I’m trying to create a local user role that allows login via the web GUI, and update the snapmirror relations, but not be able to delete them or any volumes for that matter…

I thought this was a walk in the park, but somehow I run into the same issue…

I start by creating a simple role:

security login role create -role ro -cmddirname DEFAULT -access all
security login role create -role ro -cmddirname volume -access readonly

I create a new user and assign the role:

security login create -user-or-group-name rotest -application http -authentication-method password -role ro

When trying to login, it fails like the password is wrong…. But why?

I even tried to create a role identical to the admin role (basically just the first of the two lines above), and even with that, it is not possible to login to the web GUI…

I’m beginning to fear that you need to have the admin role in order to login to the web GUI…

Can someone please confirm that this is true… I almost cannot believe it ????

/Heino
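Before handing a custom role to anyone, it is worth working out which commands it actually permits. The script below is an added example, not code from this thread or from NetApp: it models the ONTAP RBAC rule that the most specific -cmddirname entry of a role decides the access level for a command, with DEFAULT as the fallback, and treats readonly as "show commands only". Both of those are assumptions to confirm against the ONTAP documentation for your release; the script talks to no cluster and says nothing about System Manager login. The role lines are the two from the post above (with the verb written out as create), plus a constructed tighter variant that keeps "snapmirror update" while denying the rest of the snapmirror directory, since DEFAULT all otherwise leaves "snapmirror delete" permitted.

```python
import shlex

# Added example, not code from the thread. Models ONTAP role resolution as an
# assumption: the longest matching -cmddirname wins, DEFAULT is the fallback,
# and readonly permits only "show" commands. Nothing here contacts a cluster.

ACCESS_LEVELS = ("none", "readonly", "all")


def parse_role_entries(cli_lines):
    """Turn 'security login role create ... -cmddirname D -access A' lines
    (the form used in the thread) into {cmddirname: access}."""
    entries = {}
    for line in cli_lines:
        tokens = shlex.split(line)
        if tokens[:4] != ["security", "login", "role", "create"]:
            raise ValueError(f"not a role create command: {line!r}")
        opts, i = {}, 4
        while i < len(tokens):
            if not tokens[i].startswith("-"):
                raise ValueError(f"unexpected token {tokens[i]!r} in {line!r}")
            name, i = tokens[i][1:], i + 1
            values = []
            while i < len(tokens) and not tokens[i].startswith("-"):
                values.append(tokens[i])
                i += 1
            opts[name] = " ".join(values)
        if "cmddirname" not in opts or opts.get("access") not in ACCESS_LEVELS:
            raise ValueError(f"missing -cmddirname or bad -access in {line!r}")
        entries[opts["cmddirname"]] = opts["access"]
    return entries


def effective_access(entries, command):
    """Longest cmddirname that is a token prefix of the command wins;
    DEFAULT (or none, if no DEFAULT entry exists) applies otherwise."""
    cmd = command.split()
    best_len, best_access = 0, entries.get("DEFAULT", "none")
    for path, access in entries.items():
        if path == "DEFAULT":
            continue
        prefix = path.split()
        if cmd[:len(prefix)] == prefix and len(prefix) > best_len:
            best_len, best_access = len(prefix), access
    return best_access


def is_permitted(entries, command):
    """all -> any command; readonly -> show commands only; none -> nothing."""
    access = effective_access(entries, command)
    if access == "all":
        return True
    if access == "readonly":
        return command.split()[-1] == "show"
    return False


def audit(cli_lines, commands):
    """Map each command to whether the role built from cli_lines permits it."""
    entries = parse_role_entries(cli_lines)
    return {c: is_permitted(entries, c) for c in commands}


# Constructed input: the two role lines from the thread, and a tighter
# variant that allows only "snapmirror update" inside the snapmirror directory.
ROLE_FROM_THREAD = [
    "security login role create -role ro -cmddirname DEFAULT -access all",
    "security login role create -role ro -cmddirname volume -access readonly",
]
TIGHTER_ROLE = ROLE_FROM_THREAD + [
    "security login role create -role ro -cmddirname snapmirror -access readonly",
    'security login role create -role ro -cmddirname "snapmirror update" -access all',
]
CHECKS = ["volume show", "volume delete", "volume snapshot delete",
          "snapmirror show", "snapmirror update", "snapmirror delete"]

if __name__ == "__main__":
    for label, role in (("thread role", ROLE_FROM_THREAD), ("tighter role", TIGHTER_ROLE)):
        print(label)
        for cmd, ok in audit(role, CHECKS).items():
            print(f"  {cmd:<24} {'permitted' if ok else 'denied'}")
```

Running it shows that the role from the post denies "volume delete" but still permits "snapmirror delete", because nothing more specific than DEFAULT matches the snapmirror directory; the tighter variant closes that while keeping the update the poster wanted. Use the audit as a pre-check and verify the result on a test cluster before assigning the role.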
Re: Security Roles... [ In reply to ]
We ran into this same issue, trying to create RO user for GUI and found
that custom roles are not supported for login to sysmgr. That same user
could ssh with the same role defined, but no GUI.

On Mon, Nov 30, 2020 at 11:23 AM Heino Walther <hw@beardmann.dk> wrote:

> Hi
>
> I’m trying to create a local user role that allows login via the web GUI,
> and update the snapmirror relations, but not be able to delete them or any
> volumes for that matter…
>
> I thought this was a walk in the park, but somehow I run into the same
> issue…
>
> I start by creating a simple role:
>
> security login role create -role ro -cmddirname DEFAULT -access all
> security login role create -role ro -cmddirname volume -access readonly
>
> I create a new user and assign the role:
>
> security login create -user-or-group-name rotest -application http
> -authentication-method password -role ro
>
> When trying to login, it fails like the password is wrong…. But why?
>
> I even tried to create a role identical to the admin role (basically just
> the first of the two lines above), and even with that, it is not possible
> to login to the web GUI…
>
> I’m beginning to fear that you need to have the admin role in order to
> login to the web GUI…
>
> Can someone please confirm that this is true… I almost cannot believe it
> ????
>
> /Heino
> _______________________________________________
> Toasters mailing list
> Toasters@teaparty.net
> https://www.teaparty.net/mailman/listinfo/toasters
SV: Security Roles... [ In reply to ]
OK thanks.. makes sense (sadly).
Would have been great to allow users to login and perform certain tasks.
Guess they will all just have to learn command-line or REST 😉

/Heino

From: mE <notsoworried@gmail.com>
Date: Monday, 30 November 2020 at 19:44
To: Heino Walther <hw@beardmann.dk>
Cc: toasters@teaparty.net <toasters@teaparty.net>
Subject: Re: Security Roles...
We ran into this same issue, trying to create RO user for GUI and found that custom roles are not supported for login to sysmgr. That same user could ssh with the same role defined, but no GUI.
Aw: SV: Security Roles... [ In reply to ]
Have you tried this KB?: https://kb.netapp.com/Advice_and_Troubleshooting/Data_Infrastructure_Management/OnCommand_Suite/How_to_create_a_custom_role_and_user_for_OnCommand_System_Manager_in_ONTAP_9x

Works fine with a SIM

Sent: Monday, 30 November 2020 at 19:47
From: "Heino Walther" <hw@beardmann.dk>
To: "mE" <notsoworried@gmail.com>
Cc: "toasters@teaparty.net" <toasters@teaparty.net>
Subject: SV: Security Roles...

OK thanks.. makes sense (sadly).

Would have been great to allow users to login and perform certain tasks.

Guess they will all just have to learn command-line or REST 😉

/Heino

From: mE <notsoworried@gmail.com>
Date: Monday, 30 November 2020 at 19:44
To: Heino Walther <hw@beardmann.dk>
Cc: toasters@teaparty.net <toasters@teaparty.net>
Subject: Re: Security Roles...

We ran into this same issue, trying to create RO user for GUI and found that custom roles are not supported for login to sysmgr. That same user could ssh with the same role defined, but no GUI.
SV: SV: Security Roles... [ In reply to ]
Well yes and no, I tried the same technique… I even tried just to create my own role with “DEFAULT / ALL” defined just like the admin role… but once I assigned this to a user he was no longer able to login to the web GUI…

BTW, the link you sent is for OCUM and as far as I know that uses the API to talk to the cluster… ????

/Heino

From: vwpolo1234@gmx.de <vwpolo1234@gmx.de>
Date: Tuesday, 1 December 2020 at 08:56
To: Heino Walther <hw@beardmann.dk>
Cc: mE <notsoworried@gmail.com>, toasters@teaparty.net <toasters@teaparty.net>
Subject: Aw: SV: Security Roles...

Have you tried this KB?:

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Infrastructure_Management/OnCommand_Suite/How_to_create_a_custom_role_and_user_for_OnCommand_System_Manager_in_ONTAP_9x

Works fine with a SIM

Sent: Monday, 30 November 2020 at 19:47
From: "Heino Walther" <hw@beardmann.dk>
To: "mE" <notsoworried@gmail.com>
Cc: "toasters@teaparty.net" <toasters@teaparty.net>
Subject: SV: Security Roles...

OK thanks.. makes sense (sadly).
Would have been great to allow users to login and perform certain tasks.
Guess they will all just have to learn command-line or REST 😉

/Heino

From: mE <notsoworried@gmail.com>
Date: Monday, 30 November 2020 at 19:44
To: Heino Walther <hw@beardmann.dk>
Cc: toasters@teaparty.net <toasters@teaparty.net>
Subject: Re: Security Roles...

We ran into this same issue, trying to create RO user for GUI and found that custom roles are not supported for login to sysmgr. That same user could ssh with the same role defined, but no GUI.
Re: SV: SV: Security Roles... [ In reply to ]
>>>>> "Heino" == Heino Walther <hw@beardmann.dk> writes:

Heino> Well yes and no, I tried the same technique… I even tried just
Heino> to create my own role with “DEFAULT / ALL” defined just like
Heino> the admin role… but once I assigned this to a user he was no
Heino> longer able to login to the web GUI…

Heino> BTW, the link you sent is for OCUM and as far as I know that
Heino> uses the API to talk to the cluster… ????

As I recall, but I haven't looked into this recently for newer
versions, the roles in cDOT are either crazy limited, or crazy wide
open. You can't create a role that can do anything, such as create a
new volume in an aggregate, without also giving them *delete* privs as
well.

So I think now the goal is to use the API and Ansible to create more
locked down setups for end users, which you then secure to your
liking.

Especially so since the Work Flow Automation tool is going away too.

John
