Skip to main content
NetApp Knowledge Base

FAQ: Custom roles for administration of ONTAP

Views:
4,449
Visibility:
Public
Votes:
4
Category:
ontap-9
Specialty:
core
Last Updated:

 

Applies to

  • ONTAP 9
  • role-based access control (RBAC)

Answer

This article describes various aspects involved when creating custom roles in ONTAP 9 for cluster and Vserver administrators, which in turn helps create customized roles.

Pre-requisites:
  • Familiarity with the ONTAP Command Line Interface (CLI).
  • Administrative privileges of a cluster administrator.
Terminology: 

Command directory

Refers to a directory in the CLI.

For example:
volume

Command subdirectory

 Refers to a directory inside a directory.

For example:
volume snapshot

Command

 Refers to a specific executable command.

For example: volume show -or- volume offline.

Intrinsic Commands

For all directories, the following are defined as intrinsic commands:

  • create
  • modify
  • delete
  • show

Non-Intrinsic Commands

 

custrole

 Refers to a custom role in all the examples mentioned in this article.

Role

A role is a collection of capabilities or privileges. A role contains multiple rules; each rule specifies one or more capabilities. The capability is specified as an ‘access control’ on a ‘command directory’ or a ‘command’. 

Syntax of role definition

A rule consists of the following parameters:

  • Vserver name: The name of the Data/ Admin Vserver to which the custom role belongs.
  • Role name: The name of the new custom role. For example, storage_admin_role.
  • Command directory (or) command: The command directory (or) command.
  • Access control: There are three options: allreadonly, and none

Consider an example with the following role definition:

(vs1.example.com, custrole, "volume", all)
(vs1.example.com, custrole, "volume snapshot", readonly)
(vs1.example.com, custrole, "volume clone", none) 

In the above example, the role ‘custrole’ belongs to a Vserver vs1.example.com and it contains three rules. 

Semantics of the role definition:

There are six combinations of directory/command and access control. The following table summarizes the semantics of each combination. 

Capability

Access

Description

Directory

all

Permits access to the specified directory, its subdirectories, and commands

Directory

readonly

Permits read-only access to the specified directory and all its subdirectories. Among the intrinsic commands, only show is available and non-intrinsic commands are not available.

Directory

None

Denies access to the specified directory, its subdirectories, and commands.

Command

all

Permits execution of the specified command.

Command

readonly

Invalid. Recommended not to use this combination. For example, volume offline with access as readonly is invalid.

Command

none

Denies execution of the specified command

How access control works
  1. Behavior of access control is hierarchical:
  2. When a rule uses a directory, it applies to all the subdirectories. For example, this tuple (vs1, custrole, "volume", all) permits access to the volume directory and all its subdirectories.
  3. Subdirectory access overrides parent directory access:
  4. If the parent directory has a specific access control and its subdirectory is specified with a different access control, the subdirectory access control overrides the parent directory access control.

Example: Consider the following two rules:

(vs1, custrole, "volume", all)
(vs1, custrole, "volume snapshot", readonly)

The first rule enables full access to the volume directory and all its subdirectories. However, the second rule restricts the access for the volume snapshot directory to readonly. In this case, volume snapshot with the readonly access overrides the volume with full access control. Hence, the volume snapshot directory and all its subdirectories have readonly access and not all access.

Example: Consider the following two rules:

(vs1, custrole, "vserver", readonly)
(vs1, custrole, "vserver nfs", all)

The first rule restricts the vserver directory and all its subdirectories to readonly. However, the second rule specifies the access of vserver nfs to all. In this case, vserver nfs with full access overrides the parent directories' readonly access control. Hence, the vserver nfs directory and all it subdirectories have all access and not readonly access.

Limitations on using intrinsic commands

The createmodifydelete, and show commands are intrinsic commands and these commands cannot be individually specified for access control. For example, the following rule is invalid: (vs1, custrole, "volume snapshot create", all).  This command gives out a warning, but enables modifydelete, and show as well. 

Example

cluster1::> security login role create -vserver svm1 -role snap_create -cmddirname "volume snapshot create" -access all

Warning: This operation will also affect the following commands:
    "volume snapshot modify"
    "volume snapshot show"

cluster1::> security login role show -vserver svm1 -role snap_create
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
svm1       snap_create   DEFAULT                                       none
                         volume snapshot create                        all
                         volume snapshot modify                        all
                         volume snapshot show                          all

What is this DEFAULT rule and why is it getting created?

The DEFAULT rule specifies the base on which rest of the rules are built. For data/admin Vserver custom roles, the DEFAULT rule access is set to none. The DEFAULT rule is automatically created. 

How to specify the individual commands in the custom RBAC role?

Intrinsic commands like create / modify / delete cannot be specified. For example, you cannot specify only the modify option to a role. 

If you want to use the intrinsic commands in the custom RBAC role, you specify any of the following options on the directory:

  • all -   Permits all the create / modify / delete / show commands
  • readonly - Permits only the show command
  • none - Denies access to the entire directory 

Non-intrinsic commands can be allowed or denied for a role. For example, volume online is a non-intrinsic command. In the case of commands, the access can be either permitted (or) denied. The command permission can be enabled by using access all, the command denial can be enabled by using access none. The access readonly is not applicable for individual commands and is not recommended to be used.

How to enable a specific ZAPI to a role?

If you want to specify a specific ZAPI for a custom role, specify the equivalent CLI command in the role specification. For example, if you want to enable volume-offline ZAPI for a custom role, add the equivalent CLI volume offline rule to the role specification.

For example, run the following command: security login role create –vserver vs1.example.com –role custrole –command "volume offline" –access all

How to list all the permissible commands of a custom role for verification purposes? 
  • Use the security login create command to create a user account ‘fred’
  • Log in using SSH for admin Vserver or run the vserver context command to switch to the specific user for a data Vserver.

Example: vserver context –vserver vs1.example.com –username fred

  • Use the security login role show-ontapi command to enumerate all the CLI and equivalent ZAPIs for the custom role.

Note: Ensure that the security login role show-ontapi command is enabled for the custom role.

How to verify whether a specific command (or) ZAPI is enabled for a custom role?

Use the show-ontapi -command  <command-name>  command to verify whether the given command is permitted for a custom role. The output will display the equivalent ZAPI, as well.

Given the CLI command how to get the equivalent ZAPI (or) given ZAPI, how to get the equivalent CLI? 

Use the show-ontapi -ontapi  "<ZAPI-name>" command to verify whether the given ZAPI is permitted for the custom role. The output will display the equivalent CLI, as well.

Is there a role copy (or) role clone command that helps to copy or clone a role?

No, this feature is not supported in ONTAP 9.

Can any command be assigned to the data Vserver custom role?

No, not all commands cannot be assigned to data Vserver custom role. Only commands with –vserver as an option can be assigned to a Vserver custom role.  For example, the system node reboot command cannot be assigned to a data Vserver custom role because this command does not have –vserver as an option. 

Custom role examples

Example: Create a custom role that permits Admin to view all the login accounts in the system. 

For example, name this role as login_accts_ro

The command to be permitted is security login show. The command directory is security login.

The security login directory with readonly access will be required.

The following is the rule tuple:

(clus1, login_accts_ro, "security login", readonly). 

This tuple enables the readonly permission not only to the security login directory, but other sub-directories as well, and the directories with readonly permission will be similar to the following:

security login domain-tunnelsecurity login publickey, and security login role.

These three directories should be prevented access. Hence, the following rules are required to be added:

(clus1, login_accts_ro, "security login domain-tunnel", none)
(clus1, login_accts_ro, "security login publickey", none)
(clus1, login_accts_ro, "security login role", none) 

The login_accts_ro should have access to change the current user's password.

The following is the rule:

(clus1, login_accts_ro, "security login password", all) 

The CLI security login role show-ontapi can be used to display the current user's capabilities; this command can be added to verify the capabilities.

(clus1, login_accts_ro, "security login role show-ontapi", all) 

The following is a summary of the rules:

(clus1, login_accts_ro, "security login", readonly)
(clus1, login_accts_ro, "security login domain-tunnel", none)
(clus1, login_accts_ro, "security login publickey", none)
(clus1, login_accts_ro, "security login role", none)
(clus1, login_accts_ro, "security login password", all)
(clus1, login_accts_ro, "security login role show-ontapi", all) 

The following command set can be used to create the login_accts_ro role: 

role create -vserver clus1 -role login_accts_ro -cmddirname "security login" -access readonly
role create -vserver clus1 -role login_accts_ro -cmddirname "security login domain-tunnel" -access none
role create -vserver clus1 -role login_accts_ro -cmddirname "security login publickey" -access none
role create -vserver clus1 -role login_accts_ro -cmddirname "security login role" -access none
role create -vserver clus1 -role login_accts_ro -cmddirname "security login password" -access all

Example: Create a custom role that allows only license management 

For example, name this as role license_role 

The command directory to be permitted is system license.

system license directory with all access will be required.

The following is the tuple:

(clus1, license_role, "system license", all). 

The license_role should have access to change the current user's password.

The rule will be similar to the following:

(clus1, license_role, "security login password", all) 

The security login role show-ontapi command can be used to display the current user's capabilities. This command can be added to verify the capabilities.

(clus1, license_role, "security login role show-ontapi", all) 

The following is a summary of the rules:

(clus1, license_role, "system license", all)
(clus1, license_role, "security login password", all)

(clus1, license_role, "security login role show-ontapi", all) 

Run the following command set to create the license_role

role create -vserver clus1 -role license_role  -cmddirname "system license" -access all
role create -vserver clus1 -role license_role  -cmddirname "security login password" -access all
role create -vserver clus1 -role license_role  -cmddirname "security login role show-ontapi" -access all
 

Example: Create a data Vserver custom role that allows only file system management 

For example, call this role  filesys_admin_role

The following command directories are to be permitted:

"vserver nfs"
"vserver cifs"
"vserver export-policy"
"vserver locks"
"vserver services ldap"
"vserver services nis-domain"
"vserver services unix-group"
"vserver services unix-user"

The following are the tuples:

(vs1.example.com, filesys_admin_role, "vserver nfs", all)
(vs1.example.com, filesys_admin_role, "vserver cifs", all)
(vs1.example.com, filesys_admin_role, "vserver export-policy", all)
(vs1.example.com, filesys_admin_role, "vserver locks", all)
(vs1.example.com, filesys_admin_role, "vserver services ldap", all)
(vs1.example.com, filesys_admin_role, "vserver services nis-domain", all)
(vs1.example.com, filesys_admin_role, "vserver services unix-group", all)
(vs1.example.com, filesys_admin_role, "vserver services unix-user", all) 

The filesys_admin_role  should have access to change the current user's password.

The rule will be as follows:

(vs1.example.com, filesys_admin_role, "security login password", all) 

The CLI security login role show-ontapi can be used to display the current user's capabilities. This command can be added to verify the capabilities.

(vs1.example.com, filesys_admin_role, "security login role show-ontapi", all) 

The following is a summary of the rules:

(vs1.example.com, filesys_admin_role, "vserver nfs", all)
(vs1.example.com, filesys_admin_role, "vserver cifs", all)
(vs1.example.com, filesys_admin_role, "vserver export-policy", all)
(vs1.example.com, filesys_admin_role, "vserver locks", all)
(vs1.example.com, filesys_admin_role, "vserver services ldap", all)
(vs1.example.com, filesys_admin_role, "vserver services nis-domain", all)
(vs1.example.com, filesys_admin_role, "vserver services unix-group", all)
(vs1.example.com, filesys_admin_role, "vserver services unix-user", all)
(vs1.example.com, filesys_admin_role, "security login password", all)
(vs1.example.com, filesys_admin_role, "security login role show-ontapi", all) 

The following is the command set to create the filesys_admin_role:

role create -vserver vs1.example.com -role filesys_admin_role  -cmddirname "vserver nfs" -access all
role create -vserver vs1.example.com -role filesys_admin_role  -cmddirname "vserver cifs" -access all
role create -vserver vs1.example.com -role filesys_admin_role  -cmddirname "vserver export-policy" -access all
role create -vserver vs1.example.com -role filesys_admin_role  -cmddirname "vserver locks" -access all
role create -vserver vs1.example.com -role filesys_admin_role  -cmddirname "vserver services ldap" -access all
role create -vserver vs1.example.com -role filesys_admin_role  -cmddirname "vserver services nis-domain" -access all
role create -vserver vs1.example.com -role filesys_admin_role  -cmddirname "vserver services unix-group" -access all
role create -vserver vs1.example.com -role filesys_admin_role  -cmddirname "vserver services unix-user" -access all
role create -vserver vs1.example.com -role filesys_admin_role  -cmddirname "security login password" -access all
role create -vserver vs1.example.com -role filesys_admin_role  -cmddirname "security login role show-ontapi" -access all

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.