Creating a Restricted Administrator for ONTAP Cluster Mode
When adding an ONTAP cluster-mode system, an admin role is required so that DataCore vFilO can reach the ONTAP APIs it depends on. The default cluster-mode admin role can be used; however, it grants full administrative access, far more than the read-only access vFilO needs, and in some situations this presents a security concern.
The following steps create an ONTAP cluster admin role that grants read-only access to only the APIs DataCore vFilO needs.
- Log in to your ONTAP cluster as a cluster admin user
- Run the following commands from the ONTAP command line (copy/paste friendly):
  security login role create -role "DataCore vFilO" -vserver C-Mode-PM1 -access none -cmddirname DEFAULT
  security login role create -role "DataCore vFilO" -vserver C-Mode-PM1 -access readonly -cmddirname "vserver show"
  security login role create -role "DataCore vFilO" -vserver C-Mode-PM1 -access readonly -cmddirname "cluster show"
  security login role create -role "DataCore vFilO" -vserver C-Mode-PM1 -access readonly -cmddirname "volume show"
  security login role create -role "DataCore vFilO" -vserver C-Mode-PM1 -access readonly -cmddirname "cluster identity show"
  security login role create -role "DataCore vFilO" -vserver C-Mode-PM1 -access readonly -cmddirname "network interface show"
  security login role create -role "DataCore vFilO" -vserver C-Mode-PM1 -access readonly -cmddirname "system license show"
  security login role create -role "DataCore vFilO" -vserver C-Mode-PM1 -access readonly -cmddirname "storage aggregate show"
  security login role create -role "DataCore vFilO" -vserver C-Mode-PM1 -access readonly -cmddirname "version"
  security login role create -role "DataCore vFilO" -vserver C-Mode-PM1 -access readonly -cmddirname "system node show"
  security login role create -role "DataCore vFilO" -vserver C-Mode-PM1 -access readonly -cmddirname "volume qtree show"
  security login role create -role "DataCore vFilO" -vserver C-Mode-PM1 -access readonly -cmddirname "system node autosupport show"
  security login role create -role "DataCore vFilO" -vserver C-Mode-PM1 -access readonly -cmddirname "security login role show-ontapi"
  These commands print warnings that additional permissions are being set up automatically (ONTAP adds the dependent command directories itself); this is expected.
- To verify the role was created correctly, run:
  security login role show -role "DataCore vFilO" -vserver C-Mode-PM1
  The output lists each command directory with its access level; every entry should be readonly except DEFAULT, which is none:
  Command/Directory                   Access Level
  DEFAULT                             none
  cluster identity modify             readonly
  cluster identity show               readonly
  cluster modify                      readonly
  cluster show                        readonly
  network interface create            readonly
  network interface delete            readonly
  network interface modify            readonly
  network interface show              readonly
  security login role show-ontapi     readonly
  storage aggregate create            readonly
  storage aggregate modify            readonly
  storage aggregate show              readonly
  system license delete               readonly
  system license show                 readonly
  system node autosupport modify      readonly
  system node autosupport show        readonly
  system node modify                  readonly
  system node show                    readonly
  version                             readonly
  volume create                       readonly
  volume modify                       readonly
  volume qtree create                 readonly
  volume qtree show                   readonly
  volume show                         readonly
  vserver create                      readonly
  vserver modify                      readonly
  vserver show                        readonly
  28 entries were displayed.
- Create a new user with the DataCore vFilO role:
  security login create -user-or-group-name "DataCore vFilO_admin" -application ontapi -authentication-method password -role "DataCore vFilO"
  Enter a password when prompted.
- You can now add the ONTAP cluster as a storage node in DataCore vFilO using the restricted cluster admin user's credentials.
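As an added example (not from this page or from DataCore/NetApp tooling), the following Python script audits the two-column entry listing returned by `security login role show` for least privilege: DEFAULT must be none, every other entry readonly, and all twelve directories the page requires present. The sample listings it checks are constructed.

```python
# Added example (not from the page or from DataCore/NetApp tooling): audit the
# entry list of an ONTAP login role for least privilege. Input is the two-column
# listing shown on the page, "<command directory> <access level>" per line, as
# printed by `security login role show`; the sample text below is constructed.

# Command directories the page says vFilO needs, all of them read-only.
REQUIRED_READONLY = {
    "vserver show", "cluster show", "volume show", "cluster identity show",
    "network interface show", "system license show", "storage aggregate show",
    "version", "system node show", "volume qtree show",
    "system node autosupport show", "security login role show-ontapi",
}


def parse_role_entries(text):
    """Map each command directory to its access level, skipping the footer."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith("entries were displayed."):
            continue
        cmddir, _, access = line.rpartition(" ")  # access level is the last word
        entries[cmddir] = access
    return entries


def audit_role(text):
    """Return findings; an empty list means DEFAULT is none and all else readonly."""
    entries = parse_role_entries(text)
    findings = []
    if entries.get("DEFAULT") != "none":
        findings.append("DEFAULT must be none, got %s" % entries.get("DEFAULT"))
    for cmddir, access in sorted(entries.items()):
        if cmddir != "DEFAULT" and access != "readonly":
            findings.append("%s grants %s, expected readonly" % (cmddir, access))
    for cmddir in sorted(REQUIRED_READONLY - set(entries)):
        findings.append("required directory missing: %s" % cmddir)
    return findings


# Constructed sample of a correct role (abridged: ONTAP also auto-adds dependent
# directories such as "cluster identity modify", which appear as readonly) ...
GOOD_OUTPUT = "\n".join(["DEFAULT none", "cluster identity modify readonly"]
                        + [d + " readonly" for d in sorted(REQUIRED_READONLY)]
                        + ["14 entries were displayed."])
# ... and a misconfigured one: DEFAULT left writable, one directory writable.
BAD_OUTPUT = "DEFAULT all\nvolume show all\n2 entries were displayed.\n"

if __name__ == "__main__":
    print(audit_role(GOOD_OUTPUT) or "role is least-privilege")
    print("\n".join(audit_role(BAD_OUTPUT)))
```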