Vaughn recently posted on setting up VSC access to the NetApp using RBAC (Role Based Access Control) permissions. This procedure is not currently in the VSC manual.
Quick tangent: Creating RBAC for every product appears to be an ongoing trend within NetApp. Documentation exists for RBAC installation on SMVI (it's in the manual), VSC (link above), Snap Drive in a virtual machine, and I think there is an RCU writeup around but I can't find it right now. This is great from a security perspective but gets a little tedious if you are loading multiple products on the same NetApp controller, and double the pain if it is an HA unit! (HINT to NetApp, figure out a way to consolidate this please!!)
Let's say you were an early adopter of VSC and installed it per the manual. You probably used root as the user ID and you never enabled SSL on the filer. If this is the case, you are sending the root password in clear text (Yikes!). Based on Vaughn's article we can easily go back and fix this.
- Configure and enable SSL on each NetApp controller if it is not already enabled
- From the command line you can use the secureadmin setup ssl and secureadmin status commands. This can also be configured from FilerView -> Secure Admin
- Create the role, group, and user on each NetApp controller. Enter each of the following lines at the command line:
- useradmin role add vsc-role -a login-http-admin,api-aggr-list-info,api-cf-get-partner,api-cf-status,api-disk-list-info,api-ems-autosupport-log,api-fcp-adapter-list-info,api-fcp-get-cfmode,api-license-list-info,api-lun-get-vdisk-attributes,api-lun-list-info,api-lun-map-list-info,api-nfs-exportfs-list-rules,api-qtree-list,api-snmp-get,api-snmp-get-next,api-system-get-info,api-system-get-version,api-volume-autosize-get,api-volume-list-info,api-volume-options-list-info
- useradmin group add vsc-group -r vsc-role
- useradmin user add vsc-user -g vsc-group
- From the vSphere Client, go to the NetApp tab and repeat the following for each controller:
- Right-click the controller and click Modify Credentials
- Enter the newly created vsc-user ID and password, check Use SSL, and click OK
Congratulations, you have just configured your vCenter Server to communicate with the NetApp systems in a safe and secure way!
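Because the same three useradmin lines have to be typed on every controller (and twice for an HA pair), here is a small POSIX shell helper that prints the exact commands per controller from the capability list above. It is an added example, not part of the original post or of any NetApp tooling: the controller names and Data ONTAP version are arguments I assume you pass in, and the only ONTAP commands it emits are the ones already shown in the post. It also applies the caveat from Andrew's comment below, dropping api-lun-get-vdisk-attributes when the version is 7.2.x so the role add does not fail with "Invalid capabilities".

```shell
#!/bin/sh
# Added example (not from the original post): print the useradmin commands
# for the VSC role, group and user, once per controller of an HA pair.
# Assumptions (mine): you paste the output on each controller's console;
# on 7-mode `useradmin user add` asks for the new password interactively,
# so the lines are printed for pasting rather than piped over ssh.

VSC_ROLE=vsc-role
VSC_GROUP=vsc-group
VSC_USER=vsc-user

# Capability list exactly as given in the post.
VSC_CAPS="login-http-admin,api-aggr-list-info,api-cf-get-partner,api-cf-status,api-disk-list-info,api-ems-autosupport-log,api-fcp-adapter-list-info,api-fcp-get-cfmode,api-license-list-info,api-lun-get-vdisk-attributes,api-lun-list-info,api-lun-map-list-info,api-nfs-exportfs-list-rules,api-qtree-list,api-snmp-get,api-snmp-get-next,api-system-get-info,api-system-get-version,api-volume-autosize-get,api-volume-list-info,api-volume-options-list-info"

# Print the capability list for a given Data ONTAP version string.
# Per the comment on the post, 7.2.x rejects api-lun-get-vdisk-attributes
# ("Invalid capabilities"), so that one capability is removed there.
vsc_caps_for_version() {
    case "$1" in
        7.2|7.2.*) printf '%s\n' "$VSC_CAPS" | sed 's/,api-lun-get-vdisk-attributes//' ;;
        *)         printf '%s\n' "$VSC_CAPS" ;;
    esac
}

# Number of capabilities in the list for that version (quick sanity check).
vsc_cap_count() {
    vsc_caps_for_version "$1" | tr ',' '\n' | wc -l | tr -d ' '
}

# Emit the three useradmin commands, one per line, for one controller.
vsc_commands() {
    caps=$(vsc_caps_for_version "$1")
    printf 'useradmin role add %s -a %s\n' "$VSC_ROLE" "$caps"
    printf 'useradmin group add %s -r %s\n' "$VSC_GROUP" "$VSC_ROLE"
    printf 'useradmin user add %s -g %s\n' "$VSC_USER" "$VSC_GROUP"
}

# Usage: sh vsc_rbac.sh <ontap-version> <controller> [<controller> ...]
#   e.g. sh vsc_rbac.sh 7.3.2 filer1 filer2
main() {
    ver="$1"; shift
    for ctl in "$@"; do
        echo "### $ctl (Data ONTAP $ver): confirm SSL is on with 'secureadmin status' first"
        vsc_commands "$ver"
        echo
    done
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it once per HA pair with both controller names; the output is the same block for each, with the role trimmed automatically when you pass a 7.2.x version.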
3 comments:
Absolute agreement on "(HINT to NetApp, figure out a way to consolidate this please!!)"...I'll even add my own exclamation points!
Especially with the success of the Complete Bundle, we end up setting up more of this stuff than we used to (especially SMVI and VSC) and it gets a bit tedious.
Just a note that if you add the role in ONTap 7.2.x, you have to remove the api-lun-get-vdisk-attributes capability or else you get this message:
Invalid capabilities: api-lun-get-vdisk-attributes
Could not add role . Error: Invalid capability
Andrew - Thank you for the information!!!