We have recently published how to enable role based access (RBAC) with the VSC for customers who want to use accounts other than root as the VSC’s ‘service account’. This is the account used to communicate with the Data ONTAP APIs.
I would suggest that RBAC be implemented in environments that have separate administration teams for storage and the Virtual Infrastructure.
In today’s post I’ll cover how to implement RBAC with the VSC. This content is also being added (along with a number of updates) to the next release of TR-3749: vSphere on NetApp storage best practices. The goal of version 1.1 is to be to reduce the size of the document from its current size of 94 to around 60. We believe the release of the VSC, RCU, and NSM demonstrates the simplicity of deploying VMware on any array powered by Data ONTAP with any storage protocol. Maybe page count is a poor metric; maybe I should list the reduction in word count (as I may replace a large amounts of text with images).
There’s no need to wait for TR-3749 v1.1 to be released because we’re going to cover this process below. If you’d like additional details around implementing RBAC head over to NOW and check out knowledge base article kb54084.
Array Side Configuration
The first part of enabling RBAC is to create a new user, group, and role where the group contains the user and has the role assigned to it. In order to complete this process you will need to execute the following steps via the ONTAP command line interface (SSH, Console connection, or telnet).
Step 1: Create the new role defining the rights required for the VSC
Enter the following command on each the storage controller. You will need to create a name for this role.
useradmin role add “role_name” -a login-http-admin,api-aggr-list-info,api-cf-get-partner,api-cf-status,api-disk-list-info,api-ems-autosupport-log,api-fcp-adapter-list-info,api-fcp-get-cfmode,api-license-list-info,api-lun-get-vdisk-attributes,api-lun-list-info,api-lun-map-list-info,api-nfs-exportfs-list-rules,api-qtree-list,api-snmp-get,api-snmp-get-next,api-system-get-info,api-system-get-version,api-volume-autosize-get,api-volume-list-info,api-volume-options-list-info
Step 2: Create a user group and assign the role to the group
Enter the following command on each the storage controller. You will need to create a name for this group and reference the role name created in the previous step.
useradmin group add “group_name” -r “role_name”
Step 3: Create a user account in the group that will be used by the VSC
Enter the following command on each the storage controller. You will need to create a name and password for this user account and reference the group name created in the previous step.
useradmin user add “user_name” -g “group_name”
(note you will be prompted to create the account password)
Step 4: Verify your work
Enter the following command on each the storage controller. You will need to reference the user account created in the previous step.
useradmin user list “user_name”
The user and group information will be displayed and should match the entries in the previous three steps.
That’s it, you now have a restricted ‘service account’ to use with the VSC. Cheers!