The NetApp unified driver talks to ONTAP via ONTAP API and HTTP(S). At a minimum, the ONTAP SVM administrator (vsadmin) role is required. The cinder driver requires cluster level rights to support scheduling based on some of the more advanced features. Such rights cannot be granted to even the SVM administrators. The following limitations apply when using a SVM admin role:
Please see “Account Permission Considerations before creating security permissions in your environment.
Assign the following permissions which are exclusive of DR, replication, and protocols, each of which will be added next:
security login role create -role cl-limited -cmddirname vserver -access readonly security login role create -role cl-limited -cmddirname "system node" -access readonly security login role create -role cl-limited -cmddirname security -access readonly security login role create -role cl-limited -cmddirname "security login role" -access readonly security login role create -role cl-limited -cmddirname statistics -access readonly security login role create -role cl-limited -cmddirname "statistics catalog counter" -access readonly security login role create -role cl-limited -cmddirname "statistics catalog instance" -access readonly security login role create -role cl-limited -cmddirname "statistics catalog" -access readonly security login role create -role cl-limited -cmddirname "storage disk" -access readonly security login role create -role cl-limited -cmddirname "storage aggregate" -access readonly security login role create -role cl-limited -cmddirname "network interface" -access readonly security login role create -role cl-limited -cmddirname "volume efficiency" -access all security login role create -role cl-limited -cmddirname "qos policy-group" -access all security login role create -role cl-limited -cmddirname version -access all security login role create -role cl-limited -cmddirname event -access all security login role create -role cl-limited -cmddirname "volume file clone" -access readonly security login role create -role cl-limited -cmddirname "volume file clone split" -access readonly security login role create -role cl-limited -cmddirname "volume snapshot" -access all
Assign the following permissions if NetApp cinder driver is to support NFS:
security login role create -role cl-limited -cmddirname "volume file" -access all
Assign the following permissions if NetApp cinder driver is to support iSCSI and or FC:
security login role create -role cl-limited -cmddirname "lun" -access all security login role create -role cl-limited -cmddirname "lun mapping" -access all security login role create -role cl-limited -cmddirname "lun igroup" -access all
Assign the following permissions if NetApp cinder driver is to support iSCSI:
security login role create -role cl-limited -cmddirname "vserver iscsi interface" -access all security login role create -role cl-limited -cmddirname "vserver iscsi security" -access all security login role create -role cl-limited -cmddirname "vserver iscsi" -access readonly
Assign the following permissions if NetApp cinder driver is to support FC:
security login role create -role cl-limited -cmddirname "vserver fcp portname" -access all security login role create -role cl-limited -cmddirname "vserver fcp interface" -access readonly security login role create -role cl-limited -cmddirname "vserver fcp" -access readonly
Assign the following permissions if NetApp cinder driver is to support replication but not cheesecake DR:
security login role create -role cl-limited -cmddirname snapmirror -access readonly security login role create -role cl-limited -cmddirname volume -access readonly
Assign the following permissions if NetApp cinder driver is to support replication along with cheesecake DR:
security login role create -role cl-limited -cmddirname "cluster peer" -access all security login role create -role cl-limited -cmddirname "cluster peer policy" -access all security login role create -role cl-limited -cmddirname "vserver peer" -access all security login role create -role cl-limited -cmddirname snapmirror -access all security login role create -role cl-limited -cmddirname volume -access all
Command to create user with appropriate role for api access:
security login create -user-or-group-name openstack –application ontapi -authentication-method password –role cl-limitedCommand to create user with appropriate role for ssh access:
security login create -user-or-group-name openstack –application ssh -authentication-method password –role cl-limited
Note
Granting ssh access is required for iSCSI CHAP authentication. Access via ssh is optional otherwise.
This document is licensed under Apache 2.0 license.