The prerequisites for ONTAP are:
When using the NetApp Manila driver in the mode where it does not manage share servers, it is important to pay attention to the following considerations:
netapp_vserver
option must be created
(and associated with aggregates) before it can be utilized as a
provisioning target for Manila. If cluster-level credentials have
not been specified in the configuration file, ensure that no root
aggregates are associated with the SVM, since the driver will not
be able to guarantee that automatically.v4.0, v4.1-pnfs
) on the SVM.replication_domain
are
peered, have intercluster LIFs configured, and are of equal ONTAP
versions.replication_domain
are peered
and have unique names.vserver
show -vserver <vserver> -fields aggr-list
to see which aggregates
are all ready assigned. You can use vserver add-aggregates
-vserver <vserver> -aggregates <first aggr,second aggr>
to add
aggregates to your SVM that Manila will be able to use.When configuring NetApp’s Manila drivers to interact with an ONTAP instance, it is important to choose the correct administrative credentials to use.
While an account with cluster-level administrative permissions is normally utilized, it is possible to use an account with reduced scope that has the appropriate privileges granted to it. In order to use an SVM-scoped account with the Manila driver and ONTAP and have access to the full set of features (including Manila Share Type Extra Specs support) availed by the Manila driver, be sure to add the access levels for the commands shown in Table 6.17, “Common Access Level Permissions Required with Any Manila Driver”, Table 6.18, “Access Level Permissions Required For Manila Driver for ONTAP with share server management - with Cluster-wide Administrative Account”, and Table 6.19, “Access Level Permissions Required For Manila Driver for ONTAP without share server management - with Cluster-wide Administrative Account”.
Note
The commands listed in the tables below are for ONTAP 9 releases.
Command | Access Level |
---|---|
vserver cifs share |
all |
event |
all |
network interface |
readonly |
vserver export-policy |
all |
volume snapshot |
all |
version |
readonly |
system node |
readonly |
volume |
all |
vserver |
readonly |
security |
readonly |
statistics |
all |
Table 6.17. Common Access Level Permissions Required with Any Manila Driver
Command | Access Level |
---|---|
vserver cifs create |
all |
vserver cifs delete |
all |
vserver nfs kerberos interface |
all |
vserver nfs kerberos realm |
all |
vserver services name-service ldap client |
all |
vserver services name-service ldap create |
all |
license |
readonly |
vserver services name-service dns create |
all |
network interface |
all |
network port |
readonly |
network port vlan |
all |
vserver |
all |
qos policy-group |
all |
Table 6.18. Access Level Permissions Required For Manila Driver for ONTAP with share server management - with Cluster-wide Administrative Account
Command | Access Level |
---|---|
license |
readonly |
storage aggregate |
readonly |
storage disk |
readonly |
qos policy-group |
all |
Table 6.19. Access Level Permissions Required For Manila Driver for ONTAP without share server management - with Cluster-wide Administrative Account
To create a role with the necessary privileges required, with access via ONTAP API only, use the following command syntax to create the role and the ONTAP user:
Create role with appropriate command directory permissions (note you will need to execute this command for each of the required access levels as described in the earlier tables).
security login role create –role openstack –cmddirname [required command from earlier tables] -access [Required Access Level]
Command to create user with appropriate role
security login create –username openstack –application ontapi –authmethod password –role openstack
To create a role with the necessary privileges required, with access via ONTAP API only, use the following command syntax to create the role and the ONTAP user:
Create role with appropriate command directory permissions (note you will need to execute this command for each of the required access levels as described in the earlier tables).
security login role create –role openstack -vserver [vserver_name] –cmddirname [required command from earlier tables] -access [Required Access Level]
Command to create user with appropriate role
security login create –username openstack –application ontapi –authmethod password –role openstack -vserver [vserver_name]
Tip
For more information on how to grant access level permissions to a role, and then assign the role to an administrative account, please refer to the System Administration Guide for Cluster Administrators document in the ONTAP documentation.
Note
SVM-Scoped user accounts do not support the configuration of the
reserved_share_percentage
config option. SVM-Scoped user
accounts can only work if the option is set to 0
.
This document is licensed under Apache 2.0 license.