PureStorage-Connect / PowerShellSDK2

Pure Storage FlashArray PowerShell Software Development Kit (SDK) version 2.
https://support.purestorage.com/Solutions/Microsoft_Platform_Guide
Apache License 2.0

Update-Pfa2Support requires 'array_admin' role to enable Remote Assist #3

Closed cadayton closed 2 years ago

cadayton commented 2 years ago

Update-Pfa2Support requires 'array_admin' role to enable Remote Assist, whereas the current array management interface and the CLI allow the 'storage_admin' role to enable Remote Assist.

To my knowledge only the local 'pureuser' account can be assigned the 'array_admin' role. For Update-Pfa2Support to be useful in our automation work this cmdlet needs to allow the 'storage_admin' role to perform this function too.

mikenelson-io commented 2 years ago

Hi Craig,

Actually, you can have any user with the role of "array_admin" as long as that user is defined with that role on creation (local user) or if that user is placed in the proper LDAP group (see documentation reference below). The limitation of the permissions required for this cmdlet to function is set by the REST API, not by the PowerShell cmdlet. As stated in the referenced doc below, Remote Assist functionality is considered by the API to be "array-wide changes dealing with global and system configurations." The Storage Admin role only deals with storage of the array, such as administering volumes, hosts, and host groups. For this particular cmdlet, as well as all others that deal with global or system modifications, the Array Admin role is required.

As per the FlashArray User Guide --> Settings --> User Panel -

All users in the array, whether created locally or added to the array through LDAP integration, are assigned one of the following roles in the array:

Read-Only. Users with the Read-Only (readonly) role can perform operations that convey the state of the array. Read Only users cannot alter the state of the array.

Ops Admin. Users with the Ops Admin (ops_admin) role can perform the same operations as Read Only users plus enable and disable remote assistance sessions. Ops Admin users cannot alter the state of the array.

Storage Admin. Users with the Storage Admin (storage_admin) role can perform the same operations as Read Only users plus storage related operations, such as administering volumes, hosts, and host groups. Storage Admin users cannot perform operations that deal with global and system configurations.

Array Admin. Users with the Array Admin (array_admin) role can perform the same operations as Storage Admin users plus array-wide changes dealing with global and system configurations. In other words, Array Admin users can perform all operations.

For local users, the role is set during user creation. For LDAP users, the role is set by configuring groups in the directory that correspond to the FlashArray user roles.

I hope that clears things up.

cadayton commented 2 years ago

Hi Mike,

I understand fully what you are saying, but that is only true when calling the Update-Pfa2Support cmdlet.

From the CLI or the GUI management interface as a 'storage_admin' account, I can enable Remote Assist. Shouldn't the CLI and the GUI be using the same rules? Anyway, this is what I'm wondering.

Thanks, Craig


mikenelson-io commented 2 years ago

Craig, I'm confused. I just created a user that has the Storage Admin role and logged in to the UI with that user ID. The Remote Assist and Phone Home options are greyed-out for that user ID (screenshot attached). I then tried to run the CLI command to enable Remote Assist with that user ID. It failed as it only allows that user to do a 'purearray remoteassist --status'.

[Screenshot: 2021-12-20_15-13-58]

cadayton commented 2 years ago

Well, I wonder why our environment is different.

We can do a WebEx/Zoom together to prove that a storage_admin role can do it on any of our arrays regardless of Purity/FA version.


mikenelson-io commented 2 years ago

Craig, if you could email me directly with your SE's or AE's name, we can set something up. My email is mnelson-at-purestorage.com. Thanks.

mikenelson-io commented 2 years ago

Resolved & closed.