netapp.ontap.na_ontap_user allow for split roles for user

[cordelster]

Summary

netapp.ontap.na_ontap_user being item potent, does not allow for split roles of user. Where as user requires a custom role and service-processor access is not possible to accomplish. The service-processor application type only allows "admin" role because of device limitation where the device can not cope with implementing another role.

The only workaround is to create a user with all applications under the role 'admin' then modify all applications except 'service-processor' in the cluster shell to use the intended role on each storage cluster.

The module needs to allow for modifying a users role per application at least.

Component Name

netapp.ontap.na_ontap_user

Additional Information

      - hostname:                     "{{ cluster_name }}"
        name:                         'netapp-support'
        applications:                 service-processor
        authentication_method:        password
        lock_user:                    yes
        role_name:                    'admin'
        vserver:                      "{{ cluster_name }}"

      - hostname:                     "{{ cluster_name }}"
        name:                         'netapp-support'
        applications:                 ontapi,ssh,console,http
        authentication_method:        password
        lock_user:                    yes
        role_name:                    'netapp-service'
        vserver:                      "{{ cluster_name }}"

[mohanrajb9]

I created an user with different role name.

ontap_cluster_1::*> security login show -vserver ontap_cluster_1 -user-or-group-name user1

Vserver: ontap_cluster_1
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
user1          http        cert          role2            -      none
user1          service-processor
                           password      admin            no     none
user1          ssh         password      role2            no     none

REST API /security/accounts returns a single role value for all of the applications. if you check below, its the records returned for the user1, here only one role value returned back for all application, I thought it will return role specific to each application.

{'_links': {'self': {'href': '/api/security/accounts?name=user1&role.name=role2&fields=%2A&scope=cluster'}},
 'num_records': 1,
 'records': [{
              'applications': [{'application': 'http',
                                'authentication_methods': ['certificate'],
                                'is_ldap_fastbind': False,
                                'second_authentication_method': 'none'},
                               {'application': 'service_processor',
                                'authentication_methods': ['password'],
                                'is_ldap_fastbind': False,
                                'second_authentication_method': 'none'}],
              'locked': False,
              'name': 'user1',
              'owner': {
                        'name': 'ontap_cluster_1',
                        'uuid': '02c64e71-9311-11ed-926e-005056b34578'},
              'password_hash_algorithm': 'sha512',
              'role': {
                       'name': 'role2'},
              'scope': 'cluster'}]}

but I do get a warning when I try to add an application with different role in cli

ontap_cluster_1::*> security login create -user-or-group-name user1 -application http -authentication-method cert -role role2

Warning: User account ontap_cluster_1:user1 has 1 role(s) {"admin"} that use
different application(s) and authentication method(s). One role for all
applications and authentication methods is recommended for a user account.

checking this with REST team, we need to get role specific to each application in user to determine the modify.