This post is more than 5 years old
24 Posts
0
4261
User role for non-root for REST API access
Hi,
I've created a script to poll some data out of the Isilon (8.0) using the REST API, however, I want to set up a limit R/O account and not use the root/admin account. I followed RobChang-Isilon's tutorial OneFS API Tutorial & InsightIQ Performance Metrics and added Platform API and Statistics to the role for the user. That works for the calls to the FSA tables, however, no matter what I do, if I want to do a GET against e.g. /platform/3/zones I just get a 403 back. Any suggestions how I can tweak my non-root user to access this as well?
-John Fjeldberg
NoDecaf
24 Posts
1
November 30th, 2017 13:00
Just for closure to this, I opened a case and did a webex session with support. Turned out I had managed to get an extra "l" in my srm_billing (srm_billling instead) username in the script! thanks for all your suggestions anyway!
-John
Peter_Sero
1.2K Posts
1
November 10th, 2017 01:00
add ISI_PRIV_AUTH to the role.
NoDecaf
24 Posts
0
November 15th, 2017 17:00
Hi Peter,
thanks for the suggestion, however, I tried to do that but it seems to still not work, Here's my account setup:
isilon1-1# isi auth users view srm_billing
Name: srm_billing
DN: CN=srm_billing,CN=Users,DC=ISILON1
DNS Domain: -
Domain: ISILON1
Provider: lsa-local-provider:System
Sam Account Name: srm_billing
UID: 2002
SID: S-1-5-21-1163659532-810494347-3874808745-1002
Enabled: Yes
Expired: No
Expiry: -
Locked: No
Email: -
GECOS: -
Generated GID: No
Generated UID: No
Generated UPN: Yes
Primary Group
ID: GID:1800
Name: Isilon Users
Home Directory: /ifs/home/srm_billing
Max Password Age: 4W
Password Expired: No
Password Expiry: 2017-11-16T09:34:49
Password Last Set: 2017-11-10T08:03:10
Password Expires: No
Shell: /bin/zsh
UPN: srm_billing@ISILON1
User Can Change Password: Yes
isilon1-1# isi auth role view API_Stats_Role
Name: API_Stats_Role
Description: Used by SRM Billing
Members: -
Privileges
ID: ISI_PRIV_LOGIN_CONSOLE
Read Only: True
ID: ISI_PRIV_LOGIN_PAPI
Read Only: True
ID: ISI_PRIV_SYS_SUPPORT
Read Only: True
ID: ISI_PRIV_AUTH
Read Only: True
ID: ISI_PRIV_CLUSTER
Read Only: True
ID: ISI_PRIV_DEVICES
Read Only: True
ID: ISI_PRIV_JOB_ENGINE
Read Only: True
ID: ISI_PRIV_STATISTICS
Read Only: True
ID: ISI_PRIV_NS_TRAVERSE
Read Only: True
ID: ISI_PRIV_NS_IFS_ACCESS
Read Only: True
isilon1-1# isi auth roles members list API_Stats_Role
Type Name
-----------------
user srm_billing
-----------------
Total: 1
Any suggestions what might be going on here?
Thanks,
John Fjeldberg
Peter_Sero
1.2K Posts
2
November 16th, 2017 12:00
Looks reasonable to me, but at second sight I wonder why
the user srm_billing is not also listed here under "Members"
(which should be the case according to some testing I did):
isilon1-1# isi auth role view API_Stats_Role
Name: API_Stats_Role
Description: Used by SRM Billing
Members: -
Privileges
[...]
That doesn't really explain why the other statistics are working,
but might be a clue that something got messed up.
You could try removing and re-addig the role for the user,
or create another user, or ask Isilon support for help to resolve this inconsistency first.
-- Peter
NoDecaf
24 Posts
0
November 16th, 2017 20:00
Thanks Peter,
I noticed I copied and pasted the wrong section out of the console. There was a section later on where I had the member field updated, as you can see from the last command I pasted. I'll open a case next week, but again, thanks for your suggestions!
-John Fjeldberg