NoDecaf
2 Bronze

User role for non-root for REST API access

Jump to solution

Hi,

I've created a script to poll some data out of the Isilon (8.0) using the REST API, however, I want to set up a limit R/O account and not use the root/admin account. I followed RobChang-Isilon's tutorial OneFS API Tutorial & InsightIQ Performance Metrics and added Platform API and Statistics to the role for the user. That works for the calls to the FSA tables, however, no matter what I do, if I want to do a GET against e.g. /platform/3/zones I just get a 403 back. Any suggestions how I can tweak my non-root user to access this as well?

-John Fjeldberg

Labels (1)
Tags (2)
0 Kudos
1 Solution

Accepted Solutions
NoDecaf
2 Bronze

Re: User role for non-root for REST API access

Jump to solution

Just for closure to this, I opened a case and did a webex session with support. Turned out I had managed to get an extra "l" in my srm_billing (srm_billling instead) username in the script! thanks for all your suggestions anyway!

-John

5 Replies
Peter_Sero
4 Tellurium

Re: User role for non-root for REST API access

Jump to solution

add ISI_PRIV_AUTH to the role.

NoDecaf
2 Bronze

Re: Re: User role for non-root for REST API access

Jump to solution

Peter Serocka wrote:

add ISI_PRIV_AUTH to the role.

Hi Peter,

thanks for the suggestion, however, I tried to do that but it seems to still not work, Here's my account setup:

isilon1-1# isi auth users view srm_billing

                    Name: srm_billing

                      DN: CN=srm_billing,CN=Users,DC=ISILON1

              DNS Domain: -

                  Domain: ISILON1

                Provider: lsa-local-provider:System

        Sam Account Name: srm_billing

                    UID: 2002

                    SID: S-1-5-21-1163659532-810494347-3874808745-1002

                Enabled: Yes

                Expired: No

                  Expiry: -

                  Locked: No

                  Email: -

                  GECOS: -

          Generated GID: No

          Generated UID: No

          Generated UPN: Yes

          Primary Group

                          ID: GID:1800

                        Name: Isilon Users

          Home Directory: /ifs/home/srm_billing

        Max Password Age: 4W

        Password Expired: No

        Password Expiry: 2017-11-16T09:34:49

      Password Last Set: 2017-11-10T08:03:10

        Password Expires: No

                  Shell: /bin/zsh

                    UPN: srm_billing@ISILON1

User Can Change Password: Yes

isilon1-1# isi auth role view API_Stats_Role

      Name: API_Stats_Role

Description: Used by SRM Billing

    Members: -

Privileges

            ID: ISI_PRIV_LOGIN_CONSOLE

      Read Only: True

            ID: ISI_PRIV_LOGIN_PAPI

      Read Only: True

            ID: ISI_PRIV_SYS_SUPPORT

      Read Only: True

           ID: ISI_PRIV_AUTH

      Read Only: True

            ID: ISI_PRIV_CLUSTER

      Read Only: True

            ID: ISI_PRIV_DEVICES

      Read Only: True

            ID: ISI_PRIV_JOB_ENGINE

      Read Only: True

            ID: ISI_PRIV_STATISTICS

      Read Only: True

            ID: ISI_PRIV_NS_TRAVERSE

      Read Only: True

            ID: ISI_PRIV_NS_IFS_ACCESS

      Read Only: True

isilon1-1# isi auth roles members list  API_Stats_Role

Type  Name

-----------------

user  srm_billing

-----------------

Total: 1

Any suggestions what might be going on here?

Thanks,

John Fjeldberg

0 Kudos
Highlighted
Peter_Sero
4 Tellurium

Re: User role for non-root for REST API access

Jump to solution

Looks reasonable to me, but at second sight I wonder why

the user srm_billing is not also listed here under "Members"

(which should be the case according to some testing I did):

isilon1-1# isi auth role view API_Stats_Role

      Name: API_Stats_Role

Description: Used by SRM Billing

    Members: -

Privileges

[...]

That doesn't really explain why the other statistics are working,

but might be a clue that something got messed up.

You could try removing and re-addig the role for the user,

or create another user, or ask Isilon support for help to resolve this inconsistency first.

-- Peter

NoDecaf
2 Bronze

Re: User role for non-root for REST API access

Jump to solution

Thanks Peter,

I noticed I copied and pasted the wrong section out of the console. There was a section later on where I had the member field updated, as you can see from the last command I pasted. I'll open a case next week, but again, thanks for your suggestions!

-John Fjeldberg

0 Kudos
NoDecaf
2 Bronze

Re: User role for non-root for REST API access

Jump to solution

Just for closure to this, I opened a case and did a webex session with support. Turned out I had managed to get an extra "l" in my srm_billing (srm_billling instead) username in the script! thanks for all your suggestions anyway!

-John