
Known issues

Laurent Nicolas edited this page Aug 16, 2022 · 3 revisions

custom vsadmin REST role cannot read version - not authorized for that command

This is an ONTAP issue that affects 9.11.1 and earlier versions. When creating a custom vsadmin role, it is not possible to give readonly access to /api/cluster. This prevents some of our modules from fetching the ONTAP version, and the module fails with "not authorized for that command".

You can see that the default vsadmin role has readonly access to /api/cluster, but this option is not available for custom roles.

laurentn-test-create-1::> rest-role show -vserver ansibleSVM -role vsadmin -api /api/cluster 
(security login rest-role show)

Vserver: ansibleSVM
Role Name: vsadmin
api path: /api/cluster
Access Level: readonly
laurentn-test-create-1::> rest-role create -vserver ansibleSVM -role vsadmin_ln -api /api/cluster -access readonly 
(security login rest-role create)

Error: command failed: A Vserver admin cannot use command directory "cluster"
with access level "readonly". Use a different access level.

This can be bypassed for some modules by forcing REST with use_rest: always. But other modules use the ONTAP version to decide which options are supported, e.g. na_ontap_volume and na_ontap_rest_info.

A work-around is to use the builtin vsadmin role.

We are adding a new option in 21.23.0 that lets you force the ONTAP version, so that customized REST roles are accepted.
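A playbook using that option with a custom vsadmin REST role, added here as an example rather than taken from this wiki page. It assumes netapp.ontap 21.23.0 or later, where the option is named force_ontap_version; the variables svm_mgmt_lif, svm_user and svm_password are placeholders.

```yaml
# Added example, not part of the original page.
# Assumptions: svm_user is bound to a custom REST role (such as vsadmin_ln
# above) that cannot read /api/cluster, and svm_mgmt_lif is the SVM's own
# management interface, not the cluster management interface.
- name: Use a custom vsadmin REST role without reading the ONTAP version
  hosts: localhost
  gather_facts: false
  collections:
    - netapp.ontap
  vars:
    login: &login
      hostname: "{{ svm_mgmt_lif }}"
      username: "{{ svm_user }}"
      password: "{{ svm_password }}"
      https: true
      validate_certs: true
      # Never fall back to ZAPI; the custom role is a REST role.
      use_rest: always
      # Skip the GET on /api/cluster that the role is not allowed to make.
      # This must match the real cluster version: the modules use it to
      # decide which options are supported.
      force_ontap_version: "9.11.1"
  tasks:
    - name: List the volumes visible to the SVM admin
      na_ontap_rest_info:
        <<: *login
        gather_subset:
          - storage/volumes
      register: result

    - name: Show what was returned
      ansible.builtin.debug:
        var: result.ontap_info
```

If the forced version is higher than the version the cluster actually runs, a module may send options that the cluster rejects, so keep the value in step with cluster upgrades.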

not authorized for that command vs User is not authorized.

"User is not authorized." indicates an authentication issue: a wrong username or password or, for a vsadmin type user, not accessing the SVM on the correct IP interface.

"not authorized for that command" indicates a permission issue when using a REST role.