Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Publishing zapi commands and rest endpoints which trident uses of ONTAP to contrib/ontap folder.
1 parent 60db03b commit f6425de
Showing 9 changed files with 691 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
|
||
# Trident custom-role generator | ||
|
||
There are three primary methods for users to consume the list of commands/APIs required to create a role on ONTAP specific to Trident. | ||
|
||
|
||
|
||
## Options | ||
|
||
- Raw | ||
- ONTAP CLI Pastable | ||
- Python script | ||
|
||
|
||
## Raw | ||
|
||
In the [**raw**](raw) folder, users can access a list of ZAPI commands and REST paths in JSON format, which can be consumed as needed. | ||
|
||
## ONTAP CLI Pastable | ||
|
||
In the [**cli_pastable**](cli_pastable) folder, users can access a list of ONTAP CLI commands that can be copy-pasted into the ONTAP CLI to create a custom role. | ||
- In order to create a zapi-based role, users can copy-paste the commands in the [**zapi_custom_role_output.txt**](cli_pastable/zapi_custom_role_output.txt) file. | ||
- In order to create a rest-based role, users can copy-paste the commands in the [**rest_custom_role_output.txt**](cli_pastable/rest_custom_role_output.txt) file. | ||
|
||
Both ZAPI and REST roles are currently designed to create a role named **trident** at the cluster level. If users need to create a role at the SVM level or change the role name from trident to a different name, you can utilize the role-generator bash script provided alongside the output files. | ||
|
||
Before proceeding, ensure you copy the commands/APIs from the [**raw**](raw) folder to the location where you will run the script, or provide the path to the script accordingly. | ||
|
||
How to use the script: | ||
|
||
```bash | ||
./role-generator.sh -r <role-name> -v <vserver-name> --zapi/--rest | ||
```` | ||
|
||
To view detailed usage instructions, execute the script with the -h or --help option. | ||
|
||
## Python script | ||
|
||
In the [**script**](script) folder, users can access a Python script that can be used to create a custom role on ONTAP | ||
|
||
How to use the script: | ||
|
||
```bash | ||
pip install -r requirements.txt | ||
python role-creator.py -i <host-ip> -u <username> -p <password> --zapi/--rest | ||
``` | ||
Same as above, here too you need to copy the commands/APIs from the [**raw**](raw) folder to the location where you will run the script, or provide the path to the script accordingly. | ||
|
||
By default, the script will create a role named **trident** at the cluster level. If you need to create a role at the SVM level or change the role name from trident to a different name, you can use **--role-name** and **--vserver-name** options. | ||
|
||
|
||
To view detailed usage instructions, execute the script with the -h or --help option. | ||
|
||
|
||
|
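Review bot: The Python usage line in the README documents `-p <password>` as a command-line argument, which leaves the ONTAP password in shell history and visible in the process list while the script runs. Consider documenting a prompt or environment-variable alternative, and adding one to role-creator.py if it has none. Smaller points in the same file: the first bash fence opens with three backticks and closes with four; `--zapi/--rest` should say that exactly one of the two is required; the sentence "If users need to ... you can utilize" switches person halfway; and "or provide the path to the script accordingly" never names the option, which role-generator.sh takes as `-j`.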
31 changes: 31 additions & 0 deletions
contrib/ontap/trident_role/cli_pastable/rest_custom_role_output.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
security login rest-role create -role "trident" -api "/api/private/cli/vserver/nvme/subsystem/delete" -access all | ||
security login rest-role create -role "trident" -api "/api/protocols/san/igroups/initiators" -access all | ||
security login rest-role create -role "trident" -api "/api/protocols/nvme/subsystems/hosts" -access all | ||
security login rest-role create -role "trident" -api "/api/protocols/san/igroups" -access all | ||
security login rest-role create -role "trident" -api "/api/protocols/san/iscsi/credentials" -access read_modify | ||
security login rest-role create -role "trident" -api "/api/network/ip/interfaces" -access readonly | ||
security login rest-role create -role "trident" -api "/api/storage/namespaces" -access read_create_modify | ||
security login rest-role create -role "trident" -api "/api/protocols/san/iscsi/services" -access readonly | ||
security login rest-role create -role "trident" -api "/api/storage/luns" -access all | ||
security login rest-role create -role "trident" -api "/api/cluster/jobs" -access readonly | ||
security login rest-role create -role "trident" -api "/api/storage/qtrees" -access all | ||
security login rest-role create -role "trident" -api "/api/cluster" -access readonly | ||
security login rest-role create -role "trident" -api "/api/snapmirror/relationships" -access all | ||
security login rest-role create -role "trident" -api "/api/protocols/nvme/subsystems" -access all | ||
security login rest-role create -role "trident" -api "/api/storage/volumes" -access all | ||
security login rest-role create -role "trident" -api "/api/storage/quota/rules" -access read_create_modify | ||
security login rest-role create -role "trident" -api "/api/storage/volumes/snapshots" -access all | ||
security login rest-role create -role "trident" -api "/api/svm/svms" -access readonly | ||
security login rest-role create -role "trident" -api "/api/protocols/nfs/export-policies/rules" -access all | ||
security login rest-role create -role "trident" -api "/api/cluster/schedules" -access readonly | ||
security login rest-role create -role "trident" -api "/api/protocols/cifs/shares" -access all | ||
security login rest-role create -role "trident" -api "/api/support/ems/application-logs" -access read_create | ||
security login rest-role create -role "trident" -api "/api/protocols/nfs/export-policies" -access all | ||
security login rest-role create -role "trident" -api "/api/protocols/nvme/subsystem-maps" -access all | ||
security login rest-role create -role "trident" -api "/api/snapmirror/relationships/transfers" -access read_create | ||
security login rest-role create -role "trident" -api "/api/protocols/san/lun-maps" -access all | ||
security login rest-role create -role "trident" -api "/api/snapmirror/policies" -access readonly | ||
security login rest-role create -role "trident" -api "/api/storage/aggregates" -access readonly | ||
security login rest-role create -role "trident" -api "/api/storage/luns/attributes" -access read_create_modify | ||
security login rest-role create -role "trident" -api "/api/protocols/san/lun-maps/reporting-nodes" -access readonly | ||
security login rest-role create -role "trident" -api "/api/svm/peers" -access readonly |
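Review bot: The first entry grants `-access all` on `/api/private/cli/vserver/nvme/subsystem/delete`, the only private CLI passthrough path in the list; a short note in the README or the source JSON on why Trident needs it would help anyone auditing the role. The entries are in no recognisable order, so sorting by `-api` path would make the granted set easier to review and keep later diffs small. The file name matches the default output of role-generator.sh, but nothing here says it is generated; a line in the README telling contributors to regenerate it rather than hand-edit would prevent drift from the raw JSON.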
110 changes: 110 additions & 0 deletions
contrib/ontap/trident_role/cli_pastable/role-generator.sh
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,110 @@ | ||
#!/bin/bash | ||
|
||
|
||
# ONTAP Role Generator Bash Sample Scripts | ||
# This script was developed by NetApp to help demonstrate | ||
# NetApp technologies. This script is not officially | ||
# supported as a standard NetApp product. | ||
|
||
# Purpose: THE FOLLOWING SCRIPT SHOWS HOW TO GENERATE ROLE FOR ONTAP. | ||
|
||
# usage: ./role-generator.sh [-h] [-v VSERVER_NAME] [-r ROLE_NAME] [--zapi] [--rest] [-j JSON] [-o OUTPUT] | ||
|
||
# Copyright (c) 2024 NetApp, Inc. All Rights Reserved. | ||
# Licensed under the BSD 3-Clause "New or Revised" License (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# https://opensource.org/licenses/BSD-3-Clause | ||
|
||
# Default values | ||
DEFAULT_ZAPI_JSON_FILE="./zapi_custom_role.json" | ||
DEFAULT_ZAPI_OUTPUT_FILE="./zapi_custom_role_output.txt" | ||
DEFAULT_REST_JSON_FILE="./rest_custom_role.json" | ||
DEFAULT_REST_OUTPUT_FILE="./rest_custom_role_output.txt" | ||
ZAPI=false | ||
REST=false | ||
|
||
# Function to display usage information | ||
usage() { | ||
echo "Usage: $0 [options]" | ||
echo "Options:" | ||
echo " -j, --json-file <file> Path to the JSON file (default: ZAPI=$DEFAULT_ZAPI_JSON_FILE, REST=$DEFAULT_REST_JSON_FILE)" | ||
echo " -o, --output-file <file> Path to the output file (default: ZAPI=$DEFAULT_REST_OUTPUT_FILE, REST=$DEFAULT_REST_OUTPUT_FILE)" | ||
echo " -r, --role-name <string> Name of the role (default: trident)" | ||
echo " -v, --vserver-name <string> Name of the vserver (default: None)" | ||
echo " --zapi Generate custom role for ZAPI" | ||
echo " --rest Generate custom role for REST" | ||
echo " -h, --help Display this help message" | ||
exit 1 | ||
} | ||
|
||
# Parse command-line arguments | ||
while [[ "$#" -gt 0 ]]; do | ||
case $1 in | ||
-j|--json-file) JSON_FILE="$2"; shift 2 ;; | ||
-o|--output-file) OUTPUT_FILE="$2"; shift 2 ;; | ||
-r|--role-name) ROLE_NAME="$2"; shift 2 ;; | ||
-v|--vserver-name) VSERVER_NAME="$2"; shift 2 ;; | ||
--zapi) ZAPI=true; shift ;; | ||
--rest) REST=true; shift ;; | ||
-h|--help) usage ;; | ||
*) echo "Unknown parameter passed: $1"; usage ;; | ||
esac | ||
done | ||
|
||
if [ "$ZAPI" = true ] && [ "$REST" = true ]; then | ||
echo "Please specify either -z or -r option" | ||
usage | ||
fi | ||
|
||
if [ "$ZAPI" = false ] && [ "$REST" = false ]; then | ||
echo "Please specify either -z or -r option" | ||
usage | ||
fi | ||
|
||
# Set default values if not provided | ||
if [ "$ZAPI" = true ]; then | ||
JSON_FILE="${JSON_FILE:-$DEFAULT_ZAPI_JSON_FILE}" | ||
OUTPUT_FILE="${OUTPUT_FILE:-$DEFAULT_ZAPI_OUTPUT_FILE}" | ||
else | ||
JSON_FILE="${JSON_FILE:-$DEFAULT_REST_JSON_FILE}" | ||
OUTPUT_FILE="${OUTPUT_FILE:-$DEFAULT_REST_OUTPUT_FILE}" | ||
fi | ||
|
||
ROLE_NAME="${ROLE_NAME:-trident}" | ||
VSERVER_NAME="${VSERVER_NAME:-None}" | ||
|
||
# Clear the output file if it exists | ||
> "$OUTPUT_FILE" | ||
|
||
|
||
# Read and process the JSON file using jq | ||
if [ "$ZAPI" = true ]; then | ||
jq -c '.[]' "$JSON_FILE" | while read -r item; do | ||
command=$(echo "$item" | jq -r '.command') | ||
access_level=$(echo "$item" | jq -r '.access_level') | ||
|
||
if [ "$VSERVER_NAME" = "None" ]; then | ||
formatted_line="security login role create -role \"$ROLE_NAME\" -cmddirname \"$command\" -access $access_level" | ||
else | ||
formatted_line="security login role create -role \"$ROLE_NAME\" -vserver \"$VSERVER_NAME\" -cmddirname \"$command\" -access $access_level" | ||
fi | ||
|
||
echo "$formatted_line" >> "$OUTPUT_FILE" | ||
done | ||
echo "Commands have been written to $OUTPUT_FILE" | ||
else | ||
jq -c '.[]' "$JSON_FILE" | while read -r item; do | ||
path=$(echo "$item" | jq -r '.path') | ||
access=$(echo "$item" | jq -r '.access') | ||
|
||
if [ "$VSERVER_NAME" = "None" ]; then | ||
formatted_line="security login rest-role create -role \"$ROLE_NAME\" -api \"$path\" -access $access" | ||
else | ||
formatted_line="security login rest-role create -role \"$ROLE_NAME\" -vserver \"$VSERVER_NAME\" -api \"$path\" -access $access" | ||
fi | ||
|
||
echo "$formatted_line" >> "$OUTPUT_FILE" | ||
done | ||
echo "Paths have been written to $OUTPUT_FILE" | ||
fi |
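Review bot: Both mode checks after argument parsing print "Please specify either -z or -r option", but the script has no `-z` flag and `-r` is the role name; the message should name `--zapi` and `--rest`. In usage(), the `-o` default shows `ZAPI=$DEFAULT_REST_OUTPUT_FILE` where `$DEFAULT_ZAPI_OUTPUT_FILE` is meant, and `-h` goes through `exit 1`, so asking for help reports failure. `> "$OUTPUT_FILE"` truncates the output before anything checks that jq is installed or that `$JSON_FILE` exists, so a bad path leaves an empty file and still prints the "have been written" message. ROLE_NAME and VSERVER_NAME are written into quoted CLI lines unvalidated; rejecting values that contain quotes, whitespace or newlines would keep the pastable output to one well-formed command per entry. The two extra jq calls per item can be folded into a single jq invocation that emits both fields.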
113 changes: 113 additions & 0 deletions
contrib/ontap/trident_role/cli_pastable/zapi_custom_role_output.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,113 @@ | ||
security login role create -role "trident" -cmddirname "job" -access readonly | ||
security login role create -role "trident" -cmddirname "job schedule" -access readonly | ||
security login role create -role "trident" -cmddirname "lun" -access all | ||
security login role create -role "trident" -cmddirname "lun igroup" -access readonly | ||
security login role create -role "trident" -cmddirname "lun mapping" -access readonly | ||
security login role create -role "trident" -cmddirname "network interface" -access readonly | ||
security login role create -role "trident" -cmddirname "snapmirror" -access readonly | ||
security login role create -role "trident" -cmddirname "snapmirror policy" -access readonly | ||
security login role create -role "trident" -cmddirname "snapshot" -access readonly | ||
security login role create -role "trident" -cmddirname "system node" -access readonly | ||
security login role create -role "trident" -cmddirname "volume" -access readonly | ||
security login role create -role "trident" -cmddirname "volume quota policy rule" -access readonly | ||
security login role create -role "trident" -cmddirname "volume snapshot" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver export-policy rule" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver iscsi security" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver peer" -access readonly | ||
security login role create -role "trident" -cmddirname "lun resize" -access all | ||
security login role create -role "trident" -cmddirname "volume destroy" -access all | ||
security login role create -role "trident" -cmddirname "volume quota policy rule modify" -access all | ||
security login role create -role "trident" -cmddirname "volume snapshot" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver iscsi security modify" -access all | ||
security login role create -role "trident" -cmddirname "volume" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver export-policy delete" -access all | ||
security login role create -role "trident" -cmddirname "snapmirror release" -access all | ||
security login role create -role "trident" -cmddirname "job schedule" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver cifs share" -access readonly | ||
security login role create -role "trident" -cmddirname "snapmirror" -access readonly | ||
security login role create -role "trident" -cmddirname "snapmirror initialize" -access all | ||
security login role create -role "trident" -cmddirname "lun igroup add" -access all | ||
security login role create -role "trident" -cmddirname "lun igroup remove" -access all | ||
security login role create -role "trident" -cmddirname "lun offline" -access all | ||
security login role create -role "trident" -cmddirname "volume modify" -access all | ||
security login role create -role "trident" -cmddirname "snapmirror list-destinations" -access all | ||
security login role create -role "trident" -cmddirname "snapmirror create" -access all | ||
security login role create -role "trident" -cmddirname "network interface" -access readonly | ||
security login role create -role "trident" -cmddirname "storage aggregate show-space" -access readonly | ||
security login role create -role "trident" -cmddirname "lun modify" -access all | ||
security login role create -role "trident" -cmddirname "lun" -access readonly | ||
security login role create -role "trident" -cmddirname "volume mount" -access all | ||
security login role create -role "trident" -cmddirname "volume snapshot restore" -access all | ||
security login role create -role "trident" -cmddirname "volume snapshot delete" -access all | ||
security login role create -role "trident" -cmddirname "volume qtree modify" -access all | ||
security login role create -role "trident" -cmddirname "lun create" -access all | ||
security login role create -role "trident" -cmddirname "volume offline" -access all | ||
security login role create -role "trident" -cmddirname "version" -access all | ||
security login role create -role "trident" -cmddirname "vserver iscsi security delete" -access all | ||
security login role create -role "trident" -cmddirname "lun" -access readonly | ||
security login role create -role "trident" -cmddirname "volume qtree" -access readonly | ||
security login role create -role "trident" -cmddirname "volume snapshot create" -access all | ||
security login role create -role "trident" -cmddirname "snapmirror" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver iscsi security" -access readonly | ||
security login role create -role "trident" -cmddirname "lun delete" -access all | ||
security login role create -role "trident" -cmddirname "volume size" -access all | ||
security login role create -role "trident" -cmddirname "vserver export-policy rule delete" -access all | ||
security login role create -role "trident" -cmddirname "vserver export-policy" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver iscsi security create" -access all | ||
security login role create -role "trident" -cmddirname "vserver iscsi security" -access readonly | ||
security login role create -role "trident" -cmddirname "snapmirror resync" -access all | ||
security login role create -role "trident" -cmddirname "snapmirror break" -access all | ||
security login role create -role "trident" -cmddirname "lun igroup" -access readonly | ||
security login role create -role "trident" -cmddirname "lun mapping delete" -access all | ||
security login role create -role "trident" -cmddirname "volume modify" -access all | ||
security login role create -role "trident" -cmddirname "volume unmount" -access all | ||
security login role create -role "trident" -cmddirname "vserver iscsi" -access readonly | ||
security login role create -role "trident" -cmddirname "snapmirror quiesce" -access all | ||
security login role create -role "trident" -cmddirname "snapmirror release" -access all | ||
security login role create -role "trident" -cmddirname "volume file clone create" -access all | ||
security login role create -role "trident" -cmddirname "snapmirror policy" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver iscsi initiator" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver cifs share create" -access all | ||
security login role create -role "trident" -cmddirname "lun move-in-volume" -access all | ||
security login role create -role "trident" -cmddirname "volume quota" -access readonly | ||
security login role create -role "trident" -cmddirname "volume rename" -access all | ||
security login role create -role "trident" -cmddirname "snapmirror update" -access all | ||
security login role create -role "trident" -cmddirname "vserver iscsi" -access readonly | ||
security login role create -role "trident" -cmddirname "volume create" -access all | ||
security login role create -role "trident" -cmddirname "volume quota off" -access all | ||
security login role create -role "trident" -cmddirname "vserver cifs share delete" -access all | ||
security login role create -role "trident" -cmddirname "event generate-autosupport-log" -access all | ||
security login role create -role "trident" -cmddirname "lun mapping" -access readonly | ||
security login role create -role "trident" -cmddirname "lun modify" -access all | ||
security login role create -role "trident" -cmddirname "volume clone split start" -access all | ||
security login role create -role "trident" -cmddirname "volume clone create" -access all | ||
security login role create -role "trident" -cmddirname "volume qtree rename" -access all | ||
security login role create -role "trident" -cmddirname "snapmirror delete" -access all | ||
security login role create -role "trident" -cmddirname "volume quota policy rule" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver iscsi nodename" -access all | ||
security login role create -role "trident" -cmddirname "lun online" -access all | ||
security login role create -role "trident" -cmddirname "job" -access readonly | ||
security login role create -role "trident" -cmddirname "volume qtree create" -access all | ||
security login role create -role "trident" -cmddirname "vserver export-policy rule create" -access all | ||
security login role create -role "trident" -cmddirname "snapmirror abort" -access all | ||
security login role create -role "trident" -cmddirname "volume quota on" -access all | ||
security login role create -role "trident" -cmddirname "vserver export-policy rule" -access readonly | ||
security login role create -role "trident" -cmddirname "lun igroup create" -access all | ||
security login role create -role "trident" -cmddirname "lun igroup delete" -access all | ||
security login role create -role "trident" -cmddirname "volume size" -access all | ||
security login role create -role "trident" -cmddirname "volume qtree delete" -access all | ||
security login role create -role "trident" -cmddirname "vserver iscsi interface" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver peer" -access readonly | ||
security login role create -role "trident" -cmddirname "lun serial" -access all | ||
security login role create -role "trident" -cmddirname "lun mapping create" -access all | ||
security login role create -role "trident" -cmddirname "volume destroy" -access all | ||
security login role create -role "trident" -cmddirname "volume create" -access all | ||
security login role create -role "trident" -cmddirname "volume clone create" -access all | ||
security login role create -role "trident" -cmddirname "volume quota resize" -access all | ||
security login role create -role "trident" -cmddirname "vserver iscsi security default" -access all | ||
security login role create -role "trident" -cmddirname "lun mapping" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver export-policy create" -access all | ||
security login role create -role "trident" -cmddirname "vserver" -access readonly | ||
security login role create -role "trident" -cmddirname "vserver show-aggregates" -access all | ||
security login role create -role "trident" -cmddirname "version" -access all |
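Review bot: The list contains repeated and conflicting entries: `-cmddirname "lun"` is created with `-access all` near the top and again with `-access readonly` twice further down, and `volume`, `job schedule`, `volume destroy`, `version` and others appear more than once. Pasted in order, the effective level for `lun` depends on how ONTAP treats a second create for the same entry, which the file leaves unclear. De-duplicate in the source JSON or in role-generator.sh, settle one access level per command directory, and sort the result so the granted set can be audited.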