doc: rest endpoint permissions (#3359)

* doc: rest endpoint permissions

docs/prepare-cdot-clusters.md

@@ -93,8 +93,12 @@ Warnings are fine.
 security login role create -role harvest2-role -access readonly -cmddirname "cluster"
 security login role create -role harvest2-role -access readonly -cmddirname "event notification destination show"
 security login role create -role harvest2-role -access readonly -cmddirname "event notification destination"
+security login role create -role harvest2-role -access readonly -cmddirname "event log"
+security login role create -role harvest2-role -access readonly -cmddirname "event catalog show"
 security login role create -role harvest2-role -access readonly -cmddirname "lun"
 security login role create -role harvest2-role -access readonly -cmddirname "metrocluster configuration-settings mediator add"
+security login role create -role harvest2-role -access readonly -cmddirname "metrocluster"
+security login role create -role harvest2-role -access readonly -cmddirname "network connections active show"
 security login role create -role harvest2-role -access readonly -cmddirname "network fcp adapter show"
 security login role create -role harvest2-role -access readonly -cmddirname "network interface"
 security login role create -role harvest2-role -access readonly -cmddirname "network port show"
@@ -119,6 +123,7 @@ security login role create -role harvest2-role -access readonly -cmddirname "sys
 security login role create -role harvest2-role -access readonly -cmddirname "system health subsystem show"
 security login role create -role harvest2-role -access readonly -cmddirname "system license show"
 security login role create -role harvest2-role -access readonly -cmddirname "system node"
+security login role create -role harvest2-role -access readonly -cmddirname "system node environment sensors show"
 security login role create -role harvest2-role -access readonly -cmddirname "system service-processor show"
 security login role create -role harvest2-role -access readonly -cmddirname "version"
 security login role create -role harvest2-role -access readonly -cmddirname "volume"
@@ -174,8 +179,6 @@ security login rest-role create -role harvest2-rest-role -access readonly -api /
     security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ip/interfaces
     security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ip/ports
     security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ip/routes
-    security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli
-    security login rest-role create -role harvest-rest-role -access readonly -api /api/private/support/alerts
     security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/cifs/services
     security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/cifs/sessions
     security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/cifs/shares
@@ -214,24 +217,32 @@ security login rest-role create -role harvest2-rest-role -access readonly -api /
     security login rest-role create -role harvest-rest-role -access readonly -api /api/svm/svms
 
     # Private CLI endpoints
+    security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli
+    security login rest-role create -role harvest-rest-role -access readonly -api /api/private/support/alerts
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/aggr
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/cluster/date
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/disk
+    security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/security/certificate
+    security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/security/ssl
+    security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/connections/active
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/interface
+    security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/port
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/port/ifgrp
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/node
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qos/adaptive-policy-group
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qos/policy-group
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qos/workload
+    security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qtree
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/snapmirror
-    security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/snapshot/policy
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/storage/failover
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/storage/shelf
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/chassis/fru
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/controller/fru
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/health/subsystem
+    security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/node/environment/sensors
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/volume
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/vserver
+    security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/vserver/cifs/share
     security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/vserver/object-store-server/bucket/policy
     ```
 

integration/test/copy_logs_test.go

@@ -93,5 +93,5 @@ func checkLogs(t *testing.T, container docker.Container, info containerInfo) {
 
 // pollerIgnore returns a list of regex patterns that will be ignored
 func pollerIgnore() string {
-	return `RPC: Remote system error|connection error|Code: 2426405`
+	return `RPC: Remote system error|connection error|Code: 2426405|failed to fetch data: error making request StatusCode: 403, Error: Permission denied, Message: not authorized for that command, API: (/api/private/cli/snapshot/policy|/api/support/autosupport)`
 }

integration/test/counter_test.go

@@ -35,6 +35,12 @@ var skipTemplates = map[string]bool{
 	"9.12.0/metrocluster_check.yaml": true,
 }
 
+var skipEndpoints = []string{
+	"api/private/cli/snapshot/policy",
+	"api/support/autosupport",
+	"api/private/cli/export-policy/rule",
+}
+
 // TestCounters extracts non-hidden counters from all of the rest and restperf templates and then invokes an HTTP GET for each api path + counters.
 // Valid responses are status code = 200. Objects do not need to exist on the cluster, only the api path and counter names are checked.
 func TestCounters(t *testing.T) {
@@ -86,6 +92,10 @@ func TestCounters(t *testing.T) {
 func invokeRestCall(client *rest2.Client, counters map[string][]counterData) error {
 	for _, countersDetail := range counters {
 		for _, counterDetail := range countersDetail {
+			// Skip the endpoints that are failing due to permission issues
+			if shouldSkipEndpoint(counterDetail.api, skipEndpoints) {
+				continue
+			}
 			href := rest2.NewHrefBuilder().
 				APIPath(counterDetail.api).
 				Fields(counterDetail.restCounters).
@@ -100,6 +110,15 @@ func invokeRestCall(client *rest2.Client, counters map[string][]counterData) err
 	return nil
 }
 
+func shouldSkipEndpoint(api string, skipEndpoints []string) bool {
+	for _, endpoint := range skipEndpoints {
+		if strings.Contains(api, endpoint) {
+			return true
+		}
+	}
+	return false
+}
+
 func processRestCounters(client *rest2.Client) map[string][]counterData {
 	restPerfCounters := visitRestTemplates("../../conf/restperf", client, func(path string, currentVersion string, _ *rest2.Client) map[string][]counterData {
 		return processRestConfigCounters(path, currentVersion, "perf")

integration/test/dashboard_json_test.go

@@ -57,6 +57,8 @@ var restCounterMap = map[string]struct{}{
 	"aggr_snapshot_inode_used_percent": {},
 	"flexcache_":                       {},
 	"rw_ctx_":                          {},
+	"snapshot_policy_total_schedules":  {},
+	"support_labels":                   {},
 }
 
 // excludeCounters consists of counters which should be excluded from both Zapi/Rest in CI test