From 083cccd66fb899b8cb43320c86c4d6394e698ad6 Mon Sep 17 00:00:00 2001 From: Rahul Date: Fri, 6 Dec 2024 20:58:45 +0530 Subject: [PATCH] doc: rest endpoint permissions (#3359) * doc: rest endpoint permissions --- docs/prepare-cdot-clusters.md | 17 ++++++++++++++--- integration/test/copy_logs_test.go | 2 +- integration/test/counter_test.go | 19 +++++++++++++++++++ integration/test/dashboard_json_test.go | 2 ++ 4 files changed, 36 insertions(+), 4 deletions(-) diff --git a/docs/prepare-cdot-clusters.md b/docs/prepare-cdot-clusters.md index 6fb96a79d..98e0590ee 100644 --- a/docs/prepare-cdot-clusters.md +++ b/docs/prepare-cdot-clusters.md @@ -93,8 +93,12 @@ Warnings are fine. security login role create -role harvest2-role -access readonly -cmddirname "cluster" security login role create -role harvest2-role -access readonly -cmddirname "event notification destination show" security login role create -role harvest2-role -access readonly -cmddirname "event notification destination" +security login role create -role harvest2-role -access readonly -cmddirname "event log" +security login role create -role harvest2-role -access readonly -cmddirname "event catalog show" security login role create -role harvest2-role -access readonly -cmddirname "lun" security login role create -role harvest2-role -access readonly -cmddirname "metrocluster configuration-settings mediator add" +security login role create -role harvest2-role -access readonly -cmddirname "metrocluster" +security login role create -role harvest2-role -access readonly -cmddirname "network connections active show" security login role create -role harvest2-role -access readonly -cmddirname "network fcp adapter show" security login role create -role harvest2-role -access readonly -cmddirname "network interface" security login role create -role harvest2-role -access readonly -cmddirname "network port show" @@ -119,6 +123,7 @@ security login role create -role harvest2-role -access readonly -cmddirname "sys security login role create -role harvest2-role -access readonly -cmddirname "system health subsystem show" security login role create -role harvest2-role -access readonly -cmddirname "system license show" security login role create -role harvest2-role -access readonly -cmddirname "system node" +security login role create -role harvest2-role -access readonly -cmddirname "system node environment sensors show" security login role create -role harvest2-role -access readonly -cmddirname "system service-processor show" security login role create -role harvest2-role -access readonly -cmddirname "version" security login role create -role harvest2-role -access readonly -cmddirname "volume" @@ -174,8 +179,6 @@ security login rest-role create -role harvest2-rest-role -access readonly -api / security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ip/interfaces security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ip/ports security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ip/routes - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/support/alerts security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/cifs/services security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/cifs/sessions security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/cifs/shares @@ -214,24 +217,32 @@ security login rest-role create -role harvest2-rest-role -access readonly -api / security login rest-role create -role harvest-rest-role -access readonly -api /api/svm/svms # Private CLI endpoints + security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli + security login rest-role create -role harvest-rest-role -access readonly -api /api/private/support/alerts security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/aggr security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/cluster/date security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/disk + security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/security/certificate + security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/security/ssl + security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/connections/active security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/interface + security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/port security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/port/ifgrp security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/node security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qos/adaptive-policy-group security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qos/policy-group security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qos/workload + security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qtree security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/snapmirror - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/snapshot/policy security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/storage/failover security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/storage/shelf security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/chassis/fru security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/controller/fru security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/health/subsystem + security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/node/environment/sensors security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/volume security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/vserver + security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/vserver/cifs/share security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/vserver/object-store-server/bucket/policy ``` diff --git a/integration/test/copy_logs_test.go b/integration/test/copy_logs_test.go index 7f9b165f7..0fd161953 100644 --- a/integration/test/copy_logs_test.go +++ b/integration/test/copy_logs_test.go @@ -93,5 +93,5 @@ func checkLogs(t *testing.T, container docker.Container, info containerInfo) { // pollerIgnore returns a list of regex patterns that will be ignored func pollerIgnore() string { - return `RPC: Remote system error|connection error|Code: 2426405` + return `RPC: Remote system error|connection error|Code: 2426405|failed to fetch data: error making request StatusCode: 403, Error: Permission denied, Message: not authorized for that command, API: (/api/private/cli/snapshot/policy|/api/support/autosupport)` } diff --git a/integration/test/counter_test.go b/integration/test/counter_test.go index b415ac323..d9ba8dec6 100644 --- a/integration/test/counter_test.go +++ b/integration/test/counter_test.go @@ -35,6 +35,12 @@ var skipTemplates = map[string]bool{ "9.12.0/metrocluster_check.yaml": true, } +var skipEndpoints = []string{ + "api/private/cli/snapshot/policy", + "api/support/autosupport", + "api/private/cli/export-policy/rule", +} + // TestCounters extracts non-hidden counters from all of the rest and restperf templates and then invokes an HTTP GET for each api path + counters. // Valid responses are status code = 200. Objects do not need to exist on the cluster, only the api path and counter names are checked. func TestCounters(t *testing.T) { @@ -86,6 +92,10 @@ func TestCounters(t *testing.T) { func invokeRestCall(client *rest2.Client, counters map[string][]counterData) error { for _, countersDetail := range counters { for _, counterDetail := range countersDetail { + // Skip the endpoints that are failing due to permission issues + if shouldSkipEndpoint(counterDetail.api, skipEndpoints) { + continue + } href := rest2.NewHrefBuilder(). APIPath(counterDetail.api). Fields(counterDetail.restCounters). @@ -100,6 +110,15 @@ func invokeRestCall(client *rest2.Client, counters map[string][]counterData) err return nil } +func shouldSkipEndpoint(api string, skipEndpoints []string) bool { + for _, endpoint := range skipEndpoints { + if strings.Contains(api, endpoint) { + return true + } + } + return false +} + func processRestCounters(client *rest2.Client) map[string][]counterData { restPerfCounters := visitRestTemplates("../../conf/restperf", client, func(path string, currentVersion string, _ *rest2.Client) map[string][]counterData { return processRestConfigCounters(path, currentVersion, "perf") diff --git a/integration/test/dashboard_json_test.go b/integration/test/dashboard_json_test.go index 88e0ffb61..fe23a2237 100644 --- a/integration/test/dashboard_json_test.go +++ b/integration/test/dashboard_json_test.go @@ -57,6 +57,8 @@ var restCounterMap = map[string]struct{}{ "aggr_snapshot_inode_used_percent": {}, "flexcache_": {}, "rw_ctx_": {}, + "snapshot_policy_total_schedules": {}, + "support_labels": {}, } // excludeCounters consists of counters which should be excluded from both Zapi/Rest in CI test