Problem
You have one or more NetApp storage systems (F960 or later series) running Data ONTAP® 7G (or later). You would like to take advantage of the snapshot capabilities to facilitate the database backup process. However, you don't want to use the default root login for the automated logins, nor do you want to use the insecure rsh, as these options would violate corporate security policies (especially if you have a compliance commitment to ISO 27002, PCI or HIPAA).
Solution
Create a restricted user that has only login access and the ability to manage snapshots:
- Set up ssh on the filer: secureadmin setup ssh (it is recommended that you select long keys when you are asked: 1024 and 768 for ssh v1, which shouldn't be enabled anyway, and 2048 for ssh2).
- Start ssh on the filer: secureadmin enable ssh2 (at this point you should be able to log in to the filer with ssh as root with your admin password).
- Create the group, role and user:
useradmin user add snapuser -g Users
useradmin role add snaps -c "Snapshot Manager" -a cli-snap*,login-ssh,login-telnet
useradmin group add cli-snapshot-group -r snaps
useradmin user modify snapuser -f -g cli-snapshot-group
useradmin user list snapuser
The last command lets you check your work; the output should look like:
Name: snapuser
Info:
Rid: 131075
Groups: cli-snapshot-group
Full Name:
Allowed Capabilities: cli-snap*,login-ssh,login-telnet
Password min/max age in days: 0/4294967295
Status: enabled
- Put your public keys in the authorized keys file on the filer: /etc/sshd/snapuser/.ssh/authorized_keys (typically you do that by mounting the filer root volume on one of your AIX boxes; any OS that can mount the root volume should work).
- At this point you are ready to test by logging in via ssh to the snapuser account. Keep in mind that before you can successfully log in, you have to log out from the NetApp.
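As an added check (not part of the original article), the following Python script parses the output of useradmin user list shown above and verifies that the account is enabled, sits only in the intended group, and carries exactly the capabilities the role grants; the sample output embedded in the script is the one from the procedure, so it runs offline.

```python
# Added example: audit the `useradmin user list <name>` output for a
# restricted snapshot user. Expected values are the ones the procedure
# above creates; adjust them if you named the role or group differently.

EXPECTED_CAPS = {"cli-snap*", "login-ssh", "login-telnet"}
EXPECTED_GROUPS = {"cli-snapshot-group"}

# Sample output taken from the procedure above, embedded for offline use.
SAMPLE_OUTPUT = """\
Name: snapuser
Info:
Rid: 131075
Groups: cli-snapshot-group
Full Name:
Allowed Capabilities: cli-snap*,login-ssh,login-telnet
Password min/max age in days: 0/4294967295
Status: enabled
"""


def parse_user_list(text):
    """Turn the 'Key: value' lines of `useradmin user list` into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        fields[key.strip()] = value.strip()
    return fields


def split_csv(value):
    """Split a comma-separated field (groups, capabilities) into a set."""
    return {item.strip() for item in value.split(",") if item.strip()}


def audit_user(text, expected_caps=EXPECTED_CAPS, expected_groups=EXPECTED_GROUPS):
    """Return a list of findings; an empty list means the account matches the intended restriction."""
    f = parse_user_list(text)
    findings = []
    if f.get("Status") != "enabled":
        findings.append(f"status is {f.get('Status')!r}, expected 'enabled'")
    groups = split_csv(f.get("Groups", ""))
    if groups != expected_groups:   # e.g. still in 'Users' because the modify step was skipped
        findings.append(f"groups {sorted(groups)} differ from {sorted(expected_groups)}")
    caps = split_csv(f.get("Allowed Capabilities", ""))
    if caps - expected_caps:
        findings.append(f"unexpected capabilities: {sorted(caps - expected_caps)}")
    if expected_caps - caps:
        findings.append(f"missing capabilities: {sorted(expected_caps - caps)}")
    return findings


if __name__ == "__main__":
    print(audit_user(SAMPLE_OUTPUT) or "snapuser matches the intended restriction")
```

In practice, feed the script the captured output of the command on your own filer instead of the embedded sample.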
