
Technical Report

Storage Access Control Tool: User’s Guide

Sourav Chakraborty, NetApp


Dec 2009

STORAGE ACCESS CONTROL TOOL: USER’S GUIDE


This document describes the usage of Storage Access Control Tool (STORACL). STORACL is a tool that
needs to be used with SnapDrive 6.1 for Windows and above to implement file-based access control and
thin provisioning of LUNs. This tool is not a part of SnapDrive and needs to be downloaded separately.
TABLE OF CONTENTS

1 OVERVIEW ... 3
2 UNDERSTANDING HOW FILE-BASED ACCESS CONTROL WORKS ... 3
2.1 WHERE IS THE “ACCESSCONTROL.XML” FILE LOCATED ... 4
2.2 COMPONENTS OF THE ACCESS CONTROL FILE ... 4
2.3 TYPES OF ROLES ... 6
2.4 TYPES OF OPERATIONS ... 7
3 HOW TO MANAGE ACCESS CONTROL ... 8
3.1 EXAMPLES OF COMMANDS RUN FROM THE STORACL TOOL ... 9
3.1.1 LAUNCHING STORACL TOOL ... 9
3.1.2 DISABLING ACCESS CONTROL ON A STORAGE SYSTEM ... 10
3.1.3 CREATING NEW ROLES ... 10
3.1.4 ADDING OPERATIONS TO AN EXISTING ROLE ... 10
3.1.5 REMOVING OPERATIONS FROM AN EXISTING ROLE ... 10
3.1.6 ADDING ACCESS RIGHTS FOR A USER ... 10
3.1.7 REMOVING ACCESS RIGHTS FOR A USER TO A RESOURCE ... 11
3.1.8 REMOVING SOME OF THE ROLES ASSIGNED TO A USER FOR A RESOURCE ... 11
3.1.9 LIST RESOURCES THAT A USER CAN ACCESS ... 11
3.1.10 LIST ALL THE RESOURCES THAT ALL THE USERS CAN ACCESS ... 11
3.1.11 COMPLETELY REMOVE ALL ACCESS RIGHTS FOR A USER ... 11
3.1.12 LIST STORAGE SYSTEM RESOURCES ... 11
3.1.13 ADDING VOLUME ACCESS FOR A HOST ON A STORAGE SYSTEM ... 11
3.1.14 LIST HOST ENTRIES IN THE STORAGE SYSTEM ... 12
3.1.15 LIST VOLUMES ON A STORAGE SYSTEM TO WHICH A HOST HAS ACCESS ... 12
3.1.16 REMOVING VOLUME ACCESS FOR A HOST ON A STORAGE SYSTEM ... 12
3.1.17 REMOVING A HOST ENTRY FROM A STORAGE SYSTEM ... 12
3.2 EXAMPLE SCENARIOS ... 12
3.2.1 SCENARIO 1 – ACCESS ALL VOLUMES ON A STORAGE SYSTEM ... 12
3.2.2 SCENARIO 2 – TAKE SNAPSHOTS OF VOLUMES ON A STORAGE SYSTEM ... 13
4 STORACL DOWNLOAD ... 13
5 CONCLUSION ... 13

2 Storage Access Control Tool: User’s Guide NetApp Confidential – Internal Use Only
1 OVERVIEW
This document provides details on how to use the STORACL tool to manage file-based access
control and thin provisioning of LUNs for SDW (SnapDrive for Windows) 6.1 and above. It gives
storage administrators the ability to set access control for different users on different storage
resources (aggregates, volumes, qtrees, LUNs) of a specific storage system. It also allows storage
administrators to create settings for thin provisioning of LUNs.

2 UNDERSTANDING HOW FILE-BASED ACCESS CONTROL WORKS

SnapDrive uses a special file called AccessControl.xml, present in the /etc folder of each
storage system, to implement access control for the volumes, qtrees and other resources on that
storage system. This file stores the access rights defined by the storage admin for the
resources present on the corresponding storage system. The file can be created and edited with
the STORACL tool.

Figure 1 shows the way in which SnapDrive uses the access control file.

Figure 1) How SnapDrive uses the access control file

In addition, note the following:

1. SnapDrive versions 6.0.1 and 6.0.2 use only the HOSTS section of the access control
file. Their access control is limited to the volume level. The HOSTS section is described
in more detail in section 2.2.

2. SnapDrive versions prior to 6.0.1 do not have access control, so these versions are
not affected by the presence of the access control file on a storage system.

3. An improperly formatted access control file causes SnapDrive (6.1 and above) to
proceed without checking access control at all. It is therefore strongly advised that the
access control file only be modified by using the STORACL tool.

2.1 WHERE IS THE “ACCESSCONTROL.XML” FILE LOCATED

The access control file must be named AccessControl.xml. It must be deployed in the ‘etc’ folder
of the storage system’s root volume: StorageSystem:/rootvol/etc/AccessControl.xml.
The AccessControl.xml file must always be located at this path; SnapDrive looks for it only there
when exercising access control.

2.2 COMPONENTS OF THE ACCESS CONTROL FILE

The following are the definitions of the various elements that form the access control file:

1. Hosts: The Hosts tag defines the volumes that can be accessed by a host machine. It is
meant for adding volume-level access for SnapDrive 6.0.1 and 6.0.2. This section has no
effect on SnapDrive 6.1 and above.

For Example)
<ssc:Hosts default="allow">
<ssc:Host name="HOST1">
<ssc:vols-provision>
<ssc:vol name="vol1"/>
<ssc:vol name="vol2"/>
</ssc:vols-provision>
</ssc:Host>
</ssc:Hosts>
This means that the host machine HOST1 can access volumes vol1 and vol2.

2. UserName: These are domain users that request access to storage system resources such as
volumes, qtrees and LUNs. The storage admin needs to explicitly define the access rights for
each user that requests access to resources on the storage system.

For example) The service logon account of a SnapManager application.

3. StorageSystem: This is the section of the XML file where access rights are defined on
three kinds of objects:
i. Volumes
ii. Qtrees
iii. LUNs

To define an access right on any of the above objects, the following pieces of information
are needed:

i. Resource :: A volume, qtree or LUN on the storage system.

ii. User Name :: A domain user who requests access to the storage system
resources. For example) The service logon account of a SnapManager
application.

iii. Role Name :: Defines the types of operations that the user can perform. Roles
are kept in a separate section of the file and are described in detail below.

For Example)
<ssc:StorageVolume name="volTest">
<ssc:AccessRights>
<ssc:AccessRight>
<ssc:User name="Estella"/>
<ssc:Role name="SDProvision"/>
<ssc:Role name="SDBackup"/>
</ssc:AccessRight>
<ssc:AccessRight>
<ssc:User name="Malcom"/>
<ssc:Role name="SDBackup"/>
<ssc:Role name="SDRestore"/>
</ssc:AccessRight>
</ssc:AccessRights>
</ssc:StorageVolume>
In the above example, the users “Estella” and “Malcom” have each been assigned multiple roles
on the volume “volTest”. Each of these roles has a set of corresponding actions that can be
performed on the storage system.

4. Roles: A role is defined as a container for a group of operations. Any user that is
assigned a particular role can perform only those operations that are defined for that
role.
SnapDrive 6.1 and above ships with a set of default roles; these are listed in section 2.3.
In addition, the storage admin can create custom roles.

For Example)
<ssc:Role name="SDConfigAll">
<ssc:Operations>
<ssc:Operation name="SD.Config.Read"/>
<ssc:Operation name="SD.Config.Write"/>
<ssc:Operation name="SD.Config.Delete"/>
</ssc:Operations>
</ssc:Role>

5. Operations: These are the exact functions that SnapDrive can execute on storage system
resources such as iGroups, volumes and LUNs. The list of operations is fixed and is given in
section 2.4. No new operations can be added by the storage admin.

2.3 TYPES OF ROLES


Table 1 lists the default roles that are defined by SnapDrive 6.1 and above. The table also lists the
default operations that each of those roles is authorized to perform. Note that each role has to be
applied in the context of a resource viz. Qtree, Volume or LUN.

ROLE          OPERATIONS             DESCRIPTION

SDAdmin       SD.Config.Delete       - Can view the volume/Qtree/LUN.
              SD.Config.Read         - Can view/create/delete a disk on the volume/Qtree.
              SD.Config.Write        - Can view/create/delete snapshots for a resource.
              SD.SnapShot.Clone      - Can mount/unmount/restore snapshots on a resource.
              SD.SnapShot.Delete     - Can view/create/delete iGroups.
              SD.SnapShot.Read
              SD.SnapShot.Restore
              SD.SnapShot.Write
              SD.Storage.Delete
              SD.Storage.Read
              SD.Storage.Write

SDProvision   SD.Config.Read         - Can view/create iGroups.
              SD.Config.Write        - Can view the volume or Qtree.
              SD.Storage.Read        - Can view/create a disk on a volume/Qtree.
              SD.Storage.Write

SDDiscovery   SD.Config.Read         - Can view iGroups.
              SD.SnapShot.Read       - Can view snapshots.
              SD.Storage.Read        - Can view resources (volumes/Qtrees/LUNs).

SDBackup      SD.SnapShot.Read       - Can view/create snapshots on a resource.
              SD.SnapShot.Write

SDRestore     SD.SnapShot.Restore    - Can restore snapshots on a resource.

SDNoAccess    SD.Access.None         - Denies all access to the resource.

Table 1) Default roles in SnapDrive 6.1 and above

2.4 TYPES OF OPERATIONS

Table 2 lists the operations that are defined by SnapDrive 6.1 and above. Note that an operation is
applied to a role. New operations cannot be created.

OPERATION              RELATED SNAPDRIVE OPERATIONS

SD.Storage.Read        View the volume/Qtree/LUN
SD.Storage.Write       Create/connect/disconnect a disk (LUN)
SD.Storage.Delete      Delete/unmount a disk (LUN)
SD.SnapShot.Read       View created snapshots
SD.SnapShot.Write      Snapshot create
SD.SnapShot.Delete     Snapshot delete
SD.SnapShot.Clone      Snapshot mount
SD.SnapShot.Restore    Snapshot restore
SD.Config.Read         View created iGroups
SD.Config.Write        Create iGroups
SD.Config.Delete       Delete iGroups
SD.Access.None         Blocks all SDW operations

Table 2) SnapDrive operations defined in AccessControl.xml
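Because section 2 warns that an improperly formatted AccessControl.xml makes SnapDrive skip access control entirely, a storage admin may want to validate the file and resolve a user's effective rights before copying it to /etc. The following Python example is added here and is not part of STORACL or SnapDrive; it parses the elements described in sections 2.2 to 2.4 against the fixed operation list in Table 2 and fails closed on any defect. The root element, the Roles container, the namespace URI, the sample data and the precedence given to SDNoAccess are assumptions of the example, since the guide shows only the inner elements.

```python
import xml.etree.ElementTree as ET
# Fixed operation vocabulary from Table 2; a Role naming anything else is a typo or tampering.
KNOWN_OPERATIONS = {
    "SD.Storage.Read", "SD.Storage.Write", "SD.Storage.Delete", "SD.SnapShot.Read",
    "SD.SnapShot.Write", "SD.SnapShot.Delete", "SD.SnapShot.Clone", "SD.SnapShot.Restore",
    "SD.Config.Read", "SD.Config.Write", "SD.Config.Delete", "SD.Access.None",
}
# Constructed sample: the guide shows only the inner elements, so the root element,
# the <ssc:Roles> container and the namespace URI are assumptions of this example.
SAMPLE_XML = """<ssc:AccessControl xmlns:ssc="urn:example:ssc-placeholder">
  <ssc:Roles>
    <ssc:Role name="SDBackup"><ssc:Operations>
      <ssc:Operation name="SD.SnapShot.Read"/><ssc:Operation name="SD.SnapShot.Write"/>
    </ssc:Operations></ssc:Role>
    <ssc:Role name="SDNoAccess"><ssc:Operations>
      <ssc:Operation name="SD.Access.None"/>
    </ssc:Operations></ssc:Role>
  </ssc:Roles>
  <ssc:StorageSystem>
    <ssc:StorageVolume name="volTest"><ssc:AccessRights>
      <ssc:AccessRight><ssc:User name="Estella"/><ssc:Role name="SDBackup"/></ssc:AccessRight>
      <ssc:AccessRight><ssc:User name="Malcom"/><ssc:Role name="SDBackup"/>
        <ssc:Role name="SDNoAccess"/></ssc:AccessRight>
    </ssc:AccessRights></ssc:StorageVolume>
  </ssc:StorageSystem>
</ssc:AccessControl>"""
# The same file with the closing-tag typo seen in the guide's own listing ("</ssc:StorageVolume" without ">").
BROKEN_XML = SAMPLE_XML.replace("</ssc:StorageVolume>", "</ssc:StorageVolume")

def _find(elem, name):  # descendants with this local name (ElementTree prefixes tags with {ns})
    return [e for e in elem.iter() if e is not elem and e.tag.rsplit("}", 1)[-1] == name]

def load_roles(root):
    """Map role name -> operation set; only <Role> elements that carry <Operations> are definitions."""
    roles = {}
    for role in _find(root, "Role"):
        if not _find(role, "Operations"):
            continue  # a bare <Role name=.../> inside an AccessRight is only a reference
        ops = {op.get("name", "").strip() for op in _find(role, "Operation")}
        if ops - KNOWN_OPERATIONS:
            raise ValueError(f"role {role.get('name')!r} lists unknown operations {sorted(ops - KNOWN_OPERATIONS)}")
        roles[role.get("name")] = ops
    return roles

def effective_operations(xml_text, resource, user):
    """Operations granted to `user` on `resource`; raises on malformed XML or an undefined role."""
    root = ET.fromstring(xml_text)  # ParseError on an improperly formatted file
    roles, granted = load_roles(root), set()
    for res in [e for e in root.iter() if e.get("name") == resource and _find(e, "AccessRights")]:
        for right in _find(res, "AccessRight"):
            if user in {u.get("name") for u in _find(right, "User")}:
                for ref in _find(right, "Role"):
                    if ref.get("name") not in roles:
                        raise ValueError(f"undefined role {ref.get('name')!r}")
                    granted |= roles[ref.get("name")]
    # Table 1 says SDNoAccess denies all access to the resource; treated here as overriding other roles.
    return set() if "SD.Access.None" in granted else granted

def is_allowed(xml_text, resource, user, operation):
    """Fail-closed check: any validation error is a denial, unlike SnapDrive's handling of a bad file."""
    try:
        return operation in effective_operations(xml_text, resource, user)
    except (ET.ParseError, ValueError):
        return False
```

Run `is_allowed` against a candidate file before deploying it; a False on a right you expected to be granted is the signal to inspect the file rather than copy it to the storage system.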

3 HOW TO MANAGE ACCESS CONTROL
As mentioned earlier, access rights for resources on a storage system are managed via the
STORACL tool. There are two prerequisites for configuring access rights on a storage system:
i. The user of the tool must have administrative privileges on the storage
system.
ii. The STORACL tool uses the HTTPS protocol by default for communicating with the
storage system. Users can also select the HTTP protocol type for use with vFiler
units when using the MultiStore feature of Data ONTAP software.

STORACL supports the following types of operations with respect to access control:
1. Create
Creates the AccessControl.xml file with the default operations and roles and places the file
in the StorageSystem:/etc/ path.

2. Delete
Deletes the AccessControl.xml file after confirmation from the user. This disables access
control on the storage system.

3. Operation
Lists the SnapDrive operations.

4. Roles
Allows listing, adding, removing and modifying roles (default and user-created) on the
storage system.

5. User
Allows:
a. Listing of users for whom access rights have been set.
b. Adding, removing and modifying access rights for users.

NOTE: If the access control file does not exist on the storage system, a file with the
default operations and roles is created on the fly, and then the resource and access
right for the user are added.

6. dfmrbac
Gets or sets the DFM-RBAC value, which selects the RBAC mechanism to enforce (DFM or
file based).

7. Storage
Lists the storage system resources for which access rights have been configured.

8. spacereserve
Can be set to true or false to enable or disable thin provisioning of LUNs.

9. host
Allows listing, adding and removing host access to the storage system volumes. Note that
this feature exists purely for backward compatibility and has no bearing on SnapDrive 6.1
and above.

10. hvol
Lists the volumes a host can access. Volumes can also be added to or removed from the host.

11. help
Help on any command or operation.

12. exit
Quits the STORACL tool.

3.1 EXAMPLES OF COMMANDS RUN FROM THE STORACL TOOL

This section presents some examples of how the commands above can be used to perform
various operations with the STORACL tool.
In the following examples, we assume that the STORACL tool is located in a directory named
“C:\TOOLS”.

3.1.1 LAUNCHING STORACL TOOL

Navigate to the STORACL root directory in the command prompt and type “storacl”. This opens
the prompt of the STORACL tool, from which further commands can be executed.
C:\Tools>storacl
STORACL>

To connect to a storage system while launching the STORACL tool, use the following command.
C:\Tools>storacl -stor SYSTEM1
User:root
Password:******
STORACL>

NOTE: If authentication fails, the tool prompts for credentials three times and then exits.
STORACL uses the HTTPS protocol by default. Users can select the HTTP protocol type for
communicating with MultiStore units (vFilers).
C:\Tools>storacl -stor SYSTEM1 -ptype HTTP
User:root
Password:******
STORACL>

ENABLING ACCESS CONTROL ON A STORAGE SYSTEM

STORACL> create
password:*******

NOTE: Stating the password in clear text is optional. If the password is not stated, STORACL
prompts for it. This is true for all commands.
NOTE: Once the username and password have been provided for a storage system, they need not
be entered again for the duration of the current session.

NOTE: It is not mandatory to create the access control file before running other commands.
Any add or set operation creates the AccessControl.xml file with default content.

3.1.2 DISABLING ACCESS CONTROL ON A STORAGE SYSTEM

STORACL> delete -stor System1 -user root
password:*******
Delete AccessControl.xml from storage system System1? [y|n] y

3.1.3 CREATING NEW ROLES

STORACL>role add -rn TESTROLE -OPN SD.Storage.Read

3.1.4 ADDING OPERATIONS TO AN EXISTING ROLE

STORACL>role add -rn TESTROLE -OPN SD.Storage.Write

This adds the "SD.Storage.Write" operation to the role named "TESTROLE".

3.1.5 REMOVING OPERATIONS FROM AN EXISTING ROLE

STORACL>role remove -rn TESTROLE -OPN SD.Storage.Read

This removes the "SD.Storage.Read" operation from the role named "TESTROLE".

3.1.6 ADDING ACCESS RIGHTS FOR A USER

STORACL>user add -rsn System1:/vol/volTest -rtype vol -un mydomain\usr1 -RN SDProvision SDBackup

This sets the access rights of the domain user “usr1” on the volume “volTest” on storage
system “System1” as defined by the roles “SDProvision” and “SDBackup”.

Note: If the user is a domain user, the user name has to be given as domainname\username.
If the user is in a workgroup, the user name has to be given as hostname\username.

3.1.7 REMOVING ACCESS RIGHTS FOR A USER TO A RESOURCE
STORACL> user remove -rsn System1:/vol/volTest -rtype vol -un mydomain\usr1

This removes all access rights of the domain user “usr1” on the volume “volTest” on storage
system “System1”.

3.1.8 REMOVING SOME OF THE ROLES ASSIGNED TO A USER FOR A RESOURCE

STORACL> user remove -rsn System1:/vol/volTest -rtype vol -un mydomain\usr1 -RN SDBackup

This removes only the “SDBackup” role of the domain user “usr1” on the volume “volTest” on
storage system “System1”; any other roles assigned to the user on that volume are kept.

3.1.9 LIST RESOURCES THAT A USER CAN ACCESS


STORACL> user list -un mydomain\usr1

3.1.10 LIST ALL THE RESOURCES THAT ALL THE USERS CAN ACCESS
STORACL> user list

3.1.11 COMPLETELY REMOVE ALL ACCESS RIGHTS FOR A USER


STORACL> user remove -un mydomain\usr1

3.1.12 LIST STORAGE SYSTEM RESOURCES


STORACL> storage list -rtype vol

This will list all the volumes in the system.

STORACL> storage list -rtype aggr

This will list all the aggregates in the system.

3.1.13 ADDING VOLUME ACCESS FOR A HOST ON A STORAGE SYSTEM

STORACL> host add -h HOST1 -vol volTest

This gives the host named “HOST1” full access to the volume named “volTest” on storage system
“System1”. This means that any user running a previous version of SnapDrive (6.0.1 or 6.0.2) from
that host can work on this volume without any restriction.

3.1.14 LIST HOST ENTRIES IN THE STORAGE SYSTEM
STORACL> host list

3.1.15 LIST VOLUMES ON A STORAGE SYSTEM TO WHICH A HOST HAS ACCESS


STORACL> hvol list -h HOST1

3.1.16 REMOVING VOLUME ACCESS FOR A HOST ON A STORAGE SYSTEM


STORACL> hvol remove -h HOST1 -vol volTest

3.1.17 REMOVING A HOST ENTRY FROM A STORAGE SYSTEM


STORACL> host remove -h HOST1

3.2 EXAMPLE SCENARIOS

3.2.1 SCENARIO 1 – ACCESS ALL VOLUMES ON A STORAGE SYSTEM

You have been given the task of setting up a server administrator’s access rights so that he is
able to access all volumes on the storage system. You are required to give him complete
access to all volumes.
Below are the steps to follow to provide the appropriate access.
1. Connect to the storage system using the following command
C:\Tools>storacl -stor SYSTEM1
User:root
Password:******
STORACL>

2. Set access rights for the domain user “user1” on storage system “System1” as defined by
the role “SDAdmin”. The resource type “stor” applies the role to the whole storage system.
STORACL> user add -rsn System1 -rtype stor -un domain1\user1 -RN SDAdmin

To list all roles and their operations/capabilities use:

STORACL> role list

For SDBackup, the operations are as follows:

SDBackup
SD.SnapShot.Read
SD.SnapShot.Write

In case you need additional operations, you can define roles using:
STORACL> role add -rn <role_name> -OPN <operation1, operation2, …>

3.2.2 SCENARIO 2 – TAKE SNAPSHOTS OF VOLUMES ON A STORAGE SYSTEM

Your second task is to set up an application admin’s access rights such that he is only able to
view and create snapshots for designated volumes.
Follow the steps below:
1. Connect to the storage system using the following command
C:\Tools>storacl -stor SYSTEM1
User:root
Password:******
STORACL>

2. Set access rights for the domain user “usr1” on the volume “volTest” on storage system
“System1” as defined by the role “SDBackup”.
STORACL>user add -rsn System1:/vol/volTest -rtype vol -un mydomain\usr1 -RN SDBackup

4 STORACL DOWNLOAD
STORACL tool is available for download on the NOW site. Follow this link to download the tool -
http://now.netapp.com/NOW/download/tools/storeacl/

5 CONCLUSION
The Storage Access Control (STORACL) tool is a command-line based utility that allows storage
admins to enable a highly granular level of access control on different resources in a storage system.

© 2009 NetApp. All rights reserved. Specifications are subject to change without notice. NetApp, the NetApp logo, Go further, faster,
and xxxxxxx are trademarks or registered trademarks of NetApp, Inc. in the United States and/or other countries. TR-XXXX-XXX
www.netapp.com