cDOT RBAC example

(Thanks to Sander, Kees, Maarten and other students in some class in the Netherlands)

We want a user to be able to perform only a particular task in an SVM.
RBAC lets us configure this.

Example: We want to limit a user to qtree management in an SVM.

1. Create the SVM.
cluster91::*> vserver create -vserver nfs_2 -subtype default -rootvolume rv -aggregate n1_aggr1 -rootvolume-security-style unix

2. Create an interface to access the SVM.
cluster91::*> net int create -vserver nfs_2 -lif lif1 -role data -data-protocol nfs -home-node cluster91-01 -home-port e0d -address 192.168.4.205 -netmask 255.255.255.0 -status-admin up

3. Allow ssh access.
cluster91::*> net int modify -vserver nfs_2 -lif lif1 -firewall-policy mgmt

4. Create a role that gives access to all qtree actions.
cluster91::*> security login role create -role qtree_only -cmddirname "volume qtree" -access all -vserver nfs_2

5. Create a user with that role.
cluster91::*> security login create -user-or-group-name q_creator -application ssh -authentication-method password -role qtree_only -vserver nfs_2

6. Finally create the volume.
cluster91::*> vol create -vserver nfs_2 -volume q_vol -aggregate n1_aggr1 -size 100m

Now we log in as that user and try some commands. Only the qtree commands are available.

[root@puck .ssh]# ssh q_creator@192.168.4.205
Password:*******
nfs_2::> vol show

Error: "show" is not a recognized command

nfs_2::> qtree create -volume q_vol -qtree q2

nfs_2::> qtree delete -volume q_vol -qtree q2

Warning: Are you sure you want to delete qtree "q2" in volume "q_vol" Vserver
"nfs_2"? {y|n}: y
[Job 48] Job is queued: Delete qtree q2 in volume q_vol Vserver nfs_2.
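To make the behaviour of the role created in step 4 and checked in the session above easier to reason about, here is an added Python model of command-directory RBAC. It is an illustration written for this page, not ONTAP's own access-check code: a role maps -cmddirname values to an access level, the entry matching the longest prefix of a command path wins, a command with no matching entry is denied, and "show" is treated as the only read-only verb. The audit and broad_grants helpers, the verb classification and the command lines are all constructed for the example.

```python
"""Simplified model of ONTAP command-directory RBAC (illustration only).

Not ONTAP's own implementation. It models what the post demonstrates: a
role maps command directories (-cmddirname) to an access level, the entry
matching the longest prefix of a command path decides, and a command with
no matching entry is denied.
"""
from dataclasses import dataclass, field

# Access levels in increasing order of privilege.
ACCESS_RANK = {"none": 0, "readonly": 1, "all": 2}

# Verbs treated as read-only here; everything else is treated as modifying.
READ_ONLY_VERBS = {"show"}

# Abbreviations expanded before matching; "vol" is the one the post uses.
ALIASES = {"vol": "volume"}


def command_path(command: str) -> tuple[str, ...]:
    """Return the directory/verb tokens of a CLI line, stopping at the first -option."""
    path = []
    for tok in command.split():
        if tok.startswith("-"):
            break
        path.append(ALIASES.get(tok, tok))
    return tuple(path)


@dataclass
class Role:
    name: str
    # command directory (tuple of tokens) -> access level
    entries: dict[tuple[str, ...], str] = field(default_factory=dict)

    def add(self, cmddirname: str, access: str) -> None:
        """Record one -cmddirname/-access pair, rejecting unknown levels."""
        if access not in ACCESS_RANK:
            raise ValueError(f"unknown access level {access!r}")
        self.entries[tuple(cmddirname.split())] = access

    def effective_access(self, command: str) -> str:
        """Access level of the most specific directory that prefixes the command."""
        path = command_path(command)
        best, best_len = "none", -1
        for directory, access in self.entries.items():
            if path[:len(directory)] == directory and len(directory) > best_len:
                best, best_len = access, len(directory)
        return best

    def allows(self, command: str) -> bool:
        """True when the role's effective level covers what the verb needs."""
        path = command_path(command)
        needed = "readonly" if path and path[-1] in READ_ONLY_VERBS else "all"
        return ACCESS_RANK[self.effective_access(command)] >= ACCESS_RANK[needed]

    def broad_grants(self) -> list[str]:
        """Top-level directories (one token) granted 'all': worth a second look."""
        return [" ".join(d) for d, a in self.entries.items() if a == "all" and len(d) <= 1]


def audit(role: Role, commands: list[str]) -> dict[str, bool]:
    """Map each command line to whether the role permits it."""
    return {cmd: role.allows(cmd) for cmd in commands}


# The role from the post: full access, but only under "volume qtree".
qtree_only = Role("qtree_only")
qtree_only.add("volume qtree", "all")

# Constructed command lines mirroring the post's session.
SESSION = [
    "vol show",
    "volume qtree create -volume q_vol -qtree q2",
    "volume qtree delete -volume q_vol -qtree q2",
]

if __name__ == "__main__":
    for cmd, ok in audit(qtree_only, SESSION).items():
        print(f"{'allow' if ok else 'deny':5} {cmd}")
```

Running the block denies "vol show" and allows the two qtree commands, matching the session. Defining a second role with "all" on the top-level "volume" directory shows why the post scopes the role to "volume qtree": broad_grants() flags it, and a more specific "readonly" entry under "volume qtree" then takes precedence over the broader grant.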
