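MAV functionality in SVM scope
Environment
- ONTAP 9
- Multi-admin verification (MAV)
Issue
- When a query rule exists, running a command from a data vserver connection displays the MAV approval prompt.
- When a query rule exists, running a command from the admin vserver does not display the MAV approval prompt to the user.
- Example: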
Stormbreaker::*> multi-admin-verify rule show
(security multi-admin-verify rule show)
Required Approval
Vserver Operation Approvers Groups
----------- ------------------------------------------ --------- -------------
Stormbreaker
security login password - -
Query: -multi-admin-approver true -different-user true
security login unlock - -
Query: -username diag
security multi-admin-verify approval-group create - -
security multi-admin-verify approval-group delete - -
security multi-admin-verify approval-group modify - -
security multi-admin-verify approval-group replace - -
security multi-admin-verify modify - -
security multi-admin-verify rule create - -
security multi-admin-verify rule delete - -
security multi-admin-verify rule modify - -
set - -
Query: -privilege diagnostic
volume snapshot delete - MAV_group1
Query: -vserver cifs
12 entries were displayed.
The output above shows that MAV approval is required only for Snapshot deletion on the "cifs" SVM.
- Behavior when run from the admin SVM:
Stormbreaker::> snapshot delete -vserver aws_kms -volume aws_kms_root -snapshot hourly.2024-04-24_0805
Warning: Deleting a Snapshot copy permanently removes data that is stored only in that Snapshot copy. Are you sure you want to delete Snapshot copy "hourly.2024-04-24_0805" for
volume "aws_kms_root" in Vserver "aws_kms" ? {y|n}: y
Stormbreaker::> snapshot delete -vserver cifs -volume audit_log -snapshot hourly.2024-04-24_0905
Warning: This operation requires multi-admin verification. To create a verification request use "security multi-admin-verify request create".
Would you like to create a request for this operation? {y|n}: y
Error: command failed: The security multi-admin-verify request (index 1) is auto-generated and requires approval.
- Non-working behavior when run from a data SVM:
cifs::> snapshot delete -volume gregg -snapshot hourly.2024-05-08_0805
Warning: This operation requires multi-admin verification. To create a verification request use "security multi-admin-verify request create".
Would you like to create a request for this operation? {y|n}: y
Error: command failed: The security multi-admin-verify request (index 4) is auto-generated and requires approval.
cifs::> snapshot delete -volume gregg -snapshot hourly.2024-05-08_0805
Warning: Deleting a Snapshot copy permanently removes data that is stored only in that Snapshot copy. Are you sure you want to delete Snapshot copy "hourly.2024-05-08_0805" for
volume "gregg" in Vserver "cifs" ? {y|n}: y
aws_kms::> snapshot delete -volume aws_kms_root -snapshot hourly.2024-05-08_0805
Warning: This operation requires multi-admin verification. To create a verification request use "security multi-admin-verify request create".
Would you like to create a request for this operation? {y|n}: y
Error: command failed: The security multi-admin-verify request (index 5) is auto-generated and requires approval.
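As an added example (not NetApp code and not part of the original article), the following Python script checks session transcripts like those above against the scope of the `volume snapshot delete` rule and flags commands that were prompted for MAV outside that scope. It assumes the rule query is a single `-vserver` match and that a command without `-vserver` targets the SVM named in the prompt; the transcript is abridged from the sessions shown on this page.

```python
import re

# Scope of the page's "volume snapshot delete" rule (Query: -vserver cifs).
RULE_VSERVER = "cifs"

# Abridged from the sessions shown on this page (warning text shortened).
TRANSCRIPT = """\
Stormbreaker::> snapshot delete -vserver aws_kms -volume aws_kms_root -snapshot hourly.2024-04-24_0805
Warning: Deleting a Snapshot copy permanently removes data that is stored only in that Snapshot copy.
Stormbreaker::> snapshot delete -vserver cifs -volume audit_log -snapshot hourly.2024-04-24_0905
Warning: This operation requires multi-admin verification.
cifs::> snapshot delete -volume gregg -snapshot hourly.2024-05-08_0805
Warning: This operation requires multi-admin verification.
aws_kms::> snapshot delete -volume aws_kms_root -snapshot hourly.2024-05-08_0805
Warning: This operation requires multi-admin verification.
"""

PROMPT = re.compile(r"^(?P<svm>[\w.-]+)::\*?> (?P<cmd>.*snapshot delete.*)$")
VSERVER_ARG = re.compile(r"-vserver\s+(\S+)")
MAV_WARNING = "requires multi-admin verification"


def classify(transcript, rule_vserver=RULE_VSERVER):
    """Return one dict per 'snapshot delete' command found in the transcript."""
    results = []
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if m:
            arg = VSERVER_ARG.search(m["cmd"])
            # Assumption: without -vserver, the target is the SVM named in the prompt.
            target = arg.group(1) if arg else m["svm"]
            results.append({"session": m["svm"], "target": target,
                            "in_scope": target == rule_vserver, "mav": False})
        elif results and MAV_WARNING in line:
            # The MAV warning belongs to the most recent command.
            results[-1]["mav"] = True
    for r in results:
        r["consistent"] = r["in_scope"] == r["mav"]
    return results


def out_of_scope_prompts(transcript):
    """Commands that asked for MAV although the rule query does not cover them."""
    return [r for r in classify(transcript) if r["mav"] and not r["in_scope"]]


if __name__ == "__main__":
    for r in classify(TRANSCRIPT):
        print(r)
```

On the sample, only the `aws_kms::>` session is flagged: it was prompted for MAV although the rule query names only the "cifs" SVM.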