
Summary



Starting with NetApp Data ONTAP 8.2.1, there are two new features supported with DPX 4.2 and later:

  • Use of non-root accounts for all backup and restore operations
  • Support for MultiStore vFiler instances

These two topics are interrelated, as the new MultiStore vFiler support depends on the Data ONTAP fixes introduced to support non-root account access.

Resolution



Data ONTAP 8.2.1 7-Mode and later introduces a new NDMP authentication type called plaintext_sso. This authentication type lets a Data ONTAP instance use a single username and password to authenticate both NDMP sessions and login/API sessions. Because the NDMP session is then authenticated with the account's real login password, and NDMP_AUTH_TEXT carries that password in cleartext on the NDMP control connection, use a dedicated account with only the permissions DPX needs (see "Non-root user account permissions" below) and keep the NDMP control connection on a trusted management network.

In prior versions of Data ONTAP, all user accounts required the generation of a separate NDMP hash password; root was the only exception to this rule. This NDMP requirement is why the DPX Deployment Guide and the DPX Best Practice Guide indicated that the root account be used when scanning in a NetApp 7-Mode controller as a destination for Block backup. The NDMP password requirement is also why vFilers could not be used.

For a new deployment, it is generally recommended to verify DPX access to the base controller (vFiler0 if you use MultiStore) using the system's root account. This verification is not a requirement; however, testing your Data ONTAP settings with full access permissions first helps avoid confusion later if the non-root or vFiler setup does not work as expected. The minimal testing required to validate generally used DPX functionality is a Block backup, an individual file restore, and an Instant Access (IA) map.

Note that in the following descriptions, the terms base controller and vFiler0 are used interchangeably. These terms refer to the Data ONTAP instance that has visibility, access, and control for all resources on a NetApp controller. vFiler0 is visible when the MultiStore license is installed. vFiler0 represents the context that has administrative access and control over all other vFilers. When MultiStore is not installed, the keyword vFiler0 is not visible to the NetApp administrator, thus the term base controller in this case refers to the hardware and its basic install of Data ONTAP.

If you do not have a MultiStore license for vFiler but still wish to use non-root accounts for DPX data protection activities, skip to the section titled "Scanning in a NDMP Node Using Non-root Account".

vFiler setup

This section is not intended to be a comprehensive review of MultiStore vFiler creation and management. For comprehensive information, see the Data ONTAP MultiStore Management Guide for 7-Mode, which is included with your Data ONTAP software installation and can be downloaded directly from the NetApp technical support web site.

In most cases, it is convenient for the NetApp administrator to log in as root to the base controller (vFiler0), perform the vFiler0 setup there, and then switch context to the new vFiler for the remaining setup.

Note that newly created vFiler instances automatically inherit an administrative account called root. From a Data ONTAP perspective, a vFiler's root account is not equivalent to the root account in the vFiler0 context: it is treated like any non-root account, so using it for the DPX node scan-in poses no security risk to the vFiler0 instance. Within the new vFiler context, you may still want to create a separate user account to divide responsibilities and to set permissions that conform to your local security policy.

After the vFiler is set up and storage is provisioned to hold Block backups, you must set and check various system settings that are necessary for the vFiler to work properly.

From vFiler0 (base controller) context:

Ensure you have the following licenses:

  • iSCSI
  • SnapVault
  • FlexClone
  • SnapMirror (if replication is desired)

Set the following option to allow the vFiler to create FlexClone volumes programmatically through the API:

options vfiler.vol_clone_zapi_allow on

Use vfiler status -a to check the setting on your new vFiler.

The following vFiler protocols are required:

  • HTTP
  • iSCSI

The following vFiler protocols are recommended:

  • SSH, for CLI access and troubleshooting
  • FTP, for NetApp error log collection
  • NFS/CIFS, for NetApp error log collection

From the new vFiler context:

For additional setup requirements, see the "Set Up NetApp Storage System" chapter in the DPX Deployment Guide, section "Enable Options and Services for the NetApp Storage System."

Check the following options and settings, as indicated in the deployment guide:

ndmpd on
options ndmpd.access all
options ndmpd.authtype plaintext,challenge
options snapvault.access all
options snapvault.enable on
options httpd.admin.enable on
options httpd.enable on
options iscsi.enable on

Note that the options ndmpd.authtype plaintext,challenge setting above is important; it is used in the following section when scanning non-root user accounts into DPX.

The options httpd.admin.ssl.enable and tape.reservations scsi are not available within a vFiler context. The FTP and SSH settings are recommended but may be restricted by the administrator according to local security policy.
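As an added example (not code from the DPX documentation or from NetApp), the following POSIX shell script compares saved output of the 7-Mode options command, run in the new vFiler's context, against the checklist above, so the settings can be verified from a workstation instead of by eye. The option names are the ones listed above (ndmpd on sets the ndmpd.enable option, which is what the options listing shows); the sample output embedded in the script is constructed and deliberately has two of the settings wrong.

```shell
#!/bin/sh
# Added example, not part of the DPX documentation: check the saved output of
# the Data ONTAP 7-Mode "options" command (run in the new vFiler's context)
# against the settings DPX needs. "ndmpd on" in the checklist sets the
# ndmpd.enable option, which is what the "options" listing shows.
# Usage: vfiler run <name> options > opts.txt; sh check_dpx_options.sh opts.txt

# Required option values, one "name value" pair per line.
REQUIRED_OPTIONS='
ndmpd.enable on
ndmpd.access all
ndmpd.authtype plaintext,challenge
snapvault.access all
snapvault.enable on
httpd.admin.enable on
httpd.enable on
iscsi.enable on
'

# check_ontap_options FILE: print one line per required option that is
# missing or set differently in FILE; return 0 only if every option matches.
check_ontap_options() {
    file=$1
    rc=0
    while read -r name want; do
        [ -n "$name" ] || continue
        # "options" prints "name<spaces>value [comment]"; take the first two fields.
        have=$(awk -v n="$name" '$1 == n { print $2; exit }' "$file")
        if [ -z "$have" ]; then
            printf 'MISSING  %s (want %s)\n' "$name" "$want"
            rc=1
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s = %s (want %s)\n' "$name" "$have" "$want"
            rc=1
        fi
    done <<EOF
$REQUIRED_OPTIONS
EOF
    return $rc
}

# Constructed sample of "options" output from a vFiler that is not ready yet:
# NDMP accepts challenge authentication only, and HTTP admin access is off.
sample_options_output() {
    cat <<'EOF'
httpd.admin.enable           off
httpd.enable                 on
iscsi.enable                 on
ndmpd.access                 all
ndmpd.authtype               challenge
ndmpd.enable                 on
snapvault.access             all
snapvault.enable             on
EOF
}

# With a file argument, check that file. "--sample" checks the constructed
# sample above (exit status 1, two MISMATCH lines). No argument: define only.
case "${1:-}" in
    '') ;;
    --sample) tmp=$(mktemp); sample_options_output > "$tmp"
              check_ontap_options "$tmp"; st=$?; rm -f "$tmp"; exit $st ;;
    *) check_ontap_options "$1" ;;
esac
```

The exit status is what a deployment checklist can key on: a non-zero status means at least one of the listed options is missing or wrong, and the printed lines say which, so the fix is a single options command per line.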

Scanning in a NDMP Node Using Non-root Account

The user in this case is either a non-root user account on the base controller (vFiler0) or any account visible within a new vFiler context, including the root user automatically created when the new vFiler was instantiated.

Use the following procedure to enable the NDMP plaintext_sso authentication method and scan the NDMP node into the DPX Enterprise using the desired user account. With a MultiStore license, either switch context from vFiler0 to the desired vFiler instance or log into the vFiler directly over telnet/SSH using the vFiler's root administrative account. Without MultiStore, perform the procedure on the base controller as the system's root account over telnet/SSH or the serial console:

  1. Set options ndmpd.authtype plaintext,challenge.
  2. Generate an NDMP password with the ndmpd password <user> command, substituting <user> with the desired user account. This prints an NDMP hash, which you use as the password when scanning the node into the Enterprise.
  3. In the Configure Enterprise window, scan the node into the Enterprise using the desired user account and the NDMP password generated in the previous step, then click OK. If the user name and password are valid, the scan-in succeeds.
  4. If the scan-in succeeds, a dialog box appears asking for the authentication type (NDMP_AUTH_TEXT / NDMP_AUTH_MD5) and the backup type (dump/smtape). Select NDMP_AUTH_TEXT authentication and the preferred backup type, then click OK. When the scan-in is complete, verify that the desired DPX Block Data Protection features were detected (primary and/or secondary). Leave the Configure Enterprise window open; the password is changed there in step 6.
  5. Set options ndmpd.authtype plaintext_sso. From this point on, NDMP authenticates with the account's login password rather than the hash from step 2.
  6. In the Configure Enterprise window, change the password field to the user account's login password (the one used to log into the new vFiler), then click Apply to save the configuration again.
  7. Click Backup > NDMP and try to browse the new node. Then click Backup > Block, open the Block Backup Wizard, and try to browse the volumes on the destination. This confirms that the master server and the NDMP client node (proxy) can communicate with the NetApp storage system using the provided credentials.

At this point, the NDMP node should be available in the Enterprise and is configured to perform any data protection action, including Block backup and restore, agentless backup and restore, BMR, Instant Access, and virtualization.

Note that properly configured iSCSI access is essential to most recovery operations and to agentless backup. It is prudent to test all desired backup and restore operations end to end to ensure that routing and iSCSI access are available to the hosts that will use these features.

Non-root user account permissions

For vFilers, it is generally convenient to create a new user account for data protection access in the default Administrators group.

The same is true for non-root accounts on the base controller (vFiler0): creating a non-root account in the Administrators group is the most convenient option, but it grants that account full administrative rights on the controller.

For environments that need tighter control of NetApp storage roles, assign the user account a role with only the following capabilities (in 7-Mode, capabilities are assigned to a role with useradmin role add, the role to a group, and the group to the user):

  • login-ndmp
  • login-http-admin
  • api-*

Note that api-* is a wildcard that still grants every Data ONTAP API call; what this role withholds compared with Administrators is interactive access to the controller, such as the login-ssh, login-console and cli-* capabilities.
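The following POSIX shell script is an added example, not code from the DPX documentation or from NetApp. It scripts the filer-side half of the two procedures above together: it creates a least-privilege account with only the three capabilities just listed (instead of placing the account in Administrators), then runs the scan-in sequence from "Scanning in a NDMP Node Using Non-root Account" (hash authentication, pause for the DPX scan-in, switch to plaintext_sso, pause for the password change). The controller hostname, the account, role and group names, and the ontap_run wrapper are assumptions; the DPX GUI steps are still done by hand in the Configure Enterprise window.

```shell
#!/bin/sh
# Added example, not from the DPX documentation or NetApp: filer-side steps for
# onboarding a least-privilege DPX account on a Data ONTAP 7-Mode controller
# or vFiler, driven over SSH. Hostname and account/role/group names are
# assumed; override them in the environment.

FILER=${FILER:-filer1.example.com}   # assumed controller hostname
ADMIN=${ADMIN:-root}                 # base-controller / vFiler0 admin account
VFILER=${VFILER:-}                   # vFiler name with MultiStore; empty = base controller
DPX_USER=${DPX_USER:-dpxbackup}      # assumed name of the DPX account
DPX_ROLE=${DPX_ROLE:-dpx_role}
DPX_GROUP=${DPX_GROUP:-dpx_group}

# Only the capabilities listed in the article; no login-ssh/console, no cli-*.
DPX_CAPABILITIES='login-ndmp,login-http-admin,api-*'

# ontap_run CMD...: run one Data ONTAP CLI command on the filer over SSH. With
# VFILER set, the command is wrapped in "vfiler run" so it executes in that
# vFiler's context. ONTAP_EXEC lets a dry-run stub stand in for ssh.
ontap_run() {
    if [ -n "$VFILER" ]; then
        set -- vfiler run "$VFILER" "$@"
    fi
    "${ONTAP_EXEC:-ssh}" "$ADMIN@$FILER" "$*"
}

# Least-privilege account: role -> group -> user. "useradmin user add" prompts
# for the new password on the filer, so run this from an interactive session.
create_dpx_account() {
    ontap_run useradmin role add "$DPX_ROLE" -a "$DPX_CAPABILITIES"
    ontap_run useradmin group add "$DPX_GROUP" -r "$DPX_ROLE"
    ontap_run useradmin user add "$DPX_USER" -g "$DPX_GROUP"
}

# Steps 1-2: hash-based NDMP authentication and an NDMP hash for the account.
# The hash printed by "ndmpd password" is what goes into the DPX password
# field for the initial scan-in.
prepare_hash_auth() {
    ontap_run options ndmpd.authtype plaintext,challenge
    ontap_run ndmpd password "$DPX_USER"
}

# Step 5: switch to plaintext_sso, so the account's login password is also its
# NDMP password. With NDMP_AUTH_TEXT that password crosses the NDMP control
# connection in cleartext, so keep that connection on a management network.
enable_sso_auth() {
    ontap_run options ndmpd.authtype plaintext_sso
}

# Read the option back; "options <name>" prints "<name> <value>".
verify_sso_auth() {
    ontap_run options ndmpd.authtype | grep -q 'plaintext_sso'
}

main() {
    create_dpx_account
    prepare_hash_auth
    printf 'Scan %s into DPX as %s with the NDMP hash above (steps 3-4), then press Enter: ' \
        "$FILER" "$DPX_USER"
    read -r _
    enable_sso_auth
    verify_sso_auth || { echo "ndmpd.authtype is not plaintext_sso" >&2; exit 1; }
    printf 'Now set the DPX password field to the login password of %s and click Apply (step 6).\n' \
        "$DPX_USER"
}

# Run the sequence only when invoked as "sh dpx_onboard.sh run"; otherwise the
# functions are just defined, so the file can be sourced for a dry run.
if [ "${1:-}" = run ]; then main; fi
```

For a dry run before touching a production controller, source the file and set ONTAP_EXEC to a function that only records its second argument; the recorded lines are exactly the commands that would be sent, with the vfiler run prefix present or absent depending on VFILER.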