Updating custom role api's list

shashank-netapp · web-flow · commit 79510e1b18b3 · 2025-07-02T20:47:02.000+05:30
diff --git a/contrib/ontap/trident_role/cli_pastable/rest_custom_role_output.txt b/contrib/ontap/trident_role/cli_pastable/rest_custom_role_output.txt
@@ -0,0 +1,42 @@
+security login rest-role create -role "trident" -api "/api/private/cli/vserver/nvme/subsystem/delete" -access all
+security login rest-role create -role "trident" -api "/api/protocols/san/igroups/initiators" -access all
+security login rest-role create -role "trident" -api "/api/protocols/nvme/subsystems/hosts" -access all
+security login rest-role create -role "trident" -api "/api/protocols/san/igroups" -access all
+security login rest-role create -role "trident" -api "/api/protocols/san/iscsi/credentials" -access read_modify
+security login rest-role create -role "trident" -api "/api/network/ip/interfaces" -access readonly
+security login rest-role create -role "trident" -api "/api/protocols/san/iscsi/services" -access readonly
+security login rest-role create -role "trident" -api "/api/storage/luns" -access all
+security login rest-role create -role "trident" -api "/api/cluster/jobs" -access readonly
+security login rest-role create -role "trident" -api "/api/storage/qtrees" -access all
+security login rest-role create -role "trident" -api "/api/cluster" -access readonly
+security login rest-role create -role "trident" -api "/api/snapmirror/relationships" -access all
+security login rest-role create -role "trident" -api "/api/protocols/nvme/subsystems" -access all
+security login rest-role create -role "trident" -api "/api/storage/volumes" -access all
+security login rest-role create -role "trident" -api "/api/storage/quota/rules" -access read_create_modify
+security login rest-role create -role "trident" -api "/api/storage/volumes/snapshots" -access all
+security login rest-role create -role "trident" -api "/api/svm/svms" -access readonly
+security login rest-role create -role "trident" -api "/api/protocols/nfs/export-policies/rules" -access all
+security login rest-role create -role "trident" -api "/api/cluster/schedules" -access readonly
+security login rest-role create -role "trident" -api "/api/protocols/cifs/shares" -access all
+security login rest-role create -role "trident" -api "/api/support/ems/application-logs" -access read_create
+security login rest-role create -role "trident" -api "/api/protocols/nfs/export-policies" -access all
+security login rest-role create -role "trident" -api "/api/protocols/nvme/subsystem-maps" -access all
+security login rest-role create -role "trident" -api "/api/protocols/san/lun-maps" -access all
+security login rest-role create -role "trident" -api "/api/snapmirror/policies" -access readonly
+security login rest-role create -role "trident" -api "/api/storage/aggregates" -access readonly
+security login rest-role create -role "trident" -api "/api/storage/luns/attributes" -access read_create_modify
+security login rest-role create -role "trident" -api "/api/protocols/san/lun-maps/reporting-nodes" -access readonly
+security login rest-role create -role "trident" -api "/api/svm/peers" -access readonly
+security login rest-role create -role "trident" -api "/api/network/fc/interfaces" -access readonly
+security login rest-role create -role "trident" -api "/api/protocols/san/fcp/services" -access readonly
+security login rest-role create -role "trident" -api "/api/storage/storage-units/snapshots" -access all
+security login rest-role create -role "trident" -api "/api/cluster/nodes" -access readonly
+security login rest-role create -role "trident" -api "/api/private/cli/volume/recovery-queue" -access readonly
+security login rest-role create -role "trident" -api "/api/private/cli/volume/recovery-queue/purge" -access read_create
+security login rest-role create -role "trident" -api "/api/private/cli/lun" -access all
+security login rest-role create -role "trident" -api "/api/storage/namespaces" -access read_create_modify
+security login rest-role create -role "trident" -api "/api/snapmirror/relationships/transfers" -access read_create_modify
+security login rest-role create -role "trident" -api "/api/storage/storage-units" -access all
+security login rest-role create -role "trident" -api "/api/application/consistency-groups" -access all
+security login rest-role create -role "trident" -api "/api/protocols/cifs/shares/acls" -access all
+security login rest-role create -role "trident" -api "/api/application/consistency-groups/snapshots" -access read_create
diff --git a/contrib/ontap/trident_role/cli_pastable/role-generator.sh b/contrib/ontap/trident_role/cli_pastable/role-generator.sh
@@ -10,7 +10,7 @@
 
 # usage: ./role-generator.sh [-h] [-v VSERVER_NAME] [-r ROLE_NAME] [--zapi] [--rest] [-j JSON] [-o OUTPUT]
 
-# Copyright (c) 2024 NetApp, Inc. All Rights Reserved.
+# Copyright (c) 2025 NetApp, Inc. All Rights Reserved.
 # Licensed under the BSD 3-Clause "New or Revised" License (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
diff --git a/contrib/ontap/trident_role/cli_pastable/zapi_custom_role_output.txt b/contrib/ontap/trident_role/cli_pastable/zapi_custom_role_output.txt
@@ -2,26 +2,16 @@ security login role create -role "trident" -cmddirname "snapmirror resync" -acce
 security login role create -role "trident" -cmddirname "snapmirror policy" -access readonly
 security login role create -role "trident" -cmddirname "vserver cifs share" -access readonly
 security login role create -role "trident" -cmddirname "vserver export-policy rule delete" -access all
-security login role create -role "trident" -cmddirname "volume modify" -access all
-security login role create -role "trident" -cmddirname "vserver iscsi security" -access readonly
-security login role create -role "trident" -cmddirname "vserver" -access readonly
 security login role create -role "trident" -cmddirname "vserver iscsi initiator" -access readonly
 security login role create -role "trident" -cmddirname "storage aggregate show-space" -access all
-security login role create -role "trident" -cmddirname "vserver iscsi" -access readonly
-security login role create -role "trident" -cmddirname "lun" -access all
 security login role create -role "trident" -cmddirname "vserver iscsi security delete" -access all
-security login role create -role "trident" -cmddirname "lun mapping" -access readonly
 security login role create -role "trident" -cmddirname "snapmirror initialize" -access all
 security login role create -role "trident" -cmddirname "volume quota policy rule" -access readonly
 security login role create -role "trident" -cmddirname "volume unmount" -access all
-security login role create -role "trident" -cmddirname "volume snapshot create" -access all
 security login role create -role "trident" -cmddirname "vserver iscsi interface" -access readonly
 security login role create -role "trident" -cmddirname "lun igroup add" -access all
 security login role create -role "trident" -cmddirname "lun create" -access all
-security login role create -role "trident" -cmddirname "lun modify" -access all
 security login role create -role "trident" -cmddirname "lun move-in-volume" -access all
-security login role create -role "trident" -cmddirname "volume create" -access all
-security login role create -role "trident" -cmddirname "volume destroy" -access all
 security login role create -role "trident" -cmddirname "vserver export-policy create" -access all
 security login role create -role "trident" -cmddirname "vserver iscsi security create" -access all
 security login role create -role "trident" -cmddirname "vserver fcp nodename" -access all
@@ -30,7 +20,6 @@ security login role create -role "trident" -cmddirname "snapmirror update" -acce
 security login role create -role "trident" -cmddirname "volume quota" -access readonly
 security login role create -role "trident" -cmddirname "lun igroup delete" -access all
 security login role create -role "trident" -cmddirname "lun serial" -access all
-security login role create -role "trident" -cmddirname "volume file clone create" -access all
 security login role create -role "trident" -cmddirname "lun mapping delete" -access all
 security login role create -role "trident" -cmddirname "volume qtree delete" -access all
 security login role create -role "trident" -cmddirname "snapmirror delete" -access all
@@ -40,12 +29,8 @@ security login role create -role "trident" -cmddirname "snapmirror break" -acces
 security login role create -role "trident" -cmddirname "vserver export-policy delete" -access all
 security login role create -role "trident" -cmddirname "vserver export-policy rule" -access readonly
 security login role create -role "trident" -cmddirname "vserver iscsi security default" -access all
-security login role create -role "trident" -cmddirname "volume size" -access all
 security login role create -role "trident" -cmddirname "lun igroup" -access readonly
-security login role create -role "trident" -cmddirname "volume destroy" -access all
-security login role create -role "trident" -cmddirname "volume clone create" -access all
 security login role create -role "trident" -cmddirname "volume rename" -access all
-security login role create -role "trident" -cmddirname "snapmirror release" -access all
 security login role create -role "trident" -cmddirname "volume quota policy rule modify" -access all
 security login role create -role "trident" -cmddirname "volume snapshot restore" -access all
 security login role create -role "trident" -cmddirname "vserver export-policy rule create" -access all
@@ -73,11 +58,8 @@ security login role create -role "trident" -cmddirname "volume create" -access a
 security login role create -role "trident" -cmddirname "vserver" -access readonly
 security login role create -role "trident" -cmddirname "volume qtree modify" -access all
 security login role create -role "trident" -cmddirname "vserver iscsi nodename" -access all
-security login role create -role "trident" -cmddirname "snapmirror" -access readonly
-security login role create -role "trident" -cmddirname "snapmirror release" -access all
 security login role create -role "trident" -cmddirname "volume offline" -access all
 security login role create -role "trident" -cmddirname "job" -access readonly
-security login role create -role "trident" -cmddirname "version" -access all
 security login role create -role "trident" -cmddirname "event generate-autosupport-log" -access all
 security login role create -role "trident" -cmddirname "volume qtree rename" -access all
 security login role create -role "trident" -cmddirname "vserver show-aggregates" -access all
@@ -97,6 +79,12 @@ security login role create -role "trident" -cmddirname "vserver cifs share creat
 security login role create -role "trident" -cmddirname "lun online" -access all
 security login role create -role "trident" -cmddirname "lun mapping" -access readonly
 security login role create -role "trident" -cmddirname "lun modify" -access all
-security login role create -role "trident" -cmddirname "volume recovery-queue" -access all
+security login role create -role "trident" -cmddirname "volume recovery-queue show" -access readonly
 security login role create -role "trident" -cmddirname "version" -access all
 security login role create -role "trident" -cmddirname "vserver peer" -access readonly
+security login role create -role "trident" -cmddirname "volume destroy" -access all
+security login role create -role "trident" -cmddirname "volume file clone create" -access all
+security login role create -role "trident" -cmddirname "snapmirror release" -access all
+security login role create -role "trident" -cmddirname "vserver cifs share access-control create" -access all
+security login role create -role "trident" -cmddirname "vserver cifs share access-control delete" -access all
+security login role create -role "trident" -cmddirname "volume snapshot create" -access all
diff --git a/contrib/ontap/trident_role/raw/rest_custom_role.json b/contrib/ontap/trident_role/raw/rest_custom_role.json
@@ -5,7 +5,6 @@
 	{"access": "all", "path": "/api/protocols/san/igroups"},
 	{"access": "read_modify", "path": "/api/protocols/san/iscsi/credentials"},
 	{"access": "readonly", "path": "/api/network/ip/interfaces"},
-	{"access": "read_create_modify", "path": "/api/storage/namespaces"},
 	{"access": "readonly", "path": "/api/protocols/san/iscsi/services"},
 	{"access": "all", "path": "/api/storage/luns"},
 	{"access": "readonly", "path": "/api/cluster/jobs"},
@@ -23,22 +22,23 @@
 	{"access": "read_create", "path": "/api/support/ems/application-logs"},
 	{"access": "all", "path": "/api/protocols/nfs/export-policies"},
 	{"access": "all", "path": "/api/protocols/nvme/subsystem-maps"},
-	{"access": "read_create", "path": "/api/snapmirror/relationships/transfers"},
 	{"access": "all", "path": "/api/protocols/san/lun-maps"},
 	{"access": "readonly", "path": "/api/snapmirror/policies"},
 	{"access": "readonly", "path": "/api/storage/aggregates"},
 	{"access": "read_create_modify", "path": "/api/storage/luns/attributes"},
 	{"access": "readonly", "path": "/api/protocols/san/lun-maps/reporting-nodes"},
 	{"access": "readonly", "path": "/api/svm/peers"},
 	{"access": "readonly", "path": "/api/network/fc/interfaces"},
-	{"access": "read_modify", "path": "/api/storage/quota/rules"},
-	{"access": "read_modify", "path": "/api/storage/namespaces"},
 	{"access": "readonly", "path": "/api/protocols/san/fcp/services"},
 	{"access": "all", "path": "/api/storage/storage-units/snapshots"},
 	{"access": "readonly", "path": "/api/cluster/nodes"},
-	{"access": "read_modify", "path": "/api/storage/luns/attributes"},
-	{"access": "read_modify", "path": "/api/storage/storage-units"},
-	{"access": "all", "path": "/api/private/cli/volume/recovery-queue"},
-	{"access": "all", "path": "/api/private/cli/volume/recovery-queue/purge"},
-	{"access": "all", "path": "/api/private/cli/lun"}
-]
+	{"access": "readonly", "path": "/api/private/cli/volume/recovery-queue"},
+	{"access": "read_create", "path": "/api/private/cli/volume/recovery-queue/purge"},
+	{"access": "all", "path": "/api/private/cli/lun"},
+	{"access": "read_create_modify", "path": "/api/storage/namespaces"},
+	{"access": "read_create_modify", "path": "/api/snapmirror/relationships/transfers"},
+	{"access": "all", "path": "/api/storage/storage-units"},
+	{"access": "all", "path": "/api/application/consistency-groups"},
+	{"access": "all", "path": "/api/protocols/cifs/shares/acls"},
+	{"access": "read_create", "path": "/api/application/consistency-groups/snapshots"}
+]
diff --git a/contrib/ontap/trident_role/raw/zapi_custom_role.json b/contrib/ontap/trident_role/raw/zapi_custom_role.json
@@ -22,7 +22,6 @@
 	{"command": "lun modify", "access_level": "all", "zapi": "lun-set-qos-policy-group"},
 	{"command": "lun move-in-volume", "access_level": "all", "zapi": "lun-move"},
 	{"command": "volume create", "access_level": "all", "zapi": "volume-create-async"},
-	{"command": "volume destroy", "access_level": "all", "zapi": "volume-destroy"},
 	{"command": "vserver export-policy create", "access_level": "all", "zapi": "export-policy-create"},
 	{"command": "vserver iscsi security create", "access_level": "all", "zapi": "iscsi-initiator-add-auth"},
 	{"command": "vserver fcp nodename", "access_level": "all", "zapi": "fcp-node-get-name"},
@@ -31,7 +30,6 @@
 	{"command": "volume quota", "access_level": "readonly", "zapi": "quota-status"},
 	{"command": "lun igroup delete", "access_level": "all", "zapi": "igroup-destroy"},
 	{"command": "lun serial", "access_level": "all", "zapi": "lun-get-serial-number"},
-	{"command": "volume file clone create", "access_level": "all", "zapi": "clone-create"},
 	{"command": "lun mapping delete", "access_level": "all", "zapi": "lun-unmap"},
 	{"command": "volume qtree delete", "access_level": "all", "zapi": "qtree-delete-async"},
 	{"command": "snapmirror delete", "access_level": "all", "zapi": "snapmirror-destroy"},
@@ -46,7 +44,6 @@
 	{"command": "volume destroy", "access_level": "all", "zapi": "volume-destroy-async"},
 	{"command": "volume clone create", "access_level": "all", "zapi": "volume-clone-create"},
 	{"command": "volume rename", "access_level": "all", "zapi": "volume-rename"},
-	{"command": "snapmirror release", "access_level": "all", "zapi": "snapmirror-release"},
 	{"command": "volume quota policy rule modify", "access_level": "all", "zapi": "quota-set-entry"},
 	{"command": "volume snapshot restore", "access_level": "all", "zapi": "snapshot-restore-volume"},
 	{"command": "vserver export-policy rule create", "access_level": "all", "zapi": "export-rule-create"},
@@ -98,7 +95,14 @@
 	{"command": "lun online", "access_level": "all", "zapi": "lun-online"},
 	{"command": "lun mapping", "access_level": "readonly", "zapi": "lun-map-list-info"},
 	{"command": "lun modify", "access_level": "all", "zapi": "lun-set-attribute"},
-	{"command": "volume recovery-queue", "access_level": "all", "zapi": "volume-recovery-queue-get-iter"},
+	{"command": "volume recovery-queue show", "access_level": "readonly", "zapi": "volume-recovery-queue-get-iter"},
 	{"command": "version", "access_level": "all", "zapi": "system-get-version"},
-	{"command": "vserver peer", "access_level": "readonly", "zapi": "vserver-peer-get-iter"}
-]
+	{"command": "vserver peer", "access_level": "readonly", "zapi": "vserver-peer-get-iter"},
+	{"command": "volume destroy", "access_level": "all", "zapi": "volume-destroy"},
+	{"command": "volume file clone create", "access_level": "all", "zapi": "clone-create"},
+	{"command": "snapmirror release", "access_level": "all", "zapi": "snapmirror-release"},
+	{"command": "vserver cifs share access-control create", "access_level": "all", "zapi": "cifs-share-access-control-create"},
+	{"command": "vserver cifs share access-control delete", "access_level": "all", "zapi": "cifs-share-access-control-delete"},
+	{"command": "volume snapshot create", "access_level": "all", "zapi": "cg-commit"},
+	{"command": "volume snapshot create", "access_level": "all", "zapi": "cg-start"}
+]
diff --git a/contrib/ontap/trident_role/script/role-creator.py b/contrib/ontap/trident_role/script/role-creator.py
@@ -9,7 +9,7 @@
 usage: role-creator.py [-h] [-v VSERVER_NAME] [-r ROLE_NAME] [--zapi] [--rest] [-i HOST_IP] [-u USERNAME] [-p PASSWORD] [-j JSON]
                        [--log-level {CRITICAL,FATAL,ERROR,WARN,WARNING,INFO,DEBUG,NOTSET}]
 
-Copyright (c) 2024 NetApp, Inc. All Rights Reserved.
+Copyright (c) 2025 NetApp, Inc. All Rights Reserved.
 Licensed under the BSD 3-Clause "New or Revised" License (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
diff --git a/core/concurrent_core_test.go b/core/concurrent_core_test.go
@@ -5,6 +5,7 @@ package core
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"sync"
 	"testing"
 
