There are multiple ways to do authentication to NetApp systems when using the PowerShell Toolkit. This ranges from the simple and obvious one-time connection, to securely storing credentials for future use. Saving credentials can be useful when executing scripts from a host non-interactively, such as with scheduled tasks or triggered through another script.
Connecting to a Single Controller
The Connect-NcController is the standard method of connecting to a clustered Data ONTAP controller. Connect-NaController is the 7-mode equivalent and works identically. Additionally, the same credential rules apply for the Invoke-NcSsh and Invoke-NaSsh cmdlets as well.
Arguably the most common method of connecting to a controller is by simply providing the hostname:
# this will attempt to connect to the specified controller using stored credentials, or if none # are found, will prompt for credentials. it will also default to HTTPS, with a fallback to HTTP Connect-NcController $myController
If you are connecting to an SVM’s management interface this will work as expected, though some cmdlets won’t work because of the limited scope. If you want to connect to an SVM by tunneling through the cluster management interface, use the -Vserver parameter.
Connect-NcController $clusterMgmtLif -Vserver $SvmName
However, there are a number of parameters which change the default behavior.
# force prompt for credentials Connect-NcController $myController -Credential (Get-Credential) # use HTTPS or fail to connect Connect-NcController $myController -HTTPS # use HTTP or fail Connect-NcController $myController -HTTP
Connecting to Multiple Controllers
After connecting to a cluster using the Connect-NcController cmdlet, the connection is stored in the variable $global:CurrentNcController and is the default used for all connections. However, we can modify this behavior in several useful ways if desired.
- Don’t save the connection to
$global:CurrentNcControllerThis is useful when you will be connecting to multiple clusters/SVMs and want to specify which one to execute each command against.
# connect to the first cluster/SVM $favoriteSvm = Connect-NcController $clusterMgmtIP -Vserver Favorite -Credential $credential -Transient # connect to the second cluster/SVM $hatedSvm = Connect-NcController $clusterMgmtIP -Vserver Hated -Credential $credential -Transient # execute cmdlets against one or the other Get-NcVol -Controller $favoriteSvm | Set-NcVolSize -NewSize +20% -Controller $favoriteSvm Get-NcVol -Controller $hatedSvm | Set-NcVol -Offline -Controller $hatedSvm | Remove-NcVol -Confirm:$false -Controller $hatedSvm
- Multiple values in
$global:CurrentNcControllerSometimes it’s helpful to connect to multiple clusters or SVMs simultaneously. This will cause each cmdlet to be executed against all values in the
$global:CurrentNcControllerarray in succession.# connect to the first cluster/SVM Connect-NcController $clusterMgmtIP -Vserver Favorite -Credential $credential # connect to the second (or more) cluster/SVM Connect-NcController $clusterMgmtIP -Vserver SecondFavorite -Credential $credential -Add # execute tasks against both clusters/SVMs Get-NcVol # execute a task against one or the other Get-NcVol -Controller $global:CurrentNcController[0] Get-NcSnapshot -Controller $global:CurrentNcController[1]
Providing Credentials
By default the Connect-NcController cmdlet will check for stored credentials and, if none are found, fallback to prompting for them. We can work around this a few different ways.
- Use a variable in your script
# # store the credential in a variable for re-use # $credential = Get-Credential Connect-NcController $myFavoriteController -Credential $credential # do something using this controller Connect-NcController $myHatedController -Credential $credential # the first controller will automatically be disconnected. now do something # with the second controller.
- Using the
Add-NcCredentialcmdlet
# # store the credential using the PowerShell Toolkit # Add-NcCredential -Controller $myController -Credential (Get-Credential) # at this point, $myController can be connected to now and in the future, by the current system # user, without having to provide credentials again. they are stored securely on the system, # and, by default, are only accessible to the user who executed the Add-NcCredential cmdlet. # to make the stored credentials available to anyone on the system, use the -SystemScope # parameter. note that any user on the system would be able to connect to the system with the # stored credential, so be careful when using this parameter. Add-NcCredential -Controller $myController -SystemScope -Credential (Get-Credential)
- Using the
Export-Clixmlcmdlet
# # store the creds in a secure manner, then retrieve them. note that only the user # who created the credential object will be able to read it # $credential | Export-Clixml ./credential.xml # retrieve them for use Connect-NcController $controller -Credential (Import-Clixml ./credential.xml)
- Using Plain Text
# # note that this is by far the least secure method # $username = 'admin' $password = 'P@s$w0rd' $ssPassword = ConvertTo-SecureString -String $password -AsPlainText -Force $credential = New-Object System.Management.Automation.PSCredential $username,$ssPassword Connect-NcController $myController -Credential $credential
The post NetApp PowerShell Toolkit: Authentication appeared first on The Practical Administrator.