Authentication and authorization for the AIDE REST API
Before using the ONTAP REST API with AIDE extensions, you should understand the options for authentication and authorization.
ONTAP REST API authentication options
The ONTAP REST API supports two primary authentication techniques.
- Basic authentication
Basic authentication is a simple technique defined as part of the HTTP protocol. With basic authentication, you provide a username and password, joined with a colon and base64-encoded, in the Authorization header of your API calls. Base64 is an encoding, not encryption: the credentials travel with every request and are protected only by TLS. Basic authentication is not recommended for use with the AIDE REST API but can still be used with existing ONTAP API calls.
- OAuth 2.0 authentication
Beginning with ONTAP 9.14.1, ONTAP also supports OAuth 2.0. This is a more secure and flexible authentication framework. When using OAuth 2.0, you request an access token from an external identity provider (IdP) and include it as a bearer token in the Authorization header of each HTTP request.
AI Data Engine and OpenID Connect
OpenID Connect (OIDC) is built on OAuth 2.0 and provides a secure and standardized option when authenticating users and applications. OIDC is required to access DCN and AIDE functionality. After you Configure OpenID Connect for AIDE in ONTAP, access to ONTAP System Manager and the on-box Swagger page are protected by OIDC authentication.
As part of configuring OIDC in ONTAP System Manager, OAuth 2.0 is automatically enabled and an OAuth 2.0 client is created. You can then acquire an access token through the token_endpoint of your IdP, which can typically be determined from the IdP metadata URI. The access token must be included as a bearer token in the Authorization header of your API calls (Authorization: Bearer <token>) to authenticate and authorize access to AIDE resources.
Enhancements to the ONTAP RBAC implementation
Access to the AIDE REST API is protected using ONTAP's Role-Based Access Control (RBAC) framework. Users must have the appropriate roles and privileges assigned in ONTAP to access AIDE resources and perform operations through the REST API.
There are two additional ONTAP roles supporting AIDE. The equivalent external roles defined at your IdP need to map to these ONTAP roles to provide the necessary access to AIDE resources.
In addition to the two new ONTAP roles, you also need to map the external storage administrator role to the existing ONTAP admin role. Refer to AI Data Engine components and role-based interactions and Configure OpenID Connect for AIDE in ONTAP for more information.
- data-engineer
This is a pre-defined ONTAP administrative role for the AIDE Data Engineer. It restricts access to only the REST API endpoints, as well as the corresponding CLI command directories, needed to perform AIDE data engineering tasks. Tasks include working with workspaces and data collections, viewing jobs, and using file preview where permitted.
- data-scientist
This is a second pre-defined ONTAP administrative role for the AIDE Data Scientist. It similarly restricts access to only the REST APIs and corresponding CLI command directories needed for AIDE data scientist workflows.
Acquire an access token
You need to acquire an access token to use with the REST API call. The token request is performed outside of ONTAP and the exact procedure depends on the authorization server and its configuration. You might request the token through a web browser, with a curl command, or using a programming language. For illustration purposes, an example of how an access token can be requested from Microsoft Entra ID using curl is presented. The example uses the OAuth 2.0 resource owner password credentials (ROPC) grant (grant_type=password), which sends the user's password directly to the token endpoint. It is convenient for scripted testing, but it does not work for accounts that require multi-factor authentication and Entra ID treats it as a legacy flow, so check that your IdP policy permits it before relying on it.
Note the following:
- You must Configure OpenID Connect for AIDE in ONTAP for an AIDE-enabled cluster.
- Determine the token_endpoint of your IdP, typically available through the OIDC metadata URI.
- Locate the appropriate values for the configuration, such as CLIENT_ID, based on your IdP.
- TENANT_ID and CLIENT_ID are UUIDs. CLIENT_SECRET is the opaque secret value generated for the app registration. USERNAME and PASSWORD are plain text credentials.
- You can optionally define the variable values in the Bash shell for use with the curl command.
- Issue the following command at the CLI of your local workstation, providing values for the variables based on your environment:

    curl --location "https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token" \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode "grant_type=password" \
      --data-urlencode "client_id=$CLIENT_ID" \
      --data-urlencode "client_secret=$CLIENT_SECRET" \
      --data-urlencode "scope=$SCOPE/.default" \
      --data-urlencode "username=$USERNAME" \
      --data-urlencode "password=$PASSWORD"

- Review the response and extract the access token (the access_token field of the JSON response) for use in a REST API call.
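The following Python script is an added example, not NetApp code. It builds the same ROPC form request as the curl command above, extracts the access token from the JSON response, decodes the token's claims so you can check the audience, expiry and role claim before sending it, and attaches it as a bearer header to an ONTAP REST call. The sample token response is constructed inline so the checks run offline; the audience value, the shape of the role claim, and the use of /api/cluster (a standard ONTAP endpoint, not an AIDE-specific one) are assumptions for illustration.

```python
# Added example (not NetApp code): request an Entra ID access token with the same
# ROPC form fields as the curl command, sanity-check it locally, and send it to ONTAP.
import base64
import json
import time
import urllib.request
from urllib.parse import urlencode


def build_token_request(tenant_id, client_id, client_secret, scope, username, password):
    """Return (url, form_body) for the v2.0 token endpoint, mirroring the curl call."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "password",        # ROPC grant, as in the curl example
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{scope}/.default",
        "username": username,
        "password": password,
    }
    return url, urlencode(form)


def request_token(url, body):
    """POST the form and return the parsed JSON token response (network call)."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def extract_access_token(token_response):
    """Pull the bearer token out of the response; fail loudly on an error payload."""
    if "error" in token_response:
        raise RuntimeError(f"token request failed: {token_response['error']}: "
                           f"{token_response.get('error_description', '')}")
    if token_response.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type")
    return token_response["access_token"]


def _b64url_decode(segment):
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Only for local sanity checks (audience, expiry, roles); ONTAP performs the
    real signature validation against the IdP's published keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def token_is_usable(claims, expected_aud, now=None):
    """True if the token is issued for the expected audience and has not expired."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_ok = expected_aud in aud if isinstance(aud, list) else aud == expected_aud
    return aud_ok and claims.get("exp", 0) > now


def bearer_headers(token):
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def call_ontap(cluster, path, token):
    """GET an ONTAP REST endpoint with the bearer token (network call)."""
    req = urllib.request.Request(f"https://{cluster}{path}", headers=bearer_headers(token))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# --- constructed sample token response so the checks above run offline ---
def make_sample_jwt(claims):
    """Build a JWT-shaped string for demonstration only (the signature is a dummy)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {"aud": "api://00000000-0000-0000-0000-000000000000",  # assumed audience
                 "exp": SAMPLE_NOW + 3600, "preferred_username": "engineer@example.com",
                 "roles": ["data-engineer"]}  # ONTAP role name; claim shape is assumed
SAMPLE_RESPONSE = {"token_type": "Bearer", "expires_in": 3600,
                   "access_token": make_sample_jwt(SAMPLE_CLAIMS)}

if __name__ == "__main__":
    url, body = build_token_request("<TENANT_ID>", "<CLIENT_ID>", "<CLIENT_SECRET>",
                                    "api://<CLIENT_ID>", "user@example.com", "secret")
    print(url)
    tok = extract_access_token(SAMPLE_RESPONSE)      # offline: use request_token(url, body) live
    claims = jwt_claims(tok)
    print(token_is_usable(claims, SAMPLE_CLAIMS["aud"], SAMPLE_NOW), claims.get("roles"))
    print(bearer_headers(tok)["Authorization"][:24] + "...")
    # Live use: call_ontap("cluster.example.com", "/api/cluster", tok)
```

The local claim check is a convenience, not a security control: decoding the payload without verifying the signature tells you whether you asked for the right audience and whether the token is stale, but ONTAP's own validation against the IdP's keys is what actually authorizes the request. If the decoded role claim does not carry the external role you mapped to data-engineer or data-scientist, the call will fail with 403 regardless of a valid signature.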