Enable LDAP or domain users to generate their own ONTAP S3 access keys
Beginning with ONTAP 9.14.1, as an ONTAP administrator, you can create custom roles and grant them to local or domain groups or Lightweight Directory Access Protocol (LDAP) groups, so that the users belonging to those groups can generate their own access and secret keys for S3 client access.
You have to perform a few configuration steps on your storage VM, so that the custom role can be created and assigned to the user that invokes the API for access key generation.
Ensure the following:
- An S3-enabled storage VM containing an S3 server has been created. See Create an SVM for S3.
- A bucket has been created in that storage VM. See Create a bucket.
- DNS is configured on the storage VM. See Configure DNS services.
- A self-signed root certification authority (CA) certificate of the LDAP server is installed on the storage VM. See Install the self-signed root CA certificate on the SVM.
- An LDAP client is configured with TLS enabled on the storage VM. See Create an LDAP client configuration.
- The LDAP client configuration is associated with the storage VM (Vserver). See Associate the LDAP client configuration with SVMs. Learn more about the vserver services name-service ldap create command in the ONTAP command reference.
- If you are using a data storage VM, create a management network interface (LIF) on the VM, and also a service policy for the LIF. Learn more about the network interface create and network interface service-policy create commands in the ONTAP command reference.
Configure users for access key generation
- Specify LDAP as a name service source for the group and passwd databases of the storage VM:
  ns-switch modify -vserver <vserver-name> -database group -sources files,ldap
  ns-switch modify -vserver <vserver-name> -database passwd -sources files,ldap
  Learn more about the vserver services name-service ns-switch modify command in the ONTAP command reference.
- Create a custom role with access to the S3 user REST API endpoint:
  security login rest-role create -vserver <vserver-name> -role <custom-role-name> -api "/api/protocols/s3/services/*/users" -access <access-type>
  In this example, the s3role role is created for users on the storage VM svm-1 and granted all access rights (read, create, and update):
  security login rest-role create -vserver svm-1 -role s3role -api "/api/protocols/s3/services/*/users" -access all
  Learn more about the security login rest-role create command in the ONTAP command reference.
- Create an LDAP user group with the security login command and assign the new custom role to it for accessing the S3 user REST API endpoint:
  security login create -user-or-group-name <ldap-group-name> -application http -authentication-method nsswitch -role <custom-role-name> -is-ns-switch-group yes
  In this example, the LDAP group ldap-group-1 is created in svm-1, the custom role s3role is assigned to it for accessing the API endpoint, and LDAP access in fast bind mode is enabled:
  security login create -user-or-group-name ldap-group-1 -application http -authentication-method nsswitch -role s3role -is-ns-switch-group yes -second-authentication-method none -vserver svm-1 -is-ldap-fastbind yes
  For more information, see Use LDAP fast bind for nsswitch authentication. Learn more about the security login create command in the ONTAP command reference.
Adding the custom role to the domain or LDAP group gives users in that group limited access to the ONTAP /api/protocols/s3/services/{svm.uuid}/users endpoint. By invoking the API, the domain or LDAP group users can generate their own access and secret keys for S3 client access. They can generate keys only for themselves, not for other users.
As an S3 or LDAP user, generate your own access keys
Beginning with ONTAP 9.14.1, you can generate your own access and secret keys for accessing S3 clients, if your administrator has granted you the role to generate your own keys. You can generate keys for only yourself by using the following ONTAP REST API endpoint.
This REST API call uses the following method and endpoint. For information about the other methods of this endpoint, see the reference API documentation.
HTTP method | Path
---|---
POST | /api/protocols/s3/services/{svm.uuid}/users

curl \
  --request POST \
  --location "https://$FQDN_IP/api/protocols/s3/services/{svm.uuid}/users" \
  --include \
  --header "Accept: */*" \
  --header "Authorization: Basic $BASIC_AUTH" \
  --data '{"name":"_name_"}'

Example response:

{
  "records": [
    {
      "access_key": "Pz3SB54G2B_6dsXQPrA5HrTPcf478qoAW6_Xx6qyqZ948AgZ_7YfCf_9nO87YoZmskxx3cq41U2JAH2M3_fs321B4rkzS3a_oC5_8u7D8j_45N8OsBCBPWGD_1d_ccfq",
      "_links": {
        "next": { "href": "/api/resourcelink" },
        "self": { "href": "/api/resourcelink" }
      },
      "name": "user-1",
      "secret_key": "A20_tDhC_cux2C2BmtL45bXB_a_Q65c_96FsAcOdo14Az8V31jBKDTc0uCL62Bh559gPB8s9rrn0868QrF38_1dsV2u1_9H2tSf3qQ5xp9NT259C6z_GiZQ883Qn63X1"
    }
  ],
  "num_records": "1"
}
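The self-service call above, as an added Python example that is not part of the NetApp documentation or ONTAP itself: it builds the same POST the curl command sends, then checks that the record that comes back was issued for the requesting user and carries both keys before handing the pair on. The hostname, SVM UUID and credentials are caller-supplied assumptions, the Content-Type header and the error-envelope check are assumptions, and the sample response body is the one shown above, embedded so the parsing can be exercised offline.

```python
import base64
import json
import urllib.request
from typing import Dict, Optional, Tuple

# Endpoint path from the documentation; {svm_uuid} is the storage VM's UUID.
S3_USERS_PATH = "/api/protocols/s3/services/{svm_uuid}/users"


def build_key_request(fqdn: str, svm_uuid: str, username: str,
                      password: str) -> Tuple[str, Dict[str, str], bytes]:
    """Build the POST equivalent to the curl command above.

    The body names the calling user itself: the custom role only allows a
    user to create keys for its own S3 user object.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    url = f"https://{fqdn}{S3_USERS_PATH.format(svm_uuid=svm_uuid)}"
    headers = {
        "Accept": "*/*",
        "Content-Type": "application/json",  # assumption: JSON request body
        "Authorization": f"Basic {token}",
    }
    body = json.dumps({"name": username}).encode()
    return url, headers, body


def validate_record(rec: Dict[str, str], expected_name: str) -> Optional[str]:
    """Return None if rec is a usable key pair for expected_name, else the reason."""
    if rec.get("name") != expected_name:
        return f"key pair issued for {rec.get('name')!r}, not {expected_name!r}"
    for field in ("access_key", "secret_key"):
        if not rec.get(field):
            return f"response is missing {field}"
    return None


def parse_key_response(raw: bytes, expected_name: str) -> Dict[str, str]:
    """Extract the single record from a body shaped like the example response."""
    doc = json.loads(raw)
    if "error" in doc:  # assumption: failures arrive as {"error": {...}}
        raise RuntimeError(f"ONTAP returned an error: {doc['error']}")
    records = doc.get("records") or []
    if len(records) != 1:
        raise ValueError(f"expected exactly one record, got {len(records)}")
    problem = validate_record(records[0], expected_name)
    if problem:
        raise ValueError(problem)
    rec = records[0]
    # The secret key is only ever returned in this response: pass it straight
    # to a credential store and keep it out of logs.
    return {"name": rec["name"], "access_key": rec["access_key"],
            "secret_key": rec["secret_key"]}


def generate_own_keys(fqdn: str, svm_uuid: str, username: str, password: str,
                      opener=urllib.request.urlopen) -> Dict[str, str]:
    """POST to the endpoint over TLS and return the validated key pair."""
    url, headers, body = build_key_request(fqdn, svm_uuid, username, password)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req) as resp:  # urlopen verifies the server certificate by default
        return parse_key_response(resp.read(), username)


# Response body copied from the documentation's example; the key values are
# the documentation's placeholders, not real credentials.
SAMPLE_RESPONSE = b'''{
  "records": [{
    "access_key": "Pz3SB54G2B_6dsXQPrA5HrTPcf478qoAW6_Xx6qyqZ948AgZ_7YfCf_9nO87YoZmskxx3cq41U2JAH2M3_fs321B4rkzS3a_oC5_8u7D8j_45N8OsBCBPWGD_1d_ccfq",
    "_links": {"next": {"href": "/api/resourcelink"}, "self": {"href": "/api/resourcelink"}},
    "name": "user-1",
    "secret_key": "A20_tDhC_cux2C2BmtL45bXB_a_Q65c_96FsAcOdo14Az8V31jBKDTc0uCL62Bh559gPB8s9rrn0868QrF38_1dsV2u1_9H2tSf3qQ5xp9NT259C6z_GiZQ883Qn63X1"
  }],
  "num_records": "1"
}'''

if __name__ == "__main__":
    # Offline demonstration on the embedded sample; a live call would be
    # generate_own_keys("ontap.example.test", "<svm-uuid>", "user-1", "<password>").
    keys = parse_key_response(SAMPLE_RESPONSE, "user-1")
    print(keys["name"], keys["access_key"][:10] + "...")
```

The name check in validate_record is the client-side counterpart of the role restriction described above: if a response ever names a different user, the keys are refused rather than silently stored under the wrong identity.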