Release notes
Enable LDAP or domain users to generate their own S3 access keys
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Collection of separate PDF docs
Creating your file...
Beginning with ONTAP 9.14.1, as an ONTAP administrator, you can create custom roles and grant them to local or domain groups or Lightweight Directory Access Protocol (LDAP) groups, so that the users belonging to those groups can generate their own access and secret keys for S3 client access.
You have to perform a few configuration steps on your storage VM, so that the custom role can be created and assigned to the user that invokes the API for access key generation.
Ensure the following:
-
An S3-enabled storage VM containing an S3 server has been created. See Create an SVM for S3.
-
A bucket has been created in that storage VM. See Create a bucket.
-
DNS is configured on the storage VM. See Configure DNS services.
-
A self-signed root certification authority (CA) certificate of the LDAP server is installed on the storage VM. See Install the self-signed root CA certificate on the SVM.
-
An LDAP client is configured with TLS enabled on the storage VM. See Create an LDAP client configuration and .
-
Associate the client configuration with the Vserver. See Associate the LDAP client configuration with SVMs and vserver services name-service ldap create.
-
If you are using a data storage VM, create a management network interface (LIF) and on the VM, and also a service policy for the LIF. See the network interface create and network interface service-policy create commands.
Configure users for access key generation
-
Specify LDAP as the name service database of the storage VM for the group and password to LDAP:
ns-switch modify -vserver <vserver-name> -database group -sources files,ldap ns-switch modify -vserver <vserver-name> -database passwd -sources files,ldap
For more information about this command, see the vserver services name-service ns-switch modify command.
-
Create a custom role with access to S3 user REST API endpoint:
security login rest-role create -vserver <vserver-name> -role <custom-role-name> -api "/api/protocols/s3/services/*/users" -access <access-type>
In this example, thes3-rolerole is generated for users on the storage VMsvm-1, to which all access rights, read, create, and update are granted.security login rest-role create -vserver svm-1 -role s3role -api "/api/protocols/s3/services/*/users" -access all
For more information about this command, see the security login rest-role create command.
-
Create an LDAP user group with the security login command and add the new custom role for accessing the S3 user REST API endpoint. For more information about this command, see the security login create command.
security login create -user-or-group-name <ldap-group-name> -application http -authentication-method nsswitch -role <custom-role-name> -is-ns-switch-group yes
In this example, the LDAP group
ldap-group-1is created insvm-1, and the custom roles3roleis added to it for accessing the API endpoint, along with enabling LDAP access in the fast bind mode.security login create -user-or-group-name ldap-group-1 -application http -authentication-method nsswitch -role s3role -is-ns-switch-group yes -second-authentication-method none -vserver svm-1 -is-ldap-fastbind yes
For more information, see Use LDAP fast bind for nsswitch authentication.
Adding the custom role to the domain or LDAP group allows users in that group a limited access to the ONTAP /api/protocols/s3/services/{svm.uuid}/users endpoint. By invoking the API, the domain or LDAP group users can generate their own access and secret keys to access the S3 client. They can generate the keys for only themselves and not for other users.
As an S3 or LDAP user, generate your own access keys
Beginning with ONTAP 9.14.1, you can generate your own access and secret keys for accessing S3 clients, if your administrator has granted you the role to generate your own keys. You can generate keys for only yourself by using the following ONTAP REST API endpoint.
This REST API call uses the following method and endpoint. For information about the other methods of this endpoint, see the reference API documentation.
| HTTP method | Path |
|---|---|
POST |
/api/protocols/s3/services/{svm.uuid}/users |
curl
--request POST \
--location "https://$FQDN_IP /api/protocols/s3/services/{svm.uuid}/users " \
--include \
--header "Accept: */*" \
--header "Authorization: Basic $BASIC_AUTH"
--data '{"name":"_name_"}'{
"records": [
{
"access_key": "Pz3SB54G2B_6dsXQPrA5HrTPcf478qoAW6_Xx6qyqZ948AgZ_7YfCf_9nO87YoZmskxx3cq41U2JAH2M3_fs321B4rkzS3a_oC5_8u7D8j_45N8OsBCBPWGD_1d_ccfq",
"_links": {
"next": {
"href": "/api/resourcelink"
},
"self": {
"href": "/api/resourcelink"
}
},
"name": "user-1",
"secret_key": "A20_tDhC_cux2C2BmtL45bXB_a_Q65c_96FsAcOdo14Az8V31jBKDTc0uCL62Bh559gPB8s9rrn0868QrF38_1dsV2u1_9H2tSf3qQ5xp9NT259C6z_GiZQ883Qn63X1"
}
],
"num_records": "1"
}