Sign in to my dashboard Create an account
Menu

Yes, now you can administer S3 users with Active Directory

person sitting in front of desktop and writing on notebook
Table Of Contents

Share this page

Atul Pandit
Atul Pandit

In data management, flexibility and ease of access are paramount. NetApp® ONTAP® data management software has long been a reliable solution for organizations looking to manage their files and objects efficiently on a single platform. However, administrators often face the challenge of managing two identities for data access. This complexity has been a substantial hurdle in seamless data management. NetApp ONTAP 9.14.1 brings good news: ONTAP has solved this challenge by introducing support for Active Directory for S3 access, streamlining the process and simplifying identity management.

The challenge of managing dual identities

Active Directory (AD) is foundational for organizations for centralized identity and access management because it provides enhanced security, simplified administration, and scalability. ONTAP administrators have long relied on Active Directory for managing access to files. However, introducing object stores created a fork in this established centralized identity management approach, because the S3 protocol does not have inherent support for Active Directory.

Administrators must manage an independent database for S3 identities and policies. They often raise this as the key challenge in managing hybrid file and object environments. This dual identity management has posed several challenges:

  • Managing two sets of identities increases administrative overhead and can be error prone, potentially leading to security risks.
  • The need for separate identities can lead to inefficiencies in user provisioning and deprovisioning, making it a challenge to maintain data security and access control.
  • User experience. For end users, navigating these separate identities can be confusing and hinder productivity.

ONTAP 9.14.1 Active Directory integration solves this admin headache by simplifying user management and enforcing consistent file and object access policies.

ONTAP simplifies S3 access with Active Directory support

ONTAP has long been a trusted data management platform, offering organizations flexible multiprotocol access and simplified data management. ONTAP extends the simplicity premise by integrating S3 user authentication and permissions with AD-based users and groups, a powerful way to enhance data security and access control.

  • Authenticating S3 users with Active Directory

The S3 REST APIs use the standard HTTP authorization to pass authentication information. Today, when the administrator creates a local S3 user on ONTAP, ONTAP issues an Access Key ID and a Secret Access Key. The application uses these access keys when making a request. The authorization header has Access Key ID and Signature. For request for authentication, the Access Key ID identifies the S3 user making a request and the key used to compute the signature.

With ONTAP 9.14.1, there’s no need to create and manage local S3 users; they can use existing AD credentials, username and password, for authentication. The application can present encoded AD credentials as Access Key ID in the prescribed format. ONTAP uses the provided credentials to authenticate a user with Active Directory using LDAP fast bind mode. With fast bind functionality, ONTAP sends user credentials to the LDAP server through a secure connection. The LDAP server then validates these credentials and tells ONTAP whether the request is from a valid user.

flow diagram of active directory ontap and s3
  • Authorization with Active Directory groups

To enhance access control and manage permissions effectively, you can now specify an Active Directory group in the bucket policy. This integration allows you to leverage the existing AD infrastructure to grant or deny access to S3 resources based on group membership. By associating AD groups with S3 bucket policies, you can streamline user management, simplify access control, and make sure that users have the appropriate level of control, while maintaining a centralized and organized approach to permission management.

ontap system manager buckets dashboard
  • Self-service APIs for S3 credentials

Organizations can choose separate S3 credentials for end users and still benefit from AD integration. For large organizations, the storage administrator can become a bottleneck in the provisioning of S3 credentials. ONTAP 9.14.1 enables end users to generate their own S3 credentials without requiring help from the storage administrator. The end user requests S3 credentials by calling the self-service REST API. ONTAP authenticates the credentials of the requesting user with Active Directory before creating a local S3 user and granting S3 credentials.

Conclusion

In conclusion, integrating ONTAP with Active Directory for S3 access offers a robust approach to data storage and access management. By bridging these technologies, organizations can benefit from a seamless, unified environment that simplifies user authentication while making sure that data is accessible only to authorized users. ONTAP and Active Directory integration is a powerful solution for organizations' evolving needs for secure data access and simplified data management. Streamline your data access management with ONTAP 9.14.1. To learn more about the ONTAP 9.14.1 release; see the release notes and documentation.

Atul Pandit

Atul is a technical director with over 20 years of experience building enterprise-class technology products. At NetApp, he has led the initiatives in developing innovative solutions in file systems, object, data replication, and compliance technologies while focusing on customer experience. He is an avid sports fan and plays badminton and volleyball on weekends.

View all Posts by Atul Pandit

Next Steps

Drift chat loading