WFA 3.0
ONTAP 8.2 ClusterMode
I am just starting to test WFA 3.0, and am trying to figure out authentication. I can get the basics working, e.g. assigning an AD group to a role, and have users of that AD group successfully log in to WFA, and get the assigned role. The authentication part I am working on is the execution of WFA operations.
I am interested in having commands executed on the controller/cluster as the person who is logged into WFA. The WFA documentation suggests this is possible. From the OnCommand Workflow Automation 3.0 Installation and Setup Guide, page 24:
With credentials
WFA tries to establish a connection using HTTPS and then tries using HTTP. You can also use Microsoft Active Directory LDAP authentication to connect to arrays without defining credentials in WFA. To use Active Directory LDAP, you must configure the array to perform authentication with the same Active Directory LDAP server.
So in theory, if an account on the controller (ONTAP 8.2.x cluster-mode) is set up as nsswitch, the WFA logged-in credentials should pass to the controller. Is that correct?
I run into a snag, however, when looking to create a cluster account as nsswitch. The 8.2 SysAdmin Guide, page 139 says:
Cluster user accounts cannot use nsswitch as an authentication method.
I am not certain if that is just an ONTAP 8.2 limitation, and is perhaps lifted in 8.3?
My goal is to have WFA use the credentials of the user logged into WFA to execute the workflow, without having to maintain a separate user database on both WFA and the cluster (i.e. if possible I don't want to have to create accounts on the cluster, and matching accounts within WFA).
Ultimately I would love it if WFA could authenticate to a Vserver (aka VSM) and use a Vserver account. We have Vserver admins, and appropriate roles with a defined set of commands permitted set up for those persons. Vserver admins currently ssh to the vserver management address and use the CLI to perform tasks. My desire is to have WFA use those same accounts. Can WFA do that?