Pull request #48: Feature/secure auth anf gcnv

sushma-m1 · mboglesby · commit a727ccccef74 · 2026-04-03T09:54:02.000-04:00
Merge in SIE-BB/netapp-dataops-toolkit from feature/secure-auth-anf-gcnv to release-v3.1.0

* commit '3da1488775aefe1e801ff7f88fc4dd6cc76a25c8':
  NSOL-6266: fixing path manipulation vulnerability from coverity scan
  NSOL-6228: updating documentation
  NSOL-6228: updating anf mcp server documentation
  NSOL-6228: updating authentication process in anf documentation
diff --git a/netapp_dataops_traditional/docs/anf_mcp_server_readme.md b/netapp_dataops_traditional/docs/anf_mcp_server_readme.md
@@ -47,45 +47,44 @@ After installation, the `netapp_dataops_anf_mcp.py` command will be available in
 
 ### Azure Authentication
 
-The MCP server uses **Azure CLI authentication** (`AzureCliCredential`) and automatically retrieves your subscription ID from the active Azure CLI session.
+The MCP server uses **`DefaultAzureCredential`** from `azure-identity`, which automatically selects the appropriate credential based on the environment — no configuration required. The active subscription is resolved via the Azure SDK's `SubscriptionClient`.
+
+> **No secrets or environment variables are required.** The credential resolves automatically based on the environment.
 
 #### Required Setup
 
-1. **Install Azure CLI**: Follow the [installation guide](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
+Authenticate once via Azure CLI:
 
-2. **Login to Azure**:
-   ```bash
-   az login
-   ```
+```bash
+# Install Azure CLI (if not already installed)
+# https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
 
-3. **If you have access to multiple tenants, specify the tenant ID**:
-   ```bash
-   az login --tenant <TENANT-ID>
-   ```
+# Login to Azure (opens browser)
+az login
 
-4. **If you have multiple subscriptions, set the active one**:
-   ```bash
-   az account set --subscription <SUBSCRIPTION_ID>
-   ```
+# If you have access to multiple tenants, specify the tenant ID
+az login --tenant <TENANT_ID>
 
-5. **Verify your active subscription**:
-   ```bash
-   az account show
-   ```
+# If you have multiple subscriptions, set the active one
+az account set --subscription <SUBSCRIPTION_ID>
+
+# Verify active session (optional – subscription is auto-detected via the SDK)
+az account show
+```
 
-#### How It Works
 
-- The MCP server automatically runs `az account show` to detect your active subscription
-- Subscription ID is retrieved dynamically on each operation
-- Respects your Azure CLI tenant and subscription context
-- No need to configure or store subscription ID in config files or environment variables
+**How It Works:**
+- `DefaultAzureCredential` is instantiated and passed to `SubscriptionClient`
+- The first available subscription is resolved via the Azure SDK
+- The resolved `subscription_id` is used to initialize `NetAppManagementClient`
+- The client is cached in a singleton (`ANFClientManager`) and reused across calls
 
-#### Benefits
+**Benefits:**
+- **Zero secrets** – No `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, or `AZURE_TENANT_ID` needed
+- **Portable** – Works in local dev, CI/CD, containers, and Azure-hosted environments
+- **Subscription auto-resolved** – No subscription ID in config files or function parameters
+- **Multi-tenant support** – Respects `az login --tenant`
 
-- **Simplified Setup**: No subscription ID in config files or function parameters
-- **Better Security**: Subscription ID not stored anywhere
-- **Multi-Tenant Support**: Easy switching between tenants/subscriptions with Azure CLI
-- **Automatic Detection**: Works seamlessly with your Azure CLI context
 
 ### ANF Configuration (Optional)
 
@@ -130,7 +129,7 @@ The configuration file is stored at `~/.netapp_dataops/anf_config.json` and cont
 }
 ```
 
-> **📝 Note:** The subscription ID is **not** stored in the configuration file. It is automatically retrieved from your active Azure CLI session using `az account show`.
+> **📝 Note:** The subscription ID is **not** stored in the configuration file. It is automatically resolved at runtime via `DefaultAzureCredential` and the Azure SDK's `SubscriptionClient`.
 
 #### Configuration Benefits and Usage
 
@@ -281,7 +280,9 @@ Set up disaster recovery:
 1. **Authentication Failed**:
    ```bash
    az login
-   # or check service principal credentials
+   # or for a specific tenant
+   az login --tenant <TENANT_ID>
+   # verify active session
    az account show
    ```
 
@@ -379,7 +380,6 @@ print('Config test - Account:', get_config_value('account_name'))
 - Regularly review and update Azure role assignments
 - Implement proper network security groups and access controls
 - Enable encryption at rest and in transit where required
-- Use Azure managed identities for production workloads where possible
 - Leverage Azure Active Directory for centralized authentication
 
 ## Support
diff --git a/netapp_dataops_traditional/docs/anf_readme.md b/netapp_dataops_traditional/docs/anf_readme.md
@@ -18,7 +18,7 @@ Built on the [Azure NetApp Files Python SDK](https://docs.microsoft.com/en-us/py
   - [Prerequisites](#prerequisites)
   - [Installation Instructions](#installation-instructions)
 - [Authentication](#authentication)
-  - [Azure CLI Authentication (Required)](#azure-cli-authentication-required)
+  - [Authentication Methods (DefaultAzureCredential)](#authentication-methods-defaultazurecredential)
 - [Configuration](#configuration)
   - [Option 1: Interactive Configuration (Recommended)](#option-1-interactive-configuration-recommended)
   - [Option 2: Manual Configuration](#option-2-manual-configuration)
@@ -104,44 +104,50 @@ python3 -m pip install 'netapp-dataops-traditional[azure]'
 
 ## Authentication
 
-The ANF module uses **Azure CLI authentication** (`AzureCliCredential`) and automatically retrieves your subscription ID from the active Azure CLI session.
+The ANF module uses **`DefaultAzureCredential`** from `azure-identity`, which automatically chains through multiple authentication methods without requiring any environment variables or secrets. The active subscription is resolved via the Azure SDK's `SubscriptionClient`.
 
-<a name="option-1-azure-cli-recommended"></a>
+<a name="authentication-methods-defaultazurecredential"></a>
 
-### Azure CLI Authentication (Required)
+### Authentication Methods (DefaultAzureCredential)
+
+`DefaultAzureCredential` automatically selects the appropriate credential based on the environment — no configuration required.
+
+> **No secrets or environment variables are required.** The credential resolves automatically based on the environment.
+
+#### Required Setup
+
+Authenticate once via Azure CLI:
 
-**Required Setup:**
 ```bash
 # Install Azure CLI (if not already installed)
 # https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
 
-# Login to Azure
+# Login to Azure (opens browser)
 az login
 
 # If you have access to multiple tenants, specify the tenant ID
-az login --tenant <TENANT-ID>
+az login --tenant <TENANT_ID>
 
 # If you have multiple subscriptions, set the active one
 az account set --subscription <SUBSCRIPTION_ID>
 
-# Verify your active subscription
+# Verify active session (optional – subscription is auto-detected via the SDK)
 az account show
 ```
 
+
 **How It Works:**
-- The toolkit automatically runs `az account show` to detect your active subscription
-- Subscription ID is retrieved dynamically on each operation
-- Respects your Azure CLI tenant and subscription context
-- No need to configure or store subscription ID in config files or environment variables
+- `DefaultAzureCredential` is instantiated and passed to `SubscriptionClient`
+- The first available subscription is resolved via the Azure SDK
+- The resolved `subscription_id` is used to initialize `NetAppManagementClient`
+- The client is cached in a singleton (`ANFClientManager`) and reused across calls
 
 **Benefits:**
-- ✅ **Simplified Setup**: No subscription ID in config files or function parameters
-- ✅ **Better Security**: Subscription ID not stored anywhere
-- ✅ **Multi-tenant Support**: Automatically respects `az login --tenant`
-- ✅ **Multi-subscription Support**: Honors `az account set --subscription`
-- ✅ **Consistent Authentication**: Uses same credentials as Azure CLI
-
-**Note:** Service Principal and environment variable authentication methods are no longer supported. The module now exclusively uses Azure CLI authentication for consistency and security.
+- **Zero secrets** – No `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, or `AZURE_TENANT_ID` needed
+- **Portable** – Works in local dev, CI/CD, containers, and Azure-hosted environments
+- **Subscription auto-resolved** – No subscription ID in config files or function parameters
+- **Multi-tenant support** – Respects `az login --tenant`
+- **Production-ready** – Managed Identity support means no credential rotation required
 
 ## Configuration
 
@@ -184,10 +190,10 @@ python3 -c "from netapp_dataops.traditional.anf.config import create_anf_config;
 **Note:** Subscription ID is NOT needed - it's automatically detected from your Azure CLI session.
 
 **Benefits:**
-- ⚡ **Simplified function calls** - Pass only unique parameters
-- 🎯 **Consistent defaults** - Reuse infrastructure settings across operations
-- 🛡️ **Reduced errors** - Pre-validated configuration values
-- 📝 **Version control friendly** - Config file can be shared across teams
+- **Simplified function calls** - Pass only unique parameters
+- **Consistent defaults** - Reuse infrastructure settings across operations
+- **Reduced errors** - Pre-validated configuration values
+- **Version control friendly** - Config file can be shared across teams
 
 ### Configuration File Location
 
@@ -209,7 +215,7 @@ The configuration is automatically saved to:
 }
 ```
 
-**Note:** Subscription ID is not stored in the config file. It's automatically retrieved from your Azure CLI session via `az account show`.
+**Note:** Subscription ID is not stored in the config file. It's automatically resolved at runtime via `DefaultAzureCredential` and the Azure SDK's `SubscriptionClient`.
 
 ### Usage with Configuration
 
@@ -1338,7 +1344,7 @@ czr_result = anf.create_replication(
 Report any issues via GitHub: https://github.com/NetApp/netapp-data-science-toolkit/issues.
 
 **Common Issues:**
-- **Authentication failures**: Ensure Azure CLI is logged in or service principal credentials are correct
+- **Authentication failures**: Ensure `az login` has been run for local development, or a Managed Identity is assigned in production
 - **Permission denied**: Verify NetApp Contributor role is assigned to your account/service principal
 - **Resource not found**: Check that NetApp Account, Capacity Pool, and delegated subnet exist
 - **Region limitations**: Verify Azure NetApp Files is available in your target region
diff --git a/netapp_dataops_traditional/netapp_dataops/traditional/gcnv/setup_gcnv_auth.py b/netapp_dataops_traditional/netapp_dataops/traditional/gcnv/setup_gcnv_auth.py
@@ -98,12 +98,13 @@ def setup_gcnv_auth() -> None:
 
     # Step 4: Application Default Credentials
     print("\nStep 4/8  Application Default Credentials (browser will open)...")
-    run(['gcloud', 'auth', 'application-default', 'login'], capture=True)
-    cloudsdk_config = os.environ.get("CLOUDSDK_CONFIG", os.path.expanduser("~/.config/gcloud"))
-    adc_file = os.path.join(cloudsdk_config, "application_default_credentials.json")
-    if os.path.exists(adc_file):
+    run(['gcloud', 'auth', 'application-default', 'login'])
+    adc_file = os.path.realpath(os.path.expanduser("~/.config/gcloud/application_default_credentials.json"))
+    if os.path.isfile(adc_file):
         os.chmod(adc_file, 0o600)
-    print("ADC configured and credentials secured (chmod 600)")
+        print("ADC configured and credentials secured (chmod 600)")
+    else:
+        print("ADC file not found; skipping chmod.")
 
     # Step 5: Create service account
     print("\nStep 5/8  Create service account...")
