This section focuses on the steps to enable GSLB configuration changes from a follower site.

The following are the configuration changes that can be performed from a follower site:

  • Enable/disable GSLB Service Groups

  • Enable/disable GSLB Service Group members

This is useful during a maintenance or change window, or whenever a user who does not have access to the leader site needs to steer traffic away from some sites. With this feature, such a user can enable or disable a GSLB group or GSLB group members from a follower site. The following prerequisites must be in place before a user at a follower site can make these changes:

  • Configuring Per-field Authorization

  • Configuring a Federated JWT Profile at the Leader Site

Configuring Per-field Authorization

  • Configuring Roles for Gslb_Group_Enabled and Gslb_Group_Member_Enabled

Configuring Roles for Gslb_Group_Enabled and Gslb_Group_Member_Enabled

To make changes from a follower site, a user must be assigned one of the following roles:

  • Gslb_Group_Member_Enabled - write access to the GSLB service, restricted to the subresource SUBRESOURCE_GSLBSERVICE_GROUP_MEMBER_ENABLED (the enabled flag of a GSLB service group member).

  • Gslb_Group_Enabled - write access to the GSLB service, restricted to the subresource SUBRESOURCE_GSLBSERVICE_GROUP_ENABLED (the enabled flag of a GSLB service group).

Without the subresource restriction, either role would grant write access to every field of every GSLB service, so verify the scope with show role after creating the role.

For more information on configuring per-field authorization, see Granular Role-Based Access Controls Per Field in the VMware Avi Load Balancer Administration Guide.

[admin:10-10-10-2]: > configure role Gslb_Group_Member_Enabled
[admin:10-10-10-2]: role> privileges
New object being created
[admin:10-10-10-2]: role:privileges> type write_access
[admin:10-10-10-2]: role:privileges> resource PERMISSION_GSLBSERVICE
[admin:10-10-10-2]: role:privileges> subresource
New object being created
[admin:10-10-10-2]: role:privileges:subresource> subresources SUBRESOURCE_GSLBSERVICE_GROUP_MEMBER_ENABLED
[admin:10-10-10-2]: role:privileges:subresource> save
[admin:10-10-10-2]: role:privileges> save
[admin:10-10-10-2]: role> save

In the CLI snippets below, the user gslbsitegroupmemberadmin is assigned the role Gslb_Group_Member_Enabled. The role grants write access to the GSLB service, scoped by subresource to the enabled flag of a GSLB group member, so this user can enable or disable group members within a GSLB service but cannot change anything else in it.

[admin:10-10-10-2]: > show user gslbsitegroupmemberadmin
+------------------+-------------------------------------------+
| Field            | Value                                     |
+------------------+-------------------------------------------+
| uuid             | user-52a6e643-d55d-45e9-8bca-0601b53d5b20 |
| username         | gslbsitegroupmemberadmin                  |
| password         | <sensitive>                               |
| name             | gslbsitegroupmemberadmin                  |
| email            |                                           |
| access[1]        |                                           |
|   role_ref       | Gslb_Group_Member_Enabled                 |
|   all_tenants    | True                                      |
| access[2]        |                                           |
|   role_ref       | Gslb_Health_Monitor                       |
|   all_tenants    | True                                      |
| is_superuser     | False                                     |
| local            | True                                      |
| user_profile_ref | Default-User-Account-Profile              |
+------------------+-------------------------------------------+
[admin:10-10-10-2]: > show role Gslb_Group_Member_Enabled
+--------------------------+----------------------------------------------+
| Field                    | Value                                        |
+--------------------------+----------------------------------------------+
| uuid                     | role-95e82558-1883-47af-8802-a6834c5feb76    |
| name                     | Gslb_Group_Member_Enabled                    |
| privileges[1]            |                                              |
|   type                   | WRITE_ACCESS                                 |
|   resource               | PERMISSION_GSLBSERVICE                       |
|   subresource            |                                              |
|     exclude_subresources | False                                        |
|     subresources[1]      | SUBRESOURCE_GSLBSERVICE_GROUP_MEMBER_ENABLED |
| allow_unlabelled_access  | True                                         |
| tenant_ref               | admin                                        |
+--------------------------+----------------------------------------------+

Similarly, in the CLI snippets below, the user gslbsitegroupadmin is assigned the role Gslb_Group_Enabled. The role grants write access to the GSLB service, scoped by subresource to the enabled flag of a GSLB group, so this user can enable or disable groups within a GSLB service but cannot change anything else in it.

[admin:10-10-10-2]: > show user gslbsitegroupadmin
+------------------+-----------------------------------------------+
| Field            | Value                                         |
+------------------+-----------------------------------------------+
| uuid             | user-27a528f5-2e8e-42bb-b5b0-2229123215ec     |
| username         | gslbsitegroupadmin                            |
| password         | <sensitive>                                   |
| name             | gslbsitegroupadmin                            |
| email            |                                               |  
| access[1]        |                                               |
|   role_ref       | Gslb_Group_Enabled                            |
|   all_tenants    | True                                          |
| access[2]        |                                               |
|   role_ref       | Gslb_Health_Monitor                           |
|   all_tenants    | True                                          |
| is_superuser     | False                                         |
| local            | True                                          |
| user_profile_ref | Default-User-Account-Profile                  |
+------------------+-----------------------------------------------+
[admin:10-10-10-2]: > show role Gslb_Group_Enabled
+--------------------------+-------------------------------------------+
| Field                    | Value                                     |
+--------------------------+-------------------------------------------+
| uuid                     | role-0facf895-c551-4cd0-b1f6-73b4c890c746 |
| name                     | Gslb_Group_Enabled                        |
| privileges[1]            |                                           |
|   type                   | WRITE_ACCESS                              |
|   resource               | PERMISSION_GSLBSERVICE                    |
|   subresource            |                                           |
|     exclude_subresources | False                                     |
|     subresources[1]      | SUBRESOURCE_GSLBSERVICE_GROUP_ENABLED     |
| allow_unlabelled_access  | True                                      |
| tenant_ref               | admin                                     |
+--------------------------+-------------------------------------------+
Note:

The roles above must be created on the leader site and on every follower site.
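The subresource restriction is what makes these roles safe to hand to a follower-site operator, so it is worth checking rather than assuming. The following Python script is added here as an example; it is not part of the VMware Avi Load Balancer documentation or product. It parses the key/value table that the Avi CLI prints for show role (the first sample table is the Gslb_Group_Member_Enabled output shown above, the second is a constructed role created without the subresource step) and flags any WRITE_ACCESS privilege on PERMISSION_GSLBSERVICE that is not positively limited to a list of subresources. The parser and the policy check are this example's own assumptions about how to audit that output.

```python
"""Audit Avi 'show role' output for per-field (subresource) scoping.

Added example, not Avi documentation or product code. parse_show_table()
turns the CLI table into nested dicts/lists; unscoped_writes() reports
WRITE_ACCESS privileges on a resource that are not limited to a positive
subresource list, which is the least-privilege condition the follower-site
roles depend on.
"""
import re

# Sample input: the page's 'show role Gslb_Group_Member_Enabled' table.
SCOPED_ROLE = """\
+--------------------------+----------------------------------------------+
| Field                    | Value                                        |
+--------------------------+----------------------------------------------+
| uuid                     | role-95e82558-1883-47af-8802-a6834c5feb76    |
| name                     | Gslb_Group_Member_Enabled                    |
| privileges[1]            |                                              |
|   type                   | WRITE_ACCESS                                 |
|   resource               | PERMISSION_GSLBSERVICE                       |
|   subresource            |                                              |
|     exclude_subresources | False                                        |
|     subresources[1]      | SUBRESOURCE_GSLBSERVICE_GROUP_MEMBER_ENABLED |
| allow_unlabelled_access  | True                                         |
| tenant_ref               | admin                                        |
+--------------------------+----------------------------------------------+
"""

# Constructed sample: the same role created without the subresource step,
# which would grant write access to every field of every GSLB service.
UNSCOPED_ROLE = """\
| name                     | Gslb_Group_Member_Enabled_bad                |
| privileges[1]            |                                              |
|   type                   | WRITE_ACCESS                                 |
|   resource               | PERMISSION_GSLBSERVICE                       |
| tenant_ref               | admin                                        |
"""

_ROW = re.compile(r"^\|(?P<field>[^|]*)\|(?P<value>[^|]*)\|\s*$")
_LIST = re.compile(r"^(\w+)\[\d+\]$")


def parse_show_table(text):
    """Indentation of the field name (2 spaces per level) gives nesting,
    'name[n]' rows are list elements, and a row with an empty value opens
    a nested object."""
    root = {}
    stack = [(-1, root)]  # (indent, container currently being filled)
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m or m.group("field").strip() == "Field":
            continue  # borders and the header row
        raw = m.group("field").rstrip()
        name = raw.strip()
        indent = len(raw) - len(raw.lstrip(" ")) - 1  # one space follows '|'
        value = m.group("value").strip()
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        lm = _LIST.match(name)
        if value:
            if lm:
                parent.setdefault(lm.group(1), []).append(value)
            else:
                parent[name] = value
        else:
            child = {}
            if lm:
                parent.setdefault(lm.group(1), []).append(child)
            else:
                parent[name] = child
            stack.append((indent, child))
    return root


def unscoped_writes(role, resource="PERMISSION_GSLBSERVICE"):
    """WRITE_ACCESS privileges on `resource` that are not positively
    limited to a list of subresources (an exclusion list is also broad)."""
    bad = []
    for priv in role.get("privileges", []):
        if priv.get("type") != "WRITE_ACCESS" or priv.get("resource") != resource:
            continue
        sub = priv.get("subresource", {})
        if not sub.get("subresources") or sub.get("exclude_subresources") == "True":
            bad.append(priv)
    return bad


def writable_subresources(role, resource="PERMISSION_GSLBSERVICE"):
    """The fields of `resource` the role is allowed to write."""
    fields = set()
    for priv in role.get("privileges", []):
        if priv.get("type") == "WRITE_ACCESS" and priv.get("resource") == resource:
            fields.update(priv.get("subresource", {}).get("subresources", []))
    return fields


if __name__ == "__main__":
    for table in (SCOPED_ROLE, UNSCOPED_ROLE):
        role = parse_show_table(table)
        print(role["name"], "unscoped writes:", len(unscoped_writes(role)),
              "writable:", sorted(writable_subresources(role)))
```

Run it against the output of show role on every site (the roles must exist on the leader and all followers); a role with one or more unscoped writes should be corrected before the account is handed out.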

Configuring a Federated JWT Profile at the Leader Site

GSLB follower sites use a JWT to authenticate their configuration API calls to the leader site. Every site therefore needs a JWT server profile that holds the same symmetric key, so that a token signed at one site can be verified at another. The JWT server profile is configured once on the leader site as a federated object, by setting the is_federated flag in the profile, which replicates it to all follower sites. This step is mandatory: configuration changes from follower sites cannot be enabled without it.

The following are the algorithms supported for the JWS Keys:

  • HS256 with 32 bytes as the key length

  • HS384 with 48 bytes as the key length

  • HS512 with 64 bytes as the key length

Use the following controller API (an HTTP GET, with example.com standing in for the controller address) to generate the key for the JWT server profile:

https://example.com/api/symmetric-key?alg=HS512

Sample output of the above API call:

{
  "kid": "5105e67b-85c0-4d27-aaf1-3bef8020d8ac",
  "alg": "HS512",
  "kty": "oct",
  "key": "TTA2Zk5Kb2NWTWE4ZmZ2bnRrbHNDZ0xNbUV2Z211ZThHMnBTaFE1Nm1DM0tZMmFqWjlHcjRBcmI2NDdyNGhoQg"
}

The alg parameter is optional; the default is HS256. Treat the returned key as a secret: it is the HMAC key shared by every site in the GSLB federation, and anyone who obtains it can produce tokens that the leader site accepts.

Use the configure jwtserverprofile command on the leader site to create the JWT server profile, setting jwt_profile_type to CONTROLLER_INTERNAL_AUTH and is_federated to True.

In the following CLI snippet, the JWT profile gslb_jwt_server_profile is configured with the HS256 algorithm:

[admin:10-79-169-140]: > show jwtserverprofile gslb_jwt_server_profile
+--------------------------+-------------------------------------------------------+
| Field                    | Value                                                 |
+--------------------------+-------------------------------------------------------+
| uuid                     | jwtserverprofile-03201645-2556-4d13-9d0c-8415c80faa73 |
| name                     | gslb_jwt_server_profile                               |
| tenant_ref               | admin                                                 |
| jwt_profile_type         | CONTROLLER_INTERNAL_AUTH                              |
| controller_internal_auth |                                                       |
|   symmetric_jwks_keys[1] |                                                       |
|     alg                  | HS256                                                 |
|     kty                  | oct                                                   |
|     kid                  | ef0ae791-2380-4447-bf79-d3d01575d3e2                  |
|     key                  | <sensitive>                                           |
| is_federated             | True                                                  |
+--------------------------+-------------------------------------------------------+
[admin:10-79-169-140]: >
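What the federated profile actually buys you is a shared HMAC key: a follower signs its token with it and the leader verifies with the same key. The following Python script is added here as an example; it is not Avi product code. It generates a symmetric key of the length the page lists for each of HS256, HS384 and HS512, in the same JSON shape as the /api/symmetric-key response, then signs and verifies a compact JWS with that key, rejecting a token signed under a different key, an unknown kid, an algorithm that does not match the key, or an expired exp claim. The claims, the verification rules and the helper names are this example's assumptions; the page does not document the token's contents. PAGE_SAMPLE_JWK is the page's own sample API output, kept only to check its key length.

```python
"""HMAC (HS256/HS384/HS512) keys and tokens for a federated JWT server profile.

Added example, not Avi product code. generate_symmetric_key() mirrors the
shape of the controller's /api/symmetric-key output (assumption);
jws_sign()/jws_verify() implement plain HS* compact JWS with stdlib only.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
import uuid

# Key length in bytes and digest per algorithm, as listed on the page.
HS_ALGS = {
    "HS256": (32, hashlib.sha256),
    "HS384": (48, hashlib.sha384),
    "HS512": (64, hashlib.sha512),
}

# The page's sample API output, used here only to check the key length.
PAGE_SAMPLE_JWK = {
    "kid": "5105e67b-85c0-4d27-aaf1-3bef8020d8ac",
    "alg": "HS512",
    "kty": "oct",
    "key": "TTA2Zk5Kb2NWTWE4ZmZ2bnRrbHNDZ0xNbUV2Z211ZThHMnBTaFE1Nm1DM0tZMmFqWjlHcjRBcmI2NDdyNGhoQg",
}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_symmetric_key(alg="HS256"):
    """Fresh random key of the required length, in JWK 'oct' form."""
    size, _ = HS_ALGS[alg]
    return {"kid": str(uuid.uuid4()), "alg": alg, "kty": "oct",
            "key": b64url(secrets.token_bytes(size))}


def key_length_ok(jwk):
    """True when the key is at least as long as the HMAC output (32/48/64)."""
    size, _ = HS_ALGS[jwk["alg"]]
    return len(b64url_decode(jwk["key"])) >= size


def _enc(obj):
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def jws_sign(claims, jwk):
    """Compact JWS: header.payload.signature, signed with the shared key."""
    _, digest = HS_ALGS[jwk["alg"]]
    header = {"alg": jwk["alg"], "typ": "JWT", "kid": jwk["kid"]}
    signing_input = _enc(header) + "." + _enc(claims)
    sig = hmac.new(b64url_decode(jwk["key"]), signing_input.encode(), digest).digest()
    return signing_input + "." + b64url(sig)


def jws_verify(token, keys, now=None):
    """Verify `token` against `keys` (kid -> jwk, like the profile's
    symmetric_jwks_keys) and return its claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    jwk = keys.get(header.get("kid"))
    if jwk is None:
        raise ValueError("unknown kid")
    # Bind the algorithm to the key on file, never to the untrusted header.
    if header.get("alg") != jwk["alg"]:
        raise ValueError("alg mismatch")
    _, digest = HS_ALGS[jwk["alg"]]
    expected = hmac.new(b64url_decode(jwk["key"]), f"{h}.{p}".encode(), digest).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def verify_status(token, keys, now):
    """'ok' or the rejection reason, for quick checks."""
    try:
        jws_verify(token, keys, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    shared = generate_symmetric_key("HS256")   # created on the leader, replicated
    claims = {"iss": "follower-site-1", "sub": "gslbsitegroupadmin",
              "exp": int(time.time()) + 300}   # constructed claims
    token = jws_sign(claims, shared)
    print("leader with shared key:", verify_status(token, {shared["kid"]: shared}, time.time()))
    rogue = dict(generate_symmetric_key("HS256"), kid=shared["kid"])
    print("leader with other key: ", verify_status(token, {shared["kid"]: rogue}, time.time()))
```

The alg check matters because the profile stores the algorithm next to the key; a verifier that honours the header's alg instead is open to algorithm substitution. Rotating the key means replacing it in the federated profile on the leader, since every site verifies against the same material.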

Enabling Configuration Changes from Followers

On the leader site, set the enable_config_by_members flag to True in the GSLB global configuration. The federated JWT server profile must already exist; otherwise this flag cannot be enabled.

[admin:10-10-10-1]: > show gslb glb-1
+--------------------------+-----------------------------------------------------+
| Field                    | Value                                               |
+--------------------------+-----------------------------------------------------+
| uuid                     | gslb-c8ebc3e3-16e1-47f2-9f70-5ade3f1e1221           |
| name                     | glb-1                                               |
....
....
| tenant_scoped            | False                                               |
| enable_config_by_members | True                                                |
+--------------------------+-----------------------------------------------------+

Once these steps are complete, a user at a follower site who holds the required role can enable or disable a GSLB service group or a GSLB service group member; the change is sent to the leader site over the JWT-authenticated configuration API.