This section focuses on the steps to enable GSLB configuration changes from a follower site.
The following are the configuration changes that can be performed from a follower site:
Enable/disable GSLB Service Groups
Enable/disable GSLB Service Group members
This is useful during a maintenance or change window, or whenever a user who does not have access to the leader site needs to steer traffic away from some sites. Using this feature, you can enable or disable a GSLB group or GSLB group members from a follower site. The following configuration changes and prerequisites are required to enable a user at a follower site:
Configuring Per-field Authorization
Configuring JWT Profile at the Leader Site
Configuring Roles for Gslb_Group_Enabled and Gslb_Group_Member_Enabled
Configuring Roles for Gslb_Group_Enabled and Gslb_Group_Member_Enabled
To perform changes from a follower site, the users must have the following roles associated with them:
Gslb_Group_Member_Enabled - This role must have write access to the GSLB service.
Gslb_Group_Enabled - This role must have write access to the GSLB service.
For more information on configuring per-field authorization, see Granular Role-Based Access Controls Per Field in the VMware Avi Load Balancer Administration Guide.
The following CLI snippet creates the Gslb_Group_Member_Enabled role with write access to the GSLB service:
[admin:10-10-10-2]: > configure role Gslb_Group_Member_Enabled
[admin:10.10.10.2]: role> privileges
New object being created
[admin:10.10.10.2]: role:privileges> type write_access
[admin:10.10.10.2]: role:privileges> resource PERMISSION_GSLBSERVICE
[admin:10.10.10.2]: role:privileges> save
In the following CLI snippets, the user gslbsitegroupmemberadmin is configured with the role Gslb_Group_Member_Enabled. The configured user has write access to the GSLB service and the privilege to enable or disable a GSLB group member within the specified GSLB service.
[admin:10-10-10-2]: > show user gslbsitegroupmemberadmin
+------------------+-------------------------------------------+
| Field            | Value                                     |
+------------------+-------------------------------------------+
| uuid             | user-52a6e643-d55d-45e9-8bca-0601b53d5b20 |
| username         | gslbsitegroupmemberadmin                  |
| password         | <sensitive>                               |
| name             | gslbsitegroupmemberadmin                  |
| email            |                                           |
| access[1]        |                                           |
|   role_ref       | Gslb_Group_Member_Enabled                 |
|   all_tenants    | True                                      |
| access[2]        |                                           |
|   role_ref       | Gslb_Health_Monitor                       |
|   all_tenants    | True                                      |
| is_superuser     | False                                     |
| local            | True                                      |
| user_profile_ref | Default-User-Account-Profile              |
+------------------+-------------------------------------------+
[admin:10-10-10-2]: > show role Gslb_Group_Member_Enabled
+--------------------------+----------------------------------------------+
| Field                    | Value                                        |
+--------------------------+----------------------------------------------+
| uuid                     | role-95e82558-1883-47af-8802-a6834c5feb76    |
| name                     | Gslb_Group_Member_Enabled                    |
| privileges[1]            |                                              |
|   type                   | WRITE_ACCESS                                 |
|   resource               | PERMISSION_GSLBSERVICE                       |
|   subresource            |                                              |
|     exclude_subresources | False                                        |
|     subresources[1]      | SUBRESOURCE_GSLBSERVICE_GROUP_MEMBER_ENABLED |
| allow_unlabelled_access  | True                                         |
| tenant_ref               | admin                                        |
+--------------------------+----------------------------------------------+
Similarly, in the following CLI snippets, the user gslbsitegroupadmin is configured with the role Gslb_Group_Enabled. The configured user has write access to the GSLB service and the privilege to enable or disable a GSLB group within the specified GSLB service.
[admin:10-10-10-2]: > show user gslbsitegroupadmin
+------------------+-----------------------------------------------+
| Field            | Value                                         |
+------------------+-----------------------------------------------+
| uuid             | user-27a528f5-2e8e-42bb-b5b0-2229123215ec     |
| username         | gslbsitegroupadmin                            |
| password         | <sensitive>                                   |
| name             | gslbsitegroupadmin                            |
| email            |                                               |
| access[1]        |                                               |
|   role_ref       | Gslb_Group_Enabled                            |
|   all_tenants    | True                                          |
| access[2]        |                                               |
|   role_ref       | Gslb_Health_Monitor                           |
|   all_tenants    | True                                          |
| is_superuser     | False                                         |
| local            | True                                          |
| user_profile_ref | Default-User-Account-Profile                  |
+------------------+-----------------------------------------------+
[admin:10-10-10-2]: > show role Gslb_Group_Enabled
+--------------------------+-------------------------------------------+
| Field                    | Value                                     |
+--------------------------+-------------------------------------------+
| uuid                     | role-0facf895-c551-4cd0-b1f6-73b4c890c746 |
| name                     | Gslb_Group_Enabled                        |
| privileges[1]            |                                           |
|   type                   | WRITE_ACCESS                              |
|   resource               | PERMISSION_GSLBSERVICE                    |
|   subresource            |                                           |
|     exclude_subresources | False                                     |
|     subresources[1]      | SUBRESOURCE_GSLBSERVICE_GROUP_ENABLED     |
| allow_unlabelled_access  | True                                      |
| tenant_ref               | admin                                     |
+--------------------------+-------------------------------------------+
The roles above must be created on the leader site and on every follower site.
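The check below is an added example, not part of this page or of the Avi product: it parses a show role table in the layout shown above (a constructed sample) and flags any privilege broader than the per-field grant the page prescribes, so the same role definition can be audited on the leader and on every follower site.

```python
import re

# Constructed sample in the layout `show role` prints above (nested fields shown indented).
SAMPLE_ROLE = """\
| name                     | Gslb_Group_Member_Enabled                    |
| privileges[1]            |                                              |
|   type                   | WRITE_ACCESS                                 |
|   resource               | PERMISSION_GSLBSERVICE                       |
|   subresource            |                                              |
|     exclude_subresources | False                                        |
|     subresources[1]      | SUBRESOURCE_GSLBSERVICE_GROUP_MEMBER_ENABLED |
| allow_unlabelled_access  | True                                         |
| tenant_ref               | admin                                        |
"""

# The only two per-field grants the page assigns to follower-site users.
ALLOWED_SUBRESOURCES = {"SUBRESOURCE_GSLBSERVICE_GROUP_ENABLED", "SUBRESOURCE_GSLBSERVICE_GROUP_MEMBER_ENABLED"}
ROW = re.compile(r"^\|\s*([\w\[\]]+)\s*\|\s*(.*?)\s*\|$")


def parse_role_table(text: str) -> dict:
    """Turn the two-column CLI table into a dict with a list of privilege dicts."""
    role = {"privileges": []}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key.startswith("privileges["):
            role["privileges"].append({"subresources": []})
        elif key.startswith("subresources["):
            role["privileges"][-1]["subresources"].append(value)
        elif key in ("type", "resource", "exclude_subresources"):
            role["privileges"][-1][key] = value
        elif key != "subresource":  # 'subresource' is only a container row
            role[key] = value
    return role


def audit_follower_role(role: dict) -> list:
    """Return findings; an empty list means the role is as narrow as the page prescribes."""
    findings = []
    for p in role["privileges"]:
        if (p.get("type"), p.get("resource")) != ("WRITE_ACCESS", "PERMISSION_GSLBSERVICE"):
            findings.append(f"unexpected privilege {p.get('type')} on {p.get('resource')}")
        if not p["subresources"]:
            findings.append("no subresource list: this is whole-object write on the GSLB service")
        if p.get("exclude_subresources") == "True":
            findings.append("exclude_subresources is True, so the listed fields are denied, not granted")
        findings += [f"subresource {s} is not one of the two allowed grants" for s in p["subresources"] if s not in ALLOWED_SUBRESOURCES]
    return findings
```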
Configuring Federated JWT Profile
GSLB follower sites use a JWT token to communicate with the leader site for configuration API calls. Hence, all sites need a JWT server profile holding the shared key used to sign and verify the token and to extract the required information from it. The JWT server profile must be configured as a federated object by enabling the is_federated flag in the JWT server profile configuration. This is a mandatory step on the leader site; GSLB site-agnostic configuration cannot be enabled without it. Use the configure jwtserverprofile command to configure the JWT server profile on the leader site and set the is_federated flag to True.
The following are the algorithms supported for the JWS Keys:
HS256 with 32 bytes as the key length
HS384 with 48 bytes as the key length
HS512 with 64 bytes as the key length
Use the following API to generate the key used in the JWT server profile:
https://example.com/api/symmetric-key?alg=HS512
Sample output from the above API call:
{
  "kid": "5105e67b-85c0-4d27-aaf1-3bef8020d8ac",
  "alg": "HS512",
  "kty": "oct",
  "key": "TTA2Zk5Kb2NWTWE4ZmZ2bnRrbHNDZ0xNbUV2Z211ZThHMnBTaFE1Nm1DM0tZMmFqWjlHcjRBcmI2NDdyNGhoQg"
}
The alg parameter is optional; its default value is HS256.
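As an added example that is not part of this page or of the Avi product, the Python below is a local stand-in for the /api/symmetric-key output shape (kid, alg, kty, key) for the three JWS algorithms and key lengths listed above, and then signs and verifies a JWT with that key; the claim names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import uuid

# Key length in bytes that the page lists for each JWS algorithm, with its HMAC digest.
ALGS = {"HS256": (32, hashlib.sha256), "HS384": (48, hashlib.sha384), "HS512": (64, hashlib.sha512)}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_symmetric_key(alg: str = "HS256") -> dict:
    """Local stand-in for /api/symmetric-key: same fields as the page's sample output (default alg HS256)."""
    length, _ = ALGS[alg]
    return {"kid": str(uuid.uuid4()), "alg": alg, "kty": "oct", "key": b64url(secrets.token_bytes(length))}


def sign_jwt(claims: dict, jwk: dict) -> str:
    """Produce header.payload.signature, refusing a key whose length does not match the algorithm."""
    length, digest = ALGS[jwk["alg"]]
    key = b64url_decode(jwk["key"])
    if len(key) != length:
        raise ValueError(f"{jwk['alg']} needs a {length}-byte key, got {len(key)}")
    header = {"alg": jwk["alg"], "typ": "JWT", "kid": jwk["kid"]}
    segments = [b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)]
    signing_input = ".".join(segments)
    return signing_input + "." + b64url(hmac.new(key, signing_input.encode(), digest).digest())


def verify_jwt(token: str, jwk: dict):
    """Return the claims if the token verifies under this profile's key, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header = json.loads(b64url_decode(parts[0]))
    # Pin alg and kid to the profile; never let the token's own header choose the verification algorithm.
    if header.get("alg") != jwk["alg"] or header.get("kid") != jwk["kid"]:
        return None
    _, digest = ALGS[jwk["alg"]]
    expected = hmac.new(b64url_decode(jwk["key"]), ".".join(parts[:2]).encode(), digest).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return None
    return json.loads(b64url_decode(parts[1]))
```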
Use the configure jwtserverprofile command to configure the JWT server profile on the leader site, set the is_federated flag to True, and set jwt_profile_type to CONTROLLER_INTERNAL_AUTH.
In the following CLI snippet, the JWT profile gslb_jwt_server_profile is configured with the HS256 algorithm:
[admin:10-79-169-140]: > show jwtserverprofile gslb_jwt_server_profile
+--------------------------+-------------------------------------------------------+
| Field                    | Value                                                 |
+--------------------------+-------------------------------------------------------+
| uuid                     | jwtserverprofile-03201645-2556-4d13-9d0c-8415c80faa73 |
| name                     | gslb_jwt_server_profile                               |
| tenant_ref               | admin                                                 |
| jwt_profile_type         | CONTROLLER_INTERNAL_AUTH                              |
| controller_internal_auth |                                                       |
|   symmetric_jwks_keys[1] |                                                       |
|     alg                  | HS256                                                 |
|     kty                  | OEpZREZsTThXU2RxdjJVd0g5WG5pRHVoMkNQaHU2Mjc           |
|     kid                  | ef0ae791-2380-4447-bf79-d3d01575d3e2                  |
|     key                  | <sensitive>                                           |
| is_federated             | True                                                  |
+--------------------------+-------------------------------------------------------+
[admin:10-79-169-140]: >
Enabling Configuration Changes from Followers
Set the enable_config_by_members flag to True in the GSLB global configuration on the leader site. The federated JWT profile must already be configured and available before this flag can be enabled.
[admin:10-10-10-1]: > show gslb glb-1
+--------------------------+-----------------------------------------------------+
| Field                    | Value                                               |
+--------------------------+-----------------------------------------------------+
| uuid                     | gslb-c8ebc3e3-16e1-47f2-9f70-5ade3f1e1221           |
| name                     | glb-1                                               |
....
....
| tenant_scoped            | False                                               |
| enable_config_by_members | True                                                |
+--------------------------+-----------------------------------------------------+
Once the steps above are complete, a user at a follower site who holds the required roles can enable or disable a GSLB service group or a GSLB service group member.