This topic describes how to configure User Account and Authentication (UAA) roles in VMware Tanzu GemFire for Tanzu Application Service.

Caution

The UAA roles are not the same as the default roles used by GemFire for Tanzu Application Service when external authentication has not been activated. For information about the default roles, see Security within the Cluster in Security.

Overview

GemFire for Tanzu Application Service service instances include predefined security roles for use with UAA. Each role has specific permissions for cluster operations. Each user is assigned one or more of these roles.

When a user invokes a cluster operation using gfsh, the security manager for the GemFire for Tanzu Application Service service verifies that at least one of the user’s security roles has the permissions required to perform the cluster operation.

The cluster within a GemFire for Tanzu Application Service service instance implements role-based authorization: every cluster operation is permitted or denied based on the roles held by the authenticated user. Two sets of roles exist:

  • UAA Roles: A set of roles for GemFire for Tanzu Application Service instances that integrate with an external authentication system, such as LDAP, through UAA.

  • Default Roles: The roles used by GemFire for Tanzu Application Service when no external authentication was integrated during the GemFire for Tanzu Application Service tile installation.

This topic describes how to configure UAA roles. For information about the default roles, see Security within the Cluster in Security.

Prerequisites

  1. Before installing GemFire for Tanzu Application Service and configuring UAA roles, you must create a UAA client. For more information, see Create a User Account and Authentication (UAA) Client. Record the UAA client name and client secret.

  2. Before configuring UAA roles, you must activate UAA Authorization within the Tanzu GemFire tile:

    1. In the Ops Manager Installation Dashboard, open the Tanzu GemFire tile.
    2. Open the Security pane.
    3. Select the UAA Auth enable radio button and input the UAA client name and client secret when prompted.

For more information about configuring the Tanzu GemFire tile, see Installing and Configuring GemFire for Tanzu Application Service.

GemFire for Tanzu Application Service Predefined UAA Security Roles

GemFire for Tanzu Application Service defines the following security roles for use with UAA. Each role grants a fixed set of CLUSTER and DATA permissions; a user holding several roles gets the union of their permissions.

PCC_ADMIN
  Permissions: CLUSTER:MANAGE, CLUSTER:WRITE, CLUSTER:READ, DATA:MANAGE, DATA:WRITE, DATA:READ
  Description: All permissions required to manage the cluster and access region data.

PCC_OPERATOR
  Permissions: CLUSTER:MANAGE, CLUSTER:WRITE, CLUSTER:READ
  Description: All permissions required to manage the cluster. Cannot access region data.

PCC_DATA-ACCESS
  Permissions: CLUSTER:READ, DATA:MANAGE, DATA:WRITE, DATA:READ
  Description: All permissions required to access region data. Cannot manage the cluster.

PCC_CLUSTER-READ-ONLY
  Permissions: CLUSTER:READ, DATA:READ
  Description: Can view cluster and region data. Cannot manage the cluster or manipulate region data.

PCC_READ-ONLY
  Permissions: DATA:READ
  Description: Can view region data. Cannot manage the cluster or manipulate region data.

Configure the Roles

Before configuring the UAA roles, you must configure GemFire for Tanzu Application Service to use UAA. For more information, see Prerequisites.

Configure the UAA server and your external authentication system, such as LDAP, with the Space-specific roles as follows:

  1. In a terminal window, log in to the Cloud Foundry CLI and your Org. For example:

    cf login
    cf target -o NAME-OF-ORG
    

    Where NAME-OF-ORG is the name of your Org.

  2. Retrieve and record the GUID of the Space that will host your GemFire for Tanzu Application Service service instance using the command below. You use this GUID to create Space-specific groups within your Enterprise SSO system in the next step.

    cf space --guid NAME-OF-SPACE
    

    Where NAME-OF-SPACE is the name of the Space that will host your GemFire for Tanzu Application Service service instance.

    The form of the output GUID will be similar to this example:

    03badc2a-4243-4251-84b5-c9bfba276f04
    
  3. Create Space-specific groups for each of the UAA roles within your Enterprise SSO system. The name of each group is the name of the UAA role, followed by an underscore character, followed by the GUID of the Space that you recorded in the previous step.

    Using the Space GUID in the example above, the names of the groups would be:

      • PCC_ADMIN group: PCC_ADMIN_03badc2a-4243-4251-84b5-c9bfba276f04
      • PCC_OPERATOR group: PCC_OPERATOR_03badc2a-4243-4251-84b5-c9bfba276f04
      • PCC_DATA-ACCESS group: PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04
      • PCC_CLUSTER-READ-ONLY group: PCC_CLUSTER-READ-ONLY_03badc2a-4243-4251-84b5-c9bfba276f04
      • PCC_READ-ONLY group: PCC_READ-ONLY_03badc2a-4243-4251-84b5-c9bfba276f04

  4. Assign users to these Space-specific groups within your Enterprise SSO system.

  5. In a terminal window, use the UAA Command Line Interface (UAAC) to log in to your UAA server as the admin client.

  6. Use the UAAC to add each group name to the UAA server by running the following command for each group:

    uaac group add ROLE_SPACEGUID
    

    Where ROLE_SPACEGUID is a group name that you created in a previous step.

    For example, using the group name from above, the following commands add the groups to the UAA server:

    $ uaac group add PCC_ADMIN_03badc2a-4243-4251-84b5-c9bfba276f04
    $ uaac group add PCC_OPERATOR_03badc2a-4243-4251-84b5-c9bfba276f04
    $ uaac group add PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04
    $ uaac group add PCC_CLUSTER-READ-ONLY_03badc2a-4243-4251-84b5-c9bfba276f04
    $ uaac group add PCC_READ-ONLY_03badc2a-4243-4251-84b5-c9bfba276f04
    
  7. Use the UAAC to map each UAA group to the corresponding group in your external authentication system by running the uaac group map command. For example, for LDAP:

    uaac group map --name ROLE_SPACEGUID "GROUP-DISTINGUISHED-NAME"
    

    Where:

      • ROLE_SPACEGUID is a group name that you created in a previous step.
      • GROUP-DISTINGUISHED-NAME is the LDAP distinguished name of the Space-specific group of the same name that you created in your Enterprise SSO system in a previous step.

    For example:

    $ uaac group map --name PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04 "CN=PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04,OU=Groups,DC=pivotal,DC=io"
    

    For more information about the uaac group map command, see Grant Admin Permissions to an External Group (SAML, LDAP, or OIDC) in Creating and Managing Users with the UAA CLI (UAAC) in the VMware Tanzu Application Service for VMs product documentation.
