This topic describes how to configure User Account and Authentication (UAA) roles in VMware Tanzu GemFire for Tanzu Application Service.
Caution: The UAA roles are not the same as the default roles used by GemFire for Tanzu Application Service when external authentication has not been activated. For information about the default roles, see Security within the Cluster in Security.
GemFire for Tanzu Application Service service instances include predefined security roles for use with UAA. Each role has specific permissions for cluster operations. Each user is assigned one or more of these roles.
When a user invokes a cluster operation using gfsh, the security manager for the GemFire for Tanzu Application Service service verifies that at least one of the user's security roles has the permissions required to perform the cluster operation.
The cluster within a GemFire for Tanzu Application Service service instance implements role-based authentication and authorizes cluster operations based upon the roles. Two sets of roles exist:
* UAA Roles: A set of roles for GemFire for Tanzu Application Service instances that integrate with external authentication like LDAP.
* Default Roles: The default roles used by GemFire for Tanzu Application Service when no external authentication was integrated during the GemFire for Tanzu Application Service tile installation.
This topic describes how to configure UAA roles. For information about the default roles, see Security within the Cluster in Security.
Before installing GemFire for Tanzu Application Service and configuring UAA roles, you must create a UAA client. For more information, see Create a User Account and Authentication (UAA) Client. Record the UAA client name and client secret.
Before configuring UAA roles, you must activate UAA Authorization within the Tanzu GemFire tile:
For more information about configuring the Tanzu GemFire tile, see Installing and Configuring GemFire for Tanzu Application Service.
GemFire for Tanzu Application Service predefined security roles for use with UAA, and their permissions:

Security Role Name | Permissions | Description
---|---|---
PCC_ADMIN | CLUSTER:MANAGE, CLUSTER:WRITE, CLUSTER:READ, DATA:MANAGE, DATA:WRITE, DATA:READ | All permissions required to manage the cluster and access region data.
PCC_OPERATOR | CLUSTER:MANAGE, CLUSTER:WRITE, CLUSTER:READ | All permissions required to manage the cluster. Cannot access region data.
PCC_DATA-ACCESS | CLUSTER:READ, DATA:MANAGE, DATA:WRITE, DATA:READ | All permissions required to access region data. Cannot manage the cluster.
PCC_CLUSTER-READ-ONLY | CLUSTER:READ, DATA:READ | Can view cluster and region data. Cannot manage the cluster or manipulate region data.
PCC_READ-ONLY | DATA:READ | Can view region data. Cannot manage the cluster or manipulate region data.
Before configuring the UAA roles, you must configure GemFire for Tanzu Application Service to use UAA. For more information, see Prerequisites.
Configure the UAA server and your external authentication system, such as LDAP, with the Space-specific roles as follows:
In a terminal window, log in to the Cloud Foundry CLI and your Org. For example:
cf login
cf target -o NAME-OF-ORG
Where NAME-OF-ORG is the name of your Org.
Retrieve and record the GUID of the Space that will host your GemFire for Tanzu Application Service service instance using the command below. You use this GUID to create Space-specific groups within your Enterprise SSO system in the next step.
cf space --guid NAME-OF-SPACE
Where NAME-OF-SPACE is the name of the Space that will host your GemFire for Tanzu Application Service service instance.
The form of the output GUID will be similar to this example:
03badc2a-4243-4251-84b5-c9bfba276f04
Create Space-specific groups for each of the UAA roles within your Enterprise SSO system. The name of each group is the name of the UAA role followed by an underscore character, followed by the GUID of the Space that you recorded in the previous step.
Using the Space GUID in the example above, the names of the groups would be:
* PCC_ADMIN group: PCC_ADMIN_03badc2a-4243-4251-84b5-c9bfba276f04
* PCC_OPERATOR group: PCC_OPERATOR_03badc2a-4243-4251-84b5-c9bfba276f04
* PCC_DATA-ACCESS group: PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04
* PCC_CLUSTER-READ-ONLY group: PCC_CLUSTER-READ-ONLY_03badc2a-4243-4251-84b5-c9bfba276f04
* PCC_READ-ONLY group: PCC_READ-ONLY_03badc2a-4243-4251-84b5-c9bfba276f04
Assign users to these Space-specific groups within your Enterprise SSO system.
In a terminal window, use the UAA Command Line Interface (UAAC) to log in as admin client to your UAA server.
Use the UAAC to add each group name to the UAA server by running the following command for each group:
uaac group add ROLE_SPACEGUID
Where ROLE_SPACEGUID is a group name that you created in a previous step.
For example, using the group names from above, the following commands add the groups to the UAA server:
$ uaac group add PCC_ADMIN_03badc2a-4243-4251-84b5-c9bfba276f04
$ uaac group add PCC_OPERATOR_03badc2a-4243-4251-84b5-c9bfba276f04
$ uaac group add PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04
$ uaac group add PCC_CLUSTER-READ-ONLY_03badc2a-4243-4251-84b5-c9bfba276f04
$ uaac group add PCC_READ-ONLY_03badc2a-4243-4251-84b5-c9bfba276f04
Use the UAAC to map each group name to the UAA server by running the uaac group map command. For example, for LDAP:
uaac group map --name ROLE_SPACEGUID "GROUP-DISTINGUISHED-NAME"
Where:
* ROLE_SPACEGUID is a group name that you created in a previous step.
* GROUP-DISTINGUISHED-NAME is the LDAP distinguished name of a Space-specific group that you created in a previous step.
For example:
$ uaac group map --name PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04 "CN=PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04,OU=Groups,DC=pivotal,DC=io"
For more information about the uaac group map command, see Grant Admin Permissions to an External Group (SAML, LDAP, or OIDC) in Creating and Managing Users with the UAA CLI (UAAC) in the VMware Tanzu Application Service for VMs product documentation.
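As an added example (not part of the product documentation or the GemFire code base), the following Python models the role table and the ROLE_SPACEGUID group-naming convention described above: it generates the uaac commands from the procedure as a dry run, and resolves which roles and permissions a user's UAA group memberships confer in a given Space, so that an operator can audit effective access before a user runs gfsh. All function names, the GUID pattern and the ldap_groups_base_dn parameter are this example's own assumptions.

```python
import re

# Role-to-permission table exactly as documented on this page.
ROLE_PERMISSIONS = {
    "PCC_ADMIN": {"CLUSTER:MANAGE", "CLUSTER:WRITE", "CLUSTER:READ",
                  "DATA:MANAGE", "DATA:WRITE", "DATA:READ"},
    "PCC_OPERATOR": {"CLUSTER:MANAGE", "CLUSTER:WRITE", "CLUSTER:READ"},
    "PCC_DATA-ACCESS": {"CLUSTER:READ", "DATA:MANAGE", "DATA:WRITE", "DATA:READ"},
    "PCC_CLUSTER-READ-ONLY": {"CLUSTER:READ", "DATA:READ"},
    "PCC_READ-ONLY": {"DATA:READ"},
}

# Space GUIDs as printed by 'cf space --guid' (assumption: lowercase hex, 8-4-4-4-12).
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def group_names_for_space(space_guid):
    """The five Space-specific group names, ROLE_SPACEGUID, for one Space."""
    if not GUID_RE.match(space_guid):
        raise ValueError(f"not a Space GUID: {space_guid!r}")
    return [f"{role}_{space_guid}" for role in ROLE_PERMISSIONS]


def uaac_commands(space_guid, ldap_groups_base_dn):
    """Dry run of the procedure: one 'group add' and one LDAP 'group map' per role,
    assuming each LDAP group's CN equals the UAA group name (as in the page's example)."""
    cmds = []
    for name in group_names_for_space(space_guid):
        cmds.append(f"uaac group add {name}")
        cmds.append(f'uaac group map --name {name} "CN={name},{ldap_groups_base_dn}"')
    return cmds


def roles_for_space(user_groups, space_guid):
    """Roles a user holds in one Space. Groups that name another Space, or whose
    prefix is not a known role, grant nothing here."""
    suffix = "_" + space_guid
    return {g[: -len(suffix)] for g in user_groups
            if g.endswith(suffix) and g[: -len(suffix)] in ROLE_PERMISSIONS}


def effective_permissions(user_groups, space_guid):
    """Union of the permissions of every role the user holds in the Space."""
    perms = set()
    for role in roles_for_space(user_groups, space_guid):
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_authorized(user_groups, space_guid, permission):
    """The documented check: at least one of the user's roles carries the permission."""
    return permission in effective_permissions(user_groups, space_guid)
```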