The steps to configure the object using markers are as follows.
Configure the Object
Consider configuring the pool object pool-123 with two owners, eng and marketing. In the marker notation “key”: [“value1”, “value2”], this is “owner”: [“eng”, “marketing”].
[admin:ctrl10]: > configure pool pool-123
[admin:ctrl10]: pool> markers
New object being created
[admin:ctrl10]: pool:markers> key owner
[admin:ctrl10]: pool:markers> values eng
[admin:ctrl10]: pool:markers> values marketing
[admin:ctrl10]: pool:markers> save
[admin:ctrl10]: pool> save
The pool configuration shows the marker key and its values assigned under markers[1], as shown below.
+---------------------------------------+------------------------------------------------+
| Field                                 | Value                                          |
+---------------------------------------+------------------------------------------------+
| uuid                                  | pool-0f373267-d62d-47b5-90e6-486abdd5da53      |
| name                                  | pool-123                                       |
| default_server_port                   | 80                                             |
| graceful_disable_timeout              | 1 min                                          |
| connection_ramp_duration              | 10 min                                         |
| max_concurrent_connections_per_server | 0                                              |
| lb_algorithm                          | LB_ALGORITHM_LEAST_CONNECTIONS                 |
| lb_algorithm_hash                     | LB_ALGORITHM_CONSISTENT_HASH_SOURCE_IP_ADDRESS |
| inline_health_monitor                 | True                                           |
| use_service_port                      | False                                          |
| capacity_estimation                   | False                                          |
| capacity_estimation_ttfb_thresh       | 0 milliseconds                                 |
| vrf_ref                               | global                                         |
| fewest_tasks_feedback_delay           | 10 sec                                         |
| enabled                               | True                                           |
| request_queue_enabled                 | False                                          |
| request_queue_depth                   | 128                                            |
| host_check_enabled                    | False                                          |
| sni_enabled                           | True                                           |
| rewrite_host_header_to_sni            | False                                          |
| rewrite_host_header_to_server_name    | False                                          |
| lb_algorithm_core_nonaffinity         | 2                                              |
| lookup_server_by_name                 | False                                          |
| analytics_profile_ref                 | System-Analytics-Profile                       |
| markers[1]                            |                                                |
|   key                                 | owner                                          |
|   values[1]                           | eng                                            |
|   values[2]                           | marketing                                      |
| tenant_ref                            | admin                                          |
| cloud_ref                             | Default-Cloud                                  |
| server_timeout                        | 0 milliseconds                                 |
| delete_server_on_dns_refresh          | True                                           |
| enable_http2                          | False                                          |
| ignore_server_port                    | False                                          |
| routing_pool                          | False                                          |
+---------------------------------------+------------------------------------------------+
Create Roles
Create the role named role-eng with write access to the pool object, restricted by a filter that matches only objects whose owner marker value matches the glob *eng*.
[admin:ctrl10.79.169.184]: > configure role role-eng
[admin:ctrl10.79.169.184]: role> privileges
New object being created
[admin:ctrl10.79.169.184]: role:privileges> type write_access
[admin:ctrl10.79.169.184]: role:privileges> resource permission_pool
[admin:ctrl10.79.169.184]: role:privileges> save
[admin:ctrl10.79.169.184]: role> filters
New object being created
[admin:ctrl10.79.169.184]: role:filters> match_operation role_filter_glob_match
[admin:ctrl10.79.169.184]: role:filters> match_label
[admin:ctrl10.79.169.184]: role:filters:match_label> key owner
[admin:ctrl10.79.169.184]: role:filters:match_label> values *eng*
[admin:ctrl10.79.169.184]: role:filters:match_label> save
[admin:ctrl10.79.169.184]: role:filters> save
[admin:ctrl10.79.169.184]: role> no allow_unlabelled_access
[admin:ctrl10.79.169.184]: role> save
The role is viewed as shown below.
+-------------------------+-------------------------------------------+
| Field                   | Value                                     |
+-------------------------+-------------------------------------------+
| uuid                    | role-870880cf-6093-4dbb-83bb-b6e0566dfc83 |
| name                    | role-eng                                  |
| privileges[1]           |                                           |
|   type                  | WRITE_ACCESS                              |
|   resource              | PERMISSION_POOL                           |
| filters[1]              |                                           |
|   match_operation       | ROLE_FILTER_GLOB_MATCH                    |
|   match_label           |                                           |
|     key                 | owner                                     |
|     values[1]           | *eng*                                     |
| enabled                 | True                                      |
| allow_unlabelled_access | False                                     |
| tenant_ref              | admin                                     |
+-------------------------+-------------------------------------------+
For this role, allow_unlabelled_access is disabled, so objects that carry no markers are not visible to users assigned this role. To make unlabelled objects visible, set allow_unlabelled_access to True.
Similarly, a marketing role can be configured with the required permissions to the object, using a filter on the owner marker that matches marketing.
Create a Label Group
Create the label group labelgroup-123, a new object that holds the list of permitted values for each key, in the form “key1”: [“value1”, “value2”, “value3”, …].
[admin:ctrl]: > configure labelgroup labelgroup-123
[admin:ctrl]: labelgroup> labels
New object being created
[admin:ctrl]: labelgroup:labels> match_operation role_filter_equals
[admin:ctrl]: labelgroup:labels> match_label
[admin:ctrl]: labelgroup:labels:match_label> key owner
[admin:ctrl1]: labelgroup:labels:match_label> values eng
[admin:ctrl1]: labelgroup:labels:match_label> values marketing
[admin:ctrl1]: labelgroup:labels:match_label> values testing
[admin:ctrl1]: labelgroup:labels:match_label> save
[admin:ctrl1]: labelgroup:labels> save
[admin:ctrl1]: labelgroup> save
The label group object is as shown below.
+-------------------+-------------------------------------------------+
| Field             | Value                                           |
+-------------------+-------------------------------------------------+
| uuid              | labelgroup-dee35ef6-b3c3-4eae-956a-9b32b6a87d26 |
| name              | labelgroup-123                                  |
| labels[1]         |                                                 |
|   match_operation | ROLE_FILTER_EQUALS                              |
|   match_label     |                                                 |
|     key           | owner                                           |
|     values[1]     | eng                                             |
|     values[2]     | marketing                                       |
|     values[3]     | testing                                         |
+-------------------+-------------------------------------------------+
Associate Label Group to a Tenant
[admin:ctrl]: > configure tenant t-1
[admin:ctrl]: tenant> enforce_label_group
[admin:ctrl]: tenant> label_group_refs labelgroup-123
[admin:ctrl]: tenant> save
The configured tenant is as shown below.
+--------------------------------+---------------------------------------------+
| Field                          | Value                                       |
+--------------------------------+---------------------------------------------+
| uuid                           | tenant-b7a85c33-26c3-40eb-a25c-f86a58d3e5ff |
| name                           | t-1                                         |
| local                          | True                                        |
| config_settings                |                                             |
|   tenant_vrf                   | False                                       |
|   se_in_provider_context       | True                                        |
|   tenant_access_to_provider_se | True                                        |
| enforce_label_group            | True                                        |
| label_group_refs[1]            | labelgroup-123                              |
+--------------------------------+---------------------------------------------+
Once enforce_label_group is set on the tenant, creating an object whose markers do not satisfy the key:value rules of the referenced label groups fails with an error. For example, if a pool object is configured with the marker “owner”: [“sales”], a value not listed in labelgroup-123, the following error is displayed:
[admin:ctrl]: > configure pool pool-4
[admin:ctrl]: pool> markers
New object being created
[admin:ctrl]: pool:markers> key owner
[admin:ctrl]: pool:markers> values sales
[admin:ctrl]: pool:markers> save
[admin:ctrl]: pool> save
Error: {"error": "Marker with key 'owner' to value 'sales' does not qualify the labelgroup rules on this tenant."}
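The following Python script is an added illustration for this page, not code from the load balancer or its vendor. It models the two checks the procedure above relies on: the label-group enforcement that rejects pool-4, and the role filter plus allow_unlabelled_access that decides whether role-eng can see pool-123 or an unlabelled pool. The matching semantics are assumptions made for the example: ROLE_FILTER_EQUALS is exact membership, ROLE_FILTER_GLOB_MATCH is shell-style globbing on each marker value, every marker value must be accepted by some label-group rule for that key, and a role sees an object when any of its filters matches any marker value. The sample objects (labelgroup-123, t-1, role-eng, pool-123, pool-4) are constructed to mirror the ones configured on this page.

```python
"""Model of marker-based access checks (added example; semantics are assumptions)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Marker:
    """One entry of an object's markers[] list, e.g. key=owner values=[eng, marketing]."""
    key: str
    values: list[str]


@dataclass
class LabelRule:
    """One entry of labelgroup.labels[] or role.filters[]: match_operation + match_label."""
    match_operation: str  # "ROLE_FILTER_EQUALS" or "ROLE_FILTER_GLOB_MATCH"
    key: str
    values: list[str]

    def accepts(self, value: str) -> bool:
        # Assumed semantics: EQUALS is exact membership, GLOB_MATCH is shell-style globbing.
        if self.match_operation == "ROLE_FILTER_EQUALS":
            return value in self.values
        if self.match_operation == "ROLE_FILTER_GLOB_MATCH":
            return any(fnmatchcase(value, pattern) for pattern in self.values)
        raise ValueError(f"unknown match_operation {self.match_operation!r}")


@dataclass
class LabelGroup:
    name: str
    labels: list[LabelRule]


@dataclass
class Tenant:
    name: str
    enforce_label_group: bool = False
    label_group_refs: list[LabelGroup] = field(default_factory=list)


@dataclass
class Role:
    name: str
    filters: list[LabelRule]
    allow_unlabelled_access: bool = False


def validate_markers(tenant: Tenant, markers: list[Marker]) -> Optional[str]:
    """Return None when every marker value is accepted by a label-group rule for its key,
    otherwise an error string in the form of the CLI error shown on the page (assumed)."""
    if not tenant.enforce_label_group:
        return None  # nothing enforced on this tenant
    rules = [rule for group in tenant.label_group_refs for rule in group.labels]
    for marker in markers:
        for value in marker.values:
            if not any(rule.key == marker.key and rule.accepts(value) for rule in rules):
                return (f"Marker with key '{marker.key}' to value '{value}' does not "
                        f"qualify the labelgroup rules on this tenant.")
    return None


def role_can_see(role: Role, markers: list[Marker]) -> bool:
    """Whether an object with these markers is visible to a user holding `role`.
    Unlabelled objects are governed only by allow_unlabelled_access (assumed)."""
    if not markers:
        return role.allow_unlabelled_access
    return any(rule.key == marker.key and rule.accepts(value)
               for rule in role.filters for marker in markers for value in marker.values)


# Constructed sample data mirroring the objects configured on this page.
LABELGROUP_123 = LabelGroup("labelgroup-123", [
    LabelRule("ROLE_FILTER_EQUALS", "owner", ["eng", "marketing", "testing"]),
])
TENANT_T1 = Tenant("t-1", enforce_label_group=True, label_group_refs=[LABELGROUP_123])
ROLE_ENG = Role("role-eng", [LabelRule("ROLE_FILTER_GLOB_MATCH", "owner", ["*eng*"])],
                allow_unlabelled_access=False)

POOL_123 = [Marker("owner", ["eng", "marketing"])]
POOL_4 = [Marker("owner", ["sales"])]
POOL_UNLABELLED: list[Marker] = []


if __name__ == "__main__":
    for name, markers in (("pool-123", POOL_123), ("pool-4", POOL_4)):
        print(name, "->", validate_markers(TENANT_T1, markers) or "accepted")
    for name, markers in (("pool-123", POOL_123), ("unlabelled pool", POOL_UNLABELLED)):
        print(name, "visible to role-eng:", role_can_see(ROLE_ENG, markers))
```

Running it shows pool-123 accepted and pool-4 rejected with the same message as the CLI, pool-123 visible to role-eng, and the unlabelled pool hidden until allow_unlabelled_access is turned on. Because the glob *eng* does not match the string marketing, a pool labelled only owner: [marketing] would be hidden from role-eng; keep that in mind when choosing glob patterns, since an over-broad pattern such as * silently widens what a role can reach.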