The steps to configure the object using markers are as follows.

Configure the Object

Consider configuring the pool object pool-123 with two owners, engineer and marketing. In the “Key”: [“value1”, “value2”] form, the marker is “Owner”: [“eng”, “marketing”].

[admin:ctrl10]: > configure pool pool-123
[admin:ctrl10]: pool> markers
New object being created
[admin:ctrl10]: pool:markers> key owner
[admin:ctrl10]: pool:markers> values eng
[admin:ctrl10]: pool:markers> values marketing
[admin:ctrl10]: pool:markers> save
[admin:ctrl10]: pool> save

The pool configuration lists the assigned key and its values under markers[1], as shown below.

+---------------------------------------+-------------------------------+
| Field                                 | Value                         |
+---------------------------------------+-------------------------------+
| uuid                                  | pool-0f373267-d62d-47b5-90e6-486abdd5da53                                                            |
| name                                  | pool-123                      |
| default_server_port                   | 80                            |
| graceful_disable_timeout              | 1 min                         |
| connection_ramp_duration              | 10 min                        |
| max_concurrent_connections_per_server | 0                             |
| lb_algorithm                          | LB_ALGORITHM_LEAST_CONNECTIONS|
| lb_algorithm_hash                     | LB_ALGORITHM_CONSISTENT_HASH_SOURCE_IP_ADDRESS                          |
| inline_health_monitor                 | True                          |
| use_service_port                      | False                         |
| capacity_estimation                   | False                         |
| capacity_estimation_ttfb_thresh       | 0 milliseconds                |
| vrf_ref                               | global                        |
| fewest_tasks_feedback_delay           | 10 sec                        |
| enabled                               | True                          |
| request_queue_enabled                 | False                         |
| request_queue_depth                   | 128                           |
| host_check_enabled                    | False                         |
| sni_enabled                           | True                          |
| rewrite_host_header_to_sni            | False                         |
| rewrite_host_header_to_server_name    | False                         |
| lb_algorithm_core_nonaffinity         | 2                             |
| lookup_server_by_name                 | False                         |
| analytics_profile_ref                 | System-Analytics-Profile      |
| markers[1]                            |                               |
|   key                                 | owner                         |
|   values[1]                           | eng                           |
|   values[2]                           | marketing                     |
| tenant_ref                            | admin                         |
| cloud_ref                             | Default-Cloud                 |
| server_timeout                        | 0 milliseconds                |
| delete_server_on_dns_refresh          | True                          |
| enable_http2                          | False                         |
| ignore_server_port                    | False                         |
| routing_pool                          | False                         |
+---------------------------------------+-------------------------------+

Create Roles

Create the role for Eng, named role-eng, with write access to the pool object. The role filter restricts it to objects whose owner marker matches the glob *eng*.

[admin:ctrl10.79.169.184]: > configure role role-eng
[admin:ctrl10.79.169.184]: role> privileges
New object being created
[admin:ctrl10.79.169.184]: role:privileges> type write_access
[admin:ctrl10.79.169.184]: role:privileges> resource permission_pool
[admin:ctrl10.79.169.184]: role:privileges> save
[admin:ctrl10.79.169.184]: role> filters
New object being created
[admin:ctrl10.79.169.184]: role:filters> match_operation role_filter_glob_match
[admin:ctrl10.79.169.184]: role:filters> match_label
[admin:ctrl10.79.169.184]: role:filters:match_label> key owner
[admin:ctrl10.79.169.184]: role:filters:match_label> values *eng*
[admin:ctrl10.79.169.184]: role:filters:match_label> save
[admin:ctrl10.79.169.184]: role:filters> save
[admin:ctrl10.79.169.184]: role> no allow_unlabelled_access
[admin:ctrl10.79.169.184]: role> save

The resulting role is shown below.

+-------------------------+-------------------------------------------+
| Field                   | Value                                     |
+-------------------------+-------------------------------------------+
| uuid                    | role-870880cf-6093-4dbb-83bb-b6e0566dfc83 |
| name                    | role-eng                                  |
| privileges[1]           |                                           |
|   type                  | WRITE_ACCESS                              |
|   resource              | PERMISSION_POOL                           |
| filters[1]              |                                           |
|   match_operation       | ROLE_FILTER_GLOB_MATCH                    |
|   match_label           |                                           |
|     key                 | owner                                     |
|     values[1]           | *eng*                                     |
|   enabled               | True                                      |
| allow_unlabelled_access | False                                     |
| tenant_ref              | admin                                     |
+-------------------------+-------------------------------------------+

Note:

For this role, allow_unlabelled_access is disabled. This means that unlabelled objects are not visible to the user. For unlabelled objects to be visible, this option must be set to True.

Similarly, the role marketing can be configured with the required permissions to the object.

Create a Label Group

Create labelgroup-123, a new object that holds a list of entries in the form “key1”: [“value1”, “value2”, “value3”, …].

[admin:ctrl]: > configure labelgroup labelgroup-123
[admin:ctrl]: labelgroup> labels
New object being created
[admin:ctrl]: labelgroup:labels> match_operation role_filter_equals
[admin:ctrl]: labelgroup:labels> match_label
[admin:ctrl]: labelgroup:labels:match_label> key owner
[admin:ctrl1]: labelgroup:labels:match_label> values eng
[admin:ctrl1]: labelgroup:labels:match_label> values marketing
[admin:ctrl1]: labelgroup:labels:match_label> values testing
[admin:ctrl1]: labelgroup:labels:match_label> save
[admin:ctrl1]: labelgroup:labels> save
[admin:ctrl1]: labelgroup> save

The label group object is as shown below.

+-------------------+-------------------------------------------------+
| Field             | Value                                           |
+-------------------+-------------------------------------------------+
| uuid              | labelgroup-dee35ef6-b3c3-4eae-956a-9b32b6a87d26 |
| name              | labelgroup-123                                  |
| labels[1]         |                                                 |
|   match_operation | ROLE_FILTER_EQUALS                              |
|   match_label     |                                                 |
|     key           | owner                                           |
|     values[1]     | eng                                             |
|     values[2]     | marketing                                       |
|     values[3]     | testing                                         |
+-------------------+-------------------------------------------------+

Associate Label Group to a Tenant

[admin:ctrl]: > configure tenant t-1
[admin:ctrl]: tenant> enforce_label_group
[admin:ctrl]: tenant> label_group_refs labelgroup-123
[admin:ctrl]: tenant> save

The configured tenant is as shown below.

+--------------------------------+--------------------------------------+
| Field                          | Value                                |
+--------------------------------+--------------------------------------+
| uuid                           | tenant-b7a85c33-26c3-40eb-a25c-f86a58d3e5ff                                                            |
| name                           | t-1                                  |
| local                          | True                                 |
| config_settings                |                                      |
|   tenant_vrf                   | False                                |
|   se_in_provider_context       | True                                 |
|   tenant_access_to_provider_se | True                                 |
| enforce_label_group            | True                                 |
| label_group_refs[1]            | labelgroup-123                       |
+--------------------------------+--------------------------------------+

Creating an object whose markers do not satisfy the key:value rules of the label group assigned to the tenant results in an error.

For example, if the pool object is configured with the marker “owner”: [“sales”], an error is displayed as shown below:

[admin:ctrl]: > configure pool pool-4
[admin:ctrl]: pool> markers
New object being created
[admin:ctrl]: pool:markers> key owner
[admin:ctrl]: pool:markers> value sales
[admin:ctrl]: pool:markers> save
[admin:ctrl]: pool> save
Error: {"error": "Marker with key 'owner' to value 'sales' does not qualify the labelgroup rules on this tenant."}
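
The role filter and label group checks configured above can be reasoned about with a small model. The following is an added example, not the controller's own code. It assumes shell-style glob matching, that a rule passes when any marker value under its key matches, and that a marker key with no rule in the label group is rejected; the value challenge is constructed for illustration.

```python
# Simplified model of the marker checks on this page; not the controller's code.
# Assumptions: globs are shell-style (fnmatch); a rule passes when any marker
# value under its key matches; a role must pass all of its enabled filters.
from fnmatch import fnmatchcase

def label_matches(op, rule, markers):
    """Apply one match_label rule to an object's markers (key -> list of values)."""
    values = markers.get(rule["key"], [])
    if op == "ROLE_FILTER_GLOB_MATCH":
        return any(fnmatchcase(v, p) for v in values for p in rule["values"])
    if op == "ROLE_FILTER_EQUALS":
        return any(v in rule["values"] for v in values)
    raise ValueError(f"unsupported match_operation: {op}")

def role_can_access(role, markers):
    """Unlabelled objects follow allow_unlabelled_access; labelled ones the filters."""
    if not markers:
        return role["allow_unlabelled_access"]
    return all(label_matches(f["match_operation"], f["match_label"], markers)
               for f in role["filters"] if f.get("enabled", True))

def labelgroup_violations(labelgroup, markers):
    """Return (key, value) pairs that no rule in the label group accepts.
    Assumption: a key with no rule in the group is rejected as well."""
    bad = []
    for key, values in markers.items():
        for v in values:
            if not any(lbl["match_label"]["key"] == key and
                       label_matches(lbl["match_operation"], lbl["match_label"], {key: [v]})
                       for lbl in labelgroup["labels"]):
                bad.append((key, v))
    return bad

# Objects as configured on this page.
ROLE_ENG = {"allow_unlabelled_access": False, "filters": [
    {"match_operation": "ROLE_FILTER_GLOB_MATCH", "enabled": True,
     "match_label": {"key": "owner", "values": ["*eng*"]}}]}
LABELGROUP_123 = {"labels": [
    {"match_operation": "ROLE_FILTER_EQUALS",
     "match_label": {"key": "owner", "values": ["eng", "marketing", "testing"]}}]}

if __name__ == "__main__":
    for m in ({"owner": ["eng", "marketing"]},   # pool-123
              {},                                 # unlabelled object
              {"owner": ["sales"]},               # pool-4
              {"owner": ["challenge"]}):          # constructed: contains "eng"
        print(m, role_can_access(ROLE_ENG, m), labelgroup_violations(LABELGROUP_123, m))
```

In this model the constructed value challenge passes the *eng* glob but is rejected by labelgroup-123, so enforcing a label group on the tenant keeps a broad role glob from matching marker values nobody intended.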