The steps to configure the object using markers are as follows.
Configuring the Object
Let us consider configuring the pool object pool-123 with two owners, engineer, and marketing. Here, “Key”: [“value1”, “value2”] :: “Owner”: [“eng”, “marketing”].
[admin:ctrl10]: > configure pool pool-123 [admin:ctrl10]: pool> markers New object being created [admin:ctrl10]: pool:markers> key owner [admin:ctrl10]: pool:markers> values eng [admin:ctrl10]: pool:markers> values marketing [admin:ctrl10]: pool:markers> save [admin:ctrl10]: pool> save
The pool configuration shows that the key and the corresponding values are assigned as shown below.
+---------------------------------------+-------------------------------+ | Field | Value | +---------------------------------------+-------------------------------+ | uuid | pool-0f373267-d62d-47b5-90e6-486abdd5da53 | | name | pool-123 | | default_server_port | 80 | | graceful_disable_timeout | 1 min | | connection_ramp_duration | 10 min | | max_concurrent_connections_per_server | 0 | | lb_algorithm | LB_ALGORITHM_LEAST_CONNECTIONS| | lb_algorithm_hash | LB_ALGORITHM_CONSISTENT_HASH_SOURCE_IP_ADDRESS | | inline_health_monitor | True | | use_service_port | False | | capacity_estimation | False | | capacity_estimation_ttfb_thresh | 0 milliseconds | | vrf_ref | global | | fewest_tasks_feedback_delay | 10 sec | | enabled | True | | request_queue_enabled | False | | request_queue_depth | 128 | | host_check_enabled | False | | sni_enabled | True | | rewrite_host_header_to_sni | False | | rewrite_host_header_to_server_name | False | | lb_algorithm_core_nonaffinity | 2 | | lookup_server_by_name | False | | analytics_profile_ref | System-Analytics-Profile | | markers[1] | | | key | owner | | values[1] | eng | | values[2] | marketing | | tenant_ref | admin | | cloud_ref | Default-Cloud | | server_timeout | 0 milliseconds | | delete_server_on_dns_refresh | True | | enable_http2 | False | | ignore_server_port | False | | routing_pool | False | +---------------------------------------+-------------------------------+
Creating Roles
Create the Role named Eng with write access to the pool object.
[admin:ctrl10.79.169.184]: > configure role role-eng [admin:ctrl10.79.169.184]: role> privileges New object being created [admin:ctrl10.79.169.184]: role:privileges> type write_access [admin:ctrl10.79.169.184]: role:privileges> resource permission_pool [admin:ctrl10.79.169.184]: role:privileges> save [admin:ctrl10.79.169.184]: role> filters New object being created [admin:ctrl10.79.169.184]: role:filters> match_operation role_filter_glob_match [admin:ctrl10.79.169.184]: role:filters> match_label [admin:ctrl10.79.169.184]: role:filters:match_label> key owner [admin:ctrl10.79.169.184]: role:filters:match_label> values *eng* [admin:ctrl10.79.169.184]: role:filters:match_label> save [admin:ctrl10.79.169.184]: role:filters> save [admin:ctrl10.79.169.184]: role> no allow_unlabelled_access [admin:ctrl10.79.169.184]: role> save
The role is viewed as shown below.
+-------------------------+-------------------------------------------+ | Field | Value | +-------------------------+-------------------------------------------+ | uuid | role-870880cf-6093-4dbb-83bb-b6e0566dfc83 | | name | role-eng | | privileges[1] | | | type | WRITE_ACCESS | | resource | PERMISSION_POOL | | filters[1] | | | match_operation | ROLE_FILTER_GLOB_MATCH | | match_label | | | key | owner | | values[1] | *eng* | | enabled | True | | allow_unlabelled_access | False | | tenant_ref | admin | +-------------------------+-------------------------------------------+
Note:
For this role, allow_unlabelled_access is disabled. This means, the unlabelled objects are not visible to the user. For unlabelled objects to be visible, this option has to be set to True.
Similarly, the role marketing can be configured with the required permissions to the object.
Creating a Label Group
Create label group-123 which is a new object that holds a list of [“key1”: [“value1”, “value2’, “value3”, …].
[admin:ctrl]: > configure labelgroup labelgroup-123 [admin:ctrl]: labelgroup> labels New object being created [admin:ctrl]: labelgroup:labels> match_operation role_filter_equals [admin:ctrl]: labelgroup:labels> match_label [admin:ctrl]: labelgroup:labels:match_label> key owner [admin:ctrl1]: labelgroup:labels:match_label> values eng [admin:ctrl1]: labelgroup:labels:match_label> values marketing [admin:ctrl1]: labelgroup:labels:match_label> values testing [admin:ctrl1]: labelgroup:labels:match_label> save [admin:ctrl1]: labelgroup:labels> save [admin:ctrl1]: labelgroup> save
The label group object is as shown below.
+-------------------+-------------------------------------------------+ | Field | Value | +-------------------+-------------------------------------------------+ | uuid | labelgroup-dee35ef6-b3c3-4eae-956a-9b32b6a87d26 | | name | labelgroup-123 | | labels[1] | | | match_operation | ROLE_FILTER_EQUALS | | match_label | | | key | owner | | values[1] | eng | | values[2] | marketing | | values[3] | testing | +-------------------+-------------------------------------------------+
Associating Label Group to a Tenant
[admin:ctrl]: > configure tenant t-1 [admin:ctrl]: tenant> enforce_label_group [admin:ctrl]: tenant> label_group_refs labelgroup-123 [admin:ctrl]: tenant> save
The configured tenant is as shown below.
+--------------------------------+--------------------------------------+ | Field | Value | +--------------------------------+--------------------------------------+ | uuid | tenant-b7a85c33-26c3-40eb-a25c-f86a58d3e5ff | | name | t-1 | | local | True | | config_settings | | | tenant_vrf | False | | se_in_provider_context | True | | tenant_access_to_provider_se | True | | enforce_label_group | True | | label_group_refs[1] | labelgroup-123 | +--------------------------------+--------------------------------------+
Creating an object with markers that does not qualify the assigned key:value rules in the label group, displayed as error.
For example, if the pool object is configured with the marker “Key”: [“sales”], an error is displayed as shown below:
[admin:ctrl]: > configure pool pool-4
[admin:ctrl]: pool> markers
New object being created
[admin:ctrl]: pool:markers> key owner
[admin:ctrl]: pool:markers> value sales
[admin:ctrl]: pool:markers> save
[admin:ctrl]: pool> save
Error: {"error": "Marker with key 'owner' to value 'sales' does not qualify the labelgroup rules on this tenant."}
