Extra configuration is required when defining users that have specific security roles from an external authentication such as LDAP via User Account and Authentication (UAA).

Before VMware Tanzu GemFire for VMs installation, create a UAA client as described in Create a UAA Client.

Complete the remainder of configuration in conjunction with choosing the UAA Auth enabled radio button on the Security properties page when installing the GemFire for VMs tile, as detailed in Security.

The Roles

A GemFire for VMs service instance internally defines four security roles. Each role is given predefined permissions for cluster operations. Each user is assigned security roles. As that user invokes a GemFire for VMs cluster operation using gfsh, the GemFire for VMs service's security manager verifies that the permission required for the cluster operation is one that the user's security role has.

The permissions assigned for each of the security roles:

  • PCC_ADMIN has all permissions needed to manage the cluster and can access region data. This role has the permissions CLUSTER:MANAGE, CLUSTER:WRITE, CLUSTER:READ, DATA:MANAGE, DATA:WRITE, and DATA:READ.
  • PCC_OPERATOR has all permissions needed to manage the cluster. This role may not handle or see region data. This role has the permissions CLUSTER:MANAGE, CLUSTER:WRITE, and CLUSTER:READ.
  • PCC_DATA-ACCESS has all permissions needed to handle and see region data. This role has the permissions CLUSTER:READ, DATA:WRITE, and DATA:READ.
  • PCC_READ-ONLY has the single permission DATA:READ to see region data.

Configuring the Roles

Configure the UAA server and your external authentication system (such as LDAP) with the space-specific roles.

  1. Acquire the Globally Unique Identifier (GUID) for the CF space that will host your GemFire for VMs service instance:

    cf login -a REST-OF-ARGS-HERE
    cf target -o NAME-OF-ORG
    cf space --guid NAME-OF-SPACE

    The form of the output GUID will be similar to the example:

  2. Create space-specific groups for each role within your Enterprise SSO system. The group name will take the form ROLE_GUID. For example, in the following group name:


    PCC_ADMIN is the role, and 03badc2a-4243-4251-84b5-c9bfba276f04 is the GUID.

  3. Place users into the created space-specific groups you created within your Enterprise SSO system.

  4. Use the UAA Command Line Interface (UAAC) to log in as admin client to your UAA server.

  5. Use the UAAC to add each group name with:

    $ uaac group add ROLE_GUID

    Using the example GUID, the commands to add the four group names will be similar to:

    $ uaac group add PCC_ADMIN_03badc2a-4243-4251-84b5-c9bfba276f04
    $ uaac group add PCC_OPERATOR_03badc2a-4243-4251-84b5-c9bfba276f04
    $ uaac group add PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04
    $ uaac group add PCC_READ-ONLY_03badc2a-4243-4251-84b5-c9bfba276f04
  6. Use the UAAC to map each group name with uaac group map commands. For more information about these commands, see Grant Admin Permissions to an External Group (SAML, LDAP, or OIDC) in Creating and Managing Users with the UAA CLI (UAAC) in the VMware Tanzu Application Service for VMs documentation. For LDAP:

    $ uaac group map --name ROLE_GUID "GROUP-DISTINGUISHED-NAME"

    where GROUP-DISTINGUISHED-NAME is the LDAP distinguished name of each space-specific group created in step 2. For example:

     $ uaac group map --name PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04 "CN=PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04,OU=Groups,DC=pivotal,DC=io"
check-circle-line exclamation-circle-line close-line
Scroll to top icon