Extra configuration is required when defining users that have specific security roles from an external authentication system, such as LDAP, via User Account and Authentication (UAA).
Before installing VMware Tanzu GemFire for VMs, create a UAA client as described in Create a UAA Client.
Complete the remainder of the configuration in conjunction with selecting the UAA Auth enabled radio button on the Security properties page when installing the GemFire for VMs tile, as detailed in Security.
A GemFire for VMs service instance internally defines four security roles. Each role is given predefined permissions for cluster operations, and each user is assigned one or more security roles. When a user invokes a GemFire for VMs cluster operation using gfsh, the GemFire for VMs service's security manager verifies that the permission required for that cluster operation is one that the user's security role holds.
The permissions assigned for each of the security roles:
DATA:READ to see region data.
Configure the UAA server and your external authentication system (such as LDAP) with the space-specific roles.
Acquire the Globally Unique Identifier (GUID) for the CF space that will host your GemFire for VMs service instance:
cf login -a REST-OF-ARGS-HERE
cf target -o NAME-OF-ORG
cf space --guid NAME-OF-SPACE
The output GUID will be similar to the example GUID used throughout this procedure:
03badc2a-4243-4251-84b5-c9bfba276f04
Create space-specific groups for each role within your Enterprise SSO system. The group name takes the form ROLE_GUID. For example, in the group name PCC_ADMIN_03badc2a-4243-4251-84b5-c9bfba276f04:
PCC_ADMIN is the role, and
03badc2a-4243-4251-84b5-c9bfba276f04 is the GUID.
Place users into the created space-specific groups you created within your Enterprise SSO system.
Use the UAA Command Line Interface (UAAC) to log in to your UAA server as the admin client.
Use the UAAC to add each group name with:
$ uaac group add ROLE_GUID
Using the example GUID, the commands to add the four group names will be similar to:
$ uaac group add PCC_ADMIN_03badc2a-4243-4251-84b5-c9bfba276f04
$ uaac group add PCC_OPERATOR_03badc2a-4243-4251-84b5-c9bfba276f04
$ uaac group add PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04
$ uaac group add PCC_READ-ONLY_03badc2a-4243-4251-84b5-c9bfba276f04
Use the UAAC to map each group name with uaac group map commands. For more information about these commands, see Grant Admin Permissions to an External Group (SAML, LDAP, or OIDC) in Creating and Managing Users with the UAA CLI (UAAC) in the VMware Tanzu Application Service for VMs documentation. For LDAP:
$ uaac group map --name ROLE_GUID "GROUP-DISTINGUISHED-NAME"
GROUP-DISTINGUISHED-NAME is the LDAP distinguished name of each space-specific group created in step 2. For example:
$ uaac group map --name PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04 "CN=PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04,OU=Groups,DC=pivotal,DC=io"
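The group-naming and mapping steps above, as an added shell example that is not part of the GemFire for VMs documentation: it validates the space GUID, derives the four ROLE_GUID group names, and prints the matching uaac group add and uaac group map commands for review before they are run. It assumes the four role prefixes shown in the commands above and the LDAP DN layout (CN=group,OU=Groups,DC=pivotal,DC=io) from the page's example.

```shell
#!/bin/sh
# Added example, not from the GemFire for VMs docs. Assumes the four role
# prefixes below and an LDAP group DN of the form CN=<group>,<base>.
ROLES="PCC_ADMIN PCC_OPERATOR PCC_DATA-ACCESS PCC_READ-ONLY"

# Return 0 only if the argument is shaped like a CF space GUID (8-4-4-4-12
# lowercase hex). A mistyped GUID would create groups that grant permissions
# in no space at all, or in the wrong one, so check it before use.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print one ROLE_GUID group name per line for the given space GUID.
group_names() {
  is_guid "$1" || { echo "invalid space GUID: $1" >&2; return 1; }
  for role in $ROLES; do
    printf '%s_%s\n' "$role" "$1"
  done
}

# Print, for every group, the uaac group add command followed by the
# uaac group map command that binds it to the LDAP group of the same name
# under the given LDAP base (for example "OU=Groups,DC=pivotal,DC=io").
uaac_commands() {
  guid=$1
  base=$2
  group_names "$guid" | while read -r g; do
    printf 'uaac group add %s\n' "$g"
    printf 'uaac group map --name %s "CN=%s,%s"\n' "$g" "$g" "$base"
  done
}

# Usage with the page's example GUID (constructed run; replace the GUID with
# the output of `cf space --guid NAME-OF-SPACE` for a real space).
uaac_commands 03badc2a-4243-4251-84b5-c9bfba276f04 "OU=Groups,DC=pivotal,DC=io"
```

Pipe the output into `sh` only after confirming each line names the intended space GUID and LDAP base.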