This topic describes how to manage users in VMware Tanzu Kubernetes Grid Integrated Edition with User Account and Authentication (UAA).
UAA is the identity management service for Tanzu Kubernetes Grid Integrated Edition. Tanzu Kubernetes Grid Integrated Edition includes a UAA server, which is hosted on the TKGI API VM.
To interact with the UAA server, you can use the UAA Command Line Interface (UAAC). You can either run UAAC commands from the Ops Manager VM or install UAAC on your local workstation.
By assigning UAA scopes, you grant users the ability to create, manage, and audit Kubernetes clusters in Tanzu Kubernetes Grid Integrated Edition.
A UAA admin user can assign the following UAA scopes to Tanzu Kubernetes Grid Integrated Edition users:
pks.clusters.admin: Accounts with this scope can create and access all clusters.
pks.clusters.manage: Accounts with this scope can create and access their own clusters.
pks.clusters.admin.read: Accounts with this scope can access any information about all clusters except for cluster credentials.
You can assign these scopes to individual users, external identity provider groups, or clients for automation purposes.
For more information about UAA scopes in Tanzu Kubernetes Grid Integrated Edition, see UAA Scopes.
Before managing users for Tanzu Kubernetes Grid Integrated Edition, you must connect to the TKGI API VM. To connect to the TKGI API VM, you need one of the following:
For instructions on how to connect to the TKGI control plane, see Connect to the TKGI API VM for your IaaS.
Before creating TKGI users, you must log in to the UAA server as a UAA admin. To log in to the UAA server, do the following:
Retrieve the UAA management admin client secret:
In a web browser, navigate to the Ops Manager Installation Dashboard and click the Tanzu Kubernetes Grid Integrated Edition tile.
Click the Credentials tab.
Click Link to Credential next to Pks Uaa Management Admin Client and copy the value of secret.
Target your UAA server by running the following command:
uaac target https://TKGI-API:8443 --ca-cert CERTIFICATE-PATH
Where:
TKGI-API is the domain name of your TKGI API server. You entered this domain name in the Tanzu Kubernetes Grid Integrated Edition tile > TKGI API > API Hostname (FQDN).
CERTIFICATE-PATH is the path to your Ops Manager root CA certificate. Provide this certificate to validate the TKGI API certificate with SSL. The default location of the root certificate on the Ops Manager VM is /var/tempest/workspaces/default/root_ca_certificate, so if you run UAAC on the Ops Manager VM you can use that as the path.
For example:
$ uaac target api.tkgi.example.com:8443 --ca-cert /var/tempest/workspaces/default/root_ca_certificate
Note: If you receive an "Unknown key: Max-Age = 86400" warning message, you can ignore it because it has no impact.
Authenticate with UAA by running the following command:
uaac token client get admin -s ADMIN-CLIENT-SECRET
Where ADMIN-CLIENT-SECRET is the UAA management admin client secret that you retrieved in the previous step. The client username is admin.
To create a new UAA user with Tanzu Kubernetes Grid Integrated Edition access, do the following:
If you are not logged in as the UAA admin, perform the steps in Log In as a UAA Admin.
Create a new user by running the following command:
uaac user add USERNAME --emails USER-EMAIL -p USER-PASSWORD
For example:
$ uaac user add cody --emails [email protected] -p password
Note: If your operator has configured Tanzu Kubernetes Grid Integrated Edition to use a SAML identity provider, you must add --origin SAML-ORIGIN to the above command. SAML-ORIGIN is the domain name for your SAML identity provider. To find SAML-ORIGIN, click on the TKGI tile, select Settings > UAA > SAML, and locate the Provider Name. For information about configuring SAML, see Connecting Tanzu Kubernetes Grid Integrated Edition to a SAML Identity Provider.
Assign a TKGI cluster scope to the new user by running the following command:
uaac member add UAA-SCOPE USERNAME
Where:
UAA-SCOPE is one of the UAA scopes described in UAA Scopes for Tanzu Kubernetes Grid Integrated Edition Users.
USERNAME is the user that you created in the previous step.
For example:
$ uaac member add pks.clusters.admin cody
After you assign this scope, the user can create and manage Kubernetes clusters. For more information, see Managing Kubernetes Clusters and Workloads.
Connecting Tanzu Kubernetes Grid Integrated Edition to an external LDAP or SAML user store enables the UAA server to delegate authentication to existing enterprise user stores.
Note: When integrating UAA with an external identity provider, authentication within UAA becomes chained. UAA first attempts to authenticate with user credentials against the UAA user store before the external identity provider. For more information about integrating LDAP, see Chained Authentication in the User Account and Authentication LDAP Integration GitHub documentation.
For more information about the process used by the UAA server when it attempts to authenticate a user through LDAP, see the Configuring LDAP Integration with Pivotal Cloud Foundry Knowledge Base article.
To grant Tanzu Kubernetes Grid Integrated Edition access to an external identity provider group, do one of the following procedures:
To grant Tanzu Kubernetes Grid Integrated Edition access to an external LDAP group, do the following:
If you are not logged in as the UAA admin, do the steps in Log In as a UAA Admin.
Assign a TKGI cluster scope to all users in an LDAP group by running the following command:
uaac group map --name UAA-SCOPE GROUP-DISTINGUISHED-NAME
Where:
UAA-SCOPE is one of the UAA scopes described in UAA Scopes for Tanzu Kubernetes Grid Integrated Edition Users.
GROUP-DISTINGUISHED-NAME is the LDAP Distinguished Name (DN) for the group.
For example:
$ uaac group map --name pks.clusters.manage cn=operators,ou=groups,dc=example,dc=com
For more information about LDAP DNs, see LDAP DNs and RDNs in the LDAP documentation.
To grant Tanzu Kubernetes Grid Integrated Edition access to an external SAML group, do the following:
If you are not logged in as the UAA admin, do the steps in Log In as a UAA Admin.
Assign a TKGI cluster scope to all users in a SAML group by running the following command:
uaac group map --name UAA-SCOPE SAML-GROUP --origin SAML-ORIGIN
Where:
UAA-SCOPE is one of the UAA scopes described in UAA Scopes for Tanzu Kubernetes Grid Integrated Edition Users.
SAML-GROUP is the name of your SAML identity provider group.
SAML-ORIGIN is the domain name for your SAML identity provider. To find SAML-ORIGIN, click on the TKGI tile, select Settings > UAA > SAML, and locate the Provider Name.
For example:
$ uaac group map --name pks.clusters.manage tkgi-devs --origin my-sso.example.com
To grant Tanzu Kubernetes Grid Integrated Edition access to a client for a script or service automation, do the following:
If you are not logged in as the UAA admin, perform the steps in Log In as a UAA Admin.
Create a client with the desired scopes by running the following command:
uaac client add CLIENT-NAME -s CLIENT-SECRET \
--authorized_grant_types client_credentials \
--authorities UAA-SCOPES
Where:
CLIENT-NAME and CLIENT-SECRET are the client credentials.
UAA-SCOPES is one or more of the UAA scopes described in UAA Scopes for Tanzu Kubernetes Grid Integrated Edition Users, separated by commas.
For example:
$ uaac client add automated-client -s randomly-generated-secret \
--authorized_grant_types client_credentials \
--authorities pks.clusters.admin,pks.clusters.manage
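The following script is an added example, not part of the TKGI documentation or the uaac tool: it wraps the user-creation and client-creation steps above so that the scope is checked against the three TKGI scopes before anything is created, the client secret is generated rather than typed, and a warning is printed whenever pks.clusters.admin (access to every cluster) is handed out. It assumes you have already run uaac target and uaac token client get admin as described above; the function names and the UAAC variable are this example's own.

```shell
#!/bin/sh
# Added example: wraps the uaac steps on this page with scope validation and a
# generated secret. Assumes "uaac target" and "uaac token client get admin" have
# already been run. Set UAAC=echo to dry-run and see the commands instead.

# The three TKGI cluster scopes this page lists; anything else is rejected.
TKGI_SCOPES="pks.clusters.admin pks.clusters.manage pks.clusters.admin.read"

# validate_scopes "a,b": succeed only if every comma-separated scope is a TKGI scope.
validate_scopes() {
    scopes=$(printf '%s' "$1" | tr ',' ' ')
    [ -n "$scopes" ] || return 1
    for s in $scopes; do
        found=0
        for t in $TKGI_SCOPES; do
            [ "$s" = "$t" ] && found=1
        done
        [ "$found" -eq 1 ] || { echo "unknown TKGI scope: $s" >&2; return 1; }
    done
    return 0
}

# gen_client_secret: 24 random bytes as 48 hex characters (the page asks for a
# randomly generated secret; this is one portable way to produce one).
gen_client_secret() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# add_tkgi_user NAME EMAIL PASSWORD SCOPE: the user-creation steps above, with
# the single scope checked before anything is created.
add_tkgi_user() {
    case $4 in *,*) echo "uaac member add takes one scope" >&2; return 1 ;; esac
    validate_scopes "$4" || return 1
    "${UAAC:-uaac}" user add "$1" --emails "$2" -p "$3" \
        && "${UAAC:-uaac}" member add "$4" "$1"
}

# add_tkgi_client NAME SCOPES [SECRET]: the client-creation step above. Warns
# when pks.clusters.admin is granted, since that client can reach every cluster.
add_tkgi_client() {
    secret=${3:-$(gen_client_secret)}
    validate_scopes "$2" || return 1
    case ",$2," in
        *,pks.clusters.admin,*) echo "warning: $1 gets access to all clusters" >&2 ;;
    esac
    "${UAAC:-uaac}" client add "$1" -s "$secret" \
        --authorized_grant_types client_credentials \
        --authorities "$2"
}
```

Running with UAAC=echo prints the exact uaac commands that would be executed, which is a convenient way to review a batch of user or client additions before applying them.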