This topic tells you how to enable OAuth 2.0 for VMware Tanzu RabbitMQ for Tanzu Application Service. This enables developers to access the RabbitMQ Management UI using their VMware Tanzu Application Service for VMs credentials.
OAuth enables developers to access the RabbitMQ Management UI using their TAS for VMs credentials instead of using the binding credentials from a service key. After enabling OAuth, developers are authenticated through a JSON Web Token (JWT) encoded OAuth access token obtained from User Account and Authentication (UAA).
NoteEnabling OAuth does not remove user credentials from service keys or from the internal backend of existing Tanzu RabbitMQ for Tanzu Application Service instances. However, you can no longer use these credentials to access the RabbitMQ Management UI.
Caution Manually rotating the JWT signing key using the UAA API is not supported. Doing so renders RabbitMQ Management UI inaccessible.
To configure OAuth for an on-demand offering:
To configure UAA groups:
To fetch the UAA Admin Client secret from the Ops Manager UI:
Click the Credentials tab.
Locate the Admin Client Credentials in the UAA job.
Click Link to Credential next to Admin Client Credentials.
UAA-ADMIN-CLIENT-IDENTITY
in the next step) and password field (UAA-ADMIN-CLIENT-SECRET
in the next step).To install and set up UAAC:
Install UAAC by running:
gem install cf-uaac
Set up UAAC by running these commands:
uaac target UAA-URL
uaac token client get UAA-ADMIN-CLIENT-IDENTITY -s UAA-ADMIN-CLIENT-SECRET
Where:
UAA-URL
is the UAA URL.UAA-ADMIN-CLIENT-IDENTITY
and UAA-ADMIN-CLIENT-SECRET
are from the text you recorded in Get Admin User Credentials for UAA above.You must create a group for each space in TAS for VMs that contains, or is expected to contain, on-demand Tanzu RabbitMQ for Tanzu Application Service service instances.
To create a UAA group for a space:
Display the space GUID by running:
cf space SPACE-NAME --guid
Where SPACE-NAME
is the name of the space.
Record the space GUID.
Create a UAA group using the space GUID and a RabbitMQ tag by running:
uaac group add p-rabbitmq_SPACE-GUID.tag:RABBITMQ-TAG
Where:
SPACE-GUID
is the space GUID.RABBITMQ-TAG
must be either monitoring
or administrator
. The RabbitMQ tag dictates what the user is permitted to do. For more information about RabbitMQ tags, see the RabbitMQ documentationFor example:
$ uaac group add p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring
If you used the monitoring
tag, grant additional permissions to allow the user to view resources by running:
uaac group add p-rabbitmq_SPACE-GUID.PERMISSION:VHOST-PATTERN/NAME-PATTERN[/ROUTING-KEY-PATTERN]
Where:
SPACE-GUID
is the space GUID.PERMISSION
is an access permission – configure
, read
, or write
.VHOST-PATTERN
is a wildcard pattern for virtual hosts.NAME-PATTERN
is a wildcard pattern for a resource name.ROUTING-KEY-PATTERN
is an optional wildcard pattern for a routing key in topic authorization.For example:
$ uaac group add 'p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.read:*/*'
For more information about RabbitMQ permissions, see the OAuth plug-in documentation in GitHub.
The on-demand broker creates a separate UAA client with scope p-rabbitmq_SPACE-GUID
for every new on-demand service instance. When an access token is created, UAA intersects the user groups with the client scopes. The intersection of these two fields are scopes that can be populated in the access token.
You can either map external identity provider groups to the RabbitMQ UAA groups or add UAA members to the groups. Users gain the permissions specified by the RabbitMQ tag provided in the UAA group name.
Do one of the following:
Map the RabbitMQ UAA groups created above to your LDAP provider group by running the following command for every RabbitMQ UAA group:
uaac group map --name "RABBITMQ-UAA-GROUP" "GROUP-DISTINGUISHED-NAME"
Where:
RABBITMQ-UAA-GROUP
is the UAA group name created above. For example: p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring
.GROUP-DISTINGUISHED-NAME
is the Distinguished Name (DN) of the LDAP group. For example: ou=operators,dc=example,dc=com
.Map the RabbitMQ UAA groups created above to your SAML IdP group by running the following command for every RabbitMQ UAA group:
uaac group map --name "RABBITMQ-UAA-GROUP" "GROUP-NAME" --origin "PROVIDER-NAME"
Where:
RABBITMQ-UAA-GROUP
is the UAA group name created above. For example: p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring
.GROUP-NAME
is the name of the group in the SAML IdP.PROVIDER-NAME
is the name of the SAML IdP.Add UAA members to UAA groups by running:
uaac member add RABBITMQ-UAA-GROUP USERNAME
Where:
RABBITMQ-UAA-GROUP
is the UAA group name created above. For example, p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring
.USERNAME
is a UAA group member, such as a Cloud Foundry user.To configure OAuth in the Tanzu RabbitMQ for Tanzu Application Service tile:
There are three different OAuth Options: Not Configured, Optional, and Enforced:
1.21.x
and before enforcing OAuth.
Click Save.