Configuring User Account and Authentication (UAA) Roles
Extra configuration is required when defining users that have specific security roles with an authentication and enterprise single sign-on (SSO) such as LDAP.
Before VMware Tanzu GemFire for VMs installation, create a UAA client as described in Create a UAA Client.
Complete the remainder of configuration in conjunction with choosing the UAA Auth enabled radio button on the Security properties page when installing the Tanzu GemFire tile, as detailed in Security.
The Roles
A Tanzu GemFire service instance internally defines four security roles. Each role is given predefined permissions for cluster operations. Each user is assigned security roles. As that user invokes a Tanzu GemFire cluster operation using gfsh, the Tanzu GemFire service’s security manager verifies that the permission required for the cluster operation is one that the user’s security role has.
The permissions assigned for each of the security roles:
- PCC_ADMIN has all permissions needed to manage the cluster and
can access region data.
This role has the VMware Tanzu GemFire permissions
CLUSTER:MANAGE
,CLUSTER:WRITE
,CLUSTER:READ
,DATA:MANAGE
,DATA:WRITE
, andDATA:READ
. - PCC_OPERATOR has all permissions needed to manage the cluster.
This role may not handle or see region data.
This role has the VMware Tanzu GemFire permissions
CLUSTER:MANAGE
,CLUSTER:WRITE
, andCLUSTER:READ
. - PCC_DATA-ACCESS has all permissions needed to handle and see region data.
This role has the VMware Tanzu GemFire permissions
CLUSTER:READ
,DATA:WRITE
, andDATA:READ
. - PCC_READ-ONLY has the single VMware Tanzu GemFire permission
DATA:READ
to see region data.
Configuring the Roles
Configure the UAA server and your Enterprise SSO system (such as LDAP) with the space-specific roles.
Acquire the Globally Unique Identifier (GUID) for the CF space that will host your Tanzu GemFire service instance:
cf login -a REST-OF-ARGS-HERE cf target -o NAME-OF-ORG cf space --guid NAME-OF-SPACE
The form of the output GUID will be similar to the example:
03badc2a-4243-4251-84b5-c9bfba276f04
Create space-specific groups for each role within your Enterprise SSO system. The group name will take the form
ROLE_GUID
. For example, in the following group name:PCC_ADMIN_03badc2a-4243-4251-84b5-c9bfba276f04
PCC_ADMIN
is the role, and03badc2a-4243-4251-84b5-c9bfba276f04
is the GUID.Place users into the created space-specific groups you created within your Enterprise SSO system.
Use the UAA Command Line Interface (UAAC) to log in as
admin client
to your UAA server.Use the UAAC to add each group name with:
$ uaac group add ROLE_GUID
Using the example GUID, the commands to add the four group names will be similar to:
$ uaac group add PCC_ADMIN_03badc2a-4243-4251-84b5-c9bfba276f04 $ uaac group add PCC_OPERATOR_03badc2a-4243-4251-84b5-c9bfba276f04 $ uaac group add PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04 $ uaac group add PCC_READ-ONLY_03badc2a-4243-4251-84b5-c9bfba276f04
Use the UAAC to map each group name with
uaac group map
commands. The commands are described in Grant Admin Permissions to an External Group (SAML or LDAP). For LDAP:$ uaac group map --name ROLE_GUID "GROUP-DISTINGUISHED-NAME"
where
GROUP-DISTINGUISHED-NAME
is the LDAP distinguished name of each space-specific group created in step 2. For example:$ uaac group map --name PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04 "CN=PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04,OU=Groups,DC=pivotal,DC=io"