Configuring User Account and Authentication (UAA) Roles

The Roles
Configuring the Roles

Extra configuration is required when defining users that have specific security roles with an authentication and enterprise single sign-on (SSO) such as LDAP.

Before VMware Tanzu GemFire for VMs installation, create a UAA client as described in Create a UAA Client.

Complete the remainder of configuration in conjunction with choosing the UAA Auth enabled radio button on the Security properties page when installing the Tanzu GemFire tile, as detailed in Security.

The Roles

A Tanzu GemFire service instance internally defines four security roles. Each role is given predefined permissions for cluster operations. Each user is assigned security roles. As that user invokes a Tanzu GemFire cluster operation using gfsh, the Tanzu GemFire service’s security manager verifies that the permission required for the cluster operation is one that the user’s security role has.

The permissions assigned for each of the security roles:

PCC_ADMIN has all permissions needed to manage the cluster and can access region data. This role has the VMware Tanzu GemFire permissions CLUSTER:MANAGE, CLUSTER:WRITE, CLUSTER:READ, DATA:MANAGE, DATA:WRITE, and DATA:READ.
PCC_OPERATOR has all permissions needed to manage the cluster. This role may not handle or see region data. This role has the VMware Tanzu GemFire permissions CLUSTER:MANAGE, CLUSTER:WRITE, and CLUSTER:READ.
PCC_DATA-ACCESS has all permissions needed to handle and see region data. This role has the VMware Tanzu GemFire permissions CLUSTER:READ, DATA:WRITE, and DATA:READ.
PCC_READ-ONLY has the single VMware Tanzu GemFire permission DATA:READ to see region data.

Configuring the Roles

Configure the UAA server and your Enterprise SSO system (such as LDAP) with the space-specific roles.

Acquire the Globally Unique Identifier (GUID) for the CF space that will host your Tanzu GemFire service instance:
```
cf login -a REST-OF-ARGS-HERE
cf target -o NAME-OF-ORG
cf space --guid NAME-OF-SPACE
```
The form of the output GUID will be similar to the example:
```
03badc2a-4243-4251-84b5-c9bfba276f04
```
Create space-specific groups for each role within your Enterprise SSO system. The group name will take the form ROLE_GUID. For example, in the following group name:
```
PCC_ADMIN_03badc2a-4243-4251-84b5-c9bfba276f04
```
PCC_ADMIN is the role, and 03badc2a-4243-4251-84b5-c9bfba276f04 is the GUID.
Place users into the created space-specific groups you created within your Enterprise SSO system.
Use the UAA Command Line Interface (UAAC) to log in as admin client to your UAA server.

Use the UAAC to add each group name with:

$ uaac group add ROLE_GUID

Using the example GUID, the commands to add the four group names will be similar to:

$ uaac group add PCC_ADMIN_03badc2a-4243-4251-84b5-c9bfba276f04
$ uaac group add PCC_OPERATOR_03badc2a-4243-4251-84b5-c9bfba276f04
$ uaac group add PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04
$ uaac group add PCC_READ-ONLY_03badc2a-4243-4251-84b5-c9bfba276f04

Use the UAAC to map each group name with uaac group map commands. The commands are described in Grant Admin Permissions to an External Group (SAML or LDAP). For LDAP:
```
$ uaac group map --name ROLE_GUID "GROUP-DISTINGUISHED-NAME"
```
where GROUP-DISTINGUISHED-NAME is the LDAP distinguished name of each space-specific group created in step 2. For example:
```
$ uaac group map --name PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04 "CN=PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04,OU=Groups,DC=pivotal,DC=io"
```

Create a pull request or raise an issue on the source for this page in GitHub