Configuring UAA Roles

Extra configuration is required when defining users that have specific security roles with an authentication and enterprise single sign-on (SSO) such as LDAP.

Before PCC installation, create a UAA client as described in Create a UAA Client.

Complete the remainder of configuration in conjunction with choosing the UAA Auth enabled radio button on the Security properties page when installing the PCC tile, as detailed in Security.

The Roles

A PCC service instance internally defines four security roles. Each role is given predefined permissions for cluster operations. Each user is assigned security roles. As that user invokes a PCC cluster operation using gfsh, the PCC service’s security manager verifies that the permission required for the cluster operation is one that the user’s security role has.

The permissions assigned for each of the security roles:

  • PCC_ADMIN has all permissions needed to manage the cluster and can access region data. This role has the GemFire permissions CLUSTER:MANAGE, CLUSTER:WRITE, CLUSTER:READ, DATA:MANAGE, DATA:WRITE, and DATA:READ.
  • PCC_OPERATOR has all permissions needed to manage the cluster. This role may not handle or see region data. This role has the GemFire permissions CLUSTER:MANAGE, CLUSTER:WRITE, and CLUSTER:READ.
  • PCC_DATA-ACCESS has all permissions needed to handle and see region data. This role has the GemFire permissions CLUSTER:READ, DATA:WRITE, and DATA:READ.
  • PCC_READ-ONLY has the single GemFire permission DATA:READ to see region data.

Configuring the Roles

Configure the UAA server and your Enterprise SSO system (such as LDAP) with the space-specific roles.

  1. Acquire the Globally Unique Identifier (GUID) for the CF space that will host your PCC service instance:

    cf login -a REST-OF-ARGS-HERE
    cf target -o NAME-OF-ORG
    cf space --guid NAME-OF-SPACE
    

    The form of the output GUID will be similar to the example:

    03badc2a-4243-4251-84b5-c9bfba276f04
    
  2. Create space-specific groups for each role within your Enterprise SSO system. The group name will take the form ROLE_GUID. For example, in the following group name:

    PCC_ADMIN_03badc2a-4243-4251-84b5-c9bfba276f04
    

    PCC_ADMIN is the role, and 03badc2a-4243-4251-84b5-c9bfba276f04 is the GUID.

  3. Place users into the created space-specific groups you created within your Enterprise SSO system.

  4. Use the UAA Command Line Interface (UAAC) to log in as admin client to your UAA server.

  5. Use the UAAC to add each group name with:

    $ uaac group add ROLE_GUID
    

    Using the example GUID, the commands to add the four group names will be similar to:

    $ uaac group add PCC_ADMIN_03badc2a-4243-4251-84b5-c9bfba276f04
    $ uaac group add PCC_OPERATOR_03badc2a-4243-4251-84b5-c9bfba276f04
    $ uaac group add PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04
    $ uaac group add PCC_READ-ONLY_03badc2a-4243-4251-84b5-c9bfba276f04
    
  6. Use the UAAC to map each group name with uaac group map commands. The commands are described in Grant Admin Permissions to an External Group (SAML or LDAP). For LDAP:

    $ uaac group map --name ROLE_GUID "GROUP-DISTINGUISHED-NAME"
    

    where GROUP-DISTINGUISHED-NAME is the LDAP distinguished name of each space-specific group created in step 2. For example:

    $ uaac group map --name PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04 "CN=PCC_DATA-ACCESS_03badc2a-4243-4251-84b5-c9bfba276f04,OU=Groups,DC=pivotal,DC=io"