Enabling OAuth for RabbitMQ
Note: Pivotal Platform is now part of VMware Tanzu. In v1.20 and later, VMware Tanzu RabbitMQ [VMs] is named VMware Tanzu RabbitMQ for VMs.
This topic explains how to enable OAuth. This enables developers to access the RabbitMQ Management UI using their VMware Tanzu Application Service for VMs credentials.
Overview
OAuth enables developers to access the RabbitMQ Management UI using their TAS for VMs credentials instead of using the binding credentials from a service key. After enabling OAuth, developers are authenticated through a JSON Web Token (JWT) encoded OAuth 2.0 access token obtained from User Account and Authentication (UAA).
Note: Enabling OAuth does not remove user credentials from service keys or from the internal backend of existing Tanzu RabbitMQ instances. However, you can no longer use these credentials to access the RabbitMQ Management UI.
Warning: Manually rotating the JWT signing key using the UAA API is not supported. Doing so renders RabbitMQ Management UI inaccessible.
To enable OAuth for an on-demand offering:
Configure UAA Groups for RabbitMQ
- Get Admin User Credentials for UAA
- Set up UAAC
- Create UAA Groups
- Configure Users for the RabbitMQ UAA Groups
Get Admin User Credentials for UAA
To fetch the UAA Admin Client secret from the Ops Manager UI:
- Click on the VMware Tanzu Application Service for VMs tile.
- Click the Credentials tab.
- Locate the Admin Client Credentials in the UAA job.
- Click Link to Credential next to Admin Client Credentials.
- Record the text in the identity field (UAA-ADMIN-CLIENT-IDENTITY in the next step) and the password field (UAA-ADMIN-CLIENT-SECRET in the next step).
Install and Set up UAAC
To install and set up UAAC:
Install UAAC by running:
gem install cf-uaac
Set up UAAC by running:
uaac target UAA-URL
uaac token client get UAA-ADMIN-CLIENT-IDENTITY -s UAA-ADMIN-CLIENT-SECRET
Where:
- UAA-URL is the UAA URL.
- UAA-ADMIN-CLIENT-IDENTITY and UAA-ADMIN-CLIENT-SECRET are the values you recorded in Get Admin User Credentials for UAA above.
Create a UAA Group
You must create a group for each space in TAS for VMs that contains, or is expected to contain, on-demand Tanzu RabbitMQ service instances.
To create a UAA group for a space:
Display the space GUID by running:
cf space SPACE-NAME --guid
Where SPACE-NAME is the name of the space. Record the space GUID.
Create a UAA group using the space GUID and a RabbitMQ tag by running:
uaac group add p-rabbitmq_SPACE-GUID.tag:RABBITMQ-TAG
Where:
- SPACE-GUID is the space GUID.
- RABBITMQ-TAG must be either monitoring or administrator. The RabbitMQ tag dictates what the user is permitted to do. For more information about RabbitMQ tags, see the RabbitMQ documentation.
For example:
$ uaac group add p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring
If you used the monitoring tag, grant additional permissions to allow the user to view resources by running:
uaac group add p-rabbitmq_SPACE-GUID.PERMISSION:VHOST-PATTERN/NAME-PATTERN[/ROUTING-KEY-PATTERN]
Where:
- SPACE-GUID is the space GUID.
- PERMISSION is an access permission: configure, read, or write.
- VHOST-PATTERN is a wildcard pattern for virtual hosts.
- NAME-PATTERN is a wildcard pattern for a resource name.
- ROUTING-KEY-PATTERN is an optional wildcard pattern for a routing key in topic authorization.
For example:
$ uaac group add 'p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.read:*/*'
For more information about RabbitMQ permissions, see the OAuth plugin documentation in GitHub.
The on-demand broker creates a separate UAA client with scope p-rabbitmq_SPACE-GUID for every new on-demand service instance. When an access token is created, UAA intersects the user's groups with the client's scopes. The intersection of these two sets is the set of scopes that can be populated in the access token.
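The group syntax above and the scope intersection just described, modelled as an added example (this is not VMware's, UAA's or RabbitMQ's own code): a Python script that builds the uaac group add lines for one space with the tag and permission names validated first, reproduces the intersection UAA performs when it mints a token, and parses the resulting p-rabbitmq_SPACE-GUID scopes into the tag and permission set RabbitMQ would see for that space. Assumptions: the broker-created client admits every scope under the prefix p-rabbitmq_SPACE-GUID. (a simplification of UAA's client scope handling), '*' is the only wildcard in the patterns, and the second space GUID and the user's group memberships are constructed sample data.

```python
import re
from dataclasses import dataclass, field

RESOURCE_SERVER_ID = "p-rabbitmq"          # prefix of the UAA group names on this page
VALID_TAGS = {"monitoring", "administrator"}
VALID_PERMISSIONS = {"configure", "read", "write"}


def uaac_group_add_commands(space_guid, tag, permissions=()):
    """Build the `uaac group add` lines for one space, validating the tag and
    permission names against the documented syntax before anything is created.
    permissions: iterable of (permission, vhost_pattern, name_pattern, routing_key_pattern_or_None)."""
    if tag not in VALID_TAGS:
        raise ValueError(f"RABBITMQ-TAG must be one of {sorted(VALID_TAGS)}, got {tag!r}")
    commands = [f"uaac group add {RESOURCE_SERVER_ID}_{space_guid}.tag:{tag}"]
    for permission, vhost, name, routing_key in permissions:
        if permission not in VALID_PERMISSIONS:
            raise ValueError(f"PERMISSION must be one of {sorted(VALID_PERMISSIONS)}, got {permission!r}")
        target = f"{vhost}/{name}" + (f"/{routing_key}" if routing_key else "")
        # Single-quoted so the shell does not expand '*' (as in the page's read:*/* example).
        commands.append(f"uaac group add '{RESOURCE_SERVER_ID}_{space_guid}.{permission}:{target}'")
    return commands


def token_scopes(user_groups, client_space_guid):
    """Simplified model (an assumption, not UAA's code) of the intersection UAA performs when
    minting a token: the broker-created client for an instance in client_space_guid admits
    every scope under p-rabbitmq_<guid>. and every other group the user holds is dropped."""
    prefix = f"{RESOURCE_SERVER_ID}_{client_space_guid}."
    return sorted(group for group in user_groups if group.startswith(prefix))


@dataclass
class RabbitMQAccess:
    space_guid: str
    tags: set = field(default_factory=set)
    permissions: dict = field(default_factory=dict)  # permission -> [(vhost, name, routing_key|None)]


_SCOPE_RE = re.compile(rf"^{re.escape(RESOURCE_SERVER_ID)}_(?P<guid>[^.]+)\.(?P<kind>[a-z]+):(?P<value>.+)$")


def parse_scopes(scopes, space_guid):
    """Turn token scopes into the tags and permissions RabbitMQ would see for one space.
    Scopes for other spaces are ignored; anything outside the documented syntax is rejected."""
    access = RabbitMQAccess(space_guid=space_guid)
    for scope in scopes:
        match = _SCOPE_RE.match(scope)
        if not match:
            raise ValueError(f"scope does not follow the p-rabbitmq_ syntax: {scope!r}")
        if match.group("guid") != space_guid:
            continue
        kind, value = match.group("kind"), match.group("value")
        if kind == "tag":
            if value not in VALID_TAGS:
                raise ValueError(f"unknown RabbitMQ tag in {scope!r}")
            access.tags.add(value)
        elif kind in VALID_PERMISSIONS:
            parts = value.split("/")
            if len(parts) not in (2, 3) or not all(parts):
                raise ValueError(f"malformed permission scope {scope!r}")
            routing_key = parts[2] if len(parts) == 3 else None
            access.permissions.setdefault(kind, []).append((parts[0], parts[1], routing_key))
        else:
            raise ValueError(f"unknown scope kind {kind!r} in {scope!r}")
    return access


def _pattern(glob):
    # Assumption: '*' is the only wildcard and matches any run of characters.
    return re.compile("^" + re.escape(glob).replace(r"\*", ".*") + "$")


def is_allowed(access, permission, vhost, name, routing_key=None):
    """Check one resource against the parsed permissions; a routing-key pattern is only
    consulted when a routing key is supplied (topic authorization)."""
    for vhost_p, name_p, rk_p in access.permissions.get(permission, []):
        if _pattern(vhost_p).match(vhost) and _pattern(name_p).match(name):
            if rk_p is None or routing_key is None or _pattern(rk_p).match(routing_key):
                return True
    return False


SPACE_GUID = "64bd9d4d-d2c8-4207-bb76-91a245e67d9d"        # GUID from the page's examples
OTHER_SPACE_GUID = "11111111-2222-3333-4444-555555555555"  # constructed second space
USER_GROUPS = [                                            # constructed group memberships
    f"{RESOURCE_SERVER_ID}_{SPACE_GUID}.tag:monitoring",
    f"{RESOURCE_SERVER_ID}_{SPACE_GUID}.read:*/*",
    f"{RESOURCE_SERVER_ID}_{OTHER_SPACE_GUID}.tag:administrator",
    "cloud_controller.read",
]

if __name__ == "__main__":
    print("\n".join(uaac_group_add_commands(SPACE_GUID, "monitoring", [("read", "*", "*", None)])))
    access = parse_scopes(token_scopes(USER_GROUPS, SPACE_GUID), SPACE_GUID)
    print(access.tags, is_allowed(access, "read", "prod", "orders"), is_allowed(access, "write", "prod", "orders"))
```

Running the script shows why the group name carries the space GUID: the developer above is an administrator in the second space, but a token minted for an instance in the first space carries only the monitoring tag and the read:*/* permission, because the other space's group falls outside the client's scope prefix.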
Configure Users for the RabbitMQ UAA Groups
You can either map external identity provider groups to the RabbitMQ UAA groups or add UAA members to the groups. Users gain the permissions specified by the RabbitMQ tag provided in the UAA group name.
Do one of the following:
Map the RabbitMQ UAA groups created above to your LDAP provider group by running the following command for every RabbitMQ UAA group:
uaac group map --name "RABBITMQ-UAA-GROUP" "GROUP-DISTINGUISHED-NAME"
Where:
- RABBITMQ-UAA-GROUP is the UAA group name created above. For example: p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring
- GROUP-DISTINGUISHED-NAME is the Distinguished Name (DN) of the LDAP group. For example: ou=operators,dc=example,dc=com
Map the RabbitMQ UAA groups created above to your SAML IdP group by running the following command for every RabbitMQ UAA group:
uaac group map --name "RABBITMQ-UAA-GROUP" "GROUP-NAME" --origin "PROVIDER-NAME"
Where:
- RABBITMQ-UAA-GROUP is the UAA group name created above. For example: p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring
- GROUP-NAME is the name of the group in the SAML IdP.
- PROVIDER-NAME is the name of the SAML IdP.
Add UAA members to UAA groups by running:
uaac member add RABBITMQ-UAA-GROUP USERNAME
Where:
- RABBITMQ-UAA-GROUP is the UAA group name created above. For example: p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring
- USERNAME is a UAA group member, such as a Cloud Foundry user.
Enable OAuth in Ops Manager
To enable OAuth in Tanzu RabbitMQ tile:
- Go to the Security for On-Demand Plans section of the Tanzu RabbitMQ tile.
- Select the Enable OAuth checkbox.
- Click Save.
- Go back to Ops Manager Installation Dashboard > Review Pending Changes.
- Click Apply Changes to apply the changes to the Tanzu RabbitMQ tile.