Enabling OAuth

Note: Pivotal Platform is now part of VMware Tanzu. In v1.20 and later, VMware Tanzu RabbitMQ [VMs] is named VMware Tanzu RabbitMQ for VMs.

This topic explains how to enable OAuth. This enables developers to access the RabbitMQ Management UI using their VMware Tanzu Application Service for VMs credentials.

Overview

OAuth enables developers to access the RabbitMQ Management UI using their TAS for VMs credentials instead of using the binding credentials from a service key. After enabling OAuth, developers are authenticated through a JSON Web Token (JWT) encoded OAuth 2.0 access token obtained from User Account and Authentication (UAA).

Note: Enabling OAuth does not remove user credentials from service keys or from the internal backend of existing Tanzu RabbitMQ instances. However, you can no longer use these credentials to access the RabbitMQ Management UI.

Warning: Manually rotating the JWT signing key using the UAA API is not supported. Doing so renders RabbitMQ Management UI inaccessible.

To enable OAuth for an on-demand offering:

  1. Configure UAA Groups for RabbitMQ
  2. Enable OAuth in Ops Manager

Configure UAA Groups for RabbitMQ

  1. Get Admin User Credentials for UAA
  2. Set up UAAC
  3. Create UAA Groups
  4. Configure Users for the RabbitMQ UAA Groups

Get Admin User Credentials for UAA

To fetch the UAA Admin Client secret from the Ops Manager UI:

  1. Click on the VMware Tanzu Application Service for VMs tile.
  2. Click the Credentials tab. (Screenshot: the VMware Tanzu Application Service for VMs tile UI in Ops Manager; the Credentials tab is the third tab from the left, after Settings and Status.)
  3. Locate the Admin Client Credentials in the UAA job. (Screenshot: the UAA job's list of credential types, each with a corresponding link next to it; the link for Admin Client Credentials is highlighted.)
  4. Click Link to Credential next to Admin Client Credentials.
  5. Record the text in the identity field (UAA-ADMIN-CLIENT-IDENTITY in the next step) and password field (UAA-ADMIN-CLIENT-SECRET in the next step).

Install and Set up UAAC

To install and set up UAAC:

  1. Install UAAC by running:

    gem install cf-uaac
    
  2. Set up UAAC by running:

    uaac target UAA-URL
    
    uaac token client get UAA-ADMIN-CLIENT-IDENTITY -s UAA-ADMIN-CLIENT-SECRET
    

    Where:

    • UAA-URL is the URL of the UAA server for your TAS for VMs deployment.
    • UAA-ADMIN-CLIENT-IDENTITY and UAA-ADMIN-CLIENT-SECRET are the identity and password values you recorded in Get Admin User Credentials for UAA above.

Create a UAA Group

You must create a group for each space in TAS for VMs that contains, or is expected to contain, on-demand Tanzu RabbitMQ service instances.

To create a UAA group for a space:

  1. Display the space GUID by running:

    cf space SPACE-NAME --guid
    

    Where SPACE-NAME is the name of the space.

  2. Record the space GUID.

  3. Create a UAA group using the space GUID and a RabbitMQ tag by running:

    uaac group add p-rabbitmq_SPACE-GUID.tag:RABBITMQ-TAG
    

    Where:

    • SPACE-GUID is the space GUID.
    • RABBITMQ-TAG must be either monitoring or administrator. The RabbitMQ tag dictates what the user is permitted to do. For more information about the RabbitMQ tags, see the RabbitMQ documentation.

    For example:

    $ uaac group add p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring
    
  4. If you used the monitoring tag, grant additional permissions to allow the user to view resources by running:

    uaac group add p-rabbitmq_SPACE-GUID.PERMISSION:VHOST-PATTERN/NAME-PATTERN[/ROUTING-KEY-PATTERN]
    

    Where:

    • SPACE-GUID is the space GUID.
    • PERMISSION is the access permission: configure, read, or write.
    • VHOST-PATTERN is a wildcard pattern for virtual hosts.
    • NAME-PATTERN is a wildcard pattern for a resource name.
    • ROUTING-KEY-PATTERN is an optional wildcard pattern for a routing key in topic authorization.

    For example:

    $ uaac group add 'p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.read:*/*'
    

    For more information about RabbitMQ permissions, see the OAuth plugin documentation in GitHub.

The on-demand broker creates a separate UAA client with scope p-rabbitmq_SPACE-GUID for every new on-demand service instance. When an access token is created, UAA intersects the groups of the user with the scopes of the client. Only scopes in that intersection can appear in the access token, so a user gets a RabbitMQ tag or permission for an instance only if the matching group exists for that instance's space and the user is a member of it.
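The following Python script is an added illustration, not code from VMware or from the RabbitMQ OAuth plugin. It models the three things this section describes: building the group names from a space GUID and a tag or permission (the p-rabbitmq_SPACE-GUID.tag:TAG and p-rabbitmq_SPACE-GUID.PERMISSION:VHOST/NAME[/ROUTING-KEY] forms above), the intersection of user groups and client scopes that UAA performs when minting a token, and how the resulting scopes break down into RabbitMQ tags and permissions for one service instance. The space GUID is the same constructed value used in the examples above; the other group names are constructed samples, and the parsing logic is a simplified reading of the scope format, not the plugin's implementation.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample space GUID (the same value as in the uaac examples above).
SPACE_GUID = "64bd9d4d-d2c8-4207-bb76-91a245e67d9d"

# The only tags and permissions this page allows in group names.
VALID_TAGS = {"monitoring", "administrator"}
VALID_PERMISSIONS = {"configure", "read", "write"}

# <resource-server-id>.<kind>:<value>, where kind is "tag" or a permission name.
SCOPE_RE = re.compile(
    r"^(?P<rsid>[^.]+)\.(?P<kind>tag|configure|read|write):(?P<value>.+)$"
)


def resource_server_id(space_guid: str) -> str:
    """Per-space prefix the on-demand broker uses for both UAA groups and client scopes."""
    return f"p-rabbitmq_{space_guid}"


def tag_scope(space_guid: str, tag: str) -> str:
    """Group name for `uaac group add p-rabbitmq_SPACE-GUID.tag:RABBITMQ-TAG`."""
    if tag not in VALID_TAGS:
        raise ValueError(f"RABBITMQ-TAG must be one of {sorted(VALID_TAGS)}, got {tag!r}")
    return f"{resource_server_id(space_guid)}.tag:{tag}"


def permission_scope(space_guid: str, permission: str, vhost_pattern: str,
                     name_pattern: str, routing_key_pattern: Optional[str] = None) -> str:
    """Group name for `uaac group add p-rabbitmq_SPACE-GUID.PERMISSION:VHOST/NAME[/ROUTING-KEY]`.

    The value is split on "/" when interpreted, so the vhost pattern itself must not
    contain a slash (assumption of this simplified model).
    """
    if permission not in VALID_PERMISSIONS:
        raise ValueError(f"PERMISSION must be one of {sorted(VALID_PERMISSIONS)}, got {permission!r}")
    for pattern in (vhost_pattern, name_pattern):
        if "/" in pattern or not pattern:
            raise ValueError(f"pattern {pattern!r} must be non-empty and must not contain '/'")
    value = f"{vhost_pattern}/{name_pattern}"
    if routing_key_pattern is not None:
        value += f"/{routing_key_pattern}"
    return f"{resource_server_id(space_guid)}.{permission}:{value}"


def token_scopes(user_groups: Iterable[str], client_scopes: Iterable[str]) -> List[str]:
    """UAA puts a scope into the token only if it is both a group of the user
    and a scope of the client that requested the token."""
    return sorted(set(user_groups) & set(client_scopes))


@dataclass(frozen=True)
class Permission:
    permission: str
    vhost_pattern: str
    name_pattern: str
    routing_key_pattern: Optional[str] = None


def interpret_scopes(scopes: Iterable[str], rsid: str) -> Tuple[Set[str], List[Permission]]:
    """Split the scopes of a token into RabbitMQ tags and permissions for ONE
    service instance. Scopes with another resource server id (another space, or
    another product such as cloud_controller) are ignored rather than rejected."""
    tags: Set[str] = set()
    permissions: List[Permission] = []
    for scope in scopes:
        m = SCOPE_RE.match(scope)
        if m is None or m["rsid"] != rsid:
            continue
        if m["kind"] == "tag":
            tags.add(m["value"])
            continue
        parts = m["value"].split("/")
        if len(parts) not in (2, 3) or not all(parts):
            continue  # malformed permission value: needs VHOST/NAME[/ROUTING-KEY]
        routing_key = parts[2] if len(parts) == 3 else None
        permissions.append(Permission(m["kind"], parts[0], parts[1], routing_key))
    return tags, permissions


if __name__ == "__main__":
    rsid = resource_server_id(SPACE_GUID)
    # Constructed sample: the user belongs to a monitoring group and a read group
    # for this space, plus groups that have nothing to do with this instance.
    user_groups = {
        tag_scope(SPACE_GUID, "monitoring"),
        permission_scope(SPACE_GUID, "read", "*", "*"),
        "cloud_controller.read",
        "p-rabbitmq_other-space-guid.tag:administrator",
    }
    client_scopes = {
        tag_scope(SPACE_GUID, "monitoring"),
        tag_scope(SPACE_GUID, "administrator"),
        permission_scope(SPACE_GUID, "read", "*", "*"),
    }
    granted = token_scopes(user_groups, client_scopes)
    print("scopes in token:", granted)
    print("tags / permissions for this instance:", interpret_scopes(granted, rsid))
```

Running the script shows that the administrator scope of the client never reaches the token, because the user is not in that group, and that the user's groups for other spaces and products are dropped at the intersection step and again at the parsing step.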

Configure Users for the RabbitMQ UAA Groups

You can either map external identity provider groups to the RabbitMQ UAA groups or add UAA members to the groups. Users gain the permissions specified by the RabbitMQ tag provided in the UAA group name.

Do one of the following:

  • Map the RabbitMQ UAA groups created above to your LDAP provider group by running the following command for every RabbitMQ UAA group:

    uaac group map --name "RABBITMQ-UAA-GROUP" "GROUP-DISTINGUISHED-NAME"
    

    Where:

    • RABBITMQ-UAA-GROUP is the UAA group name created above. For example: p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring.
    • GROUP-DISTINGUISHED-NAME is the Distinguished Name (DN) of the LDAP group. For example: ou=operators,dc=example,dc=com.
  • Map the RabbitMQ UAA groups created above to your SAML IdP group by running the following command for every RabbitMQ UAA group:

    uaac group map --name "RABBITMQ-UAA-GROUP" "GROUP-NAME" --origin "PROVIDER-NAME"
    

    Where:

    • RABBITMQ-UAA-GROUP is the UAA group name created above. For example: p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring.
    • GROUP-NAME is the name of the group in the SAML IdP.
    • PROVIDER-NAME is the name of the SAML IdP.
  • Add UAA members to UAA groups by running:

    uaac member add RABBITMQ-UAA-GROUP USERNAME
    

    Where:

    • RABBITMQ-UAA-GROUP is the UAA group name created above. For example, p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring.
    • USERNAME is a UAA group member, such as a Cloud Foundry user.

Enable OAuth in Ops Manager

To enable OAuth in the Tanzu RabbitMQ tile:

  1. Go to the Security for On-Demand Plans section of the Tanzu RabbitMQ tile.
  2. Select the Enable OAuth checkbox. (Screenshot: the Security for On-Demand Plans section, with TLS Option radio buttons, the Enable OAuth checkbox, and a Save button; the Not Configured radio button and the Enable OAuth checkbox are selected.)
  3. Click Save.
  4. Go back to Ops Manager Installation Dashboard > Review Pending Changes.
  5. Click Apply Changes to apply the changes to the Tanzu RabbitMQ tile.