GSLB Configuration Changes From a Follower Site
Overview
Starting with Avi Vantage release 20.1.6, the following configuration changes can be performed from a follower site too:
- Enable or disable GSLB Service groups
- Enable/Disable GSLB Service Group members
This is useful when there is a requirement to avoid traffic to some of the servers on a GSLB follower site only and you do not have access to the leader site. Prior to Avi Vantage release 20.1.6, the configuration changes were possible from the leader site only. Using this feature, you can enable or disable GSLB group or GSLB group members from a follower site too. The following configuration changes or prerequisites are required to enable a user at a follower site for preforming changes:
- Configuring per-field authorization
- Configuring JWT Profile at the leader site
- Enabling Configuration from the follower site
Configuring Per-field Authorization
Configuring Roles for GSLB_Group_Enabled and GSLB_Group_Member-Enabled
To perform changes from a follower site, the users should have the following roles associated with them:
- Gslb_Group_Member_Enabled - This role should have the write access to GSLB service.
- Gslb_Group_Enabled - This role should have the write access to GSLB service.
For more information on configuring per-field authorization, refer to Per-filed RBAC.
[admin:10-10-10-2]: > configure role Gslb_Group_Member_Enabled
[admin:10.10.10.2]: role> privileges
New object being created
[admin:10.10.10.2]: role:privileges> type write_access
[admin:10.10.10.2]: role:privileges> resource PERMISSION_GSLBSERVICE
[admin:10.10.10.2]: role:privileges> save
In the below CLI snippets, the user gslbsitegroupmemberadmin is configured with the role of Gslb_Group_Member_Enabled. The configured user has the write access to the GSLB service and the priviledge to enable or disable a GSLB group within the specified GSLB service.
[admin:10-10-10-2]: > show user gslbsitegroupmemberadmin
+------------------+-------------------------------------------+
| Field | Value |
+------------------+-------------------------------------------+
| uuid | user-52a6e643-d55d-45e9-8bca-0601b53d5b20 |
| username | gslbsitegroupmemberadmin |
| password | <sensitive> |
| name | gslbsitegroupmemberadmin |
| email | |
| access[1] | |
| role_ref | Gslb_Group_Member_Enabled |
| all_tenants | True |
| access[2] | |
| role_ref | Gslb_Health_Monitor |
| all_tenants | True |
| is_superuser | False |
| local | True |
| user_profile_ref | Default-User-Account-Profile |
+------------------+-------------------------------------------+
[admin:10-10-10-2]: > show role Gslb_Group_Member_Enabled
+--------------------------+----------------------------------------------+
| Field | Value |
+--------------------------+----------------------------------------------+
| uuid | role-95e82558-1883-47af-8802-a6834c5feb76 |
| name | Gslb_Group_Member_Enabled |
| privileges[1] | |
| type | WRITE_ACCESS |
| resource | PERMISSION_GSLBSERVICE |
| subresource | |
| exclude_subresources | False |
| subresources[1] | SUBRESOURCE_GSLBSERVICE_GROUP_MEMBER_ENABLED |
| allow_unlabelled_access | True |
| tenant_ref | admin |
+--------------------------+----------------------------------------------+
Similarly, in the below CLI snippets, the user gslbsitegroupadmin is configured with the role of Gslb_Group_Enabled. The configured user has the write access to GSLB service and the priviledge to enable or disable a GSLB group within the specified GSLB service.
[admin:10-10-10-2]: > show user gslbsitegroupadmin
+------------------+-----------------------------------------------+
| Field | Value |
+------------------+-----------------------------------------------+
| uuid | user-27a528f5-2e8e-42bb-b5b0-2229123215ec |
| username | gslbsitegroupadmin |
| password | <sensitive> |
| name | gslbsitegroupadmin |
| email | |
| access[1] | |
| role_ref | Gslb_Group_Enabled |
| all_tenants | True |
| access[2] | |
| role_ref | Gslb_Health_Monitor |
| all_tenants | True |
| is_superuser | False |
| local | True |
| user_profile_ref | Default-User-Account-Profile |
+------------------+-----------------------------------------------+
[admin:10-10-10-2]: > show role Gslb_Group_Enabled
+--------------------------+-------------------------------------------+
| Field | Value |
+--------------------------+-------------------------------------------+
| uuid | role-0facf895-c551-4cd0-b1f6-73b4c890c746 |
| name | Gslb_Group_Enabled |
| privileges[1] | |
| type | WRITE_ACCESS |
| resource | PERMISSION_GSLBSERVICE |
| subresource | |
| exclude_subresources | False |
| subresources[1] | SUBRESOURCE_GSLBSERVICE_GROUP_ENABLED |
| allow_unlabelled_access | True |
| tenant_ref | admin |
+--------------------------+-------------------------------------------+
Note: The above mentioned roles need to be added on all the follower sites, and the leader site.
Configuring Federated JWT Profile
GSLB follower sites use JWT token to communicate with the leader site for configuration API calls. For that reason, all sites need JWT server profile to encrypt/decrypt the token to get the desired information from the token. JWT server profile needs to be configured as a federated object enabling the is_federated flag in JWT server profile configuration. This is a mandatory step to be performed on the leader site and GSLB site agnostic configuration cannot be enabled without it.
Use the configure jwtserverprofile command to configure the JWT server profile on the leader site and set the value of the is_federated flag to True.
The followings are the algorithms supported for the JWS Keys:
- HS256 with 32 bytes as the key length
- HS384 with 48 bytes as the key length
- HS512 with 64 bytes as the key length
Use the following API to generate the key used in the JWT serer profile:
https://10.79.169.140/api/symmetric-key?alg=HS512
The sample output post applying the above API is shown below:
{
"kid": "5105e67b-85c0-4d27-aaf1-3bef8020d8ac",
"alg": "HS512",
"kty": "oct",
"key": "TTA2Zk5Kb2NWTWE4ZmZ2bnRrbHNDZ0xNbUV2Z211ZThHMnBTaFE1Nm1DM0tZMmFqWjlHcjRBcmI2NDdyNGhoQg"
}
The algorithm parameter is optional, and default value is HS256.
Use the command configure jwtserverprofile to configure the JWT server profile on the leader site and set the value of the is_federated flag to True and the jwt_profile_type to CONTROLLER_INTERNAL_AUTH.
In the following CLI snippet, the JWT profile gslb_jwt_server_profile is configured with the HS256 algorithm,
[admin:10-79-169-140]: > show jwtserverprofile gslb_jwt_server_profile
+--------------------------+-------------------------------------------------------+
| Field | Value |
+--------------------------+-------------------------------------------------------+
| uuid | jwtserverprofile-03201645-2556-4d13-9d0c-8415c80faa73 |
| name | gslb_jwt_server_profile |
| tenant_ref | admin |
| jwt_profile_type | CONTROLLER_INTERNAL_AUTH |
| controller_internal_auth | |
| symmetric_jwks_keys[1] | |
| alg | HS256 |
| kty | OEpZREZsTThXU2RxdjJVd0g5WG5pRHVoMkNQaHU2Mjc |
| kid | ef0ae791-2380-4447-bf79-d3d01575d3e2 |
| key | <sensitive> |
| is_federated | True |
+--------------------------+-------------------------------------------------------+
[admin:10-79-169-140]: >
Enabling Configuration Changes from Followers
Set the value of the enable_config_by_members flag to True in the GSLB global configuration on the leader site. The federated JWTProfile must be configured and available for enabling this configuration.
[admin:10-10-10-1]: > show gslb glb-1
+--------------------------+-----------------------------------------------------+
| Field | Value |
+--------------------------+-----------------------------------------------------+
| uuid | gslb-c8ebc3e3-16e1-47f2-9f70-5ade3f1e1221 |
| name | glb-1 |
....
....
| tenant_scoped | False |
| enable_config_by_members | True |
+--------------------------+-----------------------------------------------------+
Once the steps mentioned above are performed, a user at the follower with the required roles can enable or disable a GSLB service group member, or a GSLB service group members.