GSLB Configuration Changes From a Follower Site

Overview

Starting with Avi Vantage release 20.1.5, the following configuration changes can be performed from a follower site too:

  • Enabling or disabling a GSLB group
  • Enabling or disabling GSLB group members

This is useful during a maintenance or change window, or whenever traffic to some of the sites must be avoided and the user does not have access to the leader site. Prior to Avi Vantage release 20.1.5, these configuration changes were possible only from the leader site. The following configuration is required before a user at a follower site can perform these changes:

  • Configuring per-field authorization
  • Configuring a JWT profile at the leader site

Configuring Per-field Authorization

Configuring Roles for GSLB_Group_Enabled and GSLB_Group_Member_Enabled

For details on per-field role-based access controls, see https://avinetworks.com/docs/20.1/per-field-role-based-access-controls/


[admin:ctrl10.79.169.184]: > configure role role-eng
[admin:ctrl10.79.169.184]: role> privileges
New object being created
[admin:ctrl10.79.169.184]: role:privileges> type write_access
[admin:ctrl10.79.169.184]: role:privileges> resource GSLB_Group_Enabled
[admin:ctrl10.79.169.184]: role:privileges> save
[admin:ctrl10.79.169.184]: role> filters
New object being created
[admin:ctrl10.79.169.184]: role:filters> match_operation role_filter_glob_match
[admin:ctrl10.79.169.184]: role:filters> match_label
[admin:ctrl10.79.169.184]: role:filters:match_label> key owner
[admin:ctrl10.79.169.184]: role:filters:match_label> values *eng*
[admin:ctrl10.79.169.184]: role:filters:match_label> save
[admin:ctrl10.79.169.184]: role:filters> save
[admin:ctrl10.79.169.184]: role> no allow_unlabelled_access
[admin:ctrl10.79.169.184]: role> save

In the CLI snippets below, the user gslbsitegroupmemberadmin is configured with the role Gslb_Group_Member_Enabled. The configured user has write access to the GSLB service and the privilege to enable or disable a GSLB group member within the specified GSLB service.


[admin:10-102-65-168]: > show user gslbsitegroupmemberadmin
+------------------+-------------------------------------------+
| Field            | Value                                     |
+------------------+-------------------------------------------+
| uuid             | user-52a6e643-d55d-45e9-8bca-0601b53d5b20 |
| username         | gslbsitegroupmemberadmin                  |
| password         | <sensitive>                               |
| name             | gslbsitegroupmemberadmin                  |
| email            |                                           |
| access[1]        |                                           |
|   role_ref       | Gslb_Group_Member_Enabled                 |
|   all_tenants    | True                                      |
| access[2]        |                                           |
|   role_ref       | Gslb_Health_Monitor                       |
|   all_tenants    | True                                      |
| is_superuser     | False                                     |
| local            | True                                      |
| user_profile_ref | Default-User-Account-Profile              |
+------------------+-------------------------------------------+

[admin:10-102-65-168]: > show role Gslb_Group_Member_Enabled
+--------------------------+----------------------------------------------+
| Field                    | Value                                        |
+--------------------------+----------------------------------------------+
| uuid                     | role-95e82558-1883-47af-8802-a6834c5feb76    |
| name                     | Gslb_Group_Member_Enabled                    |
| privileges[1]            |                                              |
|   type                   | WRITE_ACCESS                                 |
|   resource               | PERMISSION_GSLBSERVICE                       |
|   subresource            |                                              |
|     exclude_subresources | False                                        |
|     subresources[1]      | SUBRESOURCE_GSLBSERVICE_GROUP_MEMBER_ENABLED |
| allow_unlabelled_access  | True                                         |
| tenant_ref               | admin                                        |
+--------------------------+----------------------------------------------+

Similarly, in the CLI snippets below, the user gslbsitegroupadmin is configured with the role Gslb_Group_Enabled. The configured user has write access to the GSLB service and the privilege to enable or disable a GSLB group within the specified GSLB service.


[admin:10-102-65-168]: > show user gslbsitegroupadmin
+------------------+-----------------------------------------------+
| Field            | Value                                         |
+------------------+-----------------------------------------------+
| uuid             | user-27a528f5-2e8e-42bb-b5b0-2229123215ec     |
| username         | gslbsitegroupadmin                            |
| password         | <sensitive>                                   |
| name             | gslbsitegroupadmin                            |
| email            |                                               |
| access[1]        |                                               |
|   role_ref       | Gslb_Group_Enabled                            |
|   all_tenants    | True                                          |
| access[2]        |                                               |
|   role_ref       | Gslb_Health_Monitor                           |
|   all_tenants    | True                                          |
| is_superuser     | False                                         |
| local            | True                                          |
| user_profile_ref | Default-User-Account-Profile                  |
+------------------+-----------------------------------------------+

[admin:10-102-65-168]: > show role Gslb_Group_Enabled
+--------------------------+-------------------------------------------+
| Field                    | Value                                     |
+--------------------------+-------------------------------------------+
| uuid                     | role-0facf895-c551-4cd0-b1f6-73b4c890c746 |
| name                     | Gslb_Group_Enabled                        |
| privileges[1]            |                                           |
|   type                   | WRITE_ACCESS                              |
|   resource               | PERMISSION_GSLBSERVICE                    |
|   subresource            |                                           |
|     exclude_subresources | False                                     |
|     subresources[1]      | SUBRESOURCE_GSLBSERVICE_GROUP_ENABLED     |
| allow_unlabelled_access  | True                                      |
| tenant_ref               | admin                                     |
+--------------------------+-------------------------------------------+

Configuring Federated JWT Profile

GSLB follower sites use a JWT to communicate with the leader site for configuration API calls. For that reason, every site needs the JWTProfile to encrypt/decrypt the token and extract the required information from it. The JWTProfile must be configured as a federated object by setting the is_federated flag in the JWTProfile configuration. This is a mandatory step on the leader site; GSLB site-agnostic configuration cannot be enabled without it. Use the command to configure the JWT profile on the leader site with the

The following are the algorithm and key values supported for JWS keys:

In the following CLI snippet, the JWT profile jwtprofile-1 is configured with the HS256 algorithm and the is_federated flag set to True.


[admin:10-102-65-168]: > show jwtprofile jwtprofile-1
+---------------+---------------------------------------------------+
| Field         | Value                                             |
+---------------+---------------------------------------------------+
| uuid          | jwtprofile-1e343e8a-cb2b-4e3e-94ee-1a85f7ef488e   |
| name          | jwtprofile-1                                      |
| jwks_keys[1]  |                                                   |
|   alg         | HS256                                             |
|   kty         | oct                                               |
|   kid         | be22d65b-efc1-44bb-a09d-1914540a253d              |
| key           | <sensitive>                                       |
| jwt_auth_type | JWT_TYPE_JWS                                      |
| is_federated  | True                                              |
| tenant_ref    | admin                                             |
+---------------+---------------------------------------------------+
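The role and JWT-profile sections above describe what a correctly scoped follower-site setup looks like. The audit helper below is an added example, not Avi's own code or documentation: it checks role and JWT-profile objects shaped like the `show role` and `show jwtprofile` output, flags roles that grant more than the single GSLB enable/disable subresource, and flags a JWT profile that is not federated. It assumes the controller REST API returns the same field names as the CLI output, so the dicts can be fetched from the controller and passed in; the sample objects and key material are constructed placeholders.

```python
# Added example, not Avi's own code. Assumes the REST API returns the same field
# names as the `show role` / `show jwtprofile` CLI output. Samples are constructed.
GSLB_RESOURCE = "PERMISSION_GSLBSERVICE"

def audit_gslb_role(role, expected_subresource):
    """Findings list; empty means the role grants only the one GSLB toggle."""
    findings = []
    privs = role.get("privileges", [])
    if len(privs) != 1:
        findings.append(f"expected one privilege, found {len(privs)}")
    for p in privs:
        if p.get("type") != "WRITE_ACCESS" or p.get("resource") != GSLB_RESOURCE:
            findings.append(f"unexpected privilege {p.get('type')} on {p.get('resource')}")
        sub = p.get("subresource")
        if not sub:  # no subresource block = write access to the whole GSLB service
            findings.append("no subresource restriction: full write on GSLB services")
            continue
        if sub.get("exclude_subresources"):
            findings.append("exclude_subresources is True: the list is a denylist")
        subs = set(sub.get("subresources", []))
        if subs != {expected_subresource}:
            findings.append(f"subresources {sorted(subs)} != [{expected_subresource}]")
    # Label filters only scope access if unlabelled objects are not reachable too.
    if role.get("filters") and role.get("allow_unlabelled_access", True):
        findings.append("label filters set but allow_unlabelled_access is True")
    return findings

def audit_jwt_profile(profile):
    """Findings for the leader-site JWT profile that follower sites rely on."""
    findings = []
    if not profile.get("is_federated"):
        findings.append("is_federated is False: profile not replicated to follower sites")
    if profile.get("jwt_auth_type") != "JWT_TYPE_JWS":
        findings.append(f"jwt_auth_type {profile.get('jwt_auth_type')} != JWT_TYPE_JWS")
    for k in profile.get("jwks_keys", []):
        if k.get("alg") == "HS256" and k.get("kty") != "oct":
            findings.append(f"key {k.get('kid')}: HS256 needs a symmetric (oct) key")
        if not k.get("kid") or not k.get("key"):
            findings.append("jwks key entry missing kid or key material")
    return findings

# Constructed samples mirroring the show output above; key material is a placeholder.
GOOD_ROLE = {"name": "Gslb_Group_Enabled", "allow_unlabelled_access": True, "privileges": [
    {"type": "WRITE_ACCESS", "resource": GSLB_RESOURCE, "subresource": {
        "exclude_subresources": False, "subresources": ["SUBRESOURCE_GSLBSERVICE_GROUP_ENABLED"]}}]}
BROAD_ROLE = {"name": "gslb-write-all", "privileges": [{"type": "WRITE_ACCESS", "resource": GSLB_RESOURCE}]}
GOOD_JWT = {"name": "jwtprofile-1", "jwt_auth_type": "JWT_TYPE_JWS", "is_federated": True,
            "jwks_keys": [{"alg": "HS256", "kty": "oct", "kid": "kid-placeholder", "key": "<placeholder>"}]}
```

Run the audit against each follower-site role with the subresource that role is meant to carry; any finding on the role or on the leader's JWT profile is a reason to stop before handing the account to a follower-site operator.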