This topic tells you how to enable OAuth 2.0 for VMware Tanzu RabbitMQ for Tanzu Application Service. This enables developers to access the RabbitMQ Management UI using their VMware Tanzu Application Service for VMs credentials.

Overview

OAuth enables developers to access the RabbitMQ Management UI using their TAS for VMs credentials instead of using the binding credentials from a service key. After enabling OAuth, developers are authenticated through a JSON Web Token (JWT) encoded OAuth access token obtained from User Account and Authentication (UAA).

Enabling OAuth does not remove user credentials from service keys or from the internal backend of existing Tanzu RabbitMQ for Tanzu Application Service instances. However, you can no longer use these credentials to access the RabbitMQ Management UI.

Caution Manually rotating the JWT signing key using the UAA API is not supported. Doing so renders RabbitMQ Management UI inaccessible.

To configure OAuth for an on-demand offering:

1. Configure UAA Groups for RabbitMQ
2. Configure OAuth in Ops Manager
   

Configure UAA Groups for RabbitMQ

To configure UAA groups:

• Overview
• Configure UAA Groups for RabbitMQ
  • Get Admin User Credentials for UAA
  • Install and Set up UAAC
  • Create a UAA Group
  • Configure Users for the RabbitMQ UAA Groups
• Configure OAuth in <%= vars.ops_manager %>

Get Admin User Credentials for UAA

To fetch the UAA Admin Client secret from the Ops Manager UI:

1. Click on the VMware Tanzu Application Service for VMs tile.

2. Click the Credentials tab.

   

3. Locate the Admin Client Credentials in the UAA job.

   

4. Click Link to Credential next to Admin Client Credentials.

5. Record the text in the identity field (UAA-ADMIN-CLIENT-IDENTITY in the next step) and password field (UAA-ADMIN-CLIENT-SECRET in the next step).

Install and Set up UAAC

To install and set up UAAC:

1. Install UAAC by running:

   gem install cf-uaac
   

2. Set up UAAC by running these commands:

   uaac target UAA-URL
   

   uaac token client get UAA-ADMIN-CLIENT-IDENTITY -s UAA-ADMIN-CLIENT-SECRET
   

   Where:

   • UAA-URL is the UAA URL.
   • UAA-ADMIN-CLIENT-IDENTITY and UAA-ADMIN-CLIENT-SECRET are from the text you recorded in Get Admin User Credentials for UAA above.

Create a UAA Group

You must create a group for each space in TAS for VMs that contains, or is expected to contain, on-demand Tanzu RabbitMQ for Tanzu Application Service service instances.

To create a UAA group for a space:

1. Display the space GUID by running:

   cf space SPACE-NAME --guid
   

   Where SPACE-NAME is the name of the space.

2. Record the space GUID.

3. Create a UAA group using the space GUID and a RabbitMQ tag by running:

   uaac group add p-rabbitmq_SPACE-GUID.tag:RABBITMQ-TAG
   

   Where:

   • SPACE-GUID is the space GUID.
   • RABBITMQ-TAG must be either monitoring or administrator. The RabbitMQ tag dictates what the user is permitted to do. For more information about RabbitMQ tags, see the RabbitMQ documentation

   For example:

   $ uaac group add p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring
   

4. If you used the monitoring tag, grant additional permissions to allow the user to view resources by running:

   uaac group add p-rabbitmq_SPACE-GUID.PERMISSION:VHOST-PATTERN/NAME-PATTERN[/ROUTING-KEY-PATTERN]
   

   Where:

   • SPACE-GUID is the space GUID.
   • PERMISSION is an access permission – configure, read, or write.
   • VHOST-PATTERN is a wildcard pattern for virtual hosts.
   • NAME-PATTERN is a wildcard pattern for a resource name.
   • ROUTING-KEY-PATTERN is an optional wildcard pattern for a routing key in topic authorization.

   For example:

   $ uaac group add 'p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.read:*/*'
   

   For more information about RabbitMQ permissions, see the OAuth plug-in documentation in GitHub.

The on-demand broker creates a separate UAA client with scope p-rabbitmq_SPACE-GUID for every new on-demand service instance. When an access token is created, UAA intersects the user groups with the client scopes. The intersection of these two fields are scopes that can be populated in the access token.

Configure Users for the RabbitMQ UAA Groups

You can either map external identity provider groups to the RabbitMQ UAA groups or add UAA members to the groups. Users gain the permissions specified by the RabbitMQ tag provided in the UAA group name.

Do one of the following:

• Map the RabbitMQ UAA groups created above to your LDAP provider group by running the following command for every RabbitMQ UAA group:

  uaac group map --name "RABBITMQ-UAA-GROUP" "GROUP-DISTINGUISHED-NAME"
  

  Where:

  • RABBITMQ-UAA-GROUP is the UAA group name created above. For example: p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring.
  • GROUP-DISTINGUISHED-NAME is the Distinguished Name (DN) of the LDAP group. For example: ou=operators,dc=example,dc=com.

• Map the RabbitMQ UAA groups created above to your SAML IdP group by running the following command for every RabbitMQ UAA group:

  uaac group map --name "RABBITMQ-UAA-GROUP" "GROUP-NAME" --origin "PROVIDER-NAME"
  

  Where:

  • RABBITMQ-UAA-GROUP is the UAA group name created above. For example: p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring.
  • GROUP-NAME is the name of the group in the SAML IdP.
  • PROVIDER-NAME is the name of the SAML IdP.

• Add UAA members to UAA groups by running:

  uaac member add RABBITMQ-UAA-GROUP USERNAME
  

  Where:

  • RABBITMQ-UAA-GROUP is the UAA group name created above. For example, p-rabbitmq_64bd9d4d-d2c8-4207-bb76-91a245e67d9d.tag:monitoring.
  • USERNAME is a UAA group member, such as a Cloud Foundry user.

Configure OAuth in Ops Manager

To configure OAuth in the Tanzu RabbitMQ for Tanzu Application Service tile:

1. Go to the Security for On-Demand Plans section of the Tanzu RabbitMQ for Tanzu Application Service tile.

2. There are three different OAuth Options: Not Configured, Optional, and Enforced:

   • Not Configured does not use OAuth.
     
     
   • Optional enforces OAuth for developers accessing the RabbitMQ Management UI. Apps accessing RabbitMQ can use either basic authentication or OAuth.
     
     
   • Enforced enforces OAuth for both developers and apps to access RabbitMQ. No user is created or returned as part of a service binding or service key creation. To ensure RabbitMQ does not store any user credentials, delete all service bindings and service keys, and then run the Upgrade All Service Instances errand after upgrading to 1.21.x and before enforcing OAuth.

   Click here to view a larger version of the image above

3. Click Save.

4. Go back to Ops Manager Installation Dashboard > Review Pending Changes.
5. Click Apply Changes to apply the changes to the Tanzu RabbitMQ for Tanzu Application Service tile.