Authorization: Tenant and Role Mapping Examples

Overview

Remote Auth requires roles and tenants to be assigned to every user login through the authorization mapping rules. Authorization is assessed on every login and the user record is updated. Upon successful user login via an external authentication server, all mapping rules are evaluated, and the resulting tenant and role pairs are added to the user's access list.

NSX Advanced Load Balancer supports user profile mapping for remote users.

Configuring Remote Authentication

By default, a Controller has only local authentication established.
To configure remote authentication using the NSX Advanced Load Balancer UI,

  1. Navigate to Administration > Settings > Authentication/Authorization.

  2. In the Edit Authentication screen, select Remote as the Authentication method.

  3. Select Enable Local User Login to allow users from the local user database to log in with their user credentials.

  4. Under Auth Profiles & Mapping Profiles, click Add.

  5. From the Select Auth Profile select an existing remote auth profile or click the vertical menu icon (three dots) to create a new auth profile.

  6. Click Save.

Note: Tenant and role mapping are available only with remote authentication.

Multiple remote authentication profiles can be configured using the NSX Advanced Load Balancer UI under the following conditions:

  • Any number of auth profiles (more than 2) can be created provided they are all of the same type. Consider the following examples to understand this further:

    Profile Types           | Result              | Reason
    TACACS, TACACS, TACACS  | Successful          | All profiles are of the same type
    TACACS, TACACS, LDAP    | Fails with an error | All the profiles are not of the same type

  • If there are only two auth profiles configured:
    • The primary auth profile has to be a SAML auth profile.
    • Both profiles cannot be SAML. So if SAML is the first auth profile, then the second profile has to be any profile other than SAML.

Consider the following examples to understand this further:

Primary Auth Profile | Secondary Auth Profile | Result              | Reason
SAML                 | LDAP                   | Successful          | The primary and the secondary profiles are of different types
SAML                 | SAML                   | Fails with an error | The primary and secondary profiles are both of type SAML
LDAP                 | TACACS                 | Fails with an error | The primary auth profile is not of type SAML

Creating an Auth Profile

An Auth profile is a set of Authentication, Authorization, and Accounting (AAA) attributes used to log into NSX Advanced Load Balancer.
To create an auth profile,

  1. From the NSX Advanced Load Balancer UI, navigate to Templates > Security > Auth Profile, and click Create.

  2. In the CREATE AUTH PROFILE screen, enter the Name of the profile.

  3. Select the Type of auth profile from the dropdown list. Note: The auth profile settings displayed depend on the type selected.

  4. Configure the auth profile type specific settings.

  5. Click Save to complete the auth profile creation.

Creating an Auth Mapping Profile

To create an auth mapping profile,

  1. From the NSX Advanced Load Balancer UI, navigate to Templates > Security > Auth Mapping Profile, and click Create.

  2. In the CREATE AUTH MAPPING PROFILE under the General tab, enter the profile Name and select the Type of auth mapping profile to which these rules are applied.

  3. Under Rules click Add to view the Mapping Rule sub-screen.

  4. In the Match section, select the criteria for matching attributes for successful authentication. In the case of an LDAP profile, you can also define the criteria for LDAP Group Match.

  5. Under Action, define the action to be performed in case of the match criteria being met. You can either select Super User or Custom Mapping to define your own mapping rules.

  6. Click Save to complete the auth mapping rule creation.

Sample Mapping Rules

Any Group/Any Attribute Rule

A rule with any group or any attribute applies to all users and can be used as a default option. The rule below assigns every user to a least privileged role and tenant (note that the role and tenant need to be configured to allow only least privileges). If the user is not assigned any more role/tenant pairs, the least privileged access takes effect after login.

Super User Rule

A rule can be configured to assign Super User privileges to a user. This user will have access to all tenants with the most privileged role. Once a user is super user, no other tenant/role mapping assignments will make a difference to the user’s access.

Attribute and Group Match

A mapping rule can be required to match both an attribute and group requirement. This will ensure a more specific assignment of role(s) and tenant(s).

Assign Matching Attribute Values

LDAP/TACACS+ attribute “vantageRole” for a user can have one or more values. For each value, if there is a configured role with the same name, the role is assigned to the user with access to all tenants. A user session can end up with multiple roles and the most privileged role will take effect.

Assign Matching Group Names

A user can be a member of multiple LDAP/AD groups. For each group, if there is a configured tenant with the same name, the user is given access to that tenant, in addition to any other tenants the user has already obtained access to through other matching rules.

Configuring Default Tenant for Remote Users

When configuring auth mapping rules, you can also select default tenants. When a remote user is created, the tenant selected here is used as the default tenant.

  1. From the NSX Advanced Load Balancer UI, navigate to Administration > Authentication/Authorization. Click New Mapping or edit an existing auth mapping rule.

  2. Under Action, select Custom Mapping.

  3. Click Add.

  4. From the User Tenant dropdown list, click Selected.

  5. Select the required Tenants.
    Note: If multiple tenants are created in the mapping rules, the first tenant selected is taken as the default tenant by default.

  6. Click Save.

Alternatively, the default tenant for remote users can be configured using the default_tenant_ref field through the CLI, as shown below:


[admin:10-102-64-241]: authmappingprofile:mapping_rules> default_tenant_ref admin
[admin:10-102-64-241]: authmappingprofile:mapping_rules> save
[admin:10-102-64-241]: authmappingprofile> save
+----------------------+---------------------------------------------------------+
| Field                | Value                                                   |
+----------------------+---------------------------------------------------------+
| uuid                 | authmappingprofile-46400ba5-9f05-4ec9-9464-e188010ce7b7 |
| name                 | saml                                                    |
| type                 | AUTH_PROFILE_SAML                                       |
| mapping_rules[1]     |                                                         |
|   index              | 0                                                       |
|   is_superuser       | True                                                    |
|   default_tenant_ref | admin                                                   |
| tenant_ref           | admin                                                   |
+----------------------+---------------------------------------------------------+
[admin:10-102-64-241]: >

Default tenant mapping, based on the tenant selected, is as shown below:

User Tenant     | Behavior   | Default Tenant              | Description
All             | Admin      | All tenant values           | Any user-specified tenant is used. In the absence of user-defined tenants, admin is selected as the default tenant.
Admin           | Admin      | All tenant values           | Any user-specified tenant is used. In the absence of user-defined tenants, admin is selected as the default tenant.
Selected        | Tenant ref | Only selected tenant values | Any user-specified tenant that is part of the selected tenant list; otherwise the must check throws an error while creating a new mapping. For example, if the selected tenant list has T1 and T2 but the user has provided T3 as the default tenant, the must check throws the error "Default tenant is not in selected tenants list". If the user has not selected any tenant but has provided a default tenant ref, the error "Please add at least one tenant in the selected list" is displayed.
Attribute Regex | Tenant ref | All tenant values           | User-specified tenant
Attribute value | Tenant ref | All tenant values           | User-specified tenant
Group name      | Tenant ref | All tenant values           | User-specified tenant

Note: In the case of Attribute Regex, Attribute Value, or Group Name, if the user has entered a tenant that is not part of the user's tenant list (retrieved at runtime on the basis of the Attribute Regex, Attribute Value, Group Name, or Group Regex match), then the first entry in the retrieved tenant list is assigned as the default tenant. For example, if U1 can be assigned T1 and T2 but T3 is provided as the default tenant, then either T1 or T2 becomes the default tenant, depending on which one is the first entry in the retrieved tenant list.

Tenant to Role Mappings

Avi Vantage supports dynamically assigning the tenant and role name based on a regex match. This requires a tenant or role variable to be configured in the regex; the captured value is then used as the tenant or role name. The variables must be in the (?P{tenant}regex) form.

Example:

LDAP DATA

user: test_user

test_user is a member of the following groups:

  • lb_ap1234_test

  • lb_ap7890_test

Mapping Rule Configuration:

The following is the CLI format:


{
  "attribute_match": {
    "values": [ "lb_(?P{tenant}\\w*)_test" ],
    "name": "tenant",
    "criteria": "AUTH_MATCH_REGEX"
  },
  "assign_tenant": "ASSIGN_MATCHING_ATTRIBUTE_REGEX",
  "assign_role": "ASSIGN_FROM_SELECT_LIST",
  "role_refs": [ "https://10.10.24.204/api/role/[Role-UUID]" ]
}

Result:

With this rule mapping and LDAP configuration, test_user is assigned the role selected in role_refs (say, Tenant-admin) in the tenants ap1234 and ap7890.

You can configure the above rule in the CLI as follows:


[admin:10-206-252-141]: > configure authmappingprofile authmapping
[admin:10-206-252-141]: authmappingprofile> mapping_rules index 2
New object being created
[admin:10-206-252-141]: authmappingprofile:mapping_rules> group_match
[admin:10-206-252-141]: authmappingprofile:mapping_rules:group_match> criteria auth_match_regex groups "sec-esp-(?P{tenant}\w*)-admin"
[admin:10-206-252-141]: authmappingprofile:mapping_rules:group_match> save
[admin:10-206-252-141]: authmappingprofile:mapping_rules> assign_tenant assign_matching_group_regex
[admin:10-206-252-141]: authmappingprofile:mapping_rules> assign_role assign_from_select_list
[admin:10-206-252-141]: authmappingprofile:mapping_rules> role_refs Tenant-Admin
[admin:10-206-252-141]: authmappingprofile:mapping_rules> default_tenant_ref admin
[admin:10-206-252-141]: authmappingprofile:mapping_rules> save
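The following is an added example, not NSX Advanced Load Balancer code, that simulates how a group-regex mapping rule in the format above yields tenant/role pairs for the page's test_user, and how the default tenant note above resolves a configured default that is outside the retrieved tenant list. It assumes the (?P{tenant}regex) variable behaves like a regex named group; the LDAP data and the rule values are constructed.

```python
import re

# Constructed LDAP data mirroring the page's example user and groups.
LDAP_USER = {
    "user": "test_user",
    "groups": ["lb_ap1234_test", "lb_ap7890_test", "qa_team"],
}

# Constructed mapping rule in the page's CLI format. That the {tenant}
# variable behaves like a regex named group is an assumption of this example.
RULE = {
    "group_match": {"criteria": "AUTH_MATCH_REGEX",
                    "groups": ["lb_(?P{tenant}\\w*)_test"]},
    "assign_tenant": "ASSIGN_MATCHING_GROUP_REGEX",
    "assign_role": "ASSIGN_FROM_SELECT_LIST",
    "role_refs": ["Tenant-Admin"],
    "default_tenant_ref": "admin",
}


def to_python_regex(pattern):
    """Rewrite the documented (?P{tenant}regex) form as Python's (?P<tenant>regex)."""
    return re.sub(r"\(\?P\{(\w+)\}", r"(?P<\1>", pattern)


def matched_tenants(rule, groups):
    """Tenant names captured from every group that fully matches the rule's regex."""
    tenants = []
    for pattern in rule["group_match"]["groups"]:
        compiled = re.compile(to_python_regex(pattern))
        for group in groups:
            m = compiled.fullmatch(group)
            if m and m.group("tenant") not in tenants:
                tenants.append(m.group("tenant"))
    return tenants


def evaluate(rule, ldap_user):
    """Return the tenant/role pairs granted by the rule and the effective default tenant."""
    tenants = matched_tenants(rule, ldap_user["groups"])
    pairs = [(t, r) for t in tenants for r in rule["role_refs"]]
    # Page note: a configured default tenant that is not in the retrieved
    # list is replaced by the first entry of that list.
    default = rule["default_tenant_ref"]
    if tenants and default not in tenants:
        default = tenants[0]
    return {"tenants": tenants, "access": pairs, "default_tenant": default}
```

Running evaluate(RULE, LDAP_USER) grants Tenant-Admin in ap1234 and ap7890 and, because "admin" is not in the retrieved list, makes ap1234 the default tenant.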

User Profile Mapping

With user profile mapping, it is possible to choose a user profile for remote users based on certain conditions.

To configure the user profile,


[admin:123]: systemconfiguration> admin_auth_configuration
[admin:123]: systemconfiguration:admin_auth_configuration> mapping_rules index 1
[admin:123]: systemconfiguration:admin_auth_configuration:mapping_rules> assign_userprofile assign_from_select_list
[admin:123]: systemconfiguration:admin_auth_configuration:mapping_rules> userprofile_ref Tacacs-Userprofile
[admin:123]: systemconfiguration:admin_auth_configuration:mapping_rules> save

Note: Ensure the user profile is already created. To know more about how to create and configure a user profile, see the user profile documentation.

View the user profile configuration as shown below:


[admin:123]: > show systemconfiguration
|----------------------------------|------------------------------------|
|Field                             |    Value                           |
|----------------------------------|------------------------------------|
|                          Truncated Output                             |                        
| admin_auth_configuration         |                                    |
|   auth_profile_ref               | tacacs1                            |
|   mapping_rules[1]               |                                    |
|     index                        | 1                                  |
|     assign_tenant                | ASSIGN_FROM_SELECT_LIST            |
|     tenant_attribute_name        |                                    |
|     tenant_refs[1]               | admin                              |
|     assign_role                  | ASSIGN_FROM_SELECT_LIST            |
|     role_attribute_name          |                                    |
|     role_refs[1]                 | Application-Admin                  |
|     is_superuser                 | False                              |
|     assign_userprofile           | ASSIGN_FROM_SELECT_LIST            |
|     userprofile_ref              | Tacacs-Userprofile                 |
|   allow_local_user_login         | True                               |
|----------------------------------|------------------------------------|

Notes:

  • Alternate authentication profile is only supported when the primary authentication profile is SAML.
  • Using SAML as the secondary authentication profile is not supported.

NSX Advanced Load Balancer falls back to the alternative auth configuration when the primary auth is SAML and an alternative auth is configured.
The API/CLI fall back to the alternative auth configuration when the primary auth is SAML and an alternative auth is configured.
The UI also falls back to the alternate auth if it is forced to local login, even when the configured auth profile is SAML, through https://<controller-ip>/#!/login?local=true.