Pivotal/UAA
Revision as of 13:24, 6 September 2018
UAA
UAA (User Account and Authentication) is used as the identity management service for Cloud Foundry.
UAAC CLI
Installing Ruby on Mac OSX
Use Homebrew
~$ brew install rbenv
~$ eval "$(rbenv init -)"
~$ rbenv install 2.5.1
Install UAAC CLI
~$ sudo gem install cf-uaac
Connecting to UAA server
Use the uaac target uaa.<system domain> command to target the UAA server, e.g.:
~$ uaac target uaa.run-16.haas-59.pez.pivotal.io
Next, we need to authenticate and obtain an access token. Record the uaa:admin:client_secret from your deployment manifest (stored in ~/.uaac.yml), or, if you are using a vCenter deployment, obtain it from:
Ops Manager > PAS > Credentials > UAA > Admin Client Credentials
With that information, we can use:
~$ uaac token client get admin -s ADMIN-CLIENT-SECRET
If the above doesn't work, try decrypting the installation yml file. SSH into the Ops Manager and then run these with the admin passcode:
~$ sudo -u tempest-web RAILS_ENV=production /home/tempest-web/tempest/web/scripts/decrypt /var/tempest/workspaces/default/actual-installation.yml /tmp/actual-installation.yml
~$ sudo -u tempest-web RAILS_ENV=production /home/tempest-web/tempest/web/scripts/decrypt /var/tempest/workspaces/default/installation.yml /tmp/installation.yml
You will then have a decrypted copy of the installation yml file and you can search for the uaa admin secret.
~$ cat /tmp/actual-installation.yml | grep -A 4 uaa_admin_credentials
Creating admin user
To create an admin user that can be used in CF, follow these steps:
Obtain an access token for the UAA server with admin credentials.
Create the user and add it to the admin groups:
~$ uaac user add admin2 -p password --emails [email protected]
~$ uaac member add cloud_controller.admin admin2
~$ uaac member add uaa.admin admin2
~$ uaac member add scim.read admin2
~$ uaac member add scim.write admin2
You can verify the user exists by running uaac users. They should be listed there along with their assigned permissions.
Now you should be able to log in as the user with the CF CLI.
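As an added example (not from the original wiki page), a shell wrapper for the procedure above: it targets UAA, takes the admin client secret from an environment variable instead of placing it on the command line (where `-s ADMIN-CLIENT-SECRET` ends up in shell history), reads the new user's password from stdin, grants the four groups listed, and then checks the memberships actually took. The function names, the UAA_ADMIN_CLIENT_SECRET variable and the example domain are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not part of the original page. Wraps the uaac steps above.
set -eu

# Groups the page grants to the new admin. Trim this list if a narrower
# role (e.g. no uaa.admin) is enough for the account's purpose.
ADMIN_GROUPS="cloud_controller.admin uaa.admin scim.read scim.write"

# Target UAA and get a token for the admin client. The secret comes from
# UAA_ADMIN_CLIENT_SECRET (assumed variable) so it is not typed into argv.
uaa_login() {
    system_domain=$1
    : "${UAA_ADMIN_CLIENT_SECRET:?set UAA_ADMIN_CLIENT_SECRET first}"
    uaac target "uaa.${system_domain}"
    uaac token client get admin -s "$UAA_ADMIN_CLIENT_SECRET"
}

# Create the user unless it already exists, then add each group membership.
# The initial password is read from stdin rather than passed as an argument.
create_cf_admin() {
    username=$1
    email=$2
    IFS= read -r password
    if uaac user get "$username" >/dev/null 2>&1; then
        echo "user $username already exists, skipping creation"
    else
        uaac user add "$username" -p "$password" --emails "$email"
    fi
    for g in $ADMIN_GROUPS; do
        uaac member add "$g" "$username"
    done
}

# Query the user with the SCIM filter from the Quick Reference and confirm
# every expected group name appears in the output. Returns 1 if any is missing.
verify_cf_admin() {
    username=$1
    out=$(uaac users "username eq '${username}'")
    missing=0
    for g in $ADMIN_GROUPS; do
        case "$out" in
            *"$g"*) ;;
            *) echo "missing group on $username: $g" >&2; missing=1 ;;
        esac
    done
    return $missing
}
```

Typical use: `uaa_login <system domain>`, then `create_cf_admin admin2 <email>` with the password piped in, then `verify_cf_admin admin2` before handing the account over.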
Quick Reference
uaac permissions/scopes
https://docs.cloudfoundry.org/concepts/architecture/uaa.html#uaa-scopes
uaac contexts
Displays the users and applications authorized by the UAA server, along with the permissions granted, within the current scope.
~$ uaac contexts
uaac users
Displays all UAA user accounts and their respective permissions.
However, if you want a readable output or to search for users, you can use some options like these:
Show users by email address:
~$ uaac users --attributes emails
Locate a specific user by username:
~$ uaac users "username eq 'username'"
Common UAA Instances
Below are some common instances of UAA as it pertains to Cloud Foundry installations.