Pivotal/UAA
(→Authenticating with UAA for ops man api) |
(→Authenticating with UAA for cf api) |
||
Line 79: | Line 79: | ||
===Authenticating with UAA for cf api=== | ===Authenticating with UAA for cf api=== | ||
− | <nowiki>~$ uaac target uaa.run-10.haas- | + | <nowiki>~$ uaac target uaa.run-10.haas-59.pez.pivotal.io |
~$ uaac token owner get | ~$ uaac token owner get | ||
Client ID: cf | Client ID: cf |
Latest revision as of 15:58, 6 September 2018
UAA UAA (User Account and Authentication) is used as the identity management service for Cloud Foundry.
Contents |
[edit] UAAC CLI
[edit] Installing Ruby on Mac OSX
Use Homebrew
~$ brew install rbenv ~$ eval "$(rbenv init -)" ~$ rbenv install 2.5.1
[edit] Install UAAC CLI
~$ sudo gem install cf-uaac
[edit] Connecting to UAA server
use the uaac target uaa.<system domain>
command to target the UAA server.
ie. ~$ uaac target uaa.run-16.haas-59.pez.pivotal.io
next, we need to authenticate and obtain an access token. Record the uaa:admin:client_secret from your deployment manifest (stored in ~/.uaac.yml
OR, if you are using a vcenter deployment, obtain it by:
OPs Manager > PAS > Credentials > UAA > Admin Client Credentials
With that information, we can use
~$ uaac token client get admin -s ADMIN-CLIENT-SECRET
If the above doesn't work, try decrypting the installation yml file. SSH into the ops manager and then run these with the admin passcode:
~$ sudo -u tempest-web RAILS_ENV=production /home/tempest-web/tempest/web/scripts/decrypt /var/tempest/workspaces/default/actual-installation.yml /tmp/actual-installation.yml ~$ sudo -u tempest-web RAILS_ENV=production /home/tempest-web/tempest/web/scripts/decrypt /var/tempest/workspaces/default/installation.yml /tmp/installation.yml
You will then have a decrypted copy of the installation yml file and you can search for the uaa admin secret.
~$ cat /tmp/actual-installation.yml | grep -A 4 uaa_admin_credentials
[edit] Creating admin user
To create an admin user that can be used in CF, follow these steps:
Obtain an access token for the UAA server with admin credentials. ~$ uaac user add admin2 -p password --emails [email protected] ~$ uaac member add cloud_controller.admin admin2 ~$ uaac member add uaa.admin admin2 ~$ uaac member add scim.read admin2 ~$ uaac member add scim.write admin2
You can verify the user exists by using uaac users
. They should be listed there along with their assigned permissions.
Now you should be able to log in with the user using CF CLI
[edit] Quick Reference
[edit] uaac permissions/scopes
https://docs.cloudfoundry.org/concepts/architecture/uaa.html#uaa-scopes
[edit] uaac contexts
Displays the users and applications authorized by the UAA server, along with the permissions granted, within the current scope.
~$ uaac contexts
[edit] uaac users
Displays all UAA user accounts and their respective permissions.
However, if you want a readable output or to search for users, you can use some options like these:
[edit] show users by email address
~$ uaac users --attributes emails
[edit] locate specific user based on username
~$ uaac users "username eq 'username'"
[edit] Common UAA Instances
Below are some common instances of UAA as it pertains to Cloud Foundry installations.
[edit] Operations Manager (Ops Man)
The UAA api target for Ops Man should be:
https://{ops-manager-fqdn}/uaa ie. https://opsmgr-10.haas-59.pez.pivotal.io/uaa
This api target provides access to:
- the Ops Man API token, users, and scopes
[edit] Authenticating with UAA for ops man api
~$ uaac target opsmgr-10.haas-59.pez.pivotal.io/uaa ~$ uaac target owner get Client ID: opsman Client secret: User name: admin Password: {password from BOSH deployment manifest}
[edit] Pivotal Application Service (PAS)
The UAA api target for PAS should be:
https://uaa.{system_domain} ie. https://uaa.run-10.haas-59.pez.pivotal.io
This api target provides access to:
- the CF API token, users, and scopes
- creating users and scopes for apps manager
[edit] Authenticating with UAA for cf api
~$ uaac target uaa.run-10.haas-59.pez.pivotal.io ~$ uaac token owner get Client ID: cf Client secret: User name: admin Password: {password from PAS > UAA > Admin}
[edit] Authenticating with UAA for uaa api
~$ uaac target uaa.run-10.haas-59.pez.pivotal.io ~$ uaac token client get admin -s {password from PAS > UAA > Admin Client Credentials}