Pivotal/UAA
Latest revision as of 15:58, 6 September 2018
UAA (User Account and Authentication) is the identity management service for Cloud Foundry.
UAAC CLI
Installing Ruby on Mac OSX
Use Homebrew:
~$ brew install rbenv
~$ eval "$(rbenv init -)"
~$ rbenv install 2.5.1
Install UAAC CLI
~$ sudo gem install cf-uaac
Connecting to UAA server
Use the uaac target uaa.<system domain> command to target the UAA server.
e.g. ~$ uaac target uaa.run-16.haas-59.pez.pivotal.io
Next, we need to authenticate and obtain an access token. Record the uaa:admin:client_secret from your deployment manifest (uaac itself keeps its targets and tokens in ~/.uaac.yml).
Or, if you are using a vCenter deployment, obtain it from:
Ops Manager > PAS > Credentials > UAA > Admin Client Credentials
With that information, obtain a token with:
~$ uaac token client get admin -s ADMIN-CLIENT-SECRET
If the above doesn't work, try decrypting the installation yml file. SSH into the Ops Manager VM and run these with the admin passcode:
~$ sudo -u tempest-web RAILS_ENV=production /home/tempest-web/tempest/web/scripts/decrypt /var/tempest/workspaces/default/actual-installation.yml /tmp/actual-installation.yml
~$ sudo -u tempest-web RAILS_ENV=production /home/tempest-web/tempest/web/scripts/decrypt /var/tempest/workspaces/default/installation.yml /tmp/installation.yml
You will then have a decrypted copy of the installation yml file and you can search for the UAA admin secret:
~$ grep -A 4 uaa_admin_credentials /tmp/actual-installation.yml
Remove the decrypted copies from /tmp when you are done; they contain every credential in the installation.
Creating admin user
To create an admin user that can be used in CF, follow these steps:
1. Obtain an access token for the UAA server with admin credentials (see Connecting to UAA server above).
2. Create the user and add it to the admin groups:
~$ uaac user add admin2 -p password --emails [email protected]
~$ uaac member add cloud_controller.admin admin2
~$ uaac member add uaa.admin admin2
~$ uaac member add scim.read admin2
~$ uaac member add scim.write admin2
You can verify the user exists by using uaac users. They should be listed there along with their assigned permissions.
You should now be able to log in as that user with the CF CLI.
Quick Reference
uaac permissions/scopes
https://docs.cloudfoundry.org/concepts/architecture/uaa.html#uaa-scopes
uaac contexts
Displays the users and applications authorized by the UAA server, along with the permissions granted, within the current scope.
~$ uaac contexts
uaac users
Displays all UAA user accounts and their respective permissions.
However, if you want a readable output or to search for users, you can use options like these:
show users by email address
~$ uaac users --attributes emails
locate specific user based on username
~$ uaac users "username eq 'username'"
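The following Python script is added here as an example and is not part of the wiki page: it performs the same steps as the Connecting to UAA server and Creating admin user sections and the uaac users filter above, but directly against the OAuth2 and SCIM endpoints that uaac wraps. The UAA URL, client id, secret and user names are placeholders; network I/O is isolated in send() so the request builders and the group check can be exercised offline.

```python
"""Added example (not the wiki's own code): the UAA REST calls that the page's
uaac commands wrap. The host, client and user names are placeholders."""
import base64
import json
import urllib.parse
import urllib.request

# Groups the page grants with `uaac member add`; checked by missing_groups().
REQUIRED_GROUPS = {"cloud_controller.admin", "uaa.admin", "scim.read", "scim.write"}

def token_request(uaa_url, client_id, client_secret):
    """`uaac token client get admin -s SECRET`: a client_credentials grant on
    /oauth/token with the client id and secret sent as HTTP Basic credentials."""
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"method": "POST", "url": f"{uaa_url.rstrip('/')}/oauth/token",
            "headers": {"Authorization": f"Basic {cred}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urllib.parse.urlencode({"grant_type": "client_credentials"})}

def create_user_request(uaa_url, token, username, password, email):
    """`uaac user add USER -p PASS --emails EMAIL`: SCIM POST to /Users."""
    return {"method": "POST", "url": f"{uaa_url.rstrip('/')}/Users",
            "headers": {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/json"},
            "body": json.dumps({"userName": username, "password": password,
                                "emails": [{"value": email, "primary": True}]})}

def user_lookup_request(uaa_url, token, username):
    """`uaac users "username eq 'USER'"`: a SCIM filter query on /Users."""
    query = urllib.parse.urlencode({"filter": f'userName eq "{username}"'})
    return {"method": "GET", "url": f"{uaa_url.rstrip('/')}/Users?{query}",
            "headers": {"Authorization": f"Bearer {token}"}, "body": None}

def missing_groups(scim_user):
    """Verify step: required admin groups the SCIM user record still lacks."""
    have = {g["display"] for g in scim_user.get("groups", [])}
    return REQUIRED_GROUPS - have

def send(req):
    # Perform one of the requests above and return the parsed JSON body.
    data = req["body"].encode() if req["body"] is not None else None
    r = urllib.request.Request(req["url"], data=data, headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":
    uaa = "https://uaa.example.test"  # placeholder for https://uaa.{system_domain}
    tok = send(token_request(uaa, "admin", "ADMIN-CLIENT-SECRET"))["access_token"]
    send(create_user_request(uaa, tok, "admin2", "password", "admin2@example.test"))
    user = send(user_lookup_request(uaa, tok, "admin2"))["resources"][0]
    print("groups still to add via uaac member add:", missing_groups(user) or "none")
```

Group membership itself is added per group through /Groups/{id} (what `uaac member add` does); the script reports which of the four groups are still missing after that step.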
Common UAA Instances
Below are some common instances of UAA as they pertain to Cloud Foundry installations.
Operations Manager (Ops Man)
The UAA API target for Ops Man should be:
https://{ops-manager-fqdn}/uaa
e.g. https://opsmgr-10.haas-59.pez.pivotal.io/uaa
This API target provides access to:
- the Ops Man API token, users, and scopes
Authenticating with UAA for ops man api
~$ uaac target opsmgr-10.haas-59.pez.pivotal.io/uaa
~$ uaac token owner get
Client ID: opsman
Client secret:
User name: admin
Password: {password from BOSH deployment manifest}
Pivotal Application Service (PAS)
The UAA API target for PAS should be:
https://uaa.{system_domain}
e.g. https://uaa.run-10.haas-59.pez.pivotal.io
This API target provides access to:
- the CF API token, users, and scopes
- creating users and scopes for Apps Manager
Authenticating with UAA for cf api
~$ uaac target uaa.run-10.haas-59.pez.pivotal.io
~$ uaac token owner get
Client ID: cf
Client secret:
User name: admin
Password: {password from PAS > UAA > Admin}
Authenticating with UAA for uaa api
~$ uaac target uaa.run-10.haas-59.pez.pivotal.io
~$ uaac token client get admin -s {password from PAS > UAA > Admin Client Credentials}