Pivotal/UAA

From r00tedvw.com wiki
Revision as of 13:21, 6 September 2018 by R00t


UAA

UAA (User Account and Authentication) is the identity management service for Cloud Foundry: it issues the OAuth2 tokens that the CF CLI, the Cloud Controller and other platform components use to authenticate and authorize requests.


UAAC CLI

Installing Ruby on Mac OSX

Use Homebrew to install rbenv, then install a Ruby and make it the default. The eval line belongs in your shell profile (e.g. ~/.bash_profile) so that every new shell picks up rbenv:

~$ brew install rbenv
~$ eval "$(rbenv init -)"
~$ rbenv install 2.5.1
~$ rbenv global 2.5.1

Install UAAC CLI

With an rbenv-managed Ruby active, install the gem without sudo; sudo would run the system Ruby's gem command and install cf-uaac into the system Ruby instead of the rbenv one.

~$ gem install cf-uaac

Connecting to UAA server

Use uaac target uaa.<system domain> to point uaac at the UAA server of your foundation, e.g.:

~$ uaac target uaa.run-16.haas-59.pez.pivotal.io


Next, authenticate and obtain an access token. Record the uaa:admin:client_secret from your deployment manifest. (uaac keeps its targets and the tokens it obtains in ~/.uaac.yml, so protect that file like a credential.)

Or, if you deployed with Ops Manager (e.g. on vCenter), obtain it from:

OPs Manager > PAS > Credentials > UAA > Admin Client Credentials

With that information, get a client-credentials token for the admin client (omit -s to be prompted for the secret rather than leaving it in your shell history):

~$ uaac token client get admin -s ADMIN-CLIENT-SECRET


If the above doesn't work (the secret you recorded may be stale), decrypt the installation YAML on the Ops Manager VM. SSH into Ops Manager and run the following; each command prompts for the Ops Manager decryption passphrase:

~$ sudo -u tempest-web RAILS_ENV=production /home/tempest-web/tempest/web/scripts/decrypt /var/tempest/workspaces/default/actual-installation.yml /tmp/actual-installation.yml
~$ sudo -u tempest-web RAILS_ENV=production /home/tempest-web/tempest/web/scripts/decrypt /var/tempest/workspaces/default/installation.yml /tmp/installation.yml

You will then have decrypted copies of the installation YAML and can search them for the UAA admin secret:

~$ grep -A 4 uaa_admin_credentials /tmp/actual-installation.yml

The decrypted copies contain every credential in the foundation in clear text, so remove them from /tmp as soon as you have what you need.
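Once you have the decrypted copy, a small helper beats eyeballing grep output. The following is an added example, not part of the original page or of Ops Manager: it pulls the password from the first uaa_admin_credentials entry and then destroys the decrypted files. The YAML layout it expects (identifier / value / identity / password) is an assumption modelled on the grep above, and the sample file it builds is constructed, not real Ops Manager output.

```shell
#!/bin/sh
# Added example: extract the UAA admin secret from a decrypted Ops Manager
# installation YAML, then destroy the decrypted copies. Not part of Ops Manager.

# Print the password stored under the first "uaa_admin_credentials" entry.
# ASSUMPTION: the entry looks like
#   - identifier: uaa_admin_credentials
#     value:
#       identity: admin
#       password: "..."
uaa_admin_secret_from_yml() {
  awk '
    /identifier: *uaa_admin_credentials/ { found = 1; next }
    found && /password:/ {
      sub(/.*password: */, "")   # keep only the value
      gsub(/"/, "")              # drop surrounding quotes, if any
      print
      exit
    }
  ' "$1"
}

# The decrypted copies hold every credential in the foundation in clear text:
# overwrite and unlink them (shred) where available, otherwise just unlink.
cleanup_decrypted() {
  for f in "$@"; do
    [ -e "$f" ] || continue
    if command -v shred >/dev/null 2>&1; then
      shred -u -- "$f"
    else
      rm -f -- "$f"
    fi
  done
}

# Constructed sample standing in for /tmp/actual-installation.yml.
SAMPLE_YML=$(mktemp)
cat > "$SAMPLE_YML" <<'EOF'
products:
- identifier: cf
  properties:
  - identifier: system_domain
    value: run.example.com
  - identifier: uaa_admin_credentials
    value:
      identity: admin
      password: "s3cret-admin-client"
  - identifier: other_credentials
    value:
      identity: other
      password: "not-this-one"
EOF

# Live usage on the Ops Manager VM would be:
#   ADMIN_SECRET=$(uaa_admin_secret_from_yml /tmp/actual-installation.yml)
#   cleanup_decrypted /tmp/actual-installation.yml /tmp/installation.yml
```

The extractor stops at the first password after the matching identifier, so a later credential block with the same key names (as in the sample) is not picked up by mistake; the cleanup function prefers shred so the plaintext is overwritten rather than merely unlinked.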

Creating admin user

To create an additional admin user that can be used with CF, follow these steps:

Obtain an access token for the UAA server with the admin client credentials (see above), then create the user and add it to the admin groups:
~$ uaac user add admin2 -p password --emails [email protected]
~$ uaac member add cloud_controller.admin admin2
~$ uaac member add uaa.admin admin2
~$ uaac member add scim.read admin2
~$ uaac member add scim.write admin2

cloud_controller.admin is what makes the user a CF admin; uaa.admin, scim.read and scim.write additionally let it manage UAA users, groups and clients, so grant them only if the account really needs to administer UAA. The -p value ends up in your shell history, so use a strong, non-default password and rotate it once the account is in use.

You can verify the user exists with uaac users. The user should be listed there along with the groups it belongs to.

Now you should be able to log in as that user with the CF CLI (cf login -u admin2).
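Before running the steps above it is worth confirming that the token uaac obtained actually carries the scopes the user-creation and member-add calls need (scim.write at minimum; uaa.admin covers everything). uaac token decode shows the claims of the current token; the following added shell example (not part of the page or of the uaac tool) does the same check scriptably: it decodes the JWT payload, extracts the scope claim and fails if a required scope is missing. The token it checks is constructed inside the block with a dummy signature, since scope inspection does not verify signatures; the live-usage lines assume that uaac context prints the current token on an access_token: line.

```shell
#!/bin/sh
# Added example: inspect the scopes carried by a UAA access token (a JWT)
# before using it. Not part of the original page or of the uaac tool.

# base64url-encode a string (used only to build the constructed sample token).
b64url() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr -- '+/' '-_'
}

# Print the values of the token's "scope" claim, one per line. Only the payload
# (second JWT segment) is decoded; the signature is not checked here, so use
# this to see what a token claims, not to decide whether to trust it.
jwt_scopes() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | sed 'y/-_/+\//')
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null | tr -d '\n' \
    | sed -n 's/.*"scope": *\[\([^]]*\)].*/\1/p' \
    | tr ',' '\n' | tr -d '" '
}

# Succeed only if the token carries every scope named on the command line;
# otherwise list the missing ones on stderr and return 1.
jwt_require_scopes() {
  token=$1; shift
  have=$(jwt_scopes "$token")
  missing=""
  for want in "$@"; do
    printf '%s\n' "$have" | grep -qxF -- "$want" || missing="$missing $want"
  done
  [ -z "$missing" ] || { printf 'missing scopes:%s\n' "$missing" >&2; return 1; }
}

# Constructed sample: the claims resemble what UAA issues for a
# client_credentials grant to the admin client, but the signature is a dummy.
SAMPLE_PAYLOAD='{"jti":"0123456789abcdef","sub":"admin","client_id":"admin","cid":"admin","grant_type":"client_credentials","scope":["clients.read","clients.secret","clients.write","uaa.admin","scim.read","scim.write","password.write"],"iss":"https://uaa.example.com/oauth/token","zid":"uaa","aud":["admin","clients","uaa","scim","password"]}'
SAMPLE_TOKEN="$(b64url '{"alg":"HS256","typ":"JWT"}').$(b64url "$SAMPLE_PAYLOAD").$(b64url 'dummy-signature')"

# Live usage after "uaac token client get admin ..." (not run here):
#   TOKEN=$(uaac context | sed -n 's/^ *access_token: *//p')
#   jwt_require_scopes "$TOKEN" scim.read scim.write uaa.admin || exit 1
```

Because the check only decodes the payload, it tells you what the token claims, which is enough to catch a client that was issued without scim.write before you start a sequence of uaac calls that will half-succeed; trusting the claims is UAA's job when it validates the signature on each request.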

Quick Reference

uaac permissions/scopes

https://docs.cloudfoundry.org/concepts/architecture/uaa.html#uaa-scopes

uaac contexts

Lists the saved targets and contexts in ~/.uaac.yml: which UAA servers you have targeted, which client or user you authenticated as on each, and the scopes carried by each stored token. It describes your local credentials, not the accounts registered on the server.

~$ uaac contexts

uaac users

Lists all UAA user accounts together with their group memberships (the groups are what grant permissions). The full output is verbose; to narrow it down, request specific attributes or pass a SCIM filter:

show only each user's email addresses

~$ uaac users --attributes emails

locate a specific user by username (the filter is a SCIM expression; keep the single quotes inside the double quotes)

~$ uaac users "username eq 'username'"

Common UAA Instances

Below are some common instances of UAA as it pertains to Cloud Foundry installations.

Operations Manager (Ops Man)

Pivotal Application Service (PAS)

Pivotal Container Service (PKS)

Concourse
