An auditor's access to services credentials


Mike Youngstrom

Oct 7, 2013, 6:53:57 PM
to vcap...@cloudfoundry.org
We've been working CF through our organizational security policies.  One aspect that seems to raise eyebrows is the idea that members of a space can acquire the credentials to a service in that space.

To help appease the security-concerned we have suggested that they simply limit production space access to a limited number of system administrators.  However, this also then limits a developer's ability to diagnose issues in applications deployed to the prod space.

After doing some testing I have discovered the following with regard to a role's access to services:
* The Manager of a space cannot access service credentials
* The Developer and Auditor of a space can access service credentials

One idea is to give those with the need to diagnose issues in production "Auditor" access so they can view logs and some configuration but not have the ability to actually break things or see sensitive things.  However, the Auditor currently has access to view service credentials.

Anyone have thoughts on changing the auditor role so that it cannot acquire service credentials for services in a space?

Mike

Shannon Coen

Oct 8, 2013, 6:54:14 PM
to vcap...@cloudfoundry.org
I am surprised to hear that an Auditor has access to service credentials. My understanding was that only Developer had permissions to manage services.

Our frontend team is currently working on a story to give Manager permissions to manage services. This seems to be headed in the opposite direction from the one you'd like. I'll see if Scott can chime in with his reasoning.

Best,
Shannon

Scott Truitt

Oct 9, 2013, 1:15:08 AM
to vcap-dev
Actually, we reverted that change, Shannon, so it's just the Space Developer role that can access service credentials. Mike, I've filed a bug to remove Auditor access to them too. I'll let you know when it's fixed. 


Mike Youngstrom

Oct 9, 2013, 2:01:39 AM
to vcap...@cloudfoundry.org
Great!  Thanks Shannon and Scott.  So, just to clarify.  Once this is fixed, if I execute:

cf curl GET /v2/service_instances

I won't see any service credentials for the spaces I am only an auditor in, correct?

Mike
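A way to verify the behaviour Mike is asking about once the fix lands, added here as an example and not code from the thread or from Cloud Foundry: log in with an account that is only a Space Auditor, pipe the `cf curl GET /v2/service_instances` output into this script, and it walks the JSON for populated `credentials` fields and exits non-zero if any are present. The sample responses are constructed; the resources/metadata/entity envelope shape and the extra `password` key are assumptions, not something the thread states.

```python
"""Report service credentials exposed in a Cloud Foundry v2 API response.

Assumed usage (not from the thread):
    cf curl GET /v2/service_instances | python3 audit_creds.py
Exit status 1 means at least one resource still exposes credentials.
"""
import json
import sys

# Field names treated as secret-bearing. "credentials" is the field the
# thread is about; "password" is an assumption added for broader coverage.
SECRET_KEYS = {"credentials", "password"}


def find_secret_fields(node, path="$"):
    """Return JSONPath-like locations of non-empty secret-bearing fields.

    A key in SECRET_KEYS whose value is empty (None, {}, "", []) is treated
    as redacted and not reported; a populated one is reported and not
    descended into further.
    """
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in SECRET_KEYS and value not in (None, {}, "", []):
                hits.append(child)
            else:
                hits.extend(find_secret_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_secret_fields(item, f"{path}[{i}]"))
    return hits


def audit_response(body):
    """Parse an assumed v2 list envelope and report leaking resources.

    Returns (resource_count, ["<guid>:<path>", ...]). A body without a
    "resources" list is treated as a single resource.
    """
    doc = json.loads(body)
    resources = doc.get("resources", [doc])
    hits = []
    for i, res in enumerate(resources):
        guid = res.get("metadata", {}).get("guid", f"#{i}")
        for p in find_secret_fields(res.get("entity", res), "entity"):
            hits.append(f"{guid}:{p}")
    return len(resources), hits


# Constructed sample responses (not captured from a real Cloud Controller).
SAMPLE_LEAKING = json.dumps({
    "total_results": 2,
    "resources": [
        {"metadata": {"guid": "svc-0001"},
         "entity": {"name": "prod-db",
                    "credentials": {"username": "app", "password": "hunter2"}}},
        {"metadata": {"guid": "svc-0002"},
         "entity": {"name": "cache", "credentials": {}}},
    ],
})

SAMPLE_CLEAN = json.dumps({
    "total_results": 2,
    "resources": [
        {"metadata": {"guid": "svc-0001"},
         "entity": {"name": "prod-db", "credentials": {}}},
        {"metadata": {"guid": "svc-0002"},
         "entity": {"name": "cache", "credentials": {}}},
    ],
})


def main():
    count, hits = audit_response(sys.stdin.read())
    print(f"{count} resources, {len(hits)} with exposed secrets")
    for h in hits:
        print("  ", h)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it once as a Space Developer to confirm it actually flags the credentials (otherwise a clean result as Auditor proves nothing), then as an Auditor-only account; the expectation from the thread is that the second run reports no exposed fields.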

Scott Truitt

Oct 9, 2013, 10:50:45 AM
to vcap-dev
That's the plan, yes. 