what is cloud_controller.admin


hai wang

Oct 20, 2014, 11:43:23 PM
to vcap...@cloudfoundry.org
What does UAA's scope cloud_controller.admin mean? Is it combined with cloud_controller.read and cloud_controller.write?

James Bayer

Oct 21, 2014, 1:12:46 AM
to vcap...@cloudfoundry.org
If the cloud_controller.admin scope is in a user's OAuth token, then they are considered an administrator for Cloud Controller.

On Mon, Oct 20, 2014 at 8:43 PM, hai wang <jamee...@gmail.com> wrote:
What does UAA's scope cloud_controller.admin mean? Is it combined with cloud_controller.read and cloud_controller.write?




--
Thank you,

James Bayer

hai wang

Oct 21, 2014, 1:43:20 AM
to vcap...@cloudfoundry.org
What can cloud_controller.admin do?
And what about cloud_controller.read and cloud_controller.write?

It seems a user with cloud_controller.write cannot create a space or org. Why?

On Tuesday, October 21, 2014 at 1:12:46 PM UTC+8, jbayer wrote:

Luan Santos

Oct 23, 2014, 12:37:22 PM
to vcap...@cloudfoundry.org
The cloud_controller.admin scope can do pretty much anything on cloud_controller. The cloud_controller.write scope will grant that OAuth token permission to act as that user and write to their spaces/orgs depending on their role (if they are SpaceDeveloper they can create apps on that space).

For more details on this you can try browsing through the access classes in the CC codebase; an example for app creation can be found at: https://github.com/cloudfoundry/cloud_controller_ng/tree/master/app/access

Please let us know if you need any further clarification.

Thanks,
Luan & Dave, CF Runtime Team

On Monday, October 20, 2014 10:43:20 PM UTC-7, hai wang wrote:
What can cloud_controller.admin do?
And what about cloud_controller.read and cloud_controller.write?

It seems a user with cloud_controller.write cannot create a space or org. Why?

On Tuesday, October 21, 2014 at 1:12:46 PM UTC+8, jbayer wrote:
If the cloud_controller.admin scope is in a user's OAuth token, then they are considered an administrator for Cloud Controller.

On Mon, Oct 20, 2014 at 8:43 PM, hai wang <jamee...@gmail.com> wrote:

What does UAA's scope cloud_controller.admin mean? Is it combined with cloud_controller.read and cloud_controller.write?

Luan Santos

Oct 23, 2014, 2:18:38 PM
to vcap...@cloudfoundry.org
To answer your last question:

cloud_controller.write will give the user permissions to create orgs if the feature_flag "user_org_creation" is set to true. Run `cf feature-flags` for more info; you can set it as admin with `cf enable-feature-flag user_org_creation`.
Creating spaces is allowed if the user is an OrgManager in the currently targeted organization. Again, an OrgManager or an admin can change the user role in an org by doing `cf set-org-role USERNAME ORG ROLE`.

Thanks,
Luan & Dave, CF Runtime Team
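
Added example, not part of the thread and not Cloud Controller's own code: a Ruby sketch that reads the scope claim from a token and applies the scope-then-role rules described in the two replies above. The helper names, the constructed unsigned sample token, and the handling of `scope` as either a list or a space-delimited string are assumptions for illustration.

```ruby
require "base64"
require "json"

# Decode the claims segment of a JWT WITHOUT verifying its signature.
# Inspection and audit only; a resource server must verify before trusting.
def jwt_claims(token)
  segments = token.split(".")
  raise ArgumentError, "expected a three-segment JWT" unless segments.length == 3
  JSON.parse(Base64.urlsafe_decode64(segments[1]))
end

# Assumption: the "scope" claim is a list of strings or one space-delimited string.
def scopes_of(claims)
  scope = claims["scope"]
  scope.is_a?(String) ? scope.split : Array(scope)
end

# Flag tokens carrying the admin scope, e.g. when reviewing issued tokens.
def admin_token?(claims)
  scopes_of(claims).include?("cloud_controller.admin")
end

# Model of the rules stated in this thread (hypothetical helper, not the
# access classes in cloud_controller_ng). Scope is checked first, then role.
def allowed?(claims, action, roles: [], flags: {})
  return true if admin_token?(claims)
  return false unless scopes_of(claims).include?("cloud_controller.write")

  case action
  when :create_org   then flags["user_org_creation"] == true
  when :create_space then roles.include?("OrgManager")
  when :create_app   then roles.include?("SpaceDeveloper")
  else false # anything the thread does not describe is denied in this model
  end
end

# Constructed, unsigned sample token; real UAA tokens are signed.
def sample_token(scopes)
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  [enc.call({ "alg" => "none" }),
   enc.call({ "user_name" => "constructed-user", "scope" => scopes }),
   "constructed-signature"].join(".")
end

if __FILE__ == $PROGRAM_NAME
  writer = jwt_claims(sample_token(%w[cloud_controller.read cloud_controller.write]))
  puts allowed?(writer, :create_org, flags: { "user_org_creation" => true })
end
```
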

hai wang

Oct 24, 2014, 3:01:43 AM
to vcap...@cloudfoundry.org
Thanks

In short, if a user has cloud_controller.admin permission, he can do all POST/PUT/DELETE operations; if a user has cloud_controller.write permission and he is an OrgManager, he can create/update/delete a space but not an org.
And I checked the code; it seems only admin can create an org.

Am I right?


On Friday, October 24, 2014 at 2:18:38 AM UTC+8, Luan Santos wrote: