[UAA on PWS] How to override uaa.yml on PWS

Cyrille Le Clerc

unread,

Feb 5, 2015, 11:13:38 AM2/5/15

to vcap...@cloudfoundry.org, Sree Tummidi

Dear Cloud Foundry community,

Context: I work on the integration of an application (Jenkins Enterprise by Cloudbees) on Cloud Foundry (Pivotal CF) and we want to test the SSO integration of our app to UAA in a test environment installing a standalone UAA (without installing the full cf_release).

What is the best practice to override uaa.yml on a PWS deployment of UAA?

My overwrites look like (could be mysql or postgresql)

spring_profiles: default,mysql

oauth:
clients:
jenkins_app:
id: jenkins_app
secret: $complex_passwod
scope: oauth.approvals,openid,scim.me
authorities: scim.me,oauth.login
authorized-grant-types: authorization_code,client_credentials,refresh_token
redirect-uri: http://localhost:8080/securityRealm/finishLogin

scim:
users:
- admin|$complex_passwod|ad...@test.org|M.|Administrator|uaa.admin,scim.write,scim.read,openid

database:
driverClassName: com.mysql.jdbc.Driver
url: jdbc:mysql://localhost:3306/uaa
username: uaa
password: uaa

Josh Ghiloni

unread,

Feb 5, 2015, 12:07:18 PM2/5/15

to vcap...@cloudfoundry.org

We also use UAA for SSO, though not on PWS, but the concept would be the same, I think. What I would do is this:

- deploy vanilla UAA bound to the proper database (call it, perhaps, my-sso)

- deploy your uaa.yml file to another app, using the static buildpack

- cf set-env my-sso UAA_CONFIG_URL http://pathtomyuaayml.cfapps.io/uaa.yml

- cf restage my-sso

--
You received this message because you are subscribed to the Google Groups "Cloud Foundry Developers" group.
To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/3ace86c2-328d-4e67-bc46-17a5bc5149da%40cloudfoundry.org.

To unsubscribe from this group and stop receiving emails from it, send an email to vcap-dev+u...@cloudfoundry.org.

Cyrille Le Clerc

unread,

Feb 5, 2015, 1:34:40 PM2/5/15

to vcap...@cloudfoundry.org

Thanks Josh,

I thought about it but this would require to make publicly accessible a file with a database password. This is not very exciting even if I can obfuscate the URL.

Cyrille

Josh Ghiloni

unread,

Feb 5, 2015, 1:56:54 PM2/5/15

to vcap...@cloudfoundry.org

Why not bind to the database using a user provided service? I never have db credentials in my uaa yml

To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/cf9415fb-dc5c-4d91-bd49-18bf1fbba86b%40cloudfoundry.org.

Sree Tummidi

unread,

Feb 5, 2015, 2:29:18 PM2/5/15

to vcap...@cloudfoundry.org

Hi Cyril,

Any changes to OAuth Clients on PWS is handled via Pivotal Support. This is accomplished via the use of the UAAC command line tool.

Direct changes to UAA.yml is not feasible as its overridden on redeploys via the manifest file.

Let me circle back with you separately on your required changes and we can get those applied.

Thanks,

Sree Tummidi

Sr. Product Manager

Identity @ Pivotal Cloud Foundry

To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/CAMdgCYspBxAG4km3214U5%3D1gHyxtMpfqR0d-mzYbvBkjO%3Du7zg%40mail.gmail.com.

To unsubscribe from this group and stop receiving emails from it, send an email to vcap-dev+u...@cloudfoundry.org.

--

Thanks,

Sree Tummidi

Sr. Product Manager

Pivotal Cloud Foundry

Cyrille Le Clerc

unread,

Feb 5, 2015, 6:37:17 PM2/5/15

to vcap...@cloudfoundry.org

Thanks Josh,

I did not have in mind the database binding "auto magically" discovered by Spring Framework.

I did the following

bound a postgresql database to my app
declared the environment variable "UAA_CONFIG_URL=https://s3.amazonaws.com/mybucket/123456789/uaa.yml"
in this uaa.yml, declared a profile "default,postgresql" but I did not define the database section with db.username, db.password ...

My uaa.yml config file look like:

spring_profiles: default,postgresql

oauth:
clients:
jenkins_app:
id: jenkins_app

secret: jenkins_app_secret

scope: oauth.approvals,openid,scim.me
authorities: scim.me,oauth.login
authorized-grant-types: authorization_code,client_credentials,refresh_token
redirect-uri: http://localhost:8080/securityRealm/finishLogin

user:
authorities:
- openid
- scim.me
- cloud_controller.read
- cloud_controller.write
- cloud_controller_service_permissions.read
- password.write
- scim.userids
- uaa.user
- approvals.me
- oauth.approvals
- uaa.admin

issuer.uri: http://localhost:8081

scim:
users: # example only, default is empty
- admin|admin|ad...@test.org|M.|Administrator|uaa.admin,scim.write,scim.read,openid

Cyrille

Cyrille Le Clerc

unread,

Feb 5, 2015, 6:38:26 PM2/5/15

to vcap...@cloudfoundry.org

Thanks Sree,

I want to start my own UAA to be able to configure it the way I want for testing. I don't use the UAA provided by PWS.

Cyrille

Sree Tummidi

unread,

Feb 5, 2015, 6:46:01 PM2/5/15

to vcap...@cloudfoundry.org

Thanks Cyrille. I got lost on the long thread.

Let me know if you need any help updating the Client on PWS later.

Thanks,

Sree

To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/c6438d1f-87c7-4636-bc1d-f14f9e1bafc0%40cloudfoundry.org.

To unsubscribe from this group and stop receiving emails from it, send an email to vcap-dev+u...@cloudfoundry.org.

--

Thanks,

Sree Tummidi

Sr. Product Manager

Identity - Pivotal Cloud Foundry

Reply all

Reply to author

Forward