[UAA on PWS] How to override uaa.yml on PWS

Cyrille Le Clerc

Feb 5, 2015, 11:13:38 AM
to vcap...@cloudfoundry.org, Sree Tummidi
Dear Cloud Foundry community,

Context: I work on the integration of an application (Jenkins Enterprise by Cloudbees) on Cloud Foundry (Pivotal CF) and we want to test the SSO integration of our app to UAA in a test environment installing a standalone UAA (without installing the full cf_release).

What is the best practice to override uaa.yml on a PWS deployment of UAA? 

My overrides look like this (the database could be MySQL or PostgreSQL):

spring_profiles: default,mysql

oauth:
  clients:
    jenkins_app:
      id: jenkins_app
      secret: $complex_password
      scope: oauth.approvals,openid,scim.me
      authorities: scim.me,oauth.login
      authorized-grant-types: authorization_code,client_credentials,refresh_token

scim:
  users:
    - admin|$complex_password|ad...@test.org|M.|Administrator|uaa.admin,scim.write,scim.read,openid

database:
  driverClassName: com.mysql.jdbc.Driver
  url: jdbc:mysql://localhost:3306/uaa
  username: uaa
  password: uaa

Josh Ghiloni

Feb 5, 2015, 12:07:18 PM
to vcap...@cloudfoundry.org
We also use UAA for SSO, though not on PWS, but the concept would be the same, I think. What I would do is this:

- deploy vanilla UAA bound to the proper database (call it, perhaps, my-sso)
- deploy your uaa.yml file to another app, using the static buildpack
- cf set-env my-sso UAA_CONFIG_URL http://pathtomyuaayml.cfapps.io/uaa.yml
- cf restage my-sso

--
You received this message because you are subscribed to the Google Groups "Cloud Foundry Developers" group.
To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/3ace86c2-328d-4e67-bc46-17a5bc5149da%40cloudfoundry.org.

To unsubscribe from this group and stop receiving emails from it, send an email to vcap-dev+u...@cloudfoundry.org.

Cyrille Le Clerc

Feb 5, 2015, 1:34:40 PM
to vcap...@cloudfoundry.org
Thanks Josh,

I thought about it, but this would require making a file containing a database password publicly accessible. This is not very exciting, even if I can obfuscate the URL.

Cyrille

Josh Ghiloni

Feb 5, 2015, 1:56:54 PM
to vcap...@cloudfoundry.org
Why not bind to the database using a user-provided service? I never have DB credentials in my uaa.yml.

Sree Tummidi

Feb 5, 2015, 2:29:18 PM
to vcap...@cloudfoundry.org
Hi Cyrille,
Any changes to OAuth clients on PWS are handled via Pivotal Support. This is accomplished via the UAAC command line tool.
Direct changes to uaa.yml are not feasible, as it is overridden on redeploys via the manifest file.

Let me circle back with you separately on your required changes and we can get those applied.

Thanks,
Sree Tummidi
Sr. Product Manager
Identity @ Pivotal Cloud Foundry

Cyrille Le Clerc

Feb 5, 2015, 6:37:17 PM
to vcap...@cloudfoundry.org
Thanks Josh,

I did not have in mind the database binding "automagically" discovered by the Spring Framework.

I did the following:
  • bound a PostgreSQL database to my app
  • declared the environment variable "UAA_CONFIG_URL=https://s3.amazonaws.com/mybucket/123456789/uaa.yml"
  • in this uaa.yml, declared the profiles "default,postgresql" but did not define the database section with db.username, db.password ...

My uaa.yml config file looks like this:

spring_profiles: default,postgresql

oauth:
  clients:
    jenkins_app:
      id: jenkins_app
      secret: jenkins_app_secret
      scope: oauth.approvals,openid,scim.me
      authorities: scim.me,oauth.login
      authorized-grant-types: authorization_code,client_credentials,refresh_token
  user:
    authorities:
      - openid
      - scim.me
      - cloud_controller.read
      - cloud_controller.write
      - cloud_controller_service_permissions.read
      - password.write
      - scim.userids
      - uaa.user
      - approvals.me
      - oauth.approvals
      - uaa.admin


scim:
  users: # example only, default is empty
    - admin|admin|ad...@test.org|M.|Administrator|uaa.admin,scim.write,scim.read,openid

Cyrille

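The approach in the last two messages (fetch uaa.yml from a URL, let the bound service supply the database credentials) has one property worth checking mechanically: whatever is served at UAA_CONFIG_URL is readable by anyone who can reach that URL. Below is a small pre-publish lint, added here as an illustration and not code from the thread or from UAA, that flattens the override file and reports the key paths that carry credentials: any `database.*` entry (which the binding should provide instead), OAuth client secrets, and bootstrap SCIM users (whose pipe-delimited second field is the password). The function names, the key-path patterns and the two sample files with their placeholder values are all assumptions constructed for the example.

```python
"""Pre-publish check for a uaa.yml override fetched via UAA_CONFIG_URL.
Illustration added for this thread; not UAA's own code. Key-path patterns,
function names and sample files are assumptions / constructed samples."""
import re

# Dotted key paths that carry credentials. With the database bound as a
# service there should be no database: section in the file at all.
CREDENTIAL_KEY_PATTERNS = [
    re.compile(r"^database\."),                      # database.url/username/password/...
    re.compile(r"^oauth\.clients\.[^.]+\.secret$"),  # OAuth client secrets
    re.compile(r"^scim\.users\[\d+\]$"),             # bootstrap users: name|password|email|...
]


def flatten_yaml(text):
    """Flatten the YAML subset these override files use (nested maps, scalar
    values, lists of scalars) into {"dotted.path": value}. Deliberately small;
    not a general YAML parser (no quoting, anchors or multi-line scalars)."""
    flat = {}
    stack = []          # (indent, key) of the enclosing maps
    list_counters = {}  # dotted path of a list -> next index
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        line = re.split(r"\s+#", raw.rstrip())[0]   # drop "key: value  # comment"
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        is_item = body.startswith("- ")
        # leave the maps this line is no longer nested under
        while stack and (stack[-1][0] > indent or (stack[-1][0] == indent and not is_item)):
            stack.pop()
        prefix = ".".join(key for _, key in stack)
        if is_item:
            idx = list_counters.get(prefix, 0)
            list_counters[prefix] = idx + 1
            flat[f"{prefix}[{idx}]"] = body[2:].strip()
            continue
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            flat[f"{prefix}.{key}" if prefix else key] = value
        else:
            stack.append((indent, key))   # opens a nested map or list
    return flat


def find_credential_keys(text):
    """Sorted key paths in `text` that carry credentials."""
    return sorted(path for path in flatten_yaml(text)
                  if any(p.search(path) for p in CREDENTIAL_KEY_PATTERNS))


def safe_to_publish(text):
    """True only if nothing credential-bearing would be exposed at the URL."""
    return not find_credential_keys(text)


# Constructed sample in the shape of the first override in the thread
# (placeholder values; nothing here is a real credential).
UNSAFE_UAA_YML = """\
spring_profiles: default,mysql
oauth:
  clients:
    jenkins_app:
      id: jenkins_app
      secret: PLACEHOLDER_CLIENT_SECRET
      scope: oauth.approvals,openid,scim.me
scim:
  users:
    - admin|PLACEHOLDER_ADMIN_PASSWORD|admin@example.test|M.|Administrator|uaa.admin,scim.write
database:
  driverClassName: com.mysql.jdbc.Driver
  url: jdbc:mysql://localhost:3306/uaa
  username: uaa
  password: uaa
"""

# Constructed sample in the shape of the later variant: the database comes
# from the bound service, so the database: section is gone.
BOUND_DB_UAA_YML = """\
spring_profiles: default,postgresql
oauth:
  clients:
    jenkins_app:
      id: jenkins_app
      secret: PLACEHOLDER_CLIENT_SECRET
      scope: oauth.approvals,openid,scim.me
  user:
    authorities:
      - openid
      - scim.me
      - cloud_controller.read
scim:
  users: # example only, default is empty
    - admin|PLACEHOLDER_ADMIN_PASSWORD|admin@example.test|M.|Administrator|uaa.admin,scim.write
"""

if __name__ == "__main__":
    for name, text in (("unsafe", UNSAFE_UAA_YML), ("bound-db", BOUND_DB_UAA_YML)):
        print(name, "->", "ok" if safe_to_publish(text) else find_credential_keys(text))
```

Run against the two samples, the first reports every `database.*` key plus the client secret and the bootstrap user; the second no longer reports anything under `database.`, but still reports the client secret and the SCIM user, which is the point: binding the database removes the database password from the file, but whatever secrets remain in it are still served from the public URL, so keep them test-only values there.
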
Cyrille Le Clerc

Feb 5, 2015, 6:38:26 PM
to vcap...@cloudfoundry.org
Thanks Sree,

I want to start my own UAA to be able to configure it the way I want for testing. I don't use the UAA provided by PWS.

Cyrille

Sree Tummidi

Feb 5, 2015, 6:46:01 PM
to vcap...@cloudfoundry.org
Thanks Cyrille. I got lost on the long thread.
Let me know if you need any help updating the Client on PWS later.

Thanks,
Sree
