Creating a read-only user to query the Cloud Controller


Troy Astle

Jul 25, 2014, 10:24:41 AM
to vcap...@cloudfoundry.org
As part of our Cloud Foundry log aggregation we query the Cloud Controller and retrieve the Name, Organisation and Space associated with an Application GUID. This works just fine using admin credentials against a development instance of Cloud Foundry (cf-172).

However the admin user is vastly more powerful than we need for this job so I'd like to create a user with permission to read about all applications but modify none of them.

Looking at the Cloud Controller it seems that there is no way to create a user with access to read the environment without also being able to create, update and delete apps:

Has anyone successfully devised a way to query all apps on the Cloud Controller as a read-only user?

James Bayer

Jul 25, 2014, 8:42:05 PM
to vcap...@cloudfoundry.org
troy,

this is not possible today.

short note on roles: we have only several pre-canned roles today with a fixed set of permissions.

we want to move in the direction where the system uses fine-grained permissions for particular actions and the pre-canned user roles each have a list of permissions that can be adjusted by admins. 

incrementally later, introducing a new feature for custom roles that enables admins/managers to associate a list of permissions with each role.

for now we suggest to our customers to use the pre-canned roles and know that we treat cloud_controller_admin as a special type of admin user. we do not have a way to do a read-only admin user currently.

i definitely understand the need for this use case and we're under active discussions about how to address it.

thanks,

james

--
You received this message because you are subscribed to the Google Groups "Cloud Foundry Developers" group.
To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/4cc442ef-68ac-4185-a43e-f4caf3ab4119%40cloudfoundry.org.

To unsubscribe from this group and stop receiving emails from it, send an email to vcap-dev+u...@cloudfoundry.org.



--
Thank you,

James Bayer

Aristoteles Neto

Jul 27, 2014, 5:53:50 PM
to vcap...@cloudfoundry.org
Similarly, it would be great to have a user that's allowed to query App and Service usage events for the purposes of billing integration, without providing it with any additional access.

Aristoteles Neto



Troy Astle

Jul 28, 2014, 7:51:11 AM
to vcap...@cloudfoundry.org, ne...@orcon.net.nz
Thanks James,

That was the conclusion that I had come to but I wanted to make sure I was not missing something obvious.
It sounds like Aristoteles and I have similar uses in mind for read-only access to data.

This is not a high priority for us at the moment but definitely falls into the nice-to-have category.
We will eventually need to be able to audit CF activity and having a single god user breaks this pretty badly.

Are use cases being collected for Custom Roles? Perhaps we could help out by documenting these in a little more detail for the future.

Troy.

James Bayer

Jul 28, 2014, 9:06:09 PM
to vcap...@cloudfoundry.org, Aristoteles Neto
troy,

the main requirements are to add the concept of permissions for various cloud controller models and actions on those models, and then map roles (pre-canned and custom roles) to those permissions. my thinking is that we would be moving to an RBAC [1]. mark kropf has experience with an ACL approach and we are discussing tradeoffs [2]. i really like having a role map to a number of permissions and having the user-to-roles mapping derived from OAuth scopes, and the OAuth scopes derived from LDAP/AD/UAA groups. we'll publish more details when we have a proposal.
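The groups-to-scopes-to-roles-to-permissions chain sketched above, as an added illustration that is not Cloud Foundry's own code. Every group, scope and role name here (other than cloud_controller_admin) is an assumption; the point is that a read-only admin or a usage-events reader falls out of the model as just another role, and that an operator can audit what write access a set of groups would grant.

```python
# Added illustration of the LDAP group -> OAuth scope -> role -> permission
# chain described in the thread. Names are assumed, not Cloud Foundry's own.
from typing import Iterable

Permission = tuple[str, str]  # (cloud controller model, action)

MODELS = ("app", "space", "organization", "app_usage_event", "service_usage_event")
ACTIONS = ("read", "create", "update", "delete")

# Roles mapped to permission sets. cloud_controller_admin is the existing
# special admin; the other two are the roles the thread wishes existed.
ROLE_PERMISSIONS: dict[str, set[Permission]] = {
    "cloud_controller_admin": {(m, a) for m in MODELS for a in ACTIONS},
    "cloud_controller_read_only_admin": {(m, "read") for m in MODELS},
    "usage_events_reader": {(m, "read") for m in MODELS if m.endswith("usage_event")},
}

# OAuth scope -> role (assumed scope names; UAA would mint these scopes).
SCOPE_ROLES = {
    "cloud_controller.admin": "cloud_controller_admin",
    "cloud_controller.read_only_admin": "cloud_controller_read_only_admin",
    "usage_events.read": "usage_events_reader",
}

# LDAP/AD group -> OAuth scopes (assumed group names).
GROUP_SCOPES = {
    "cf-admins": {"cloud_controller.admin"},
    "cf-log-aggregators": {"cloud_controller.read_only_admin"},
    "cf-billing": {"usage_events.read"},
}


def permissions_for(groups: Iterable[str]) -> set[Permission]:
    """Resolve directory groups through scopes and roles to permissions."""
    scopes = set().union(*(GROUP_SCOPES.get(g, set()) for g in groups))
    roles = {SCOPE_ROLES[s] for s in scopes if s in SCOPE_ROLES}
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))


def is_allowed(groups: Iterable[str], model: str, action: str) -> bool:
    """Authorization decision for one (model, action) request."""
    return (model, action) in permissions_for(groups)


def write_permissions(groups: Iterable[str]) -> set[Permission]:
    """Least-privilege audit: which mutating permissions would these groups grant?"""
    return {p for p in permissions_for(groups) if p[1] != "read"}


if __name__ == "__main__":
    print("log aggregator may read apps:", is_allowed(["cf-log-aggregators"], "app", "read"))
    print("log aggregator write grants:", write_permissions(["cf-log-aggregators"]))
```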

