[cf-dev] Mapping ORGs and Space permissions via LDAP

[cf-dev] Mapping ORGs and Space permissions via LDAP

Mark Coumounduros
Hey All,

I recently updated a Cloud Foundation to map CC admin permission to LDAP via this UAAC command:

uaac group map --name cloud_controller.admin "GROUP-DISTINGUISHED-NAME"

I now just want to fine-tune LDAP permission to specific ORGs and/or Spaces. Is this possible, if so, how?
[cf-dev] Re: Mapping ORGs and Space permissions via LDAP

Alexander Lomov
Hey, Mark.

At the moment there is no way to control access to org or spaces using UAA scopes.

You can find a list of the currently available UAA scopes here [1]. To control org or space access you would need something like a zone id for an org or space, but I don’t know of a way to create such a binding right now. I suppose the feature development is in progress.

Since you added UAA-LDAP integration, you can log in with an LDAP user. After that you can control user access by CF roles [2], and this process does not involve UAA.

We also use the cf-mgmt tool [3] to automate binding LDAP users to orgs/spaces on some of our projects. You may find it useful.

Best wishes, 
Alex L.


On Feb 18, 2017, at 6:19 PM, Mark Coumounduros <[hidden email]> wrote:
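An added example, not from the thread or from cf-mgmt, showing the route Alex describes: membership of an LDAP group is turned into CF space role assignments, as a dry run that prints the cf commands rather than executing them. The group LDIF and the DN-to-mail table are constructed sample data; the script assumes the LDAP user's mail attribute is the UAA username and that a real run would feed it `ldapsearch -LLL` output.

```shell
#!/bin/sh
# Added example (not the thread's or cf-mgmt's code): plan CF space role
# assignments from an LDAP group. Assumptions: the group's `member`
# attribute holds user DNs, and each user's `mail` attribute is the UAA
# username. In a real run the two constants below come from ldapsearch.

# Constructed `ldapsearch -LLL` output for one group (sample data).
SAMPLE_GROUP_LDIF='dn: cn=dev-team-a,ou=groups,dc=example,dc=com
cn: dev-team-a
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
member: uid=carol,ou=people,dc=example,dc=com'

# Constructed DN -> mail table (carol deliberately has no entry).
SAMPLE_USER_MAIL='uid=alice,ou=people,dc=example,dc=com alice@example.com
uid=bob,ou=people,dc=example,dc=com bob@example.com'

# group_member_dns LDIF -> one member DN per line
group_member_dns() {
  printf '%s\n' "$1" | sed -n 's/^member: //p'
}

# dn_to_username DN TABLE -> UAA username (mail), empty if unknown
dn_to_username() {
  printf '%s\n' "$2" | awk -v dn="$1" '$1 == dn { print $2 }'
}

# plan_space_roles LDIF TABLE ORG SPACE ROLE -> one cf command per line.
# Members without a known username are reported on stderr and skipped,
# so a gap in the directory never silently grants or drops a role.
plan_space_roles() {
  ldif=$1; table=$2; org=$3; space=$4; role=$5
  case $role in
    SpaceManager|SpaceDeveloper|SpaceAuditor) ;;
    *) echo "invalid space role: $role" >&2; return 1 ;;
  esac
  group_member_dns "$ldif" | while IFS= read -r dn; do
    user=$(dn_to_username "$dn" "$table")
    if [ -z "$user" ]; then
      echo "skip: no mail attribute for $dn" >&2
      continue
    fi
    printf 'cf set-space-role %s %s %s %s\n' "$user" "$org" "$space" "$role"
  done
}

# Dry run: review the plan before piping it into sh.
plan_space_roles "$SAMPLE_GROUP_LDIF" "$SAMPLE_USER_MAIL" my-org dev SpaceDeveloper
```

Users who leave the LDAP group are not revoked by this plan; a real sync also needs the reverse diff against `cf space-users`.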

[cf-dev] Re: Re: Mapping ORGs and Space permissions via LDAP

Dieu Cao
This has been a long-requested feature.
We've recently started to have more active conversations about this between CAPI and UAA teams and we hope to be able to share a proposal addressing this once an approach has been agreed on in the next month or two.

-Dieu
CF Runtime PMC Lead

On Sun, Feb 19, 2017 at 4:33 AM, Alexander Lomov <[hidden email]> wrote:

Re: [cf-dev] Mapping ORGs and Space permissions via LDAP

Mark Coumounduros

Hello Cloud Foundry:

Just checking back on whether there are ways to control access to org or spaces using UAA scopes (i.e., mapping LDAP Groups to Cloud Foundry Orgs and/or Spaces).

I last posted to the community back in Feb 2017 and am hoping this feature is now enabled for end users (or forthcoming).  Cheers!

_._,_._,_

Links:

You receive all messages sent to this group.

View/Reply Online (#8555) | [hidden email] | [hidden email] | Mute This Topic | New Topic

Your Subscription | [hidden email] | Unsubscribe [[hidden email]]

_._,_._,_
Re: [cf-dev] Mapping ORGs and Space permissions via LDAP

Eric Malm
Hi, Mark,

The CF community engaged in a serious effort in this domain for much of last year, in the incubating CF Perm project (https://github.com/cloudfoundry-incubator/perm). In the course of that effort, that team and the CAPI team discovered that while it was easy to integrate Perm with the authorization model for Cloud Controller's v3 API endpoints, it was nearly impossible to do so systematically for the v2 endpoints because of the complexity of their authorization model in CC.

Consequently, the CF Perm project has effectively been on hiatus while the CAPI and CLI teams work through their v3 API acceleration effort to implement replacements for the remaining v2 API endpoints in v3. Those teams have also published some information about their progress towards v3 in recent cf-dev topics, such as CC API v3 Proposals and the CC API v2 Deprecation plan.

Best,
Eric Malm, CF Application Runtime PMC Lead

On Mon, Apr 1, 2019 at 10:21 AM Mark Coumounduros <[hidden email]> wrote:

