@ghillert
Last active October 25, 2019 07:28
Data Flow + UAA with Role Mapping

Create a base directory where we store everything.

Requirements

In case you run into issues installing uaac, you may have to set

export GEM_HOME="$HOME/.gem"

and/or add this directory to your PATH:

~/.gem/gems/cf-uaac-4.2.0/bin

Prepare UAA for JWT (Required for Data Flow >=2.3.x)

openssl genrsa -out signingkey.pem 2048
openssl rsa -in signingkey.pem -pubout -out verificationkey.pem
export JWT_TOKEN_SIGNING_KEY=$(cat signingkey.pem)
export JWT_TOKEN_VERIFICATION_KEY=$(cat verificationkey.pem)

Later, once the UAA is started, you can inspect the published verification keys at e.g. http://dataflow.local:8080/uaa/token_keys

For some more information see: https://www.baeldung.com/cloud-foundry-uaa

Download + Start UAA

Download and run https://github.com/pivotal/uaa-bundled

#!/bin/sh

git clone https://github.com/pivotal/uaa-bundled.git
cd uaa-bundled
./mvnw clean install
java -jar target/uaa-bundled-1.0.0.BUILD-SNAPSHOT.jar

Setup UAA

#!/bin/sh

uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac client add dataflow \
  --name dataflow \
  --scope cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,foo.create,foo.view \
  --authorized_grant_types password,authorization_code,client_credentials,refresh_token \
  --authorities uaa.resource,dataflow.create,dataflow.deploy,dataflow.destroy,dataflow.manage,dataflow.modify,dataflow.schedule,dataflow.view,foo.view,foo.create \
  --redirect_uri http://localhost:9393/login \
  --autoapprove openid \
  --secret dataflow

uaac group add "foo.view"
uaac group add "foo.create"

uaac user add cartman -p mysecret --emails [email protected]
uaac user add mrviewer -p mysecret --emails [email protected]

uaac member add "foo.view" cartman
uaac member add "foo.create" cartman

uaac member add "foo.view" mrviewer

Dataflow Setup

Start Skipper

#!/bin/sh

git clone https://github.com/spring-cloud/spring-cloud-skipper.git
cd spring-cloud-skipper
./mvnw clean package -DskipTests=true
java -jar spring-cloud-skipper-server/target/spring-cloud-skipper-server-2.2.0.BUILD-SNAPSHOT.jar

Start Data Flow

#!/bin/sh
git clone https://github.com/spring-cloud/spring-cloud-dataflow.git
cd spring-cloud-dataflow
./mvnw clean package -DskipTests=true
cd ..

Data Flow 2.2.x

Create a yaml file scdf.yml with the following contents:

spring:
  cloud:
    dataflow:
      security:
        authorization:
          map-oauth-scopes: true
          role-mappings:
            ROLE_CREATE: foo.create
            ROLE_DEPLOY: foo.create
            ROLE_DESTROY: foo.create
            ROLE_MANAGE: foo.create
            ROLE_MODIFY: foo.create
            ROLE_SCHEDULE: foo.create
            ROLE_VIEW: foo.view
security:
  oauth2:
    client:
      client-id: dataflow
      client-secret: dataflow
      scope: openid,foo.create,foo.view
      access-token-uri: http://dataflow.local:8080/uaa/oauth/token
      user-authorization-uri: http://dataflow.local:8080/uaa/oauth/authorize
    resource:
      user-info-uri: http://dataflow.local:8080/uaa/userinfo
      token-info-uri: http://dataflow.local:8080/uaa/check_token

Data Flow 2.3.x

spring:
  cloud:
    dataflow:
      security:
        authorization:
          provider-role-mappings:
            uaa:
              map-oauth-scopes: true
              role-mappings:
                ROLE_CREATE: foo.create
                ROLE_DEPLOY: foo.create
                ROLE_DESTROY: foo.create
                ROLE_MANAGE: foo.create
                ROLE_MODIFY: foo.create
                ROLE_SCHEDULE: foo.create
                ROLE_VIEW: foo.view
            facebook:
              map-oauth-scopes: false
            okta:
              map-oauth-scopes: false
  security:
    oauth2:
      client:
        registration:
          facebook:
            client-id: xxxx
            client-secret: xxxx
          okta:
            client-id: xxxx
            client-secret: xxxx
          uaa:
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            authorization-grant-type: authorization_code
            client-id: dataflow
            client-secret: dataflow
            scope:
            - openid
            - foo.create
            - foo.view
        provider:
          uaa:
            jwk-set-uri: http://dataflow.local:8080/uaa/token_keys
            token-uri: http://dataflow.local:8080/uaa/oauth/token
            user-info-uri: http://dataflow.local:8080/uaa/userinfo
            user-name-attribute: user_name
            authorization-uri: http://dataflow.local:8080/uaa/oauth/authorize
          facebook:
            user-name-attribute: name
          okta:
            authorization-uri: https://dev-264812.oktapreview.com/oauth2/v1/authorize
            token-uri: https://dev-264812.oktapreview.com/oauth2/v1/token
            user-info-uri: https://dev-264812.oktapreview.com/oauth2/v1/userinfo
            user-name-attribute: name
            jwk-set-uri: https://dev-264812.oktapreview.com/oauth2/v1/keys
      resourceserver:
        opaquetoken:
          introspection-uri: http://dataflow.local:8080/uaa/introspect
          client-id: dataflow
          client-secret: dataflow
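As an added example (not part of the original gist), the following Python script applies the role-mappings from the scdf.yml above to the scope claim of a UAA token, so you can check which Data Flow roles cartman and mrviewer end up with, and it flags mappings that can never match because the scope is not both registered on the dataflow client (uaac client add --scope) and requested by Data Flow. The sample tokens are constructed and unsigned; the signature check that Data Flow performs against /uaa/token_keys is deliberately out of scope here.

```python
import base64
import json

# Role mappings exactly as in scdf.yml above (2.2.x and the 2.3.x "uaa" provider).
ROLE_MAPPINGS = {
    "ROLE_CREATE": "foo.create", "ROLE_DEPLOY": "foo.create",
    "ROLE_DESTROY": "foo.create", "ROLE_MANAGE": "foo.create",
    "ROLE_MODIFY": "foo.create", "ROLE_SCHEDULE": "foo.create",
    "ROLE_VIEW": "foo.view",
}
# Scopes the "dataflow" client may issue (uaac client add --scope ...).
CLIENT_SCOPES = {"cloud_controller.read", "cloud_controller.write", "openid",
                 "password.write", "scim.userids", "foo.create", "foo.view"}
# Scopes Data Flow actually requests (security.oauth2.client ... scope).
REQUESTED_SCOPES = {"openid", "foo.create", "foo.view"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_scopes(jwt: str) -> set:
    """Read the 'scope' claim from a JWT payload. No signature check here:
    Data Flow verifies the RS256 signature against /uaa/token_keys."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)        # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("scope", []))

def roles_for(scopes: set, mappings=ROLE_MAPPINGS) -> set:
    """map-oauth-scopes: a role is granted iff its mapped scope is in the token."""
    return {role for role, scope in mappings.items() if scope in scopes}

def unreachable_roles(mappings=ROLE_MAPPINGS, client_scopes=CLIENT_SCOPES,
                      requested=REQUESTED_SCOPES) -> set:
    """Roles that can never be granted because their scope is not both
    registered on the client and requested by Data Flow (e.g. a client
    authority such as dataflow.manage used by mistake as a scope)."""
    return {r for r, s in mappings.items() if s not in client_scopes & requested}

def sample_token(user: str, scopes: list) -> str:
    """Constructed, unsigned sample token mimicking UAA's claim layout."""
    header = _b64url(b'{"alg":"RS256","typ":"JWT"}')
    claims = _b64url(json.dumps({"user_name": user, "scope": scopes}).encode())
    return f"{header}.{claims}.placeholder-signature"

# Constructed tokens for the two users created with uaac above.
CARTMAN = sample_token("cartman", ["openid", "foo.create", "foo.view"])
MRVIEWER = sample_token("mrviewer", ["openid", "foo.view"])
```

Expect cartman to receive every role and mrviewer only ROLE_VIEW; a non-empty result from unreachable_roles() means a role in the mapping is dead and the corresponding Data Flow operations will be denied to everyone.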

Startup

#!/bin/sh
java -jar spring-cloud-dataflow/spring-cloud-dataflow-server/target/spring-cloud-dataflow-server-2.3.0.BUILD-SNAPSHOT.jar --spring.config.additional-location=scdf.yml