Re: BOSH role-based authentication and session limit

Dmitriy Kalinin


On Wed, Jul 8, 2015 at 1:20 AM, lexsys <aleksey.zalesov(a)> wrote:


1. Does BOSH has role-based authentication?

The case is single bosh director managing multiple deployments. Some of
deployments are in prod state, and some are PoC. I want to limit user for
only specific deployment or group of deployments.
currently bosh users are managed by the director. we just finished
implementing uaa integration in the director which will move user
management into uaa. we are waiting for uaa team to finish creating an
official uaa release so it can be collocated with the director. once that's
done you will be able to configure director to use uaa and will be able to
limit users to be an admin or a readonly user. so that's a start in terms
of permissions.

we did discuss deployment permissions before; however, have not scheduled
to implement it yet. with uaa it will be possible to add certain checks to
the director to limit deployment visibility based on scopes. see for more info:

* Users can modify certain deployments that already exist and new ones that
they create (i.e. tagged deployments)
- covered by `bosh.<DIRECTOR-UUID>.deployments-tag.<TAG>.admin`
- Example: service broker is given a client id/secret and a tag. service
broker will create deployments with tag X and would like to view and update

2. How can I limit session time for bosh director login?

For example, ask bosh director password during 15 min of inactivity.
when director is configured to use uaa it uses uaa tokens for auth. tokens
in uaa expire after certain period of time and then bosh cli asks to
re-login. so this is also pending release of uaa release.

Alex Zalesov,
DevOps @ Altoros

View this message in context:
Sent from the CF BOSH mailing list archive at
cf-bosh mailing list

Join to automatically receive all group messages.