Hi Sebastien,

That OAuth token should include:
- a user id uniquely identifying that resource provider;
- an OAuth scope named like abacus.usage.<resource_id>.write

What kind of customization of the above do you plan to expose? In some
cases it may not be possible or viable to create new scope for each
resource id e.g. short lived resources. The ability to either configure
scope to use for validation or provide scope 'mapping' would help to adapt
it to existing deployments. Some flexibility would also help to accommodate
changes related to grouping resources by type as discussed in [1].

[1] - https://github.com/cloudfoundry-incubator/cf-abacus/issues/38


Piotr





From: Jean-Sebastien Delfino <jsdelfino(a)gmail.com>
To: "Discussions about Cloud Foundry projects and the system
overall." <cf-dev(a)lists.cloudfoundry.org>
Date: 10/07/2015 12:30 AM
Subject: [cf-dev] Re: [abacus] Usage submission authorization



Hi Piotr,

what kind of authorization is required to submit usage to Abacus ?
Is the oauth token used for submission [1] required to have particular

scope, specific to resource or resource provider ?

A resource provider is expected to present an OAuth token with the usage it
submits for a (service or runtime) resource.

That OAuth token should include:
- a user id uniquely identifying that resource provider;
- an OAuth scope named like abacus.usage.<resource_id>.write.

The precise naming syntax for that scope may still evolve in the next few
days as we progress with the implementation of user story 101703426 [1].

Is there a different scope required to submit runtimes usage (like cf

bridge) versus other services or its possible to use single scope for all
the submissions

I'd like to handle runtimes and services consistently as they're basically
just different types of resources, i.e. one scope per 'service' resource,
one scope per 'runtime' resource.

We're still working on the detailed design and implementation, but I'm not
sure we'd want to share scopes across (service and runtime) resource
providers as that'd allow a resource provider to submit usage for resources
owned by another...

@assk / @sasrin, anything I missed? Thoughts?

-- Jean-Sebastien


On Tue, Oct 6, 2015 at 6:29 PM, Piotr Przybylski <piotrp(a)us.ibm.com> wrote:
Hi,
what kind of authorization is required to submit usage to Abacus ?
Is the oauth token used for submission [1] required to have particular
scope, specific to resource or resource provider ? Is there a different
scope required to submit runtimes usage (like cf bridge) versus other
services or its possible to use single scope for all the submissions ?


[1] - https://www.pivotaltracker.com/story/show/101703426

Piotr