Re: Usage retrieval authorization was: Re: [abacus] Usage submission authorization


Jean-Sebastien Delfino
 

Hi Piotr,

A resource provider or another system component can present a client token
with abacus.usage.read to read back the usage submitted to Abacus.

I wouldn't recommend giving that scope to users of the Abacus reporting
service as it'll give them too much power and visibility on usage from all
orgs.

The reporting service does not require the abacus.usage.read scope. Instead
it delegates the authorization to get a report for a particular org to the
account service (which you're responsible for implementing, as an
integrator of Abacus). Any user token from the report request is passed to
your account service, giving you a way to check that user's membership to
the org and any groups you've defined in that org and the roles that user
is entitled to.

HTH

- Jean-Sebastien

On Mon, Oct 19, 2015 at 12:53 PM, Piotr Przybylski <piotrp(a)us.ibm.com>
wrote:

Does the user who would like to see their usage (e.g. services in the
organization they own) need to have 'abacus.usage.read' scope as discussed
below?

Piotr


-----Saravanakumar A Srinivasan/Burlingame/IBM(a)IBMUS wrote: -----
To: "Discussions about Cloud Foundry projects and the system overall." <
cf-dev(a)lists.cloudfoundry.org>
From: Saravanakumar A Srinivasan/Burlingame/IBM(a)IBMUS
Date: 10/15/2015 10:20PM
Subject: [cf-dev] Re: Re: Re: Re: Re: Re: Re: [cf-dev][abacus] Usage
submission authorization

what will be the scope for securing the internal Abacus pipeline that Assk
describes as a system token?

It is 'abacus.usage.write'.

Updated my previous statements to make it more specific:

We have enabled scope-based authorization for REST endpoints at the usage
collector and usage reporting service. While we are working on using a
system OAuth bearer access token in the internal Abacus pipeline, submitting
usage to a secured Abacus needs an OAuth bearer access token with the
'abacus.usage.write' system scope in addition to the resource provider
specific scope(s) - 'abacus.usage.<resource_id>.write'.

Thanks,
Saravanakumar Srinivasan (Assk),


-----Piotr Przybylski/Burlingame/IBM(a)IBMUS wrote: -----
To: cf-dev(a)lists.cloudfoundry.org
From: Piotr Przybylski/Burlingame/IBM(a)IBMUS
Date: 10/15/2015 09:50PM
Subject: [cf-dev] Re: Re: Re: Re: Re: Re: [cf-dev][abacus] Usage
submission authorization

Makes sense, and just to complete - what will be the scope for securing the
internal Abacus pipeline that Assk describes as a system token?

Piotr



----- Original message -----
From: Jean-Sebastien Delfino <jsdelfino(a)gmail.com>
To: "Discussions about Cloud Foundry projects and the system overall." <
cf-dev(a)lists.cloudfoundry.org>
Cc:
Subject: [cf-dev] Re: Re: Re: Re: Re: [cf-dev][abacus] Usage submission
authorization
Date: Thu, Oct 15, 2015 9:11 PM

Hey Piotr,

To read usage I believe you'll need 'abacus.usage.read', as
'abacus.usage.write' is for, well... writing.

P.S. That reminds me of a period of my life, a long time ago, when I was a
contractor for some big company and they had hired me to write code for
them but had not given me the authorization to read the confidential code I
was writing :)

- Jean-Sebastien

On Thu, Oct 15, 2015 at 7:28 PM, Piotr Przybylski <piotrp(a)us.ibm.com>
wrote:

Assk,
can you confirm that the same scope (abacus.usage.write) is sufficient to
retrieve usage?

Piotr

< ... snip ...>
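The three authorization rules discussed in this thread (system write scope plus a per-resource write scope to submit usage, abacus.usage.read only for system components reading usage back, and report access delegated to the integrator's account service rather than granted by a read scope) as an added example. This is not Abacus project code and not from any poster; the function names, the `scope` array shape, the usage document shape and the `accountService` callback are assumptions, and the token is assumed to have already been signature-verified by the OAuth layer before these checks run.

```javascript
// Added example, not Abacus code. Scope checks modelled on the thread's
// description of the collector and reporting endpoints.

const SYSTEM_WRITE = 'abacus.usage.write';
const SYSTEM_READ = 'abacus.usage.read';

// Per-resource write scope, following the 'abacus.usage.<resource_id>.write' pattern.
function resourceWriteScope(resourceId) {
  return 'abacus.usage.' + resourceId + '.write';
}

// Usage submission: the caller needs the system write scope AND one
// resource-specific write scope for every resource_id in the document.
// Returns the list of missing scopes; an empty list means authorized.
function missingSubmitScopes(tokenScopes, usageDoc) {
  const have = new Set(tokenScopes);
  const needed = new Set([SYSTEM_WRITE]);
  for (const u of usageDoc.usage) needed.add(resourceWriteScope(u.resource_id));
  return [...needed].filter((s) => !have.has(s));
}

// Reading submitted usage back (resource provider or another system
// component) requires abacus.usage.read.
function canReadBackUsage(tokenScopes) {
  return tokenScopes.includes(SYSTEM_READ);
}

// Report retrieval for one org: no Abacus scope is consulted. The user token
// is handed to the integrator's account service (hypothetical callback
// (userToken, orgId) -> boolean) which decides on org membership / roles.
// Deliberately does NOT short-circuit on abacus.usage.read: that scope would
// expose usage of every org, which the thread advises against for end users.
function canGetReport(userToken, orgId, accountService) {
  return accountService(userToken, orgId) === true;
}

// --- Constructed sample data (not from any real deployment) ---

// A resource provider token that only carries the object-storage write scope.
const providerScopes = [SYSTEM_WRITE, resourceWriteScope('object-storage')];

// A submission that covers two resources; the second one is not authorized above.
const submission = {
  usage: [
    { resource_id: 'object-storage', organization_id: 'org-a' },
    { resource_id: 'linux-container', organization_id: 'org-a' },
  ],
};

// Constructed account service: user 'alice' belongs to org-a only.
const membership = { alice: ['org-a'] };
function sampleAccountService(userToken, orgId) {
  const orgs = membership[userToken.user_id] || [];
  return orgs.includes(orgId);
}

// Summary of the decisions for the sample data, for running stand-alone.
function demo() {
  return {
    missingForSubmission: missingSubmitScopes(providerScopes, submission),
    providerCanReadBack: canReadBackUsage(providerScopes),
    aliceOrgA: canGetReport({ user_id: 'alice' }, 'org-a', sampleAccountService),
    aliceOrgB: canGetReport({ user_id: 'alice' }, 'org-b', sampleAccountService),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of keeping `canGetReport` free of any scope check is the delegation Jean-Sebastien describes: a user who is a member of several orgs is authorized per org by the account service, and a leaked or over-broad abacus.usage.read grant never becomes a cross-org read path through the reporting endpoint.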