We will prepare a PR. Thanks Nicholas and Noburou for the pointers.

Best regards,
Stephan

From: Nicholas Calugar [mailto:ncalugar(a)pivotal.io]
Sent: Freitag, 11. November 2016 00:50
To: Noburou TANIGUCHI <dev(a)nota.m001.jp>; Discussions about Cloud Foundry projects and the system overall. <cf-dev(a)lists.cloudfoundry.org>
Subject: [cf-dev] Re: Re: Re: Enable/disable ssh access

Your assessment is correct. It seems like we could use another configuration, like default_app_ssh_access that would be added to the line you linked:

https://github.com/cloudfoundry/cloud_controller_ng/blob/f2b4118fb23665d8f021ef2f82de9952c563cddd/app/models/runtime/app.rb#L274


Would anyone be willing to submit a PR for this?

--
Nicholas Calugar


On November 10, 2016 at 10:07:25 AM, Noburou TANIGUCHI (dev(a)nota.m001.jp<mailto:dev(a)nota.m001.jp>) wrote:
It seems that, with the current implementation, there's no way to disable ssh
by default while configuring `cc.allow_app_ssh_access` as true.

It is since the default value of `allow_ssh` for a space is true [1], and
the value of `enable_ssh` for an app becomes true if it is nil
and`cc.allow_app_ssh_access`and space.allow_ssh` is true [2].

[1]
https://github.com/cloudfoundry/cloud_controller_ng/blob/f2b4118fb23665d8f021ef2f82de9952c563cddd/app/controllers/runtime/spaces_controller.rb#L12
[2]
https://github.com/cloudfoundry/cloud_controller_ng/blob/f2b4118fb23665d8f021ef2f82de9952c563cddd/app/models/runtime/app.rb#L274



Grifalconi, Michael wrote

Hi, I sent the same question (in a less formal way) a couple of days ago
:)


(attached)

no answer yet


From: "Merker, Stephan" &lt;

stephan.merker@

&gt;
Reply-To: "Discussions about Cloud Foundry projects and the system
overall." &lt;

cf-dev(a).cloudfoundry<mailto:cf-dev(a).cloudfoundry>

&gt;
Date: Thursday, 10 November 2016 at 14:38
To: "

cf-dev(a).cloudfoundry<mailto:cf-dev(a).cloudfoundry>

" &lt;

cf-dev(a).cloudfoundry<mailto:cf-dev(a).cloudfoundry>

&gt;
Subject: [cf-dev] Enable/disable ssh access

Hello,

according to
https://docs.cloudfoundry.org/devguide/deploy-apps/app-ssh-overview.html#ssh-access-control-hierarchy
there are 3 levels of configuration to enable/disable ssh access to apps
running on Diego:


- Entire deployment: I guess this translates to the configuration
property cc.allow_app_ssh_access [1]

- Space: cf allow-space-ssh/disallow-space-ssh

- Application: cf enable-ssh/disable-ssh

When cc.allow_app_ssh_access=true, is there a way to configure the default
value for enable-ssh on space and application level? My observation is
that ssh is always enabled by default. I would like to have ssh disabled
by default so that space admins and developers have to enable it
explicitly.

Best regards,
Stephan


[1]
https://github.com/cloudfoundry/cloud_controller_ng/blob/654e39c6d22f99e75ba0833236c5e6a3f12ad967/bosh/jobs/cloud_controller_ng/spec#L522


Hello all,



We would like to enable Diego SSH as an option that can be set by the
developer on his application but currently it is enabled by default and
the developer have to take action to disable the service for his
application with the command `cf enable-ssh|disable-ssh`.



Is it possible to change the default to ‘disabled’ and still allow
developer to enable it?



Thanks



Best,

Michael

-----
I'm not a ...
Noburou TANIGUCHI
--
View this message in context: http://cf-dev.70369.x6.nabble.com/cf-dev-Enable-disable-ssh-access-tp6088p6091.html
Sent from the CF Dev mailing list archive at Nabble.com.