Re: CF Application Runtime PMC: UAA Project Lead Call for Nominations
Hi, everyone,
VMware is nominating Jeremy Morony for the UAA Project Lead in the Application Runtime PMC.
Jeremy is a software engineer and manager at VMware who has been working with the UAA team since February 2019. He has 20 years of programming, facilitation, coaching, and mentoring experience at both startups and larger companies.
Please send any other nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday, September 25, 2020.
Thanks,
Eric MalmFrom: cf-dev@... <cf-dev@...> on behalf of Eric Malm via lists.cloudfoundry.org <emalm=vmware.com@...>
Sent: Friday, September 11, 2020 3:22 PM To: cf-dev@... <cf-dev@...> Subject: [cf-dev] CF Application Runtime PMC: UAA Project Lead Call for Nominations
Hi, everyone,
Pablo Schuhmacher, the Project Lead for the UAA team within the Application Runtime PMC, is stepping down from the project, as he is now focusing on product management responsibilities inside of VMware. We thank him for his service.
The UAA team, based in San Francisco, now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday,
September 25, 2020.
Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.
Thanks,
Eric Malm, CF Application Runtime PMC Lead
|
||||||||||
|
||||||||||
CF Application Runtime PMC: Diego Project Lead Call for Nominations
Hi, everyone,
Josh Collins is stepping down from his role as the Diego project lead, as he is currently focused primarily on activities with the CF CLI team.
The Diego team now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday, September 25, 2020.
Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.
Thanks,
Eric Malm, CF Application Runtime PMC Lead
|
||||||||||
|
||||||||||
CF Application Runtime PMC: UAA Project Lead Call for Nominations
Hi, everyone,
Pablo Schuhmacher, the Project Lead for the UAA team within the Application Runtime PMC, is stepping down from the project, as he is now focusing on product management responsibilities inside of VMware. We thank him for his service.
The UAA team, based in San Francisco, now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday,
September 25, 2020.
Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.
Thanks,
Eric Malm, CF Application Runtime PMC Lead
|
||||||||||
|
||||||||||
Re: UAA api /introspect does not seem to be workign as expected
#uaa
Shetty, Viraj S [CTR]
Jeremy,
I upgraded to the latest UAA version 74.24.0 and I still see the same issue. Is there something I can provide from logs that might help ? Thanks, Viraj
|
||||||||||
|
||||||||||
Re: UAA api /introspect does not seem to be workign as expected
#uaa
Shetty, Viraj S [CTR]
Hi Jeremy,
Thanks for taklng the time to respond. Really appreciate it. I have double checked this many times. From Postman, I saw the request that is being sent and checked the bearer token to see the token scopes. The token contains the following (i added uaa.admin just as a test later) "scope": [
"uaa.resource",
"uaa.admin"
], "grant_type": "client_credentials",
The request looks all fine. Is there any configuration needed at the endpoints? I see the following configuration for /introspect from resource-endpoints.xml <http name="introspectSecurity" pattern="/introspect" create-session="stateless"
entry-point-ref="basicAuthenticationEntryPoint"
authentication-manager-ref="clientAuthenticationManager" use-expressions="true"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/**" access="hasAuthority('uaa.resource')"/>
<anonymous enabled="false"/>
<custom-filter ref="oauthWithoutResourceAuthenticationFilter" position="PRE_AUTH_FILTER"/>
<custom-filter ref="clientAuthenticationFilter" position="BASIC_AUTH_FILTER"/>
<expression-handler ref="oauthWebExpressionHandler"/>
<access-denied-handler ref="oauthAccessDeniedHandler"/>
<csrf disabled="true"/>
</http>
As per the API docs for 74.14.0,
Thanks, Viraj
|
||||||||||
|
||||||||||
Re: UAA api /introspect does not seem to be workign as expected
#uaa
Jeremy Morony
Hi Viraj,
From the details provided it looks like the call to /introspect might be using the user's token in the authorize header instead of a client token.
A successful curl request looks like:
curl -X POST http://uaa.example.com/instropect - H "Authorization: bearer client-token" -d "token=user-token"
Hope this helps. Jeremy.
From: cf-dev@... <cf-dev@...> on behalf of Shetty, Viraj S [CTR] via lists.cloudfoundry.org <vshetty=fdic.gov@...>
Sent: Thursday, September 10, 2020 2:58 PM To: cf-dev@... <cf-dev@...> Subject: Re: [cf-dev] UAA api /introspect does not seem to be workign as expected #uaa I increased the logging for the UAA and found this exception. The error message is "User is not anonymous". Any idea what this could mean?
09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.742] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.743] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Previously Authenticated: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@2e8b9cef: Principal:
7dafcb10-ca4b-4470-ae97-f632553a180d; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=167.176.6.240, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token,
profile, roles, user_attributes, uaa.user
2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.744] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3ac662ba, returned: -1
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.746] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.servletapi.SecurityCo
|
||||||||||
|
||||||||||
Re: UAA api /introspect does not seem to be workign as expected
#uaa
I increased the logging for the UAA and found this exception. The error message is "User is not anonymous". Any idea what this could mean?
09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.742] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.744] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3ac662ba, returned: -1
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.746] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.servletapi.SecurityCo
|
||||||||||
|
||||||||||
UAA api /introspect does not seem to be workign as expected
#uaa
Shetty, Viraj S [CTR]
Hi All,
We are using UAA version 74.14.0 We have a UAA installation for our internal applications in cloudfoundry environment. We have been having a problem in verifying the oauth token (JWT token) using the /introspect token, but cannot seem to see the reason. I tried a test using postman. 1. created a client with authority uaa.resource. See properties below. It has the uaa.resource authority. scope: uaa.none
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
access_token_validity: 300
authorities: uaa.resource
2. Generate a token for a user to test verification. 3. Using postman, I tried to call /introspect api with the "Authorization: Basic ..." (this is deprecated). But this call worked fine and I was able to see the token in returned json. 4. Using postman, I tried to call /introspect api with the "Authorization: Bearer {token}". This call failed with an error {
"error": "access_denied",
"error_description": "Access is denied"
}
I checked the bearer token and made sure that the scope has uaa.resource in there "scope": [ "uaa.resource" ], It looks like the /introspect call succeeds with "Authorization: basic .." but not "Authorization: bearer ..". Let me know what I am missing. I followed the API docs and I dont think I am missing any other authorithy for the client. Any help is appreciated. Thanks, Viraj
|
||||||||||
|
||||||||||
Re: CF Application Runtime PMC: Release Integration Project Lead Call for Nominations
Hi, everyone,
VMware is nominating Paul Warren for the Release Integration project lead in the Application Runtime PMC.
Paul has worked on Cloud Foundry since 2015, serving as an engineer on UAA, the anchor on Volume Services and, most recently, as an engineer on Release Integration.
Prior to joining VMware, Paul has spent 20 years serving in various roles from Engineer to Architect to Product Manager across DellEMC, EMC, Documentum, and SSA, primarily focused on developers and developer tooling.
Please send any other nominations directly to me or in reply to this message no later than 11:59 PM PDT on Tuesday, September 22, 2020.
Thanks,
Eric MalmFrom: cf-dev@... <cf-dev@...> on behalf of Eric Malm via lists.cloudfoundry.org <emalm=vmware.com@...>
Sent: Tuesday, September 8, 2020 3:47 PM To: cf-dev@... <cf-dev@...> Subject: [cf-dev] CF Application Runtime PMC: Release Integration Project Lead Call for Nominations
Hi, everyone,
Saikiran Yerram, the lead for the Release Integration project within the Application Runtime PMC, is stepping down. We thank him for his tremendous service in leading the cf-for-k8s and cf-deployment projects over the past year and a half.
The Release Integration team, based in San Francisco, now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59
PM PDT on Tuesday, September 22, 2020.
Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.
Thanks,
Eric Malm, CF Application Runtime PMC Lead
|
||||||||||
|
||||||||||
CF Application Runtime PMC: Release Integration Project Lead Call for Nominations
Hi, everyone,
Saikiran Yerram, the lead for the Release Integration project within the Application Runtime PMC, is stepping down. We thank him for his tremendous service in leading the cf-for-k8s and cf-deployment projects over the past year and a half.
The Release Integration team, based in San Francisco, now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59
PM PDT on Tuesday, September 22, 2020.
Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.
Thanks,
Eric Malm, CF Application Runtime PMC Lead
|
||||||||||
|
||||||||||
IMPORTANT NOTICE: [go-buildpack] End of Support for golang versions 1.13.x after 2020-10-02
Kashyap Vedurmudi <kvedurmudi@...>
The first release of the Go buildpack after October 2, 2020 will no longer include Go versions 1.13.x. These Go versions will no longer be supported upstream.[1] Please migrate your Go apps to supported versions of Go before that time. Note: As 1.13.x is the current default version of Go in the buildpack, the default Go version will be updated to 1.15.x as a part of this removal. If you’d like to use a different Go version, please configure your application to select that version[2]. As always, the buildpacks team is happy to answer questions you may have about this deprecation in the #buildpacks Slack channel. [1] - https://golang.org/doc/devel/release.html#policy [2] - https://docs.cloudfoundry.org/buildpacks/go/index.html Thanks, Kashyap Vedurmudi, Buildpacks PM
|
||||||||||
|
||||||||||
Cloud Foundry Summit Europe 2020 CFP Co-Chair Voting Form
Paige O'Connor <poconnor@...>
|
||||||||||
|
||||||||||
Re: Routing release 0.207.0
Dieu Cao
That's so cool!
Thanks Toby Lorne for the Pull Request to add this capability!
-Dieu
From: cf-dev@... <cf-dev@...> on behalf of Josh Russett via lists.cloudfoundry.org <jrussett=vmware.com@...>
Sent: Tuesday, September 1, 2020 4:19 PM To: cf-dev@... <cf-dev@...> Subject: [cf-dev] Routing release 0.207.0 Hey cf-dev!
Routing release 0.207.0 is now available.
Release Highlights
Manifest Property Changes
Regards, CloudFoundry Networking Program
|
||||||||||
|
||||||||||
Routing release 0.207.0
Josh Russett
Hey cf-dev!
Routing release 0.207.0 is now available.
Release Highlights
Manifest Property Changes
Regards, CloudFoundry Networking Program
|
||||||||||
|
||||||||||
Re: Seeking track co-chair nominations for Cloud Foundry EU Summit
Dieu Cao
The past selection processes have not been blind, although it is possible to ignore the columns that include the names of submitters. Not sure what the process will be this time around.
I'll note that I don't think a completely blind review and selection process is the answer. I think we'd want to encourage new speakers, who might not have as polished an abstract/title, as well as experienced speakers, for example. In addition, I think we'd
want to ensure that if there are groups or perspectives that is under-represented among the submissions, that co-chairs are able to see that and can solicit/source additional talks from those groups for consideration alongside other submissions.
My 2 cents on that.
-Dieu
From: cf-dev@... <cf-dev@...> on behalf of Daniel Jones via lists.cloudfoundry.org <daniel.jones=engineerbetter.com@...>
Sent: Tuesday, September 1, 2020 9:17 AM To: Discussions about Cloud Foundry projects and the system overall. <cf-dev@...> Cc: cf-users@... <cf-users@...>; Foundation Staff <foundation-staff@...> Subject: Re: [cf-dev] Seeking track co-chair nominations for Cloud Foundry EU Summit Hi folks,
Is the talk-selection process blind? As in, can we appraise talks without knowing the identity of the speaker?
Regards,
Daniel 'Deejay' Jones - CEO
+44 (0)79 8000 9153
EngineerBetter
Ltd - More than cloud platform specialists
On Thu, 27 Aug 2020 at 17:30, Paige O'Connor <poconnor@...> wrote:
|
||||||||||
|
||||||||||
Re: Seeking track co-chair nominations for Cloud Foundry EU Summit
Daniel Jones
Hi folks, Is the talk-selection process blind? As in, can we appraise talks without knowing the identity of the speaker? Regards, Daniel 'Deejay' Jones - CEO +44 (0)79 8000 9153 EngineerBetter Ltd - More than cloud platform specialists
On Thu, 27 Aug 2020 at 17:30, Paige O'Connor <poconnor@...> wrote:
|
||||||||||
|
||||||||||
Sunset of SAP's https://github.com/SAP/ipsec-release
Lay, Stefan
Hello community,
We would like to sunset the bosh-release for ipsec [1] which we contributed around 4 years ago.
Please contact us if you have any objections.
Kind regards,
[1] https://github.com/SAP/ipsec-release [2] http://ipsec-tools.sourceforge.net/
|
||||||||||
|
||||||||||
Announcing the cf CLI v6.52.0 Release
Josh Collins
Good Morning, Good Afternoon, and Good Evening,
The cf CLI team
has released v6.52.0 of
the cf CLI yesterday afternoon.
This v6 release includes the final feature functionality updates that we will be making to the v6 line outside
of the most severe blocking bugs and/or CVE patches.
Highlights:
- Legacy plugins use Log Cache - [story]
**NOTE:** We bumped the config as part of the implementation. CLI users that had targeted and logged into their foundations prior to updating to this CLI version may be required to to
re-login & target to initialize the updated config.
- Add logic to revoke tokens on CLI logout when revocable flag for UAA is present
- Improved redaction in UAA verbose logging
- If UAA provides standard prompts (Email, Password) then the CLI can translate
them into the user's locale; else will display the prompt provided by UAA platform
operator.
- Thanks @frodenas for PR'ing the sample translation for Spanish
- Provide localized prompt if sso is misconfigured - [story]
Shameless Plug:
Please join the cf CLI App-Dev Collective! - what's that? Read about it in our
blog post.
Bug Fixes: - Lowercase hostname in `map-route` - [story]
- Correct an issue with the update-service command where command was removing the tags on service when no tags were provided.
Contributors:
James Palmer, Nick Webb, Jenna Goldstrich, Alexander Berezovsky, Steve Taylor, Josh Collins, Andrew Crump, Olivier Lechevalier, Xinhu Liu, Lisa Burns, Sebastian Vidrio
Note: The
minimum version of the CC API this CF CLI release is compatible with is CC API v2.100.0 (3.35). - See our
minimum supported version policy for more information.
And as always,
we really would love to hear from you so please feel free to respond to this email or find us in the Cloud
Foundry Slack #cli channel
any time.
Thank you very much,
The cf CLI Team
|
||||||||||
|
||||||||||
Seeking track co-chair nominations for Cloud Foundry EU Summit
Paige O'Connor <poconnor@...>
|
||||||||||
|
||||||||||
Cloud Foundry Summit Europe 2020 CFP Co-Chair Nomination Form
Paige O'Connor <poconnor@...>
|
||||||||||
|