
Re: UAA with MySQL Service - SQLException

Bryan Perino
 

I think it is looking at VCAP Services. It partially configured the URL correctly (the random Username, Password and DB Name are correct) without me doing anything other than activating the mysql profile.

I have also disabled the Auto Config as per the docs

http://i.imgur.com/ncaafT6.png


Re: Built-in blue-green deployment support

Nicholas Calugar
 

Hi John / Eitan,

We have a couple tracks of work planned for the new V3 Cloud Foundry API:

Zero-downtime deployment - Diego to support changing an application
specification of a running LRP in a zero-downtime manner:
https://www.pivotaltracker.com/story/show/111166678

Native support for advanced deployment strategies like blue-green
deployment: https://www.pivotaltracker.com/story/show/124264941


The V3 API is still experimental, but we are working diligently to get to
general availability. Feel free to follow along in our Tracker, read the
docs, and visit us in Slack!

https://www.pivotaltracker.com/n/projects/966314
http://v3-apidocs.cloudfoundry.org/version/release-candidate/index.html
https://cloudfoundry.slack.com/messages/capi/


Thanks,

Nick

On Fri, Jul 1, 2016 at 10:22 AM, Eitan Suez <esuez(a)pivotal.io> wrote:

i know that the cf autopilot plugin does this (
https://github.com/concourse/autopilot ).

this other plugin:
https://github.com/bluemixgaragelondon/cf-blue-green-deploy
may also be worth checking out.

i haven't used either enough to really vet them out, but i like this idea
of plugging in a suite of smoke tests to control proceeding with vs
aborting a deployment.

/ eitan




On Fri, Jul 1, 2016 at 12:15 PM, John Wong <gokoproject(a)gmail.com> wrote:

Hi

Is there already a built-in, out of the box solution for blue-green
deployment in CF now without having the need of deploying an app with a
different name and then working with map-route manually? If not, I find
having blue-green out of the box would be great. Right now, CF would switch
automatically at the end of the deployment (with a small downtime tradeoff)
by replacing the existing containers with the new ones.

Thanks.

John
--
Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc.


Re: UAA with MySQL Service - SQLException

Sree Tummidi
 

I don't believe that's the case. It should be set in UAA.yml

Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry

On Fri, Jul 1, 2016 at 1:10 PM, Daniel Mikusa <dmikusa(a)pivotal.io> wrote:

I don't think this is related to PWS. In this case UAA is just another
app running on CF, so it's really an issue about how UAA is loading its
database configuration. From the instructions here [1], it seems that you
need to disable the Java build pack's auto reconfiguration. Unless UAA is
looking at VCAP_SERVICES for you then you'd need to configure the DB
manually. Have you tried configuring the DB settings in uaa.yml?

Sree - does UAA look at VCAP_SERVICES?

Dan

[1] - https://github.com/cloudfoundry/uaa#deploy-to-cloud-foundry

On Fri, Jul 1, 2016 at 2:43 PM, Sree Tummidi <stummidi(a)pivotal.io> wrote:

For PWS issues, you can create a support ticket on run.pivotal.io

Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry


On Fri, Jul 1, 2016 at 10:02 AM, Bryan Perino <Bryan.Perino(a)gmail.com>
wrote:

I cross posted this to StackOverflow:


http://stackoverflow.com/questions/38150593/uaa-in-cloud-foundry-sqlexception

I was not sure if this was a PWS issue or Cloud Foundry. If it's a PWS
issue, this is the wrong place right?


Re: UAA with MySQL Service - SQLException

Daniel Mikusa
 

I don't think this is related to PWS. In this case UAA is just another app
running on CF, so it's really an issue about how UAA is loading its
database configuration. From the instructions here [1], it seems that you
need to disable the Java build pack's auto reconfiguration. Unless UAA is
looking at VCAP_SERVICES for you then you'd need to configure the DB
manually. Have you tried configuring the DB settings in uaa.yml?

Sree - does UAA look at VCAP_SERVICES?

Dan

[1] - https://github.com/cloudfoundry/uaa#deploy-to-cloud-foundry

On Fri, Jul 1, 2016 at 2:43 PM, Sree Tummidi <stummidi(a)pivotal.io> wrote:

For PWS issues, you can create a support ticket on run.pivotal.io

Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry


On Fri, Jul 1, 2016 at 10:02 AM, Bryan Perino <Bryan.Perino(a)gmail.com>
wrote:

I cross posted this to StackOverflow:


http://stackoverflow.com/questions/38150593/uaa-in-cloud-foundry-sqlexception

I was not sure if this was a PWS issue or Cloud Foundry. If it's a PWS
issue, this is the wrong place right?


Re: UAA with MySQL Service - SQLException

Sree Tummidi
 

For PWS issues, you can create a support ticket on run.pivotal.io

Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry


On Fri, Jul 1, 2016 at 10:02 AM, Bryan Perino <Bryan.Perino(a)gmail.com>
wrote:

I cross posted this to StackOverflow:


http://stackoverflow.com/questions/38150593/uaa-in-cloud-foundry-sqlexception

I was not sure if this was a PWS issue or Cloud Foundry. If it's a PWS
issue, this is the wrong place right?


Re: Built-in blue-green deployment support

Eitan Suez <esuez@...>
 

i know that the cf autopilot plugin does this (
https://github.com/concourse/autopilot ).

this other plugin:
https://github.com/bluemixgaragelondon/cf-blue-green-deploy
may also be worth checking out.

i haven't used either enough to really vet them out, but i like this idea
of plugging in a suite of smoke tests to control proceeding with vs
aborting a deployment.

/ eitan

On Fri, Jul 1, 2016 at 12:15 PM, John Wong <gokoproject(a)gmail.com> wrote:

Hi

Is there already a built-in, out of the box solution for blue-green
deployment in CF now without having the need of deploying an app with a
different name and then working with map-route manually? If not, I find
having blue-green out of the box would be great. Right now, CF would switch
automatically at the end of the deployment (with a small downtime tradeoff)
by replacing the existing containers with the new ones.

Thanks.

John


Built-in blue-green deployment support

John Wong
 

Hi

Is there already a built-in, out of the box solution for blue-green
deployment in CF now without having the need of deploying an app with a
different name and then working with map-route manually? If not, I find
having blue-green out of the box would be great. Right now, CF would switch
automatically at the end of the deployment (with a small downtime tradeoff)
by replacing the existing containers with the new ones.

Thanks.

John


Re: UAA with MySQL Service - SQLException

Bryan Perino
 

I cross posted this to StackOverflow:

http://stackoverflow.com/questions/38150593/uaa-in-cloud-foundry-sqlexception

I was not sure if this was a PWS issue or Cloud Foundry. If it's a PWS issue, this is the wrong place right?


Re: CF CLI v6.20.0 Released Today

Krannich, Bernd <bernd.krannich@...>
 

Hi Dies,

Congrats - great release (as usual)!

With respect to the CLI, I came across a question yesterday I couldn’t answer: Is there a way to list all orgs/spaces that are associated with a particular quota plan?

The best I could come up with was (for orgs):
for o in $(cf orgs); do cf org $o | grep -C 3 my_quota; done

Of course, with a long list of orgs this is running for quite some time. I also checked the Cloud Controller API pages to see if I can come up with something using `cf curl` but couldn’t find anything there.

Any suggestions on how to answer the above question more easily?

Thanks in advance,
Bernd

From: "Koper, Dies" <diesk(a)fast.au.fujitsu.com>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: Thursday 30 June 2016 at 02:40
To: "cf-dev(a)lists.cloudfoundry.org" <cf-dev(a)lists.cloudfoundry.org>
Subject: [cf-dev] CF CLI v6.20.0 Released Today

The CF CLI team just cut 6.20.0. Binaries and link to release notes are available at:

https://github.com/cloudfoundry/cli#downloads

Route Services and Routes with Paths

Route services can now be bound to routes with paths.

Binding Security Groups to All Spaces of an Org

Security groups can now be bound to all spaces of an org in one command call.

Fixed Regressions

* Plug-in failures
Some plug-ins failed since cf CLI 6.17.0 due to an unintended change to the response of the CliCommandWithoutTerminalOutput function (#866<https://github.com/cloudfoundry/cli/issues/866>)
* .* in .cfignore
While cf CLI 6.13.0 correctly interprets pattern .* in .cfignore to mean ignore all files starting with a period, cf CLI 6.14.0 and greater ignores all files and fails to push the app.
This has been corrected. (#870<https://github.com/cloudfoundry/cli/issues/870>)
* cf copy-source with non-existing target app produces confusing error message
While cf CLI 6.17.1 correctly fails with a message that the target app could not be found, cf CLI 6.18.1 fails saying the target space could not be found.
This is addressed, and the command's help has been improved to clarify that the target app has to exist. (#849<https://github.com/cloudfoundry/cli/issues/849>)
* Negative WaitGroup Counter Panic
The cf CLI could panic when pushing an app when the noaa library the CLI uses to retrieve logs does a retry. (#850<https://github.com/cloudfoundry/cli/issues/850>)

Updated Commands

* bind-route-service and unbind-route-service now accept a route path
* bind-security-group now allows the space name to be omitted, binding the security group to all spaces of the org

New & Updated Community Plugins

* Copy Env v1.0.0: https://github.com/jthomas/copyenv
* Usage Report v1.3.1: https://github.com/krujos/usagereport-plugin
* Antifreeze v0.3.0: https://github.com/odlp/antifreeze

Enjoy!

Regards,
Dies Koper
Cloud Foundry CLI PM


UAA with MySQL Service - SQLException

Bryan Perino
 

Hello All,

I have pushed UAA to my Pivotal Web Services account and bound it to the ClearDB MySQL Database service. I have set the environment variables to activate the default and mysql profiles. Unfortunately, the UAA app is throwing a SQLException on startup and won't display the login page.

java.sql.SQLException: Driver:org.mariadb.jdbc.Driver@6da45c52 returned null for URL:mysql2://<user>:<password>@us-cdbr-iron-east-04.cleardb.net:3306/<database>?reconnect=true

I have confirmed that this information is almost correct as per the service credentials. The only difference is the mysql2 in the connection URL. The service defines the connection URL as:

mysql://<user>:<password>@us-cdbr-iron-east-04.cleardb.net:3306/<database>?reconnect=true

For some reason, mysql gets replaced with mysql2. Here is the deployment manifest.yml:

https://gist.github.com/bryantp/ebb96e7b3d5208278c9d289f1d9951d9

Here is the full log from the browser:

https://gist.github.com/bryantp/75f500026d9b5bebb572c43b5f87563d

Do I have to do anything for UAA to pick this up? I was under the assumption that it would detect the bound service and then apply the correct information (Which it seems it did)

Thanks for any assistance.


Re: Spring OAuth2 - tokenInfoUri

Bryan Perino
 

Figured it out. I needed to define more information in my application.yml. Namely, the client information

    security:
      oauth2:
        client:
          clientId: myId
          clientSecret: my-secret
        resource:
          userInfoUri: http://localhost:8080/uaa/userinfo
          tokenInfoUri: http://localhost:8080/uaa/check_token
          preferTokenInfo: true


How To Manage List Subscriptions

Ryan Baxter
 

I am trying to manage my list subscription settings, but when I log into
lists.cloudfoundry.org, it doesn't say I am subscribed to any lists. I know
I am because I am getting emails ;). I was subscribed to some lists before
they were moved to being managed by the Linux Foundation so maybe that has
something to do with it? Can you advise how I should manage my list
subscriptions?


Re: Spring OAuth2 - tokenInfoUri

Bryan Perino
 

Here is the YML file configuration for Spring OAuth as well as the code that makes the POST call:

YML: https://gist.github.com/bryantp/fbf2f5a46aa883588b6f5230cae5248f

Code: https://gist.github.com/bryantp/70bf538626661a623f5099b704872938

Returns a 404


CVE-2016-4468 UAA SQL Injection

Chip Childers <cchilders@...>
 

CVE-2016-4468 UAA SQL Injection

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

- Cloud Foundry release v237 and earlier versions
- UAA release v3.4.0 and earlier versions
- UAA release V12 and earlier versions

Description

There is the potential for a SQL injection attack in UAA for authenticated
users.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

- Upgrade to Cloud Foundry v238 [1] or later
- For standalone UAA users
- For users using UAA Version 3.0.0 - 3.4.0, please upgrade to UAA
  Release to v3.3.0.2 [3] or v3.4.1 [4]
- For users using standalone UAA Version 2.X.X, please upgrade to UAA
  Release to v2.7.4.4 [2]
- For users using UAA-Release (UAA bosh release), please upgrade to
  UAA-Release v12.2 [5] if upgrading to v3.4.1 [4] or v11.2 [6] if
  upgrading to v3.3.0.2 [3]

Credit

Graham Viski, Digital Transformation Office, Australian Government

References

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v238

[2] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.4

[3] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.2

[4] https://github.com/cloudfoundry/uaa/releases/tag/3.4.1

[5] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=12.2

[6] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=11.2

History

2016-06-30: Initial vulnerability report published
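
An added example, not part of the advisory or of any Cloud Foundry project code: a triage helper that classifies a deployed release against the fixed versions listed above. The component keys, function names and the "unverified" verdict for later builds on a back-port branch are assumptions of this example; the sample inventory is constructed.

```python
import re

# Releases the advisory names as carrying the fix, per component (from the page).
FIXED = {
    "cf-release": [(238,)],
    "uaa": [(2, 7, 4, 4), (3, 3, 0, 2), (3, 4, 1)],
    "uaa-release": [(11, 2), (12, 2)],
}
WIDTH = 4  # the longest version in the advisory has four components


def parse(version):
    """'v3.3.0.2' -> (3, 3, 0, 2), zero-padded to WIDTH for comparison."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+){0,3})", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (WIDTH - len(parts))


def triage(component, version):
    """Return 'fixed', 'affected' or 'unverified' for one deployed release."""
    v = parse(version)
    fixed = FIXED[component]
    padded = [f + (0,) * (WIDTH - len(f)) for f in fixed]
    # At or beyond the newest fixed release, or exactly a listed back-port.
    if v >= max(padded) or v in padded:
        return "fixed"
    for f, f4 in zip(fixed, padded):
        branch = len(f) - 1  # leading components that identify the branch
        if v[:branch] == f4[:branch] and v > f4:
            # Later build on a back-port branch: the advisory does not list it,
            # so this example refuses to guess (assumption of the example).
            return "unverified"
    return "affected"


def report(inventory):
    """inventory: iterable of (component, version); returns the findings."""
    return [(c, ver, triage(c, ver)) for c, ver in inventory]


if __name__ == "__main__":
    # Constructed inventory, not data from the page.
    sample = [("cf-release", "v237"), ("uaa", "3.4.0"), ("uaa", "3.3.0.2"),
              ("uaa", "2.7.4.5"), ("uaa-release", "12"), ("uaa-release", "11.2")]
    for row in report(sample):
        print("%-12s %-8s %s" % row)
```

Anything reported as "affected" maps to one of the upgrade paths in the Mitigation list; "unverified" means the release notes for that build need checking by hand.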


Re: Spring OAuth2 - tokenInfoUri

Bryan Perino
 


Re: How to make values in VCAP_SERVICES json private or secret or hidden

Stuart Charlton
 

Hi Nikhil,

Generally the way to prevent individuals from reading VCAP_SERVICES is to
give them a non-SpaceDeveloper role in that space, like SpaceAuditor. A
SpaceDeveloper is the only role that can read or set those values, and
generally you'd want them to be able to manage them.

So, say a developer pushed code to QA, they'd have SpaceDeveloper access to
a QA space, and could read/write VCAP_SERVICES.

Pushing to production you'd have a different person with SpaceDeveloper
access to a Prod space. Or, more commonly, you'd prod access to a secured
CI/CD tool like Jenkins or Concourse that governed SpaceDeveloper access to
Prod.

Cheers
Stu


On Wed, Jun 29, 2016 at 3:28 PM, Nikhil Katre <nikhil.katre(a)appdynamics.com>
wrote:

Hi,

I have a service that is supported on Cloud Foundry through Java Buildpack.
I am trying to make the values of my service in VCAP_SERVICES json hidden
or private, so that it's invisible using the command cf env.
Does anyone know how to achieve this in Cloud Foundry or PCF platform?


--

Stuart Charlton

Pivotal Software | Platform Architecture

Mobile: 403-671-9778 | Email: scharlton(a)pivotal.io


Re: Spring OAuth2 - tokenInfoUri

Daniel Mikusa
 

On Thu, Jun 30, 2016 at 1:43 AM, Bryan Perino <Bryan.Perino(a)gmail.com>
wrote:

Hello All,

I am using Spring Cloud Security with OAuth2 and am having an issue
related to it not passing the scopes around. I believe that I need to
define an endpoint to retrieve information about a given token (Including
its scopes). However, I am getting an error stating that it is
unauthorized:

I have defined this endpoint for the token info:
http://localhost:8080/uaa/check_token

Here is the error:

https://gist.github.com/bryantp/eb81d46b7beac9ee5011e5eca33a7a5c

Do you have logs from UAA? The UAA logs will sometimes tell you more about
the response you received.

Dan




I noticed that it is making a request to the endpoint, and the verbiage is
correct. I am not sure what it could be sending wrong. This is related to
this issue I found for Spring Boot and has to deal with Authorization on a
per-method basis.

https://github.com/spring-projects/spring-boot/issues/5096

Thanks for any help.


Spring OAuth2 - tokenInfoUri

Bryan Perino
 

Hello All,

I am using Spring Cloud Security with OAuth2 and am having an issue related to it not passing the scopes around. I believe that I need to define an endpoint to retrieve information about a given token (Including its scopes). However, I am getting an error stating that it is unauthorized:

I have defined this endpoint for the token info: http://localhost:8080/uaa/check_token

Here is the error:

https://gist.github.com/bryantp/eb81d46b7beac9ee5011e5eca33a7a5c

I noticed that it is making a request to the endpoint, and the verbiage is correct. I am not sure what it could be sending wrong. This is related to this issue I found for Spring Boot and has to deal with Authorization on a per-method basis.

https://github.com/spring-projects/spring-boot/issues/5096

Thanks for any help.


Re: Spring OAuth not retrieving scopes from UAA

Madhura Bhave
 

The request to /oauth/authorize takes in a scope parameter where you can
specify which scopes you want in your access token. That is what adding the
scope in application.yml did. If you don't specify any scope parameter to
that request you get all the scopes that both the client and user have in
common. So in your case,

http://localhost:8080/uaa/oauth/authorize?client_id=myApp&redirect_uri=http://localhost:8081/login&response_type=code&scope=uaa.admin%20openid&state=QUHpO2

and

http://localhost:8080/uaa/oauth/authorize?client_id=myApp&redirect_uri=http://localhost:8081/login&response_type=code&state=QUHpO2


will end up with the same result.

The reason why uaa.admin does not show up on the authorization page in both
cases is because the UAA ignores scopes with a prefix of `uaa.` when asking
the user to authorize the scopes.

On Wed, Jun 29, 2016 at 3:04 PM, Bryan Perino <Bryan.Perino(a)gmail.com>
wrote:

Thanks! I am not sure if it makes a difference, but I can also specify the
scope in the client config:


https://gist.github.com/bryantp/4b3dadb17c620d301109859fd92c4539#file-application-yml-L16

The request URL then becomes:


http://localhost:8080/uaa/oauth/authorize?client_id=myApp&redirect_uri=http://localhost:8081/login&response_type=code&scope=uaa.admin%20openid&state=QUHpO2

Full HAR file:

https://dl.dropboxusercontent.com/u/4177525/request-with-scopes.har

However, I still only get the OpenID auth/scope on the UAA auth page.
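
The scope handling described in the reply above, as an added example that is not part of the thread and is not UAA's code: it parses the two authorize URLs from the message and applies the rules as stated (no scope parameter means every scope the client and user have in common; `uaa.`-prefixed scopes are left off the approval page). The function names, the client and user scope sets, and the choice to silently drop a requested scope outside the common set are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs

# The two authorize requests quoted in the reply above.
AUTHORIZE_WITH_SCOPE = (
    "http://localhost:8080/uaa/oauth/authorize?client_id=myApp"
    "&redirect_uri=http://localhost:8081/login&response_type=code"
    "&scope=uaa.admin%20openid&state=QUHpO2")
AUTHORIZE_WITHOUT_SCOPE = (
    "http://localhost:8080/uaa/oauth/authorize?client_id=myApp"
    "&redirect_uri=http://localhost:8081/login&response_type=code"
    "&state=QUHpO2")


def requested_scopes(authorize_url):
    """Scopes named in the scope= parameter, or None when it is absent."""
    query = parse_qs(urlsplit(authorize_url).query)
    if "scope" not in query:
        return None
    # parse_qs has already decoded %20, so scopes are space-separated.
    return set(query["scope"][0].split())


def token_scopes(authorize_url, client_scopes, user_scopes):
    """Scopes that end up in the token under the rules stated in the reply."""
    common = set(client_scopes) & set(user_scopes)
    asked = requested_scopes(authorize_url)
    # No scope parameter: everything client and user share is granted.
    return common if asked is None else common & asked


def approval_page_scopes(scopes):
    """Scopes the user is asked to approve: `uaa.`-prefixed ones are skipped."""
    return {s for s in scopes if not s.startswith("uaa.")}


if __name__ == "__main__":
    # Constructed scope sets: the thread's case, then a broader client/user.
    cases = {
        "thread": ({"uaa.admin", "openid"}, {"uaa.admin", "openid"}),
        "broader": ({"uaa.admin", "openid", "scim.read"},
                    {"uaa.admin", "openid", "scim.read"}),
    }
    for name, (client, user) in cases.items():
        for url in (AUTHORIZE_WITH_SCOPE, AUTHORIZE_WITHOUT_SCOPE):
            granted = token_scopes(url, client, user)
            print(name, sorted(granted), "approval:",
                  sorted(approval_page_scopes(granted)))
```

In the "broader" case the request without a scope parameter yields a token with more scopes than the explicit request, which is the reason to name the scopes a client needs rather than rely on the default.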


CF CLI v6.20.0 Released Today

Koper, Dies <diesk@...>
 

The CF CLI team just cut 6.20.0. Binaries and link to release notes are available at:

https://github.com/cloudfoundry/cli#downloads

Route Services and Routes with Paths

Route services can now be bound to routes with paths.

Binding Security Groups to All Spaces of an Org

Security groups can now be bound to all spaces of an org in one command call.

Fixed Regressions

* Plug-in failures
Some plug-ins failed since cf CLI 6.17.0 due to an unintended change to the response of the CliCommandWithoutTerminalOutput function (#866<https://github.com/cloudfoundry/cli/issues/866>)
* .* in .cfignore
While cf CLI 6.13.0 correctly interprets pattern .* in .cfignore to mean ignore all files starting with a period, cf CLI 6.14.0 and greater ignores all files and fails to push the app.
This has been corrected. (#870<https://github.com/cloudfoundry/cli/issues/870>)
* cf copy-source with non-existing target app produces confusing error message
While cf CLI 6.17.1 correctly fails with a message that the target app could not be found, cf CLI 6.18.1 fails saying the target space could not be found.
This is addressed, and the command's help has been improved to clarify that the target app has to exist. (#849<https://github.com/cloudfoundry/cli/issues/849>)
* Negative WaitGroup Counter Panic
The cf CLI could panic when pushing an app when the noaa library the CLI uses to retrieve logs does a retry. (#850<https://github.com/cloudfoundry/cli/issues/850>)

Updated Commands

* bind-route-service and unbind-route-service now accept a route path
* bind-security-group now allows the space name to be omitted, binding the security group to all spaces of the org

New & Updated Community Plugins

* Copy Env v1.0.0: https://github.com/jthomas/copyenv
* Usage Report v1.3.1: https://github.com/krujos/usagereport-plugin
* Antifreeze v0.3.0: https://github.com/odlp/antifreeze

Enjoy!

Regards,
Dies Koper
Cloud Foundry CLI PM