Usage retrieval authorization was: Re: [abacus] Usage submission authorization
Piotr Przybylski <piotrp@...>
Does the user who would like to see their usage (e.g. services in the organization they own) need to have the 'abacus.usage.read' scope, as discussed below?

Piotr

-----Saravanakumar A Srinivasan/Burlingame/IBM@IBMUS wrote: -----
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev@...>
From: Saravanakumar A Srinivasan/Burlingame/IBM@IBMUS
Date: 10/15/2015 10:20PM
Subject: [cf-dev] Re: Re: Re: Re: Re: Re: Re: [cf-dev][abacus] Usage submission authorization

> what will be the scope for securing internal Abacus pipeline that Assk describes as system token?

It is 'abacus.usage.write'.

Updated my previous statements to make it more specific: We have enabled scope-based authorization for REST endpoints at the usage collector and usage reporting service. While we are working on using a system OAuth bearer access token at the internal Abacus pipeline, submitting usage to a secured Abacus needs an OAuth bearer access token with the 'abacus.usage.write' system scope in addition to the resource provider specific scope(s) - 'abacus.usage.<resource_id>.write'.

Thanks,
Saravanakumar Srinivasan (Assk),

-----Piotr Przybylski/Burlingame/IBM@IBMUS wrote: -----
To: cf-dev@...
From: Piotr Przybylski/Burlingame/IBM@IBMUS
Date: 10/15/2015 09:50PM
Subject: [cf-dev] Re: Re: Re: Re: Re: Re: [cf-dev][abacus] Usage submission authorization

Makes sense, and just to complete - what will be the scope for securing the internal Abacus pipeline that Assk describes as system token?

Piotr
Jean-Sebastien Delfino
Hi Piotr,
A resource provider or another system component can present a client token with abacus.usage.read to read back the usage submitted to Abacus. I wouldn't recommend giving that scope to users of the Abacus reporting service, as it'll give them too much power and visibility on usage from all orgs.

The reporting service does not require the abacus.usage.read scope. Instead it delegates the authorization to get a report for a particular org to the account service (which you're responsible for implementing, as an integrator of Abacus). Any user token from the report request is passed to your account service, giving you a way to check that user's membership in the org and any groups you've defined in that org and the roles that user is entitled to.

HTH - Jean-Sebastien

On Mon, Oct 19, 2015 at 12:53 PM, Piotr Przybylski <piotrp(a)us.ibm.com> wrote:
> Does the user who would like to see their usage (e.g. services in the
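The two authorization rules discussed in this thread, the submission check from Assk's message (system scope 'abacus.usage.write' plus the resource-specific 'abacus.usage.<resource_id>.write') and the report authorization Jean-Sebastien describes (the reporting service hands the caller's user token to the integrator's account service instead of requiring abacus.usage.read), written out as an added example. This is not Abacus project code and not code from either author; the account service is a hypothetical callback, the token claims are constructed sample objects, and JWT signature and expiry verification are assumed to have happened before these functions run.

```javascript
// Added example (not Abacus code). Models the scope rules described in the thread.
// Token claims are already-verified objects; signature/expiry checks are assumed upstream.

// The OAuth2 'scope' claim may be an array (UAA style) or a space-separated string.
function scopesOf(claims) {
  const s = claims && claims.scope;
  if (Array.isArray(s)) return new Set(s);
  if (typeof s === 'string') return new Set(s.split(/\s+/).filter(Boolean));
  return new Set();
}

// Rule 1: submitting a usage document to the collector needs the system scope
// plus the resource-specific scope for the document's resource_id.
function authorizeSubmission(claims, usage) {
  const scopes = scopesOf(claims);
  if (!scopes.has('abacus.usage.write'))
    return { ok: false, reason: 'missing system scope abacus.usage.write' };
  // resource_id comes from the submitted document, so validate its shape before
  // building a scope name from it (exact matching keeps odd ids harmless anyway).
  const rid = usage && usage.resource_id;
  if (typeof rid !== 'string' || !/^[a-z0-9][a-z0-9_-]*$/i.test(rid))
    return { ok: false, reason: 'invalid resource_id' };
  const needed = `abacus.usage.${rid}.write`;
  if (!scopes.has(needed))
    return { ok: false, reason: `missing resource scope ${needed}` };
  return { ok: true };
}

// Rule 2: a report request for an org. No abacus.usage.read is required; the
// caller's token is passed to the integrator's account service (hypothetical
// callback here), which decides org membership. Fail closed on any other answer.
function authorizeReport(claims, orgId, accountService) {
  if (typeof accountService !== 'function')
    return { ok: false, reason: 'no account service configured' };
  const allowed = accountService(claims, orgId) === true;
  return allowed ? { ok: true } : { ok: false, reason: `not a member of org ${orgId}` };
}

// Read-back of submitted usage by a component (resource provider, pipeline).
function authorizeReadBack(claims) {
  return scopesOf(claims).has('abacus.usage.read')
    ? { ok: true }
    : { ok: false, reason: 'missing scope abacus.usage.read' };
}

// ---- constructed sample data ----
// Hypothetical account service backed by an in-memory org -> members map.
const SAMPLE_ORG_MEMBERS = { 'org-a': new Set(['alice']), 'org-b': new Set(['bob']) };
function sampleAccountService(claims, orgId) {
  const members = SAMPLE_ORG_MEMBERS[orgId];
  return !!(members && claims && members.has(claims.user_name));
}

const PROVIDER_TOKEN = {          // constructed client token of a resource provider
  client_id: 'storage-provider',
  scope: ['abacus.usage.write', 'abacus.usage.storage.write']
};
const PIPELINE_TOKEN = {          // constructed system token, space-separated scope string
  client_id: 'abacus-pipeline',
  scope: 'abacus.usage.write abacus.usage.read'
};
const ALICE_TOKEN = { user_name: 'alice', scope: ['openid'] };  // constructed user token

function demo() {
  return {
    providerOwnResource: authorizeSubmission(PROVIDER_TOKEN, { resource_id: 'storage' }),
    providerOtherResource: authorizeSubmission(PROVIDER_TOKEN, { resource_id: 'compute' }),
    pipelineNoResourceScope: authorizeSubmission(PIPELINE_TOKEN, { resource_id: 'storage' }),
    aliceOrgA: authorizeReport(ALICE_TOKEN, 'org-a', sampleAccountService),
    aliceOrgB: authorizeReport(ALICE_TOKEN, 'org-b', sampleAccountService),
    aliceReadBack: authorizeReadBack(ALICE_TOKEN),
    pipelineReadBack: authorizeReadBack(PIPELINE_TOKEN)
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that a user token carrying only 'openid' never reaches the usage data through the scope checks; it is the account service's membership answer that grants a report for org-a and denies one for org-b, which is the split of responsibilities Jean-Sebastien describes.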