Assigning Role to Group


Zakharov Alexey <alexey.zakharov@...>
 

> > Hi guys!
> > Sorry if my question is newbie or it was discussed before.
> > I want to use LDAP for users authentication/authorisation. And I’ve
> > successfully bound CF to LDAP, and managed to configure uaac group mappings.
> > But then I realised that there is no way to assign a Role to that group.
> > ‘cf set-org-role’ accepts only usernames as a parameter, but not groups. I
> > think assigning Developer role to group is more flexible than assigning it
> > to every particular user.
> > Are you going to add this feature later? Or maybe there is another way
> > to do group binding?
>
> Have you looked at the `uaac` tool? I'm not quite sure I understand what
> you're trying to do, but you can map an LDAP group DN to a UAA group with
> `uaac`. Then if a user in that LDAP group logs in, they'll have that uaa
> group. Is that what you're looking to do?
>
> Ex:
>
> uaac group map --name cloud_controller.admin "GROUP-DISTINGUISHED-NAME"
>
> Or are you asking about mapping LDAP groups to CF org & space roles? i.e.
> user in ldap group X is automatically given the OrgManager role in org Y.
>
> Dan


Hi Dan!

Yes, as I’ve stated before, I’ve already managed to configure group mappings using ‘uaac group map’.

And now I want to bind group members to Organizations and Spaces. Is it possible to do?

---
Alexey Zakharov | CloudFoundry Team | Altoros
Tel: (617) 841-2121 ext. 5704 | Toll free: 855-ALTOROS
Fax: (866) 201-3646 | Skype: alexey.zakharov.a
www.altoros.com | blog.altoros.com | twitter.com/altoros


Daniel Mikusa
 

On Wed, Jul 22, 2015 at 3:27 AM, Zakharov Alexey <
alexey.zakharov(a)altoros.com> wrote:

> Hi guys!
> Sorry if my question is newbie or it was discussed before.
> I want to use LDAP for users authentication/authorisation. And I’ve
> successfully bound CF to LDAP, and managed to configure uaac group mappings.
> But then I realised that there is no way to assign a Role to that group.
> ‘cf set-org-role’ accepts only usernames as a parameter, but not groups. I
> think assigning Developer role to group is more flexible than assigning it
> to every particular user.
> Are you going to add this feature later? Or maybe there is another way
> to do group binding?

Sorry, missed that in your original post. Last I heard no you couldn't do
this mapping, but that was a while ago though. Maybe someone on the
Identity team could confirm.

Dan


Sree Tummidi
 

This support is not yet available

Thanks,
Sree

Sent from my iPad

On Jul 22, 2015, at 4:35 AM, Daniel Mikusa <dmikusa(a)pivotal.io> wrote:

Sorry, missed that in your original post. Last I heard no you couldn't do this mapping, but that was a while ago though. Maybe someone on the Identity team could confirm.

Dan

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Filip Hanik
 

To elaborate a bit more, at this time the cloud controller maintains its
own roles and ACLs in the CC database.

Filip

On Wednesday, July 22, 2015, Sree Tummidi <stummidi(a)pivotal.io> wrote:

This support is not yet available

Thanks,
Sree

Sent from my iPad



Zakharov Alexey <alexey.zakharov@...>
 

Are there any plans to implement ORGs to LDAP groups binding later?
When I list group mappings, I can see a default mapping, which forces me to think you are planning to do something like that:

$ uaac group mappings
resources:
-
organizations.acme: cn=test_org,ou=people,o=springsource,o=org

---
Alexey Zakharov | CloudFoundry Team | Altoros
Tel: (617) 841-2121 ext. 5704 | Toll free: 855-ALTOROS
Fax: (866) 201-3646 | Skype: alexey.zakharov.a
www.altoros.com | blog.altoros.com | twitter.com/altoros

On Jul 22, 2015, at 18:05, Filip Hanik <fhanik(a)pivotal.io> wrote:

To elaborate a bit more, at this time the cloud controller maintains its own roles and ACLs in the CC database.

Filip



Sree Tummidi
 

Yes, we do plan on mapping ORG & Space Roles to Groups in LDAP or via SAML.
At this time, the only scope that can be mapped is cloud_controller.admin
as it's defined as an OAuth scope for Cloud Controller.

-Sree
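
An added example, not written by anyone in this thread and not UAA project code: because cloud_controller.admin is the one scope the replies above say can be mapped, this shell check lists LDAP groups mapped to it that are not on an approved list. It assumes the one-per-line `scope: DN` layout of `uaac group mappings` shown in the thread; the sample output, the approved list and the function names are constructed.

```shell
#!/bin/sh
# Added example: list LDAP groups mapped to a privileged UAA scope that are
# not on an approved list. All names and sample data below are constructed.

PRIVILEGED_SCOPES="cloud_controller.admin"   # space-separated scopes to audit
# Approved group DNs, ';'-separated (assumes no ';' inside a DN).
APPROVED_DNS="CN=cf-admins,OU=groups,DC=example,DC=com"

# stdin: `uaac group mappings` text, one "<scope>: <dn>" mapping per line.
# stdout: "<scope><TAB><dn>" for every privileged mapping that is not approved.
unapproved_admin_dns() {
    awk -v scopes="$PRIVILEGED_SCOPES" -v approved="$APPROVED_DNS" '
    BEGIN {
        n = split(scopes, s, " ");   for (i = 1; i <= n; i++) priv[s[i]] = 1
        m = split(approved, a, ";"); for (i = 1; i <= m; i++) ok[tolower(a[i])] = 1
    }
    {
        line = $0
        sub(/^[ \t-]+/, "", line)       # drop indentation and list dashes
        sub(/[ \t\r]+$/, "", line)      # drop trailing blanks and CR
        pos = index(line, ": ")         # first ": " separates scope from DN
        if (pos == 0) next              # "resources:", "-", blank lines
        scope = substr(line, 1, pos - 1)
        dn = substr(line, pos + 2)
        # Case-insensitive string match; no further DN normalisation is done.
        if ((scope in priv) && !(tolower(dn) in ok))
            printf "%s\t%s\n", scope, dn
    }'
}

# Constructed sample in the layout shown in the thread.
sample_mappings() {
    cat <<'EOF'
resources:
-
organizations.acme: cn=test_org,ou=people,o=springsource,o=org
-
cloud_controller.admin: cn=cf-admins,ou=groups,dc=example,dc=com
-
cloud_controller.admin: cn=contractors,ou=groups,dc=example,dc=com
EOF
}

sample_mappings | unapproved_admin_dns
```

Against a live deployment the input would come from `uaac group mappings | unapproved_admin_dns`; any line printed is a directory group whose members receive the admin scope at login.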

On Thu, Jul 23, 2015 at 5:48 AM, Zakharov Alexey <
alexey.zakharov(a)altoros.com> wrote:

Are there any plans to implement ORGs to LDAP groups binding later?
When I list group mappings, I can see a default mapping, which forces me
to think you are planning to do something like that:

$ uaac group mappings
resources:
-
organizations.acme: cn=test_org,ou=people,o=springsource,o=org

---
Alexey Zakharov | CloudFoundry Team | Altoros
Tel: (617) 841-2121 ext. 5704 | Toll free: 855-ALTOROS
Fax: (866) 201-3646 | Skype: alexey.zakharov.a
www.altoros.com | blog.altoros.com | twitter.com/altoros
