Feature Narrative: Fine-granular & custom platform roles for Cloud Foundry
Hi CF,
Here is a feature narrative and it is called "Fine-granular & custom platform roles for Cloud Foundry".
https://docs.google.com/document/d/1isfsSWvF8xDU0G69k4MqB3o5c2vB0P3Vbi79W0yvqFQ/edit?usp=sharing
This proposal is the result of direct feedback we have received from many CF users. It addresses the problem that every space developer can delete a service. And there may be important data attached to this service. Oops.
Comments, feedback, suggestions, and questions very welcome and appreciated!
Regards,
Stephan
--
I’m all for anything which gives finer grained control. At present customers like RBS wrap the cf api with their own tooling in order to limit who can do what – which is obviously not optimal.
Shame we never implemented the ability to define custom roles in the database rather than have them hard-coded.
D
From:
cf-dev@... <cf-dev@...>
Date: Wednesday, December 2, 2020 at 5:29 PM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] Feature Narrative: Fine-granular & custom platform roles for Cloud Foundry
This is really a promising step.
cloud.gov uses "service accounts" (https://cloud.gov/docs/services/cloud-gov-service-account/), which are implemented with https://github.com/cloudfoundry-community/uaa-credentials-broker. Usually these are used in CI/CD systems for deployments.
The service accounts are way too over-powered using the Developer role, so this is a great step to scoping deployer accounts to, well, deployments in a CD system. However, I think the Operator account is too restrictive for any real human operator, and too expansive for a CI deployer account.
I'd like to see Operator renamed to Deployer and have some further rights removed, like viewing other spaces or other users and roles, perhaps.
Or if there's a real need for the Operator role, then maybe add yet another role for Deployers (but that seems to be getting into IAM-level scope creep).
--Peter
--
Peter Burkholder | cloud.gov compliance & security
please use cloud-gov-compliance@... for cloud.gov matters
Guillaume.