uaa job from cf/207

The UAA is the identity management service for Cloud Foundry. Its primary role is as an OAuth2 provider, issuing tokens for client applications to use when they act on behalf of Cloud Foundry users. It can also authenticate users with their Cloud Foundry credentials, and can act as an SSO service using those credentials (or others). It has endpoints for managing user accounts and for registering OAuth2 clients, as well as various other management functions.

GitHub source: commit 295db91d or the master branch
Properties

Each property is listed by its full dotted name as used in the deployment manifest; the indented text is its description, followed by the default where the job spec gives one.

domain
    The domain name for this Cloud Foundry deployment

env.http_proxy
    The http_proxy across the VMs
env.https_proxy
    The https_proxy across the VMs
env.no_proxy
    Set no_proxy across the VMs

login.ldap.localPasswordCompare
    See uaa.ldap.localPasswordCompare (the login.ldap prefix is kept for backwards compatibility so that LDAP can be enabled from the login config)
    Default: "true"
login.ldap.passwordAttributeName
    See uaa.ldap.passwordAttributeName (login.ldap prefix kept for backwards compatibility)
    Default: userPassword
login.ldap.passwordEncoder
    See uaa.ldap.passwordEncoder (login.ldap prefix kept for backwards compatibility)
    Default: org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator
login.ldap.profile_type
    See uaa.ldap.profile_type (login.ldap prefix kept for backwards compatibility)
login.ldap.searchBase
    See uaa.ldap.searchBase (login.ldap prefix kept for backwards compatibility)
    Default: ""
login.ldap.searchFilter
    See uaa.ldap.searchFilter (login.ldap prefix kept for backwards compatibility)
    Default: cn={0}
login.ldap.sslCertificate
    See uaa.ldap.sslCertificate (login.ldap prefix kept for backwards compatibility)
login.ldap.sslCertificateAlias
    See uaa.ldap.sslCertificateAlias (login.ldap prefix kept for backwards compatibility)
login.ldap.url
    See uaa.ldap.url (login.ldap prefix kept for backwards compatibility)
login.ldap.userDN
    See uaa.ldap.userDN (login.ldap prefix kept for backwards compatibility)
login.ldap.userDNPattern
    See uaa.ldap.userDNPattern (login.ldap prefix kept for backwards compatibility)
login.ldap.userPassword
    See uaa.ldap.userPassword (login.ldap prefix kept for backwards compatibility)
login.protocol
    The protocol that the Login Server uses: http or https
login.spring_profiles
    See uaa.spring_profiles (login.spring_profiles is kept for backwards compatibility so that LDAP can be enabled from the login config)

nats.machines
    IP of each NATS cluster member
nats.password
    Password for NATS login
nats.port
    TCP port of the NATS server
nats.user
    User name for NATS login

networks.apps
    The app network name

uaa.admin.client_secret

uaa.authentication.policy.countFailuresWithinSeconds
    Number of seconds within which lockoutAfterFailures failures must occur for the account to be locked
uaa.authentication.policy.lockoutAfterFailures
    Number of allowed failures before the account is locked
uaa.authentication.policy.lockoutPeriodSeconds
    Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded
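The three uaa.authentication.policy properties only make sense together: failures are counted inside a sliding window, and the lock lasts for a fixed period once it is set. The following is an added illustrative model of that interaction, not UAA's own code; the policy values it uses are constructed, and it assumes the account locks on the lockoutAfterFailures-th failure inside the window and unlocks when lockoutPeriodSeconds have elapsed.

```python
"""Illustrative model of uaa.authentication.policy.* (added example, not UAA's
implementation).  Assumed semantics: an account is locked once
lockoutAfterFailures failed logins fall within countFailuresWithinSeconds
seconds of each other, and stays locked for lockoutPeriodSeconds."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    # Constructed values for the demo; they are not the job's defaults.
    countFailuresWithinSeconds: int = 3600
    lockoutAfterFailures: int = 5
    lockoutPeriodSeconds: int = 300


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of failed attempts
    locked_until: Optional[float] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login at time `now`; return True if the account is locked."""
        st = self._state(user)
        if self.is_locked(user, now):
            return True
        # Drop failures that fell out of the counting window before counting this one.
        window_start = now - self.policy.countFailuresWithinSeconds
        st.failures = [t for t in st.failures if t > window_start]
        st.failures.append(now)
        if len(st.failures) >= self.policy.lockoutAfterFailures:
            st.locked_until = now + self.policy.lockoutPeriodSeconds
            st.failures.clear()
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A successful login is only honoured while unlocked; it clears the failure history."""
        if self.is_locked(user, now):
            return False
        self._state(user).failures.clear()
        return True


def demo() -> Dict[str, bool]:
    """Three failures in 20 s lock 'alice' for 120 s; 'bob' spreads his over a wider window."""
    tracker = LockoutTracker(LockoutPolicy(countFailuresWithinSeconds=60,
                                           lockoutAfterFailures=3,
                                           lockoutPeriodSeconds=120))
    for t in (0, 10, 20):
        tracker.record_failure("alice", t)
    for t in (0, 30, 100):        # the failure at t=0 has left the 60 s window by t=100
        tracker.record_failure("bob", t)
    return {
        "alice_locked_at_100": tracker.is_locked("alice", 100),
        "alice_locked_at_140": tracker.is_locked("alice", 140),
        "bob_locked_at_100": tracker.is_locked("bob", 100),
    }


if __name__ == "__main__":
    print(demo())
```

A short countFailuresWithinSeconds with a high lockoutAfterFailures lets a slow, spread-out guessing attempt go unlocked, which the "bob" case above shows; when tuning these values, check the rate you actually want to tolerate rather than each number in isolation.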
uaa.catalina_opts
    Default: -Xmx768m -XX:MaxPermSize=256m

uaa.cc.client_secret
uaa.cc.token_secret

uaa.client.autoapprove

uaa.clients.login.secret
    Login client secret; overrides uaa.login.client_secret

uaa.dump_requests

uaa.issuer
    The URL to use as the issuer URI

uaa.jwt.signing_key
uaa.jwt.verification_key

uaa.ldap.enabled
    Set to true to enable LDAP
    Default: false
uaa.ldap.groups.autoAdd
    Set to true when profile_type=groups_as_scopes to auto-create scopes for a user. Ignored for other profiles.
    Default: "true"
uaa.ldap.groups.groupRoleAttribute
    Used with groups-as-scopes; defines the attribute that holds the scope name(s).
uaa.ldap.groups.groupSearchFilter
    Search query filter to find the groups a user belongs to, or, for a nested search, the groups that a group belongs to
    Default: member={0}
uaa.ldap.groups.maxSearchDepth
    Number of levels a nested group search should descend. Set to 1 to disable nested groups (the default).
    Default: "1"
uaa.ldap.groups.profile_type
    What type of group integration should be used. Values are no-groups, groups-as-scopes and groups-map-to-scopes.
    Default: no-groups
uaa.ldap.groups.searchBase
    Search start point for a user group membership search
    Default: ""
uaa.ldap.groups.searchSubtree
    Boolean value; set to true to search below the search base
    Default: "true"
uaa.ldap.localPasswordCompare
    Used with search-and-compare only. Set to true if passwords are retrieved by the search and should be compared in the login server.
    Default: "true"
uaa.ldap.mailAttributeName
    The name of the LDAP attribute that contains the user's email address
    Default:
uaa.ldap.mailSubstitute
    Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    Default: ""
uaa.ldap.mailSubstituteOverridesLdap
    Set to true if you wish to override an LDAP user's email address with a generated one
    Default: false
uaa.ldap.passwordAttributeName
    Used with search-and-compare only. The name of the password attribute in the LDAP directory.
    Default: userPassword
uaa.ldap.passwordEncoder
    Used with search-and-compare only. The encoder used to encode the user's password so that it matches the one stored in the LDAP directory.
    Default: org.cloudfoundry.identity.uaa.ldap.DynamicPasswordComparator
uaa.ldap.profile_type
    The file to be used for configuring LDAP authentication. Options are simple-bind, search-and-bind and search-and-compare.
    Default: search-and-bind
uaa.ldap.searchBase
    Used with search-and-bind and search-and-compare. Defines the base where the search starts.
    Default: ""
uaa.ldap.searchFilter
    Used with search-and-bind and search-and-compare. The search filter used; takes one parameter, the user ID, defined as {0}.
    Default: cn={0}
uaa.ldap.sslCertificate
    Used with ldaps:// URLs. The certificate, if self-signed, to be trusted by this connection.
uaa.ldap.sslCertificateAlias
    Used with ldaps:// URLs. The alias under which the trusted certificate is stored in the keystore.
uaa.ldap.url
    The URL of the LDAP server; must start with ldap:// or ldaps://
uaa.ldap.userDN
    Used with search-and-bind and search-and-compare. A valid LDAP ID that has read permission to search the LDAP tree for user information.
uaa.ldap.userDNPattern
    Used with simple-bind only. A semicolon-separated list of DN patterns used to construct a DN directly from the user ID without performing a search.
uaa.ldap.userDNPatternDelimiter
    The delimiter character between user DN patterns for simple-bind authentication
    Default: ;
uaa.ldap.userPassword
    Used with search-and-bind and search-and-compare. Password for the LDAP ID that searches the LDAP tree for user information.

uaa.login.client_secret
    Deprecated. Default login client secret if no login client is defined.

uaa.no_ssl
    When true, UAA uses http; otherwise it uses https
    Default: false

uaa.openid.fallbackToAuthcode
    When using the hybrid flow to get an id_token, suppress the exception if the client doesn't have the implicit grant. Defaults to false.
    Default: true

uaa.port
    Port that UAA will accept connections on
    Default: 8080

uaa.require_https

uaa.restricted_ips_regex
    A pipe-delimited set of regular expressions for the IP addresses that may reach the listening HTTP port of the server.
    Default: 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
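Before changing uaa.restricted_ips_regex it is worth checking which addresses the pattern actually admits. The following added example (not part of the job or of UAA) evaluates the default value above against a few constructed client addresses. It assumes the pattern is applied as an anchored, whole-address match; the unanchored variant is included only to show how much wider the allow-list becomes if a deployment applies it with a substring search instead.

```python
"""Check which client addresses uaa.restricted_ips_regex admits.
Added example; the default pattern is copied from the job spec, the
addresses below are constructed, and anchored matching is an assumption."""
import re
from typing import Dict

DEFAULT_RESTRICTED_IPS_REGEX = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}"
    r"|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}"
    r"|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"
)


def ip_allowed(ip: str, pattern: str = DEFAULT_RESTRICTED_IPS_REGEX) -> bool:
    """Anchored check: the whole address must match one alternative."""
    return re.fullmatch(pattern, ip) is not None


def ip_allowed_unanchored(ip: str, pattern: str = DEFAULT_RESTRICTED_IPS_REGEX) -> bool:
    """Substring check, shown only to illustrate the risk of unanchored matching."""
    return re.search(pattern, ip) is not None


def classify(ips, pattern: str = DEFAULT_RESTRICTED_IPS_REGEX) -> Dict[str, bool]:
    """Map each address to whether the anchored pattern admits it."""
    return {ip: ip_allowed(ip, pattern) for ip in ips}


# Constructed sample addresses: RFC 1918 ranges, link-local, loopback, a public
# address, an address whose tail merely contains a private prefix, and an
# address with an out-of-range octet that \d{1,3} still accepts.
SAMPLE_IPS = [
    "10.0.1.5", "192.168.1.1", "169.254.10.10", "127.0.0.1",
    "172.16.0.1", "172.31.255.255", "172.32.0.1",
    "8.8.8.8", "110.0.0.1", "10.999.0.1",
]

if __name__ == "__main__":
    for ip, ok in classify(SAMPLE_IPS).items():
        print(f"{ip:16} anchored={ok!s:5} unanchored={ip_allowed_unanchored(ip)}")
```

Two things the run makes visible: `\d{1,3}` does not validate octet values, so `10.999.0.1` is accepted by the regex even though it is not a routable address, and without anchoring a public address such as `110.0.0.1` would be admitted because it contains `10.0.0.1` as a substring.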
uaa.scim.external_groups
    A list of external group mappings, pipe-delimited. A value may look like ‘- internal.read|cn=developers,ou=scopes,dc=test,dc=com’.
uaa.scim.user.override
uaa.scim.userids_enabled
    Default: false
uaa.scim.users

uaa.spring_profiles
    Deprecated. Use ‘uaa.ldap.enabled’. Sets the Spring profiles on the UAA web application. This gets combined with the ‘uaadb.db_scheme’ property, if and only if the value is exactly ‘ldap’, in order to set up the database, for example ‘ldap,mysql’. If spring_profiles contains more than just ‘ldap’, it is used to overwrite spring_profiles and db_scheme is ignored. See uaa.yml.erb.

uaa.url

uaa.user.authorities
    Contains the list of default authorities/scopes assigned to a user.
    Default:
    - openid
    - scim.me
    - cloud_controller.read
    - cloud_controller.write
    - cloud_controller_service_permissions.read
    - password.write
    - uaa.user
    - approvals.me
    - oauth.approvals
    - notification_preferences.read
    - notification_preferences.write

uaadb.address
    The UAA database IP address
uaadb.databases
    The list of databases used in the UAA database, including tag/name
uaadb.db_scheme
    Database scheme for the UAA DB
uaadb.port
    The UAA database port
uaadb.roles
    The list of database roles used in the UAA database, including tag/name/password
Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/uaa/ directory.

bin/dns_health_check (from dns_health_check.erb)
bin/install_crt (from install_crt.erb)
bin/uaa_cf-registrar_ctl (from cf-registrar_ctl)
bin/uaa_ctl (from uaa_ctl.erb)
config/cf-registrar/config.yml (from cf-registrar.config.yml.erb)
config/ldap.crt (from ldap.crt.erb)
config/log4j.properties (from log4j.properties.erb)
config/tomcat/logging.properties (from tomcat.logging.properties)
config/tomcat/server.xml (from tomcat.server.xml.erb)
config/uaa.yml (from uaa.yml.erb)
config/varz.log4j.properties (from varz.log4j.properties.erb)
config/varz.yml (from varz.yml.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into the /var/vcap/packages/ directory.