uaa job from cf/225
The UAA is the identity management service for Cloud Foundry. Its primary role is as an OAuth2 provider, issuing tokens for client applications to use when they act on behalf of Cloud Foundry users. It can also authenticate users with their Cloud Foundry credentials, and can act as an SSO service using those credentials (or others). It has endpoints for managing user accounts and for registering OAuth2 clients, as well as various other management functions.
GitHub source: 24c131a5 or master branch
Properties¶
domain
¶
The domain name for this CloudFoundry deploy
env
¶
http_proxy
¶The http_proxy across the VMs
https_proxy
¶The https_proxy across the VMs
no_proxy
¶Set no_proxy across the VMs
login
¶
analytics
¶
code
¶Analytics code
domain
¶Analytics domain
asset_base_url
¶Base url for static assets, allows custom styling of the login server.
brand
¶The branding style to use with the web interface, account confirmation, and password reset emails.
- Default
oss
catalina_opts
¶
entity_id
¶Deprecated: Use login.saml.entityid
invitations_enabled
¶Allows users to send invitations to email addresses outside the system and invite them to create an account. Disabled by default.
ldap
¶
localPasswordCompare
¶See uaa.ldap.localPasswordCompare - login.ldap prefix is used for backwards compatibility to enable ldap from login config
- Default
"true"
passwordAttributeName
¶See uaa.ldap.passwordAttributeName - login.ldap prefix is used for backwards compatibility to enable ldap from login config
- Default
userPassword
passwordEncoder
¶See uaa.ldap.passwordEncoder - login.ldap prefix is used for backwards compatibility to enable ldap from login config
- Default
org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator
profile_type
¶See uaa.ldap.profile_type - login.ldap prefix is used for backwards compatibility to enable ldap from login config
searchBase
¶See uaa.ldap.searchBase - login.ldap prefix is used for backwards compatibility to enable ldap from login config
- Default
""
searchFilter
¶See uaa.ldap.searchFilter - login.ldap prefix is used for backwards compatibility to enable ldap from login config
- Default
cn={0}
sslCertificate
¶See uaa.ldap.sslCertificate - login.ldap prefix is used for backwards compatibility to enable ldap from login config
sslCertificateAlias
¶See uaa.ldap.sslCertificateAlias - login.ldap prefix is used for backwards compatibility to enable ldap from login config
url
¶See uaa.ldap.url - login.ldap prefix is used for backwards compatibility to enable ldap from login config
userDN
¶See uaa.ldap.userDN - login.ldap prefix is used for backwards compatibility to enable ldap from login config
userDNPattern
¶See uaa.ldap.userDNPattern - login.ldap prefix is used for backwards compatibility to enable ldap from login config
userPassword
¶See uaa.ldap.userPassword - login.ldap prefix is used for backwards compatibility to enable ldap from login config
links
¶A hash of home/passwd/signup URLs (see commented examples below)
passwd
¶URL for requesting password reset
signup
¶URL for requesting to signup/register for an account
logout
¶
redirect
¶
parameter
¶
disable
¶When set to false, the UAA honors the redirect parameter on logout (/logout.do?redirect=google.com), which allows an operator to leverage an open redirect on the UAA. Default value is true: no open redirect is enabled.
whitelist
¶A list of URLs. When this list is non-null (an empty list counts as non-null) and disable=false, logout redirects are allowed, but limited to the whitelist URLs. If a redirect parameter value is not whitelisted, the redirect goes to the default URL.
url
¶The Location of the redirect header following a logout of the UAA (/logout.do). Default value is back to the login page (/login)
messages
¶A nested or flat hash of messages that the login server uses to display UI messages. This will be flattened into a java.util.Properties file. The example below will lead to four properties, where the key is the concatenated value delimited by dot, for example scope.tokens.read=message
Nested example:
messages:
  scope:
    tokens:
      read: View details of your approvals you have granted to this and other applications
      write: Cancel the approvals like this one that you have granted to this and other applications
    cloud_controller:
      read: View details of your applications and services
      write: Push applications to your account and create and bind services
Flat example:
messages:
  scope.tokens.read: View details of your approvals you have granted to this and other applications
  scope.tokens.write: Cancel the approvals like this one that you have granted to this and other applications
  scope.cloud_controller.read: View details of your applications and services
  scope.cloud_controller.write: Push applications to your account and create and bind services
notifications
¶
url
¶The url for the notifications service (configure to use Notifications Service instead of SMTP server)
port
¶
- Default
8080
prompt
¶
password
¶
text
¶The text used to prompt for a password during login
- Default
Password
username
¶
text
¶The text used to prompt for a username during login
- Default
protocol
¶Scheme to use for HTTP communication (http/https)
- Default
https
saml
¶
assertion_consumer_index
¶Deprecated: Use login.saml.providers list objects
- Default
1
entity_base_url
¶The URL to which SAML identity providers will post assertions. If set, it overrides the default of login.. This URL should NOT include the scheme (http:// or https:// prefix), just the hostname. The scheme is derived from the login.protocol property. The default value is #{protocol}://login.#{properties.domain}
entityid
¶The ID to represent this server
idpEntityAlias
¶Deprecated: Use login.saml.providers list objects
idpMetadataURL
¶Deprecated: Use login.saml.providers list objects
idp_metadata_file
¶Deprecated: Use login.saml.providers list objects
keystore_key
¶Key name of the SAML login server keystore.
- Default
selfsigned
keystore_name
¶Name of the SAML login server keystore.
- Default
samlKeystore.jks
keystore_password
¶Key password to the SAML login server keystore.
- Default
password
metadataTrustCheck
¶Deprecated: Use login.saml.providers list objects
- Default
true
nameidFormat
¶Deprecated: Use login.saml.providers list objects
- Default
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
providers
¶Contains a hash of SAML Identity Providers, the key is the IDP Alias, followed by key/value pairs for idpMetadata, nameID, assertionConsumerIndex, metadataTrustCheck, showSamlLoginLink, linkText, iconUrl
serviceProviderCertificate
¶Service provider certificate.
serviceProviderKey
¶Private key for the service provider certificate.
serviceProviderKeyPassword
¶Password to protect the service provider private key.
signMetaData
¶Set to true if you want the UAA to sign its SAML metadata
- Default
true
signRequest
¶Set to true if you want the UAA to sign all its SAML auth requests
- Default
true
socket
¶
connectionManagerTimeout
¶Timeout in milliseconds for connection pooling for SAML metadata HTTP requests
soTimeout
¶Read timeout in milliseconds for SAML metadata HTTP requests
self_service_links_enabled
¶Enable self-service account creation and password reset links.
signups_enabled
¶Enable account creation flow in the login server. Enabled by default.
smtp
¶SMTP server configuration, for password reset emails etc.
host
¶SMTP server host address
- Default
localhost
password
¶SMTP server password
port
¶SMTP server port
- Default
2525
user
¶SMTP server username
spring_profiles
¶See uaa.spring_profiles - login.spring_profiles is used for backwards compatibility to enable ldap from login config
tiles
¶A list of links to other services to show on the landing page after logging in and/or signing up, depending on whether login-link and/or signup-link is specified.
uaa_base
¶Location of the UAA.
uaa_certificate
¶Certificate to import if the UAA is using self-signed certificates
nats
¶
machines
¶IP of each NATS cluster member.
password
¶Password for NATS login
port
¶TCP port of NATS server
user
¶User name for NATS login
uaa
¶
admin
¶
client_secret
¶Secret of the admin client - a client named admin with uaa.admin as an authority
authentication
¶
policy
¶
countFailuresWithinSeconds
¶Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked
lockoutAfterFailures
¶Number of allowed failures before account is locked
lockoutPeriodSeconds
¶Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded
catalina_opts
¶
- Default
-Xmx768m -XX:MaxPermSize=256m
cc
¶
client_secret
¶
token_secret
¶
client
¶
autoapprove
¶
clients
¶
login
¶
secret
¶Login client secret - overrides uaa.login.client_secret
database
¶
abandoned_timeout
¶Timeout in seconds for the longest running queries. Take DB migrations into account for this timeout, as they may run for a long period of time.
- Default
300
case_insensitive
¶Set to true if you don’t want to be using LOWER() SQL functions in search queries/filters, because you know that your DB is case insensitive. If this property is null, then it will be set to true if the UAA DB is MySQL and false otherwise, but even on MySQL you can override it by setting it explicitly to false
log_abandoned
¶Should connections that are forcibly closed be logged.
- Default
true
max_connections
¶The max number of open connections to the DB from a running UAA instance
- Default
100
max_idle_connections
¶The max number of open idle connections to the DB from a running UAA instance
- Default
10
remove_abandoned
¶True if connections that are left open longer than abandoned_timeout seconds during a session (time between borrow and return from pool) should be forcibly closed
- Default
false
disableInternalAuth
¶Disables internal user authentication
- Default
false
disableInternalUserManagement
¶Disables UI and API for internal user management
- Default
false
dump_requests
¶
id_token
¶
disable
¶When set to true, requests to /oauth/authorize will ignore the response_type=id_token parameter
- Default
true
issuer
¶The url to use as the issuer URI
jwt
¶
signing_key
¶
verification_key
¶
ldap
¶
attributeMappings
¶Specifies how UAA user attributes map to LDAP attributes
emailDomain
¶Sets the whitelist of email domains that the LDAP identity provider handles
enabled
¶Set to true to enable LDAP
- Default
false
groups
¶
autoAdd
¶Set to true when profile_type=groups_as_scopes to auto create scopes for a user. Ignored for other profiles.
- Default
"true"
groupRoleAttribute
¶Used with groups-as-scopes, defines the attribute that holds the scope name(s).
groupSearchFilter
¶Search query filter to find groups a user belongs to, or for a nested search, groups that a group belongs to
- Default
member={0}
maxSearchDepth
¶Set to number of levels a nested group search should go. Set to 1 to disable nested groups (default)
- Default
"1"
profile_type
¶What type of group integration should be used. Values are no-groups, groups-as-scopes and groups-map-to-scopes
- Default
no-groups
searchBase
¶Search start point for a user group membership search
- Default
""
searchSubtree
¶Boolean value, set to true to search below the search base
- Default
"true"
localPasswordCompare
¶Used with search-and-compare only. Set to true if passwords are retrieved by the search, and should be compared in the login server.
- Default
"true"
mailAttributeName
¶The name of the LDAP attribute that contains the user's email address
- Default
mailSubstitute
¶Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
- Default
""
mailSubstituteOverridesLdap
¶Set to true if you wish to override an LDAP user email address with a generated one
- Default
false
passwordAttributeName
¶Used with search-and-compare only. The name of the password attribute in the LDAP directory
- Default
userPassword
passwordEncoder
¶Used with search-and-compare only. The encoder used to properly encode user password to match the one in the LDAP directory.
- Default
org.cloudfoundry.identity.uaa.ldap.DynamicPasswordComparator
profile_type
¶The file to be used for configuring the LDAP authentication. Options are simple-bind, search-and-bind and search-and-compare
- Default
search-and-bind
searchBase
¶Used with search-and-bind and search-and-compare. Define a base where the search starts at.
- Default
""
searchFilter
¶Used with search-and-bind and search-and-compare. Search filter used. Takes one parameter, user ID defined as {0}
- Default
cn={0}
sslCertificate
¶Used with ldaps:// URLs. The certificate, if self signed, to be trusted by this connection.
sslCertificateAlias
¶Used with ldaps:// URLs. The certificate alias, to be trusted by this connection and stored in the keystore.
url
¶The URL to the ldap server, must start with ldap:// or ldaps://
userDN
¶Used with search-and-bind and search-and-compare. A valid LDAP ID that has read permissions to perform a search of the LDAP tree for user information.
userDNPattern
¶Used with simple-bind only. A semicolon-separated list of DN patterns to construct a DN directly from the user ID without performing a search.
userDNPatternDelimiter
¶The delimiter character in between user DN patterns for simple bind authentication
- Default
;
userPassword
¶Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
logging_level
¶Set UAA logging level. (e.g. TRACE, DEBUG, INFO)
- Default
DEBUG
logging_use_rfc3339
¶Sets the time format for log messages to be rfc3339 compatible.
- Default
false
login
¶
client_secret
¶Deprecated. Default login client secret if no login client is defined
newrelic
¶To enable newrelic monitoring, the sub element of this property will be placed in a configuration file called newrelic.yml in the jobs config directory. The syntax must adhere to the documentation at https://docs.newrelic.com/docs/agents/java-agent/configuration/java-agent-configuration-config-file. The JVM option -javaagent:/path/to/newrelic.jar will be added to Apache Tomcat’s startup script. The enablement of the NewRelic agent in the UAA is triggered by the property uaa.newrelic.common.license_key. The property uaa.newrelic.common.license_key must be set!
no_ssl
¶When true, uaa uses http, otherwise it uses https
- Default
false
password
¶
policy
¶
expirePasswordInMonths
¶Number of months after which current password expires
- Default
0
maxLength
¶Maximum number of characters required for password to be considered valid
- Default
255
minLength
¶Minimum number of characters required for password to be considered valid
- Default
0
requireDigit
¶Minimum number of digits required for password to be considered valid
- Default
0
requireLowerCaseCharacter
¶Minimum number of lowercase characters required for password to be considered valid
- Default
0
requireSpecialCharacter
¶Minimum number of special characters required for password to be considered valid
- Default
0
requireUpperCaseCharacter
¶Minimum number of uppercase characters required for password to be considered valid
- Default
0
port
¶Port that uaa will accept connections on
- Default
8080
proxy
¶
servers
¶Array of the router IPs acting as the first group of HTTP/TCP backends. These will be added to the proxy_ips_regex as exact matches. When using spiff, these will be router_z1 and router_z2 static IPs from cf-jobs.yml
- Default
[]
proxy_ips_regex
¶A pipe delimited set of regular expressions of IP addresses that are considered reverse proxies. When a request comes in from one of these IP addresses, the x-forwarded-for and x-forwarded-proto headers will be respected. If uaa.restricted_ips_regex is set, it will be appended to this list for backwards compatibility purposes. If spiff has been used and includes templates/cf-jobs.yml to generate the manifest, this list will automatically contain the Router IP addresses.
- Default
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
require_https
¶
restricted_ips_regex
¶[Not Currently Used] A pipe delimited set of regular expressions of IP addresses that can reach the listening HTTP port of the server.
scim
¶
external_groups
¶A list of external group mappings. Pipe delimited. A value may look like ‘- internal.read|cn=developers,ou=scopes,dc=test,dc=com’
groups
¶Comma separated list of groups that should be added to the UAA db, but not assigned to a user by default.
user
¶
override
¶
- Default
true
userids_enabled
¶
- Default
true
users
¶
spring_profiles
¶Deprecated. Use ‘uaa.ldap.enabled’. Sets the Spring profiles on the UAA web application. This gets combined with the ‘uaadb.db_scheme’ property if and only if the value is exactly ‘ldap’ in order to set up the database, for example ‘ldap,mysql’. If spring_profiles contains more than just ‘ldap’, it will be used to overwrite spring_profiles and db_scheme is ignored. See uaa.yml.erb.
url
¶
user
¶
authorities
¶Contains a list of the default authorities/scopes assigned to a user.
- Default
- openid
- scim.me
- cloud_controller.read
- cloud_controller.write
- cloud_controller_service_permissions.read
- password.write
- uaa.user
- approvals.me
- oauth.approvals
- notification_preferences.read
- notification_preferences.write
- profile
- roles
- user_attributes
zones
¶
internal
¶
hostnames
¶A list of hostnames that are routed to the UAA, specifically the default zone in the UAA. The UAA will reject any Host headers that it doesn’t recognize. By default the UAA recognizes:
uaa. - the default UAA route
login. - the login-server route that the UAA now also serves
localhost - in order to accept health checks
Any hostnames added as a list are additive to the default hostnames allowed.
Example:
uaa:
  zones:
    internal:
      hostnames:
        - hostname1
        - hostname2.localhost
        - hostname3.example.com
- Default
- uaa.service.cf.internal
uaadb
¶
address
¶The UAA database IP address
databases
¶The list of databases used in UAA database including tag/name
db_scheme
¶Database scheme for UAA DB
port
¶The UAA database Port
roles
¶The list of database Roles used in UAA database including tag/name/password
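The properties above interact: the logout redirect is only bounded when a whitelist is present, and several documented defaults apply silently when a key is omitted. The following added example (not code from cf-release or the UAA) resolves each property against the defaults listed on this page and reports the ones left in a weak state. The names WEAK, HARDENED, DEFAULTS, effective and audit are this example's own, both manifests are constructed, and which values count as weak is this example's judgement drawn from the descriptions above.

```ruby
require 'yaml'

# Constructed sample manifests (not taken from any real deployment).
WEAK = YAML.safe_load(<<~MANIFEST)
  properties:
    login:
      logout:
        redirect:
          parameter:
            disable: false        # redirect parameter honoured, no whitelist key
    uaa:
      no_ssl: true
MANIFEST

HARDENED = YAML.safe_load(<<~MANIFEST)
  properties:
    login:
      logout:
        redirect:
          parameter:
            disable: false
            whitelist: [ "https://console.example.com/" ]
      saml:
        keystore_password: constructed-placeholder-secret
    uaa:
      password:
        policy:
          minLength: 12
MANIFEST

# Defaults exactly as this page lists them; a property absent here has no stated default.
DEFAULTS = {
  'login.logout.redirect.parameter.disable' => true,
  'login.saml.keystore_password'            => 'password',
  'login.protocol'                          => 'https',
  'uaa.no_ssl'                              => false,
  'uaa.password.policy.minLength'           => 0
}.freeze

# Value the job would see: the manifest's value, else the documented default.
def effective(manifest, dotted)
  value = dotted.split('.').reduce(manifest['properties']) { |n, k| n.is_a?(Hash) ? n[k] : nil }
  value.nil? ? DEFAULTS[dotted] : value
end

# Returns the dotted names of properties whose effective value is weak.
# The whitelist is flagged only when disable=false and the list is null;
# an empty list is non-null and therefore still limits redirects.
def audit(manifest)
  redirect = 'login.logout.redirect.parameter'
  checks = {
    "#{redirect}.whitelist" => effective(manifest, "#{redirect}.disable") == false &&
                               effective(manifest, "#{redirect}.whitelist").nil?,
    'login.saml.keystore_password' => effective(manifest, 'login.saml.keystore_password') == 'password',
    'login.protocol' => effective(manifest, 'login.protocol') == 'http',
    'uaa.no_ssl' => effective(manifest, 'uaa.no_ssl') == true,
    'uaa.password.policy.minLength' => effective(manifest, 'uaa.password.policy.minLength').to_i.zero?
  }
  checks.select { |_, weak| weak }.keys
end
```

Calling audit(WEAK) returns four property names, including two the manifest never mentions, because the documented defaults apply; audit(HARDENED) returns an empty list.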
Templates¶
Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/uaa/ directory.
- bin/dns_health_check (from dns_health_check.erb)
- bin/install_crt (from install_crt.erb)
- bin/uaa_ctl (from uaa_ctl.erb)
- config/ldap.crt (from ldap.crt.erb)
- config/log4j.properties (from log4j.properties.erb)
- config/login.yml (from login.yml.erb)
- config/messages.properties (from messages.properties.erb)
- config/newrelic.yml (from newrelic.yml.erb)
- config/tomcat/logging.properties (from tomcat.logging.properties)
- config/tomcat/server.xml (from tomcat.server.xml.erb)
- config/uaa.yml (from uaa.yml.erb)
- config/varz.log4j.properties (from varz.log4j.properties.erb)
- config/varz.yml (from varz.yml.erb)
Packages¶
Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into the /var/vcap/packages/ directory.