Missing user management from custom IdZ to CC #2505
Assignees
Comments
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/186133317 The labels on this github issue will be updated when the story is started. |
philippthun
added a commit
to sap-contributions/cloud_controller_ng
that referenced
this issue
Oct 11, 2023
While working on the "Support UAA identity zones in CC" PoC [1], I did some refactoring that I would like to keep although the PoC is not going to get implemented (see [2]). [1] cloudfoundry#3341 [2] cloudfoundry/uaa#2505
This was referenced Oct 11, 2023
rroberts2222
pushed a commit
to loggregator/cloud_controller_ng
that referenced
this issue
Dec 19, 2023
While working on the "Support UAA identity zones in CC" PoC [1], I did some refactoring that I would like to keep although the PoC is not going to get implemented (see [2]). [1] cloudfoundry#3341 [2] cloudfoundry/uaa#2505 Co-authored-by: Andrew Crump <crumpan@vmware.com>
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/186718998 The labels on this github issue will be updated when the story is started. |
This was referenced Mar 5, 2024
|
@klaus-sap @strehle @adrianhoelzl-sap Are there further PRs expected for this issue? |
Yes, there will be at least two more:
|
This was
linked to
pull requests
Jun 9, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
User Management in CF UAA from Multiple Identity Zones
Context
This issue proposes enhancing UAA to support user management from multiple identity zones. Customers will be able to manage their user accounts from own identity zones. These user accounts will be copied to the default identity zone for access at runtime.
Proposal
To address the operational and security requirements outlined above, this issue proposes enhancing CF UAA to support user management from multiple identity zones. This requires changes to UAA as outlined below.
To implement the requirements mentioned above, we propose to enhance UAA user accounts with optional attributes “alias_id” and “alias_zid”. If these attributes are set, user accounts will be copied from the custom identity zone to the default zone (or vice versa in case of migration of existing users). We propose copying users instead of creating references, because we want to create separate user records in default and custom identity zone. With separate user records, we can continue to use simple SQL queries for all database operations.
Certainly, user administrators must not be able to freely choose alias_ids. Instead, the alias_id is set to the user id of the corresponding alias user.
In the same way, identity providers may be copied from the custom identity zone to the default identity zone (or vice versa). The origin attribute of each user account must be present as identity provider in the same identity zone.
Zone independent administrative scopes like “uaa.admin” or “cloud_controller.admin” must not be assigned to any user from custom identity zones. However, we may assign zone specific scopes like “zones.(zid).scim.write” to user administrators in custom identity zones. To prevent the assignment of zone independent admin scopes to users from custom identity zones, we propose to enhance identity zone definitions with optional blocklists of groups. The groups from a blocklist must not be created in the corresponding identity zone.
The text was updated successfully, but these errors were encountered: