[RFC] User Creation by Org Managers #946
base: main
Conversation
Allow Org Managers to create users in UAA in order to improve the onboarding procedure for larger developer groups into multi-tenant Cloud Foundry foundations. [Preview](https://github.com/cloudfoundry/community/blob/rfc-cfapiv2-eol/toc/rfc/app-runtime-interfaces/rfc-draft-user-creation-by-org-managers.md)
FYI: @cloudfoundry/toc, @cloudfoundry/wg-app-runtime-interfaces-capi-approvers
In this workflow, who or what is granting the user the Org Manager role? Could the Org Manager also be granted an appropriate scope to create users in UAA, instead of CC creating users on their behalf?
cc @cloudfoundry/wg-foundational-infrastructure-identity-and-auth-uaa-approvers
Overall, I'm a bit wary of adding a POST request to UAA nested inside of a synchronous CC request. We'd have to contend with issues of timeouts, error handling, audit-ability, etc.
Ideally, we could get the Org Manager users sufficient permissions to create the user in UAA themselves, maybe with the facilitation of the CLI?
- origin=uaa is not allowed
- included suggestions by reviewers
The initial Org Manager role is assigned by an external onboarding process that uses a technical CF admin user. From then on, the initial Org Manager can grant Org Manager role to additional users using CF CLI or any other CF API client (e.g. terraform).
That's a valid point. But on the other hand,
We discussed this during the TOC meeting on 01.10.2024 and decided to start the FCP with the goal to accept it during the next TOC meeting.
I'm still nervous about nesting a synchronous POST request to UAA inside a CC request, but I understand the use case this RFC is trying to solve. I'm fine with this idea as long as it is off by default in cf-d.
I left a couple comments on details that I think should be addressed prior to acceptance.
... and add it as possible future work.
- clarify that an extra UAA client cloud_controller_shadow_user_creation shall be used instead of adding scopes to existing ones
- the new function shall be enabled by a cf-deployment ops file
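As an added example (not the RFC's and not Cloud Controller's own code), the shape of the nested CC-to-UAA call the reviewers above are uneasy about: the SCIM payload with the origin=uaa rejection from the commit message, explicit open/read timeouts, and every failure mapped to one error class so CC can turn it into an API error and an audit record instead of a hung request. The SCIM field names follow UAA's `POST /Users` API; `ShadowUserError`, `FakeUaa`, the timeout values and the `externalId` mapping are assumptions, and the bearer token is assumed to be obtained by the dedicated `cloud_controller_shadow_user_creation` client named in the commit message.

```ruby
require 'json'
require 'net/http'
require 'uri'
require 'securerandom'

# Per the commit message, origin=uaa is not allowed: those are UAA-internal
# password users, whereas a shadow user stands in for a federated identity.
FORBIDDEN_ORIGINS = %w[uaa].freeze

# Single error class (assumed name) so CC has one thing to map and audit.
class ShadowUserError < StandardError; end

# Build the body for UAA's SCIM POST /Users. userName, origin, emails and
# active are SCIM fields UAA accepts; mapping externalId to the username
# is an assumption for the example.
def build_shadow_user_payload(username:, origin:, email:)
  raise ShadowUserError, 'origin must be given' if origin.nil? || origin.strip.empty?
  raise ShadowUserError, "origin '#{origin}' is not allowed" if FORBIDDEN_ORIGINS.include?(origin.downcase)
  raise ShadowUserError, 'email must contain @' unless email.include?('@')

  {
    'userName' => username,
    'origin' => origin,
    'emails' => [{ 'value' => email, 'primary' => true }],
    'active' => true,
    'externalId' => username
  }
end

# The nested call itself. Timeouts are bounded so a slow UAA cannot hold the
# CC request open indefinitely; transport errors and non-201 answers all
# surface as ShadowUserError. `token` is assumed to come from the
# cloud_controller_shadow_user_creation client (client_credentials grant).
def create_shadow_user(uaa_url:, token:, payload:, http: nil, open_timeout: 2, read_timeout: 5)
  uri = URI.join(uaa_url, '/Users')
  http ||= Net::HTTP.new(uri.host, uri.port).tap do |h|
    h.use_ssl = (uri.scheme == 'https')
    h.open_timeout = open_timeout
    h.read_timeout = read_timeout
  end

  req = Net::HTTP::Post.new(uri.path)
  req['Authorization'] = "Bearer #{token}"
  req['Content-Type'] = 'application/json'
  req.body = JSON.generate(payload)

  resp = http.request(req)
  case resp.code.to_i
  when 201 then JSON.parse(resp.body)
  when 409 then raise ShadowUserError, "user #{payload['userName']} already exists in origin #{payload['origin']}"
  else raise ShadowUserError, "UAA returned HTTP #{resp.code}"
  end
rescue Net::OpenTimeout, Net::ReadTimeout => e
  raise ShadowUserError, "UAA call timed out (#{e.class})"
end

# Constructed stand-in for UAA so the example runs offline: records the last
# request and answers with a canned SCIM response, or raises a read timeout.
class FakeUaa
  attr_reader :last_request

  def initialize(code: 201, body: nil, raise_timeout: false)
    @code = code
    @body = body
    @raise_timeout = raise_timeout
  end

  def request(req)
    @last_request = req
    raise Net::ReadTimeout if @raise_timeout
    Struct.new(:code, :body).new(@code.to_s, @body || JSON.generate('id' => SecureRandom.uuid, 'origin' => JSON.parse(req.body)['origin']))
  end
end

if $PROGRAM_NAME == __FILE__
  payload = build_shadow_user_payload(username: 'dev1@example.com', origin: 'ldap', email: 'dev1@example.com')
  user = create_shadow_user(uaa_url: 'https://uaa.example.com', token: 'constructed-token', payload: payload, http: FakeUaa.new)
  puts "created shadow user #{user['id']} in origin #{user['origin']}"
end
```

The `http:` parameter exists so the UAA transport can be injected; in a real Cloud Controller the timeout values would come from configuration and the 409 branch would decide whether an already-existing shadow user is an error or an idempotent success.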