[RFC] User Creation by Org Managers #946
Conversation
Allow Org Managers to create users in UAA in order to improve the onboarding procedure for larger developer groups into multi-tenant Cloud Foundry foundations. [Preview](https://github.com/cloudfoundry/community/blob/rfc-cfapiv2-eol/toc/rfc/app-runtime-interfaces/rfc-draft-user-creation-by-org-managers.md)
stephanme
requested review from
Gerg,
a team,
beyhan,
ameowlia and
ChrisMcGowan
and removed request for
a team
|
FYI: @cloudfoundry/toc , @cloudfoundry/wg-app-runtime-interfaces-capi-approvers |
beyhan
requested review from
a team and
rkoster
and removed request for
a team
toc/rfc/app-runtime-interfaces/rfc-draft-user-creation-by-org-managers.md
Outdated
Show resolved
Hide resolved
toc/rfc/app-runtime-interfaces/rfc-draft-user-creation-by-org-managers.md
Outdated
Show resolved
Hide resolved
toc/rfc/app-runtime-interfaces/rfc-draft-user-creation-by-org-managers.md
Outdated
Show resolved
Hide resolved
toc/rfc/app-runtime-interfaces/rfc-draft-user-creation-by-org-managers.md
Outdated
Show resolved
Hide resolved
toc/rfc/app-runtime-interfaces/rfc-draft-user-creation-by-org-managers.md
Outdated
Show resolved
Hide resolved
|
In this workflow, who or what is granting the user the Org Manager role? Could the Org Manager also be granted an appropriate scope to create users in UAA, instead of CC creating users on their behalf? |
|
cc @cloudfoundry/wg-foundational-infrastructure-identity-and-auth-uaa-approvers |
There was a problem hiding this comment.
Overall, I'm a bit wary of adding a POST request to UAA nested inside of a synchronous CC request. We'd have to contend with issues of timeouts, error handling, audit-ability, etc.
Ideally, we could get the Org Manager users sufficient permissions to create the user in UAA themselves, maybe with the facilitation of the CLI?
toc/rfc/app-runtime-interfaces/rfc-draft-user-creation-by-org-managers.md
Outdated
Show resolved
Hide resolved
toc/rfc/app-runtime-interfaces/rfc-draft-user-creation-by-org-managers.md
Outdated
Show resolved
Hide resolved
toc/rfc/app-runtime-interfaces/rfc-draft-user-creation-by-org-managers.md
Show resolved
Hide resolved
- origin=uaa is not allowed - included suggestions by reviewers
The initial Org Manager role is assigned by an external onboarding process that uses a technical CF admin user. From then on, the initial Org Manager can grant Org Manager role to additional users using CF CLI or any other CF API client (e.g. terraform).
That's a valid point. But on the other hand, |
|
We discussed this during the TOC meeting on 01.10.2024 and decided to start the FCP with the goal to accept it during the next TOC meeting. |
There was a problem hiding this comment.
I'm still nervous about nesting a synchronous POST request to UAA inside a CC request, but I understand the use case this RFC is trying to solve. I'm fine with this idea as long as it is off by default in cf-d.
I left a couple comments on details that I think should be addressed prior to acceptance.
toc/rfc/app-runtime-interfaces/rfc-draft-user-creation-by-org-managers.md
Outdated
Show resolved
Hide resolved
toc/rfc/app-runtime-interfaces/rfc-draft-user-creation-by-org-managers.md
Show resolved
Hide resolved
... and add it as possible future work.
- clarify that an extra UAA client cloud_controller_shadow_user_creation shall be used instead of adding scopes to existing ones - the new function shall be enabled by an cf-deployment ops file
Allow Org Managers to create users in UAA in order to improve the onboarding procedure for larger developer groups into multi-tenant Cloud Foundry foundations.
Preview