Pivotal Knowledge Base

How to add a Read-Only BOSH user

Environment

Product: Pivotal Cloud Foundry
Version: 1.7 and above

Purpose

This article shows you how to add a read-only Bosh user who has read access on the director but does not have admin access for deployments. Read access prevents users from managing VMs, creating or updating deployments, running errands, etc.

Procedure

Every time you run a Bosh login, the Bosh CLI authenticates as the bosh_cli UAA client. By default, the bosh_cli client's scopes include bosh.admin, so anyone logging in this way gets full administrative rights on the director. The steps below create a separate UAA client whose authorities are limited to read-only access:

1. Create a client that has read-only authorities

ubuntu@pivotal-ops-manager:~$ uaac client add readonly-new --name readonly-new --authorities "bosh.read bosh.*.read" --scope "uaa.none" --authorized_grant_types "client_credentials"
New client secret:  changeme
Verify new client secret:  changeme
  scope: uaa.none
  client_id: readonly-new
  resource_ids: none
  authorized_grant_types: client_credentials
  autoapprove: 
  authorities: bosh.read bosh.*.read
  name: readonly-new
  lastmodified: 1487733329676
  id: readonly-new

2. Log in to Bosh as the new client by exporting its credentials as environment variables; `bosh status` then reports the client as the current user

ubuntu@pivotal-ops-manager:~$ export BOSH_CLIENT=readonly-new
ubuntu@pivotal-ops-manager:~$ export BOSH_CLIENT_SECRET=changeme
ubuntu@pivotal-ops-manager:~$ bosh status
Config
             /home/ubuntu/.bosh_config

Director
  Name       p-bosh
  URL        https://10.193.70.11:25555
  Version    260.0.0 (00000000)
  User       readonly-new
  UUID       f795f65a-ac8f-40a4-a8b9-e9f14d898578
  CPI        vsphere_cpi
  dns        disabled
  compiled_package_cache disabled
  snapshots  disabled

Deployment
  Manifest   /home/ubuntu/p-mysql-2b77233f801ee90f2e19.yml

3. Confirm the restriction works by attempting to restart a VM; the director rejects the operation because the client holds neither bosh.admin nor the director-specific admin scope

ubuntu@pivotal-ops-manager:~$ bosh restart mysql 0 
Acting as client 'readonly-new' on deployment 'p-mysql-2b77233f801ee90f2e19' on 'p-bosh'
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
You are about to restart mysql/0

Detecting deployment changes
----------------------------
Restart mysql/0? (type 'yes' to continue): yes

Performing 'restart mysql/0'...
Error 600000: Require one of the scopes: bosh.admin, bosh.f795f65a-ac8f-40a4-a8b9-e9f14d898578.admin
ubuntu@pivotal-ops-manager:~$  
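The following shell script is an added example, not part of this article or of the uaac or Bosh tooling. It audits the `authorities:` line of `uaac client get` output (the same key/value layout shown in step 1) and reports whether a client is genuinely read-only, flagging both `bosh.admin` and the director-scoped `bosh.<director-uuid>.admin` authority named in the step 3 error message. The three sample outputs embedded below are constructed for the example; only `readonly-new` and the director UUID come from the article.

```sh
#!/bin/sh
# Audit UAA client authorities for BOSH read-only access.
# Expected uaac layout (as in the article): an indented "authorities: a b c" line.

# Constructed samples standing in for `uaac client get <id>` output.
SAMPLE_READONLY='  scope: uaa.none
  client_id: readonly-new
  authorities: bosh.read bosh.*.read
  name: readonly-new'

SAMPLE_GLOBAL_ADMIN='  scope: uaa.none
  client_id: ops-automation
  authorities: bosh.admin bosh.read
  name: ops-automation'

# Director-scoped admin (UUID taken from the article) is still admin.
SAMPLE_DIRECTOR_ADMIN='  scope: uaa.none
  client_id: p-bosh-deployer
  authorities: bosh.read bosh.f795f65a-ac8f-40a4-a8b9-e9f14d898578.admin
  name: p-bosh-deployer'

# Print the space-separated authority list from uaac-style output (empty if absent).
client_authorities() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*authorities:[[:space:]]*//p'
}

# Print every authority that is NOT a read-only BOSH authority, one per line.
# Allowed: bosh.read and bosh.<anything>.read (covers the literal bosh.*.read
# as well as director-specific bosh.<uuid>.read).
offending_authorities() {
  set -f                      # no pathname expansion while word-splitting the list
  for a in $(client_authorities "$1"); do
    case "$a" in
      bosh.read|bosh.*.read) ;;           # read-only, fine
      *) printf '%s\n' "$a" ;;            # anything else grants more than read
    esac
  done
  set +f
}

# Exit 0 when the client has an authorities line and nothing on it exceeds read access.
is_readonly_client() {
  [ -n "$(client_authorities "$1")" ] || return 1   # no authorities line: cannot vouch
  [ -z "$(offending_authorities "$1")" ]
}

# Human-readable verdict for one client's uaac output.
audit_client() {
  if is_readonly_client "$1"; then
    printf 'READ-ONLY\n'
  else
    printf 'NOT READ-ONLY: %s\n' "$(offending_authorities "$1" | tr '\n' ' ')"
  fi
}

# Stand-alone run over the constructed samples.
for s in "$SAMPLE_READONLY" "$SAMPLE_GLOBAL_ADMIN" "$SAMPLE_DIRECTOR_ADMIN"; do
  audit_client "$s"
done
```

In practice the input would be the live output of `uaac client get <client-id>` for each client listed by `uaac clients`; the script only decides whether a client's authorities exceed read access, so it can be run periodically to catch clients that were later granted `bosh.admin` or a director-scoped `.admin` authority.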

Additional Information

For more information on the scope of the read-only user and admin user, please see UAA Permissions [1].

1. https://bosh.io/docs/director-users-uaa-perms.html
