uaa job from cf/211
The UAA is the identity management service for Cloud Foundry. Its primary role is as an OAuth2 provider, issuing tokens for client applications to use when they act on behalf of Cloud Foundry users. It can also authenticate users with their Cloud Foundry credentials, and can act as an SSO service using those credentials (or others). It has endpoints for managing user accounts and for registering OAuth2 clients, as well as various other management functions.
Github source: 48c88357 or master branch
Properties¶
domain¶The domain name for this CloudFoundry deploy
env¶
http_proxy¶The http_proxy across the VMs
https_proxy¶The https_proxy across the VMs
no_proxy¶Set No_Proxy across the VMs
login¶
analytics¶
code¶Analytics code
domain¶Analytics domain
asset_base_url¶Base url for static assets, allows custom styling of the login server. Use ‘/resources/pivotal’ for Pivotal style.
brand¶The brand to use for the reset password emails, available values are oss and pivotal
- Default
oss
catalina_opts¶
entity_id¶Deprecated: Use login.saml.entityid
invitations_enabled¶Allows users to send invitations to email addresses outside the system and invite them to create an account. Disabled by default.
ldap¶
localPasswordCompare¶See uaa.ldap.localPasswordCompare - login.ldap prefix is used for backwards compatibility to enable ldap from login config
- Default
"true"
passwordAttributeName¶See uaa.ldap.passwordAttributeName - login.ldap prefix is used for backwards compatibility to enable ldap from login config
- Default
userPassword
passwordEncoder¶See uaa.ldap.passwordEncoder - login.ldap prefix is used for backwards compatibility to enable ldap from login config
- Default
org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator
profile_type¶See uaa.ldap.profile_type - login.ldap prefix is used for backwards compatibility to enable ldap from login config
searchBase¶See uaa.ldap.searchBase - login.ldap prefix is used for backwards compatibility to enable ldap from login config
- Default
""
searchFilter¶See uaa.ldap.searchFilter - login.ldap prefix is used for backwards compatibility to enable ldap from login config
- Default
cn={0}
sslCertificate¶See uaa.ldap.sslCertificate - login.ldap prefix is used for backwards compatibility to enable ldap from login config
sslCertificateAlias¶See uaa.ldap.sslCertificateAlias - login.ldap prefix is used for backwards compatibility to enable ldap from login config
url¶See uaa.ldap.url - login.ldap prefix is used for backwards compatibility to enable ldap from login config
userDN¶See uaa.ldap.userDN - login.ldap prefix is used for backwards compatibility to enable ldap from login config
userDNPattern¶See uaa.ldap.userDNPattern - login.ldap prefix is used for backwards compatibility to enable ldap from login config
userPassword¶See uaa.ldap.userPassword - login.ldap prefix is used for backwards compatibility to enable ldap from login config
links¶A hash of home/passwd/signup URLS (see commented examples below)
home¶URL for primary console/dashboard for users
- Default
https://console.run.pivotal.io
network¶URL for Pivotal Network
- Default
https://network.gopivotal.com/login
passwd¶URL for requesting password reset
- Default
https://console.run.pivotal.io/password_resets/new
signup¶URL for requesting to signup/register for an account
- Default
https://console.run.pivotal.io/register
signup-network¶URL for requesting to signup/register for an account at Pivotal Network
- Default
https://network.gopivotal.com/registrations/new
logout¶
redirect¶
parameter¶
disable¶When set to false, this allows an operator to leverage an open redirect on the UAA (/logout.do?redirect=google.com). Default value is true, i.e. no open redirect is enabled.
whitelist¶A list of URLs. When this list is non-null (including empty) and disable=false, logout redirects are allowed but limited to the whitelisted URLs. If a redirect parameter value is not whitelisted, the redirect will be to the default URL.
url¶The Location of the redirect header following a logout of the UAA (/logout.do). Default value is back to the login page (/login)
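The decision rules the three login.logout.redirect properties describe, as an added example that is not part of the uaa job or the UAA code base; it assumes whitelist entries are compared as exact strings, which the description does not specify, and the whitelist value is constructed:

```python
# Added example (not UAA code): model the documented decision rules for the
# login.logout.redirect properties so the Location /logout.do would return under
# a given manifest can be checked, and flag the combination that opens a redirect.

DEFAULT_LOGOUT_URL = "/login"  # documented default for login.logout.redirect.url

def resolve_logout_redirect(requested, disable=True, whitelist=None,
                            default_url=DEFAULT_LOGOUT_URL):
    """Return the post-logout Location for a redirect parameter value.

    Assumption (not stated in the docs): whitelist entries are compared as
    exact strings after stripping surrounding whitespace.
    """
    if disable:                    # default: the parameter is ignored entirely
        return default_url
    if whitelist is None:          # disable=false and no list: open redirect
        return requested or default_url
    allowed = {entry.strip() for entry in whitelist}
    if requested and requested.strip() in allowed:
        return requested.strip()
    return default_url             # not whitelisted (or the list is empty)

def audit_logout_config(disable, whitelist):
    """Classify a manifest's logout redirect settings for review."""
    if disable:
        return "disabled"          # redirect parameter never honoured
    if whitelist is None:
        return "open-redirect"     # any caller-supplied URL is followed
    return "restricted"            # only whitelist entries are followed

# Constructed manifest value for illustration.
EXAMPLE_WHITELIST = ["https://console.example.com/", "https://apps.example.com/logged_out"]
```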
messages¶A nested or flat hash of messages that the login server uses to display UI messages. This will be flattened into a java.util.Properties file. The example below will lead to four properties, where the key is the concatenated value delimited by dot, for example scope.tokens.read=message
Nested example:
  messages:
    scope:
      tokens:
        read: View details of your approvals you have granted to this and other applications
        write: Cancel the approvals like this one that you have granted to this and other applications
      cloud_controller:
        read: View details of your applications and services
        write: Push applications to your account and create and bind services
Flat example:
  messages:
    scope.tokens.read: View details of your approvals you have granted to this and other applications
    scope.tokens.write: Cancel the approvals like this one that you have granted to this and other applications
    scope.cloud_controller.read: View details of your applications and services
    scope.cloud_controller.write: Push applications to your account and create and bind services
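The flattening this property describes, as an added example that is not part of the uaa job or the UAA code base; the two input hashes are constructed from the nested and flat examples above, and the collision check is an added safeguard rather than documented UAA behaviour:

```python
# Added example (not UAA code): flatten a nested "messages" hash into the dotted
# keys written to messages.properties; nested and flat forms must yield the same entries.

# Constructed input mirroring the nested example.
NESTED_MESSAGES = {
    "scope": {
        "tokens": {
            "read": "View details of your approvals you have granted to this and other applications",
            "write": "Cancel the approvals like this one that you have granted to this and other applications",
        },
        "cloud_controller": {
            "read": "View details of your applications and services",
            "write": "Push applications to your account and create and bind services",
        },
    },
}

# Constructed input mirroring the flat example.
FLAT_MESSAGES = {
    "scope.tokens.read": "View details of your approvals you have granted to this and other applications",
    "scope.tokens.write": "Cancel the approvals like this one that you have granted to this and other applications",
    "scope.cloud_controller.read": "View details of your applications and services",
    "scope.cloud_controller.write": "Push applications to your account and create and bind services",
}

def flatten_messages(messages, prefix=""):
    """Join nested keys with '.'; leaves become property values. Raises
    ValueError when a flat key and a nested path collide, since a silent
    overwrite would change the text shown to users with no deploy-time error."""
    props = {}
    for key, value in messages.items():
        full_key = f"{prefix}.{key}" if prefix else str(key)
        branch = flatten_messages(value, full_key) if isinstance(value, dict) else {full_key: str(value)}
        duplicates = set(branch) & set(props)
        if duplicates:
            raise ValueError(f"duplicate message keys: {sorted(duplicates)}")
        props.update(branch)
    return props

def has_key_collision(messages):
    """True when flattening would fail because flat and nested keys overlap."""
    try:
        flatten_messages(messages)
    except ValueError:
        return True
    return False
```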
notifications¶
url¶The url for the notifications service (configure to use Notifications Service instead of SMTP server)
port¶
- Default
8080
protocol¶Scheme to use for HTTP communication (http/https)
saml¶
assertion_consumer_index¶Deprecated: Use login.saml.providers list objects
- Default
1
entityid¶The ID to represent this server
idpEntityAlias¶Deprecated: Use login.saml.providers list objects
idpMetadataURL¶Deprecated: Use login.saml.providers list objects
idp_metadata_file¶Deprecated: Use login.saml.providers list objects
keystore_key¶Key name of the SAML login server keystore.
- Default
selfsigned
keystore_name¶Name of the SAML login server keystore.
- Default
samlKeystore.jks
keystore_password¶Key password to the SAML login server keystore.
- Default
password
metadataTrustCheck¶Deprecated: Use login.saml.providers list objects
- Default
true
nameidFormat¶Deprecated: Use login.saml.providers list objects
- Default
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
providers¶Contains a hash of SAML Identity Providers, the key is the IDP Alias, followed by key/value pairs for idpMetadata, nameID, assertionConsumerIndex, metadataTrustCheck, showSamlLoginLink, linkText, iconUrl
serviceProviderCertificate¶Service provider certificate.
serviceProviderKey¶Private key for the service provider certificate.
serviceProviderKeyPassword¶Password to protect the service provider private key.
socket¶
connectionManagerTimeout¶Timeout in milliseconds for connection pooling for SAML metadata HTTP requests
soTimeout¶Read timeout in milliseconds for SAML metadata HTTP requests
signups_enabled¶Enable account creation flow in the login server. Enabled by default.
smtp¶SMTP server configuration, for password reset emails etc.
host¶SMTP server host address
- Default
localhost
password¶SMTP server password
port¶SMTP server port
- Default
2525
user¶SMTP server username
spring_profiles¶See uaa.spring_profiles - login.spring_profiles is used for backwards compatibility to enable ldap from login config
tiles¶A list of links to other services to show on the landing page after logging in and/or signing up, depending on whether login-link and/or signup-link is specified.
uaa_base¶Location of the UAA.
uaa_certificate¶Certificate to import if the UAA is using self-signed certificates
nats¶
machines¶IP of each NATS cluster member.
password¶Password for NATS login
port¶TCP port of NATS server
user¶User name for NATS login
networks¶
apps¶The App network name
uaa¶
admin¶
client_secret¶Secret of the admin client - a client named admin with uaa.admin as an authority
authentication¶
policy¶
countFailuresWithinSeconds¶Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked
lockoutAfterFailures¶Number of allowed failures before account is locked
lockoutPeriodSeconds¶Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded
catalina_opts¶
- Default
-Xmx768m -XX:MaxPermSize=256m
cc¶
client_secret¶
token_secret¶
client¶
autoapprove¶
clients¶
login¶
secret¶Login client secret - overrides uaa.login.client_secret
database¶
abandoned_timeout¶Timeout in seconds for the longest running queries. Take DB migrations into account for this timeout, as they may run for a long period of time.
- Default
300
log_abandoned¶Should connections that are forcibly closed be logged.
- Default
true
max_connections¶The max number of open connections to the DB from a running UAA instance
- Default
100
max_idle_connections¶The max number of open idle connections to the DB from a running UAA instance
- Default
10
remove_abandoned¶True if connections that are left open longer than abandoned_timeout seconds during a session (time between borrow and return from pool) should be forcibly closed
- Default
false
dump_requests¶
issuer¶The url to use as the issuer URI
jwt¶
signing_key¶
verification_key¶
ldap¶
enabled¶Set to true to enable LDAP
- Default
false
groups¶
autoAdd¶Set to true when profile_type=groups_as_scopes to auto create scopes for a user. Ignored for other profiles.
- Default
"true"
groupRoleAttribute¶Used with groups-as-scopes, defines the attribute that holds the scope name(s).
groupSearchFilter¶Search query filter to find groups a user belongs to, or for a nested search, groups that a group belongs to
- Default
member={0}
maxSearchDepth¶Set to number of levels a nested group search should go. Set to 1 to disable nested groups (default)
- Default
"1"
profile_type¶What type of group integration should be used. Values are no-groups, groups-as-scopes and groups-map-to-scopes
- Default
no-groups
searchBase¶Search start point for a user group membership search
- Default
""
searchSubtree¶Boolean value, set to true to search below the search base
- Default
"true"
localPasswordCompare¶Used with search-and-compare only. Set to true if passwords are retrieved by the search, and should be compared in the login server.
- Default
"true"
mailAttributeName¶The name of the LDAP attribute that contains the users email address
- Default
mailSubstitute¶Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
- Default
""
mailSubstituteOverridesLdap¶Set to true if you wish to override an LDAP user email address with a generated one
- Default
false
passwordAttributeName¶Used with search-and-compare only. The name of the password attribute in the LDAP directory
- Default
userPassword
passwordEncoder¶Used with search-and-compare only. The encoder used to properly encode user password to match the one in the LDAP directory.
- Default
org.cloudfoundry.identity.uaa.ldap.DynamicPasswordComparator
profile_type¶The file to be used for configuring the LDAP authentication. options are simple-bind, search-and-bind and search-and-compare
- Default
search-and-bind
searchBase¶Used with search-and-bind and search-and-compare. Define a base where the search starts at.
- Default
""
searchFilter¶Used with search-and-bind and search-and-compare. Search filter used. Takes one parameter, user ID defined as {0}
- Default
cn={0}
sslCertificate¶Used with ldaps:// URLs. The certificate, if self signed, to be trusted by this connection.
sslCertificateAlias¶Used with ldaps:// URLs. The certificate alias, to be trusted by this connection and stored in the keystore.
url¶The URL to the ldap server, must start with ldap:// or ldaps://
userDN¶Used with search-and-bind and search-and-compare. A valid LDAP ID that has read permissions to perform a search of the LDAP tree for user information.
userDNPattern¶Used with simple-bind only. A semi-colon separated list of DN patterns to construct a DN directly from the user ID without performing a search.
userDNPatternDelimiter¶The delimiter character in between user DN patterns for simple bind authentication
- Default
;
userPassword¶Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
login¶
client_secret¶Deprecated. Default login client secret if no login client is defined
newrelic¶To enable NewRelic monitoring, the sub-element of this property will be placed in a configuration file called newrelic.yml in the job's config directory. The syntax must adhere to the documentation at https://docs.newrelic.com/docs/agents/java-agent/configuration/java-agent-configuration-config-file. The JVM option -javaagent:/path/to/newrelic.jar will be added to Apache Tomcat's startup script. Enablement of the NewRelic agent in the UAA is triggered by the property uaa.newrelic.common.license_key, which must be set!
no_ssl¶when true, uaa uses http, otherwise it uses https
- Default
false
openid¶
fallbackToAuthcode¶When using the hybrid flow to get an id_token, suppress the exception if the client doesn't have the implicit grant.
- Default
true
port¶Port that uaa will accept connections on
- Default
8080
require_https¶
restricted_ips_regex¶A pipe delimited set of regular expressions of IP addresses that can reach the listening HTTP port of the server.
- Default
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
scim¶
external_groups¶A list of external group mappings. Pipe delimited. A value may look as ‘- internal.read|cn=developers,ou=scopes,dc=test,dc=com’
user¶
override¶
userids_enabled¶
- Default
false
users¶
spring_profiles¶Deprecated. Use ‘uaa.ldap.enabled’. Sets the Spring profiles on the UAA web application. This gets combined with the ‘uaadb.db_scheme’ property if and only if the value is exactly ‘ldap’ in order to setup the database, for example ‘ldap,mysql’. If spring_profiles contains more than just ‘ldap’ it will be used to overwrite spring_profiles and db_scheme ignored. See uaa.yml.erb.
url¶
user¶
authorities¶Contains a list of the default authorities/scopes assigned to a user.
- Default
- openid
- scim.me
- cloud_controller.read
- cloud_controller.write
- cloud_controller_service_permissions.read
- password.write
- uaa.user
- approvals.me
- oauth.approvals
- notification_preferences.read
- notification_preferences.write
zones¶
internal¶
hostnames¶A list of hostnames that are routed to the UAA, specifically the default zone in the UAA. The UAA will reject any Host headers that it doesn't recognize. By default the UAA recognizes:
  uaa. (the default UAA route)
  login. (the login-server route that the UAA now also serves)
  localhost (in order to accept health checks)
Any hostnames added as a list are additive to the default hostnames allowed. Example:
  uaa:
    zones:
      internal:
        hostnames:
          - hostname1
          - hostname2.localhost
          - hostname3.example.com
- Default
- uaa.service.consul
uaadb¶
address¶The UAA database IP address
databases¶The list of databases used in UAA database including tag/name
db_scheme¶Database scheme for UAA DB
port¶The UAA database Port
roles¶The list of database Roles used in UAA database including tag/name/password
Templates¶
Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/uaa/ directory.
- bin/dns_health_check (from dns_health_check.erb)
- bin/install_crt (from install_crt.erb)
- bin/uaa_cf-registrar_ctl (from cf-registrar_ctl)
- bin/uaa_ctl (from uaa_ctl.erb)
- config/cf-registrar/config.yml (from cf-registrar.config.yml.erb)
- config/ldap.crt (from ldap.crt.erb)
- config/log4j.properties (from log4j.properties.erb)
- config/login.yml (from login.yml.erb)
- config/messages.properties (from messages.properties.erb)
- config/newrelic.yml (from newrelic.yml.erb)
- config/tomcat/logging.properties (from tomcat.logging.properties)
- config/tomcat/server.xml (from tomcat.server.xml.erb)
- config/uaa.yml (from uaa.yml.erb)
- config/varz.log4j.properties (from varz.log4j.properties.erb)
- config/varz.yml (from varz.yml.erb)
Packages¶
Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into the /var/vcap/packages/ directory.