I get this question often from customers. Pivotal Cloud Foundry has just been installed and the API endpoint used to target the instance is working fine. In short, we want to do the following before we get developers onto the platform, so that we are no longer using the UAA server admin login details from the CLI or the Apps Manager UI.
- Create a new ADMIN user which will be used to configure Apps Manager ORGS and spaces for the developers
- Create an ORG
- Create at least one quota, maybe more, to control the memory limit and the number of application instances within an ORG
- Assign the quota to your ORG
Steps
--> Create a new ADMIN user which will be used to configure Apps Manager ORGS and spaces for the developers
1. Login to Ops Manager VM using SSH for example
2. Target the UAA server as shown below
Eg: $ uaac target uaa.YOUR-DOMAIN
ubuntu@opsmanager-pcf:~$ uaac target uaa.system.YYYY --skip-ssl-validation
Unknown key: Max-Age = 2592000
Target: https://uaa.system.YYYY
3. Authenticate and obtain an access token for the admin client from the UAA server
Note: Record the uaa:admin:client_secret from your deployment manifest
ubuntu@opsmanager-pcf:~$ uaac token client get admin -s PASSWD
Successfully fetched token via client credentials grant.
Target: https://uaa.system.YYYY
Context: admin, from client admin
4. Use the uaac contexts command to display the users and applications authorized by the UAA server, and the permissions granted to each of them. Ensure that "scim.write" appears in the "scope" field
ubuntu@opsmanager-pcf:~$ uaac contexts
[0]*[https://uaa.system.YYYY]
skip_ssl_validation: true
[0]*[admin]
client_id: admin
access_token: .....
token_type: bearer
expires_in: 43199
scope: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
jti: b1bf094a5c4640dbac4abc5f3bf15b08
5. Run the following command to create an admin user
ubuntu@opsmanager-pcf:~$ uaac user add apples -p PASSWD --emails papicella@pivotal.io
user account successfully added
6. Run uaac member add GROUP NEW-ADMIN-USERNAME to add the new admin to the groups cloud_controller.admin, uaa.admin, scim.read, and scim.write
ubuntu@opsmanager-pcf:~$ uaac member add cloud_controller.admin apples
success
ubuntu@opsmanager-pcf:~$ uaac member add uaa.admin apples
success
ubuntu@opsmanager-pcf:~$ uaac member add scim.read apples
success
ubuntu@opsmanager-pcf:~$ uaac member add scim.write apples
success
--> Create an ORG
1. Login using the new admin user "apples"
pasapicella@pas-macbook:~$ cf login -u apples -p PASSWD -o system -s system
API endpoint: https://api.system.YYYY
Authenticating...
OK
Targeted org system
Targeted space system
API endpoint: https://api.system.YYYY (API version: 2.94.0)
User: papicella@pivotal.io
Org: system
Space: system
2. Create an ORG as follows
pasapicella@pas-macbook:~$ cf create-org myfirst-org
Creating org myfirst-org as apples...
OK
Assigning role OrgManager to user apples in org myfirst-org ...
OK
TIP: Use 'cf target -o "myfirst-org"' to target new org
--> Create at least one quota, maybe more, to control the memory limit and the number of application instances within an ORG
1. Here we create what I call a medium-quota, which allows 20G of total memory, 2 service instances, no more than 1G of memory per application instance, and at most 20 application instances. The command also allows 1000 routes (-r 1000) and paid service plans, as the cf quota output confirms.
pasapicella@pas-macbook:~$ cf create-quota medium-quota -m 20G -i 1G -a 20 -s 2 -r 1000 --allow-paid-service-plans
Creating quota medium-quota as apples...
OK
pasapicella@pas-macbook:~$ cf quota medium-quota
Getting quota medium-quota info as apples...
OK
Total Memory 20G
Instance Memory 1G
Routes 1000
Services 2
Paid service plans allowed
App instance limit 20
Reserved Route Ports 0
--> Assign the quota to your ORG
1. Assign the newly created quota to the ORG we created above
pasapicella@pas-macbook:~$ cf set-quota myfirst-org medium-quota
Setting quota medium-quota to org myfirst-org as apples...
OK
pasapicella@pas-macbook:~$ cf org myfirst-org
Getting info for org myfirst-org as apples...
name: myfirst-org
domains: apps.pas-apples.online
quota: medium-quota
spaces:
isolation segments:
Finally we can add a space to the ORG and assign privileges to a user called "pas" as shown below
- Set OrgManager role to the user "pas"
pasapicella@pas-macbook:~$ cf set-org-role pas myfirst-org OrgManager
Assigning role OrgManager to user pas in org myfirst-org as apples...
OK
- Logout as the "apples" admin user, as "pas" can now do his own administration of the ORG "myfirst-org"
pasapicella@pas-macbook:~$ cf logout
Logging out...
OK
- Login as pas and target the ORG
pasapicella@pas-macbook:~$ cf login -u pas -p PASSWD -o myfirst-org
API endpoint: https://api.system.YYYY
Authenticating...
OK
Targeted org myfirst-org
API endpoint: https://api.system.YYYY (API version: 2.94.0)
User: pas
Org: myfirst-org
Space: No space targeted, use 'cf target -s SPACE'
- Create a space, which also assigns the space roles to the user "pas" who creates it
pasapicella@pas-macbook:~$ cf create-space dev
Creating space dev in org myfirst-org as pas...
OK
Assigning role RoleSpaceManager to user pas in org myfirst-org / space dev as pas...
OK
Assigning role RoleSpaceDeveloper to user pas in org myfirst-org / space dev as pas...
OK
TIP: Use 'cf target -o "myfirst-org" -s "dev"' to target new space
- Target the new space
pasapicella@pas-macbook:~$ cf target -o myfirst-org -s dev
api endpoint: https://api.system.pas-apples.online
api version: 2.94.0
user: pas
org: myfirst-org
space: dev
Typically we would assign other users to the spaces using "cf set-space-role ...", whose roles are listed in its help output
pasapicella@pas-macbook:~$ cf set-space-role --help
NAME:
set-space-role - Assign a space role to a user
USAGE:
cf set-space-role USERNAME ORG SPACE ROLE
ROLES:
'SpaceManager' - Invite and manage users, and enable features for a given space
'SpaceDeveloper' - Create and manage apps and services, and see logs and reports
'SpaceAuditor' - View logs, reports, and settings on this space
SEE ALSO:
space-users
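As an added example (not code from the original post), here is a shell helper that runs the steps above end to end and wires in the two checks an operator would want before handing the platform to developers: that the admin client token really carries scim.write before any uaac user add is attempted, and that the quota numbers are consistent before cf create-quota runs. The user, org, quota and group names are the post's; the function names, the environment variables and the sample_contexts text are constructed for this example. With no argument on the command line the script only defines functions, so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: a bootstrap helper that mirrors the
# steps above (new UAA admin user, org, quota, quota assignment, OrgManager role)
# and adds the checks an operator would want before developers arrive.
# The user, org, quota and group names are the post's; every function name and
# the sample_contexts text below are constructed for this example.

ADMIN_USER=${ADMIN_USER:-apples}
ADMIN_EMAIL=${ADMIN_EMAIL:-papicella@pivotal.io}
ORG=${ORG:-myfirst-org}
QUOTA=${QUOTA:-medium-quota}
DEV_USER=${DEV_USER:-pas}
TOTAL_MEM=${TOTAL_MEM:-20G}
INST_MEM=${INST_MEM:-1G}
APP_INSTANCES=${APP_INSTANCES:-20}

# Constructed stand-in for `uaac contexts` output (mirrors step 4 of the post)
# so the scope check can be exercised without a UAA server.
sample_contexts() {
    cat <<'EOF'
[0]*[https://uaa.system.YYYY]
  skip_ssl_validation: true
  [0]*[admin]
      client_id: admin
      access_token: .....
      token_type: bearer
      expires_in: 43199
      scope: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
      jti: b1bf094a5c4640dbac4abc5f3bf15b08
EOF
}

# Step 4 check: does the contexts dump on stdin grant the given scope?
# The scope line is split into one token per line so "scim.write" cannot match
# inside a longer scope name.
has_scope() {
    grep -E '^[[:space:]]*scope:' | tr ' ' '\n' | grep -qx "$1"
}

# Convert a cf memory string (20G, 512M) to megabytes; fails on any other unit.
mem_to_mb() {
    value=$(printf '%s' "$1" | sed 's/[GgMm]$//')
    case "$1" in
        *[Gg]) echo $((value * 1024)) ;;
        *[Mm]) echo "$value" ;;
        *) return 1 ;;
    esac
}

# Sanity check before `cf create-quota`: the per-instance limit (-i) must not
# exceed the org total (-m), and the app instance cap (-a) must be positive.
quota_ok() {
    total_mb=$(mem_to_mb "$1") || return 1
    inst_mb=$(mem_to_mb "$2") || return 1
    [ "$3" -ge 1 ] 2>/dev/null || return 1
    [ "$inst_mb" -le "$total_mb" ]
}

# The post's steps in order, with the checks wired in. Only runs when invoked
# with "run"; expects `uaac target` and `uaac token client get admin` to have
# been done first and ADMIN_PASS to be supplied via the environment.
bootstrap() {
    uaac contexts | has_scope scim.write || {
        echo "admin client token lacks scim.write; cannot create users" >&2
        return 1
    }
    uaac user add "$ADMIN_USER" -p "$ADMIN_PASS" --emails "$ADMIN_EMAIL"
    for group in cloud_controller.admin uaa.admin scim.read scim.write; do
        uaac member add "$group" "$ADMIN_USER"
    done
    cf login -u "$ADMIN_USER" -p "$ADMIN_PASS" -o system -s system
    cf create-org "$ORG"
    quota_ok "$TOTAL_MEM" "$INST_MEM" "$APP_INSTANCES" || {
        echo "refusing quota: $INST_MEM per instance vs $TOTAL_MEM total, $APP_INSTANCES instances" >&2
        return 1
    }
    cf create-quota "$QUOTA" -m "$TOTAL_MEM" -i "$INST_MEM" -a "$APP_INSTANCES" \
        -s 2 -r 1000 --allow-paid-service-plans
    cf set-quota "$ORG" "$QUOTA"
    cf set-org-role "$DEV_USER" "$ORG" OrgManager
    cf logout
}

if [ "${1:-}" = "run" ]; then
    bootstrap
fi
```

Run it as `ADMIN_PASS=... sh bootstrap.sh run` from the Ops Manager VM after targeting the UAA server; without the `run` argument nothing talks to UAA or the Cloud Controller, and `sample_contexts | has_scope scim.write` shows the scope check passing against the constructed dump.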
More Information
Creating and Managing Users with the UAA CLI (UAAC)
https://docs.pivotal.io/pivotalcf/1-12/uaa/uaa-user-management.html
Creating and Managing Users with the cf CLI
https://docs.pivotal.io/pivotalcf/1-12/adminguide/cli-user-management.html