I am attempting to deploy spring-cloud-data-flow-server on Cloud Foundry, and to use role mapping to map the default roles to my own scopes.
In order to do so, I'm following https://docs.spring.io/spring-cloud-dataflow/docs/2.3.0.BUILD-SNAPSHOT/reference/htmlsingle/#configuration-security-role-mapping, which states that map-oauth-scopes is to be set to true and that afterwards all 7 Spring Cloud Data Flow roles should be mapped to scopes.
I've noticed you can configure said properties using the manifest.yml, under the env object, with some modifications to the key. As stated in https://github.com/spring-cloud/spring-cloud-dataflow/blob/master/spring-cloud-dataflow-docs/src/main/asciidoc/configuration-cloudfoundry.adoc, this hierarchy:
spring:
  cloud:
    dataflow:
      security:
        authorization:
          map-oauth-scopes: true
          role-mappings:
            ROLE_CREATE: dataflow.create
            ROLE_DEPLOY: dataflow.deploy
            ROLE_DESTROY: dataflow.destroy
            ROLE_MANAGE: dataflow.manage
            ROLE_MODIFY: dataflow.modify
            ROLE_SCHEDULE: dataflow.schedule
            ROLE_VIEW: dataflow.view
can be represented like so in manifest.yml:
- env:
    SPRING_CLOUD_DATAFLOW_SECURITY_AUTHORIZATION_MAP-OAUTH-SCOPES: true
    SPRING_CLOUD_DATAFLOW_SECURITY_AUTHORIZATION_ROLE-MAPPINGS_ROLE_CREATE: <my-scope>
    ...
map-oauth-scopes is properly set; however, the role mapping isn't. I suspect it has something to do with the underscore in the role prefix (e.g. ROLE_CREATE), since the 'translation' to the env format requires underscores as hierarchy separators.
What am I missing? How can I set the role mapping using the manifest.yml?
Thanks in advance!
Okay, so I'm not sure if this is how you're supposed to do it; however, it works and is easily set up.
In the manifest.yml, add a SPRING_APPLICATION_JSON entry and pass the mapping as JSON.
applications:
- env:
    ...
    SPRING_PROFILES_DEFAULT: cloud
    SPRING_APPLICATION_JSON: |-
      {
        "spring.cloud.dataflow.security.authorization": {
          "map-oauth-scopes": true,
          "role-mappings": {
            "ROLE_CREATE": "my.scope.for.create",
            "ROLE_DEPLOY": "my.scope.for.deploy",
            "ROLE_DESTROY": "my.scope.for.destroy",
            "ROLE_MANAGE": "my.scope.for.manage",
            "ROLE_MODIFY": "my.scope.for.modify",
            "ROLE_SCHEDULE": "my.scope.for.schedule",
            "ROLE_VIEW": "my.scope.for.view"
          }
        }
      }
Obviously, scopes can be the same for all roles or differ by role; that's your choice based on business logic. Only make sure you log in with a user that has the scopes.
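As an added illustration (not part of the question or the answer above), the following Python script shows why the per-role environment variable from the question loses the role name under Spring Boot's relaxed binding (dashes dropped, lower-cased, underscores turned into dots), and builds a SPRING_APPLICATION_JSON value that refuses to ship unless all seven roles carry a non-empty scope. The scope names are constructed placeholders; the helper names are my own.

```python
import json

# The seven Spring Cloud Data Flow roles listed on the page.
DATAFLOW_ROLES = (
    "ROLE_CREATE", "ROLE_DEPLOY", "ROLE_DESTROY", "ROLE_MANAGE",
    "ROLE_MODIFY", "ROLE_SCHEDULE", "ROLE_VIEW",
)
AUTHZ_PREFIX = "spring.cloud.dataflow.security.authorization"


def env_var_to_property(name: str) -> str:
    """Spring Boot relaxed binding for environment variables: drop dashes,
    lower-case, and turn '_' into '.'. The role name ROLE_CREATE therefore
    arrives as the two segments 'role.create', not as one map key."""
    return name.replace("-", "").lower().replace("_", ".")


def build_spring_application_json(role_scopes: dict) -> str:
    """Build the SPRING_APPLICATION_JSON value for the manifest, refusing
    unknown roles, roles left without a scope, and empty scope names so
    that a typo cannot silently leave a role unmapped."""
    unknown = sorted(set(role_scopes) - set(DATAFLOW_ROLES))
    if unknown:
        raise ValueError(f"unknown roles: {unknown}")
    missing = sorted(set(DATAFLOW_ROLES) - set(role_scopes))
    if missing:
        raise ValueError(f"roles without a scope: {missing}")
    empty = sorted(r for r, s in role_scopes.items() if not s or not s.strip())
    if empty:
        raise ValueError(f"roles with an empty scope: {empty}")
    payload = {
        AUTHZ_PREFIX: {
            "map-oauth-scopes": True,
            "role-mappings": {r: role_scopes[r] for r in DATAFLOW_ROLES},
        }
    }
    return json.dumps(payload, indent=2)


def role_mappings_from_json(value: str) -> dict:
    """Parse a SPRING_APPLICATION_JSON value back and return the role map,
    the same check to run against what `cf env` reports after a push."""
    return json.loads(value)[AUTHZ_PREFIX]["role-mappings"]


if __name__ == "__main__":
    # Constructed scope names; substitute the scopes your identity provider issues.
    scopes = {r: "my.scope.for." + r[len("ROLE_"):].lower() for r in DATAFLOW_ROLES}
    print(build_spring_application_json(scopes))
    print(env_var_to_property("SPRING_CLOUD_DATAFLOW_SECURITY_AUTHORIZATION_ROLE-MAPPINGS_ROLE_CREATE"))
```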