We are using CloudFoundry UAA for user authentication and authorization. As I understand, we can set a user as active or inactive. But we have a requirement to expire a user account after a given time. How can we achieve time-based user account expiration using UAA?
1 Answer
It might not be exactly what you are looking for, but you can use the password expiration feature for that purpose. It allows setting an expiration time in months for all users belonging to a specific Zone, which means that the smallest period of time is one month.
If you look at an Identity Provider for the Zone, you'll find the 'expirePasswordInMonths' attribute in its config:
{
"type": "uaa",
"config": "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"passwordPolicy\":{\"minLength\":0,\"maxLength\":255,\"requireUpperCaseCharacter\":0,\"requireLowerCaseCharacter\":0,\"requireDigit\":0,\"requireSpecialCharacter\":0,\"expirePasswordInMonths\":1},\"lockoutPolicy\":{\"lockoutPeriodSeconds\":300,\"lockoutAfterFailures\":5,\"countFailuresWithin\":3600},\"disableInternalUserManagement\":false}",
"id": "fe5d0b8d-4d65-4090-b65a-3c17682bec7e",
"originKey": "uaa",
"name": "uaa",
"version": 2,
"created": 946684800000,
"last_modified": 1473569982108,
"active": true,
"identityZoneId": "uaa"
}
That's the attribute that needs to be changed. But surprisingly it's not that easy to get there.
First you have to obtain an access token with two additional scopes: "zones.read" and "zones.{zone id}.admin", where {zone id} is the name of the zone, 'uaa' for the default one.
For example if you work with uaac on a client called ‘admin’ you can add the scopes this way:
$ uaac client update admin --authorities "EXISTING-PERMISSIONS zones.read zones.uaa.admin"
Remember to renew access token after the permissions have been changed:
$ uaac token client get admin -s <password_here>
Once we have all the required privileges, we can update the password policy using the 'curl' subcommand:
uaac curl -k /identity-providers/fe5d0b8d-4d65-4090-b65a-3c17682bec7e -X PUT -H "Content-Type: application/json" \
-d '{ "type": "uaa", "config": "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"passwordPolicy\":{\"minLength\":0,\"maxLength\":255,\"requireUpperCaseCharacter\":0,\"requireLowerCaseCharacter\":0,\"requireDigit\":0,\"requireSpecialCharacter\":0,\"expirePasswordInMonths\":1},\"lockoutPolicy\":{\"lockoutPeriodSeconds\":300,\"lockoutAfterFailures\":5,\"countFailuresWithin\":3600},\"disableInternalUserManagement\":false}", "id": "fe5d0b8d-4d65-4090-b65a-3c17682bec7e", "originKey": "uaa", "name": "uaa", "version": 2, "created": 946684800000, "last_modified": 1473569982108, "active": true, "identityZoneId": "uaa"}'
I know, it's a bit cumbersome; that's probably why in Pivotal's version of Cloud Foundry you get a nice web form for managing the password policy:
https://docs.pivotal.io/pivotalcf/1-7/opsguide/pw-policy.html
Bear in mind that this feature is available only when using the 'internal' Identity Provider. If, on the other hand, your UAA relies on an external authentication source like LDAP, you'll probably need to use another mechanism specific to that external system.
More about Identity Provider management in the UAA docs:

Thank you so much for the response. This is very helpful for us to expire users in months. But we also have a requirement to disable a user account within hours or days, e.g. 3 hours, 15 days etc. It seems like we won't be able to achieve that through "expirePasswordInMonths". Could you please guide how we can achieve it? Would we need to write custom code in UAA? – Pallavi Ramicetty Sep 16 '16 at 04:28
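The reason the curl command in the answer above is so hard to read is that the identity provider's `config` field is a JSON document serialized as a string inside the outer JSON, so it has to be decoded, edited and re-encoded rather than patched textually. The following is an added example, not code from the thread or from the UAA project: it takes a document shaped like the `GET /identity-providers/{id}` response quoted in the answer (the sample below is constructed, reusing the answer's values), sets `expirePasswordInMonths`, and builds the body and the `uaac curl` argument list for the PUT. The check that the provider type is `uaa` reflects the answer's caveat that the policy only applies to the internal provider; the function names and the `months == 0` meaning "never expire" (UAA's default) are assumptions of this example.

```python
import copy
import json
import shlex
from typing import Any, Dict, List

# Constructed sample: same shape and values as the GET /identity-providers/{id}
# response quoted in the answer. Note that "config" is a *string* holding JSON.
SAMPLE_IDP: Dict[str, Any] = {
    "type": "uaa",
    "config": json.dumps({
        "emailDomain": None,
        "additionalConfiguration": None,
        "providerDescription": None,
        "passwordPolicy": {
            "minLength": 0, "maxLength": 255,
            "requireUpperCaseCharacter": 0, "requireLowerCaseCharacter": 0,
            "requireDigit": 0, "requireSpecialCharacter": 0,
            "expirePasswordInMonths": 1,
        },
        "lockoutPolicy": {
            "lockoutPeriodSeconds": 300,
            "lockoutAfterFailures": 5,
            "countFailuresWithin": 3600,
        },
        "disableInternalUserManagement": False,
    }),
    "id": "fe5d0b8d-4d65-4090-b65a-3c17682bec7e",
    "originKey": "uaa",
    "name": "uaa",
    "version": 2,
    "created": 946684800000,
    "last_modified": 1473569982108,
    "active": True,
    "identityZoneId": "uaa",
}


def decode_config(idp: Dict[str, Any]) -> Dict[str, Any]:
    """Decode the string-encoded 'config' field into a dict."""
    return json.loads(idp["config"])


def password_policy(idp: Dict[str, Any]) -> Dict[str, Any]:
    """Return the passwordPolicy object stored inside 'config'."""
    return decode_config(idp)["passwordPolicy"]


def set_password_expiry(idp: Dict[str, Any], months: int) -> Dict[str, Any]:
    """Return a new IdP document with passwordPolicy.expirePasswordInMonths = months.

    Only the internal ('uaa' type) provider carries a password policy; for
    LDAP/SAML origins expiry has to be enforced by the external system.
    months == 0 is assumed here to mean UAA's default of never expiring.
    """
    if idp.get("type") != "uaa":
        raise ValueError(f"no password policy on provider type {idp.get('type')!r}")
    if not isinstance(months, int) or months < 0:
        raise ValueError("expirePasswordInMonths must be a non-negative integer")
    updated = copy.deepcopy(idp)          # never mutate the caller's document
    config = decode_config(updated)
    config.setdefault("passwordPolicy", {})["expirePasswordInMonths"] = months
    # Re-encode: UAA expects 'config' as a JSON string, not an embedded object.
    updated["config"] = json.dumps(config, separators=(",", ":"))
    return updated


def put_body(idp: Dict[str, Any]) -> str:
    """Serialize the whole document as the body for PUT /identity-providers/{id}."""
    return json.dumps(idp, separators=(",", ":"))


def uaac_curl_command(idp: Dict[str, Any]) -> List[str]:
    """argv for the 'uaac curl' invocation shown in the answer, built from the document."""
    return ["uaac", "curl", "-k", f"/identity-providers/{idp['id']}", "-X", "PUT",
            "-H", "Content-Type: application/json", "-d", put_body(idp)]


if __name__ == "__main__":
    edited = set_password_expiry(SAMPLE_IDP, 3)
    print(password_policy(edited))
    print(shlex.join(uaac_curl_command(edited)))
```

Run it as is to see the shell-quoted command; in practice you would first fetch the current document with `uaac curl /identity-providers/<id>` so that the `version` and the rest of the config you send back match what the server holds, and then pass the output of `uaac_curl_command` to `subprocess.run`.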