Get Started With the Tenant Management Service
Creating a UAA Service Instance
You can create multiple instances of the UAA service in your space.
About This Task
As a best practice, first delete any older unused instances before creating a new one.
Procedure
Results
Your UAA instance is created with the following specifications:
- A client identifier (
admin
).Note: Anadmin
client is required for bootstrap purposes. You can create additional clients to use with your application. - A client secret (that you specified while creating the service).
To retrieve additional details of your instance, you can bind an application to your instance.
Using the Command Line to Create a UAA Service Instance
Optional procedure for using the command line instead of the graphical user interface to create a UAA service instance.
About This Task
You can create up to 10 instances of UAA service in your space. If you need additional instances, you must delete an older unused instance and create a new one.
Procedure
Results
Your UAA instance is created with the following specification:
-
A client identifier (
admin
).Note: Anadmin
client is created for bootstrap purposes. You can create additional clients to use with your application. -
A client secret (that you specified while creating the service).
To retrieve additional details of your instance, you can bind an application to your instance.
Example
Create a predix-uaa service instance with client secret as admin and sub-domain as ge-digital:
cf cs predix-uaa tiered test-1 -c '{"adminClientSecret":"admin","subdomain":"ge-digital"}'
This is how it appears in VCAP SERVICES when using the cf env <app_name>
command:
"VCAP_SERVICES": {
"predix-uaa": [
{
"credentials": {
"dashboardUrl": "https://uaa-dashboard.run.asv-pr.ice.predix.io/#/login/04187eb1-e0cf-4874-8218-9fb77a8b4ed9",
"issuerId": "https://04187eb1-e0cf-4874-8218-9fb77a8b4ed9.predix-uaa.run.asv-pr.ice.predix.io/oauth/token",
"subdomain": "04187eb1-e0cf-4874-8218-9fb77a8b4ed9",
"uri": "https://04187eb1-e0cf-4874-8218-9fb77a8b4ed9.predix-uaa.run.asv-pr.ice.predix.io",
"zone": {
"http-header-name": "X-Identity-Zone-Id",
"http-header-value": "04187eb1-e0cf-4874-8218-9fb77a8b4ed9"
}
},
"label": "predix-uaa",
"name": "testuaa",
"plan": "Tiered",
"provider": null,
"syslog_drain_url": null,
"tags": [],
"volume_mounts": []
}
],
Creating a Tenant Management Service Instance
Procedure
Binding an Application to the Tenant Management Service Instance
About This Task
You must bind your application to the Tenant Management service instance to provision its connection details in the VCAP_SERVICES environment variable. Cloud Foundry runtime uses then VCAP_SERVICES environment variable to communicate with a deployed application about its environment.
-
A
tenant_management_service_instance_uri
for your instance. -
HTTP header information to access your Tenant Management service instance:
http-header-name
asPredix-Zone-Id
http-header-value
-
An
oauth-scope
for your instance. The scope is required in the end-user token to access a specific Tenant Management service instance.
Procedure
Creating an OAuth2 Client
You can create OAuth2 clients with specific permissions for your application to work with Predix Platform services. Often this is the first step after creating an instance of a service.
About This Task
When you create an instance of UAA, the UAA Dashboard is available for configuring that instance of UAA. You can use the Client Management tab in the UAA Dashboard to create the OAuth2 clients.
If you are prefer using the UAA command-line interface (UAAC) instead of UAA Dashboard to create an OAuth2 client, see uaas-managing-clients.html#task_sp2_zvk_rdb
Procedure
What To Do Next
uaas-managing-clients.html#task_k3h_k2c_1x for your service specific information.
Updating the OAuth2 Client for Services
To use an OAuth2 client for secure access to your Predix Platform service instance from your application, you must update your OAuth2 client to add additional authorities or scopes that are specific to each service.
About This Task
To enable your application to access a platform service, your JSON Web Token (JWT) must contain the scopes required for a platform service. For example, some of the scope required for Access Control service are acs.policies.read acs.policies.write
.
The OAuth2 client uses an authorization grant to request an access token. Based on the type of authorization grant that you have used, you must update your OAuth2 client to generate the required JWT. For more information on how the OAuth2 client is created, see Creating OAuth2 client.
If you use the UAA Dashboard to create additional clients, the client is created for the default client_credentials
grant type. Some required authorities and scopes are automatically added to the client. You must add additional authorities or scopes that are specific to each service.
In addition, the admin client is not assigned the default authority to change the user password. To change the user password, you must add the uaa.admin
authority to your admin client.
Use the following procedure to update the OAuth2 client.
Procedure
What To Do Next
You can complete the following additional tasks in UAA Dashboard:
- If you are using authorization grant type as Authorization Code, Implicit, or Resource Owner Password, you can manage users in UAA.
- You can create password policies for user passwords.
- You can set up external identity provider or use UAA as an identity provider. See Managing Identity Providers.
If you have completed your OAuth2 client setup, you can bind your application to your service instance.
Authorities or Scopes Required for Tenant Management Service
To enable applications to access the Tenant Management service, your JSON Web Token (JWT) must contain the following scopes:
tms.tenant.read
This is required for using the Tenant management service read APIs.
tms.tenant.write
This is required for using the Tenant Management service write APIs.
predix-tms.zones.<tms_instance_guid>.user
This value is generated in the VCAP_SERVICES environment variable as
oauth-scope
when you bind your application to your Tenant Management service instance.tms.tenant.credentials.admin
This is required for using the Tenant Management service API for storing, updating, and deleting client credentials.
tms.tenant.credentials.read
This is required for authentication when retrieving client credentials.
The Oauth2 client uses an authorization grant to request an access token. OAuth2 defines four grant types. Based on the type of authorization grant that you have used, you must update your Oauth2 client to generate the required JWT. For more information on how the OAuth2 client is created, see uaas-get-started.html#task_y1l_vms_2s.