Skip to content

Commit 9930856

Browse files
GergGerg
authored
Update API docs for "UAA client" users (#4668)
- Assigning role to a UAA client has been possible for a long time and is well-supported by the cf CLI. - This is to support authenticating using the UAA "client_credentials" grant, and then using to make CAPI API requests. - This use case was present in the API docs, but was not emphasized, so it was easy to miss. [No AI Usage]
1 parent 9fcbac0 commit 9930856

File tree

4 files changed

+20
-11
lines changed

4 files changed

+20
-11
lines changed

docs/v3/source/includes/resources/roles/_create.md.erb

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -83,7 +83,7 @@ To create a space role you must be an admin, an organization manager in the pare
8383

8484
For a user to be assigned a space role, the user must already have an organization role in the parent organization.
8585

86-
If the associated user is valid but does not exist in Cloud Controller's database, a user resource will be created automatically.
86+
If the associated user does not exist in Cloud Controller's database, a user resource will be created automatically. This user may correspond to a UAA user or client. See the [user resource](#users) for more details.
8787

8888
If CAPI property `cc.allow_user_creation_by_org_manager` is enabled, the organization role is being created by username + origin and the user does not exist in UAA yet, the user will be created.
8989
The origin must be different from `uaa` in this case.

docs/v3/source/includes/resources/users/_create.md.erb

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -3,9 +3,10 @@
33
Creating a user requires one value, a GUID. This creates a user in the Cloud
44
Controller database.
55

6-
Generally, the GUID should match the GUID of an already-created user in the
7-
UAA database, though this is not required.
8-
Creating a user by guid is only permitted by admins.
6+
Generally, the GUID should match the ID of an already-created user in the UAA
7+
database, though this is not required. The GUID can also be a UAA client ID, to
8+
support the UAA `client_credentials` grant type. Creating a user by guid is
9+
only permitted by admins.
910

1011
If CAPI property `cc.allow_user_creation_by_org_manager` is enabled, a UAA user will be automatically created if it does not exist yet.
1112
The UAA user will be only created when `username` and `origin` have been provided instead of a guid. Additionally `origin` must be different from `uaa`.
@@ -69,7 +70,7 @@ Content-Type: application/json
6970

7071
Name | Type | Description
7172
------- | ------- |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
72-
**guid** | _string_ | Unique identifier for the user. For UAA users this will match the user ID of an existing UAA user's GUID; in the case of UAA clients, this will match the UAA client ID |
73+
**guid** | _string_ | Unique identifier for the user. For UAA users this will match the UAA user ID; in the case of UAA clients, this will match the UAA client ID |
7374
**username** | _string_ | Username of the user to be created. This can only be provided together with `origin`. |
7475
**origin** | _string_ | Origin of the user to be created. This can only be provided together with `username` and cannot be `uaa`. |
7576
**metadata.labels** | [_label object_](#links) | Labels applied to the user |

docs/v3/source/includes/resources/users/_header.md

Lines changed: 13 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,16 @@
11
## Users
22

3-
Every Cloud Foundry action (pushing an application, creating a space) requires a
4-
user. Each Cloud Foundry installation has one pre-installed user, admin, which
5-
can create subsequent users. Users can be assigned roles which give them
6-
privileges to perform actions. For example, the Space Developer role grants a
7-
user permission to manage apps and services in a space (to push apps, scale
3+
The user resource is used to manage access to organizations, spaces, and other
4+
resources within Cloud Foundry. Cloud Controller is not the ultimate authority
5+
on the users in the Cloud Foundry system; UAA and its configured identity
6+
providers determine which users are able to sign in to Cloud Foundry.
7+
8+
To be functional, Cloud Controller users must "shadow" a corresponding user or
9+
client in UAA. The Cloud Controller user resource's guid should match either a
10+
UAA user or a UAA client id. However, Cloud Controller does not enforce that
11+
a user's guid is a valid UAA user or client id.
12+
13+
Users can be assigned roles, which give them privileges to perform actions
14+
within a given context. For example, the Space Developer role grants a user
15+
permission to manage apps and services in a space (e.g. to push apps, scale
816
apps, delete apps).

docs/v3/source/includes/resources/users/_object.md.erb

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ Example User object
99

1010
| Name | Type | Description |
1111
| -------------- | ------------------------ | ------------------------------------------------------ |
12-
| **guid** | _uuid_ | Unique identifier for the user |
12+
| **guid** | _uuid_ | Unique identifier for the user, matching either a UAA user id or client id |
1313
| **created_at** | _[timestamp](#timestamps)_ | The time with zone when the object was created |
1414
| **updated_at** | _[timestamp](#timestamps)_ | The time with zone when the object was last updated |
1515
| **username** | _string_ | The name registered in UAA; will be `null` for UAA clients and non-UAA users |

0 commit comments

Comments
 (0)