
I am attempting to deploy spring-cloud-data-flow-server on cloud foundry, and to use role-mapping to map the default roles to my own scopes.

In order to do so, I'm following https://docs.spring.io/spring-cloud-dataflow/docs/2.3.0.BUILD-SNAPSHOT/reference/htmlsingle/#configuration-security-role-mapping which states map-oauth-scopes is to be set to true and afterwards all 7 Spring Cloud Data Flow roles should be mapped to scopes.

I've noticed you can configure said properties using the manifest.yml, under the env object, with some modifications to the key. As stated in https://github.com/spring-cloud/spring-cloud-dataflow/blob/master/spring-cloud-dataflow-docs/src/main/asciidoc/configuration-cloudfoundry.adoc this hierarchy:

spring:
  cloud:
    dataflow:
      security:
        authorization:
          map-oauth-scopes: true
          role-mappings:
            ROLE_CREATE: dataflow.create
            ROLE_DEPLOY: dataflow.deploy
            ROLE_DESTROY: dataflow.destroy
            ROLE_MANAGE: dataflow.manage
            ROLE_MODIFY: dataflow.modify
            ROLE_SCHEDULE: dataflow.schedule
            ROLE_VIEW: dataflow.view

Can be represented like so in manifest.yml:

- env:
    SPRING_CLOUD_DATAFLOW_SECURITY_AUTHORIZATION_MAP-OAUTH-SCOPES: true
    SPRING_CLOUD_DATAFLOW_SECURITY_AUTHORIZATION_ROLE-MAPPINGS_ROLE_CREATE: <my-scope>
    ...

map-oauth-scopes is properly set, however the role mapping isn't. I suspect it has something to do with the underscore in the role prefix (e.g. ROLE_CREATE), since the 'translation' to the env format requires underscores as hierarchy.

What am I missing? How can I set the role mapping using the manifest.yml?

Thanks in advance!

1 Answer


Okay, so I'm not sure if this is how you're supposed to do it, but it works and is easily set up.

In the manifest.yml, add a SPRING_APPLICATION_JSON entry and pass the mapping as JSON.

applications:
- env:
    ...
    SPRING_PROFILES_DEFAULT: cloud
    SPRING_APPLICATION_JSON: |-
      {
        "spring.cloud.dataflow.security.authorization": {
          "map-oauth-scopes": true,
          "role-mappings": {
            "ROLE_CREATE": "my.scope.for.create",
            "ROLE_DEPLOY": "my.scope.for.deploy",
            "ROLE_DESTROY": "my.scope.for.destroy",
            "ROLE_MANAGE": "my.scope.for.manage",
            "ROLE_MODIFY": "my.scope.for.modify",
            "ROLE_SCHEDULE": "my.scope.for.schedule",
            "ROLE_VIEW": "my.scope.for.view"
          }
        }
      }

Obviously, scopes can be the same for all roles or differ by role, your choice based on business logic. Just make sure you log in with a user that has the scopes.
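As an added pre-deploy check (not part of the question or the answer above), the Python below parses the SPRING_APPLICATION_JSON value from a manifest env block the way the answer builds it, and reports any of the seven roles left without a scope or a map-oauth-scopes that is not switched on, so a gap in the mapping is caught before `cf push` rather than at login time. The functions `flatten`, `check_role_mappings`, `without_role` and the sample env are assumptions made for this example, not Spring Cloud Data Flow APIs.

```python
import json

# The seven Spring Cloud Data Flow roles listed in the question.
DATAFLOW_ROLES = ("ROLE_CREATE", "ROLE_DEPLOY", "ROLE_DESTROY", "ROLE_MANAGE",
                  "ROLE_MODIFY", "ROLE_SCHEDULE", "ROLE_VIEW")
PREFIX = "spring.cloud.dataflow.security.authorization"

def flatten(obj, parent=""):
    """Flatten nested JSON into dotted keys; a key that already has dots stays one segment."""
    out = {}
    for key, value in obj.items():
        full = f"{parent}.{key}" if parent else key
        if isinstance(value, dict):
            out.update(flatten(value, full))
        else:
            out[full] = value
    return out

def check_role_mappings(env):
    """Return problems found in a manifest env block (dict); [] means all seven roles are mapped."""
    raw = env.get("SPRING_APPLICATION_JSON")
    if raw is None:
        return ["SPRING_APPLICATION_JSON not set"]
    try:
        props = flatten(json.loads(raw))
    except json.JSONDecodeError as exc:
        return [f"SPRING_APPLICATION_JSON is not valid JSON: {exc}"]
    problems = []
    # Accept the JSON boolean or the string form, both of which Spring binds as true.
    if props.get(f"{PREFIX}.map-oauth-scopes") not in (True, "true"):
        problems.append("map-oauth-scopes is not true")
    for role in DATAFLOW_ROLES:
        if not props.get(f"{PREFIX}.role-mappings.{role}"):
            problems.append(f"{role} has no scope mapped")
    return problems

def without_role(env, role):
    """Copy of env with one role mapping removed, to show the check failing."""
    cfg = json.loads(env["SPRING_APPLICATION_JSON"])
    del cfg[PREFIX]["role-mappings"][role]
    return {**env, "SPRING_APPLICATION_JSON": json.dumps(cfg)}

# Constructed sample env block mirroring the answer's manifest (scope names are placeholders).
SAMPLE_ENV = {"SPRING_APPLICATION_JSON": json.dumps({PREFIX: {
    "map-oauth-scopes": True,
    "role-mappings": {r: "my.scope.for." + r[5:].lower() for r in DATAFLOW_ROLES},
}})}

if __name__ == "__main__":
    print(check_role_mappings(SAMPLE_ENV))                              # []
    print(check_role_mappings(without_role(SAMPLE_ENV, "ROLE_VIEW")))   # ['ROLE_VIEW has no scope mapped']
```

To run it against a real manifest, load the YAML, take the `SPRING_APPLICATION_JSON` string from the application's `env` block and pass that dict to `check_role_mappings`.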