我们正在为我们的客户使用UAA的多租户功能。 因此,我们需要为每个客户创建一个身份区域来管理各个客户的信息。
但是,根据文档,我无法找到如何创建范围为zone.<zoneid>.admin的identity zone admin并获取此管理员令牌。
Name Description
Authorization Access token with scim.write or uaa.admin scope required
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.
创建用户 API 参考链接
是否有任何我们可以参考的指南或指导?
谢谢
以下是步骤:
定位并获取令牌作为管理客户端
uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
更新您的管理员客户端
这是为了确保它具有正确的范围,您只需执行此操作一次。
uaac client update admin --authorities "uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,zones.write"
然后获取一个新令牌,该令牌将具有刚刚添加的范围。
uaac token client get admin -s adminsecret
创建区域并将管理客户端添加到区域:
uaac -t curl -X POST -H "Content-Type:application/json" -H "Accept:application/json" --data '{ "id":"testzone1", "subdomain":"testzone1", "name":"The Twiglet Zone[testzone1]", "version":0, "description":"Like the Twilight Zone but tastier[testzone1]."}' /identity-zones
uaac -t curl -H "X-Identity-Zone-Id:testzone1" -X POST -H "Content-Type:application/json" -H"Accept:application/json" --data '{ "client_id" : "admin", "client_secret" : "adminsecret", "scope" : ["uaa.none"], "resource_ids" : ["none"], "authorities" : ["uaa.admin","clients.read","clients.write","clients.secret","scim.read","scim.write","clients.admin"], "authorized_grant_types" : ["client_credentials"]}' /oauth/clients
以区域为目标并获取令牌作为该区域中的管理客户端:
uaac target http://testzone1.localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac token decode
参考: https://github.com/cloudfoundry/uaa/blob/develop/docs/UAA-APIs.rst#sequential-example-of-creating-a-zone-and-creating-an-admin-client-in-that-zone