uaa的配置文件是uaa.yml。war包中的uaa.yml不需要改动,一般通过指定环境变量:$CLOUDFOUNDRY_CONFIG_PATH,指定运行时外部uaa.yml路径。
具体配置项如下:
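---
# UAA runtime configuration (uaa.yml). The copy inside the war is left as-is;
# the copy actually used at runtime is the one pointed to through
# $CLOUDFOUNDRY_CONFIG_PATH.
# Entries marked with "!" are the ones that normally have to be adjusted per
# deployment. This file carries the database password, the client secrets and
# the token-signing private key in clear text, so the external copy should be
# readable only by the UAA process user and should not be committed to VCS.
name: uaa  # component name

database:  # database settings
  url: jdbc:postgresql://192.168.1.63:5524/uaadb  # ! JDBC connection URL
  username: uaaadmin  # ! database user
  password: "c1oudc0w"  # ! database password (quoted so it is always read as a string)

spring_profiles: postgresql  # activates the postgresql Spring profile

logging:  # logging settings
  # path of the log4j configuration file
  config: /home/vagrant/programs/apache-tomcat-7.0.52/webapps/uaa/WEB-INF/classes/log4j.properties

jwt:  # JSON Web Token
  token:
    # Key used to sign tokens. With a symmetric algorithm signing-key and
    # verification-key must be identical; here an RSA key pair is used, so the
    # private key signs and the public key below verifies.
    # Any key pair that has appeared in a published sample configuration has to
    # be treated as public: generate a fresh pair for each real deployment.
    signing-key: |
      -----BEGIN RSA PRIVATE KEY-----
      MIICXAIBAAKBgQDHFr+KICms+tuT1OXJwhCUmR2dKVy7psa8xzElSyzqx7oJyfJ1
      JZyOzToj9T5SfTIq396agbHJWVfYphNahvZ/7uMXqHxf+ZH9BL1gk9Y6kCnbM5R6
      0gfwjyW1/dQPjOzn9N394zd2FJoFHwdq9Qs0wBugspULZVNRxq7veq/fzwIDAQAB
      AoGBAJ8dRTQFhIllbHx4GLbpTQsWXJ6w4hZvskJKCLM/o8R4n+0W45pQ1xEiYKdA
      Z/DRcnjltylRImBD8XuLL8iYOQSZXNMb1h3g5/UGbUXLmCgQLOUUlnYt34QOQm+0
      KvUqfMSFBbKMsYBAoQmNdTHBaz3dZa8ON9hh/f5TT8u0OWNRAkEA5opzsIXv+52J
      duc1VGyX3SwlxiE2dStW8wZqGiuLH142n6MKnkLU4ctNLiclw6BZePXFZYIK+AkE
      xQ+k16je5QJBAN0TIKMPWIbbHVr5rkdUqOyezlFFWYOwnMmw/BKa1d3zp54VP/P8
      +5aQ2d4sMoKEOfdWH7UqMe3FszfYFvSu5KMCQFMYeFaaEEP7Jn8rGzfQ5HQd44ek
      lQJqmq6CE2BXbY/i34FuvPcKU70HEEygY6Y9d8J3o6zQ0K9SYNu+pcXt4lkCQA3h
      jJQQe5uEGJTExqed7jllQ0khFJzLMx0K6tj0NeeIzAaGCQz13oo2sCdeGRHO4aDh
      HH6Qlq/6UOV5wP8+GAcCQFgRCcB+hrje8hfEEefHcFpyKH+5g1Eu1k0mLrxK2zd+
      4SlotYRHgPCEubokb2S1zfZDWIXW3HmggnGgM949TlY=
      -----END RSA PRIVATE KEY-----
    verification-key: |
      -----BEGIN PUBLIC KEY-----
      MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHFr+KICms+tuT1OXJwhCUmR2d
      KVy7psa8xzElSyzqx7oJyfJ1JZyOzToj9T5SfTIq396agbHJWVfYphNahvZ/7uMX
      qHxf+ZH9BL1gk9Y6kCnbM5R60gfwjyW1/dQPjOzn9N394zd2FJoFHwdq9Qs0wBug
      spULZVNRxq7veq/fzwIDAQAB
      -----END PUBLIC KEY-----

issuer.uri: http://192.168.1.167:18080/uaa  # address UAA issues tokens from

oauth:
  authorize:
    ssl: true  # whether SSL is enabled
  client:
    # Auto-approved clients: the user is not asked whether to grant them access
    # (e.g. whether the cf client may act on the cloud controller).
    autoapprove:
      - cf
      - login
      - developer_console
      - support-signon
  # Trusted clients defined in this file: they can obtain an access token even
  # when they do not exist in the database.
  clients:
    admin:  # client name
      # Grant type. client_credentials means the client asks the authorization
      # server (UAA) for a token directly with its own credentials (client_id,
      # client_secret); no resource-owner (user) approval is involved.
      authorized-grant-types: client_credentials
      # Permissions the client itself holds. They need no user approval and do
      # not depend on whether the user has them.
      authorities: clients.read,clients.write,clients.secret,uaa.admin,scim.read,password.write
      id: admin
      secret: "c1oudc0w"  # shared secret that authenticates this client
    cloud_controller:
      authorized-grant-types: client_credentials
      authorities: scim.read,scim.write,password.write
      id: cloud_controller
      secret: "c1oudc0w"
      access-token-validity: 604800  # token lifetime in seconds
    cf:
      id: cf
      override: true  # replace the client definition stored in the database
      # implicit grant (no client secret involved) plus the password grant,
      # which requires the user's password, plus refresh tokens
      authorized-grant-types: implicit,password,refresh_token
      # scopes the user may let this client exercise on their behalf
      scope: cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write
      authorities: uaa.none
      access-token-validity: 600  # seconds
      refresh-token-validity: 2592000  # seconds
    login:
      id: login
      override: true  # replace the client definition stored in the database
      secret: ""  # NOTE(review): empty client secret — confirm this is intended for the login client
      # authorization_code is the explicit flow (the client never sees the
      # user's password); client_credentials requires the client's own
      # credentials.
      authorized-grant-types: authorization_code,client_credentials,refresh_token
      authorities: oauth.login
      scope: openid,oauth.approvals
      redirect-uri: https://login.10.0.2.15.xip.io

scim:
  userids_enabled: false
  user.override: true
  users:  # users for development and testing only
    # format, left to right: login name|password|groups
    - admin|c1oudc0w|scim.write,scim.read,openid,cloud_controller.admin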
注意:其中打感叹号的地方,一般需要配置