Users
When we deployed our UAA we observed that an admin user was created for us, and we were able to log in as admin within the web UI. Ideally, no one would use this pre-existing admin user; rather, one user account would be created for each person in your organization. Fortunately it is very easy to create new users with the uaa CLI.
User Directories
You do not need to create or configure UAA users at all if you have linked your UAA with a pre-existing user directory such as Microsoft Active Directory. We will investigate this later.
Continuing as the uaa_admin client, we can create new users and also look up the personal details of all users.
uaa create-user drnic \
--email drnic@starkandwayne.com \
--givenName "Dr Nic" \
--familyName "Williams" \
--password drnic_secret
Once created, we can look up the user by their username:
uaa get-user drnic
The JSON output might be similar to:
{
"id": "87fde4a5-17f3-4667-a5e2-fff62220c73e",
"meta": {
"created": "2018-06-22T09:27:10.655Z",
"lastModified": "2018-06-22T09:27:10.655Z"
},
"userName": "drnic",
"name": {
"familyName": "Williams",
"givenName": "Dr Nic"
},
"emails": [
{
"value": "drnic@starkandwayne.com",
"primary": false
}
],
"groups": [
{
"value": "5a201c79-3265-46a8-873d-8631facdb2a1",
"display": "user_attributes",
"type": "DIRECT"
},
{
"value": "b07d8fda-aaba-4f3e-9f5c-dca9f7c99e9f",
"display": "roles",
"type": "DIRECT"
},
User Assigned Groups
Newly created users are automatically added to a set of groups whose purpose will be introduced soon.
For a simple view of the groups of our new drnic user:
uaa get-user drnic | jq -r ".groups[].display" | sort
The output might look similar to:
approvals.me
cloud_controller.read
cloud_controller.write
cloud_controller_service_permissions.read
notification_preferences.read
notification_preferences.write
oauth.approvals
openid
password.write
profile
roles
scim.me
uaa.offline_token
uaa.user
user_attributes
These groups are the same as those of our existing admin user. The following command will show there are no differences between the groups of the users admin and drnic:
diff <(uaa get-user drnic | jq -r ".groups[].display" | sort) \
<(uaa get-user admin | jq -r ".groups[].display" | sort)
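The diff above only tells you whether two users' group lists are identical. When auditing accounts you usually want the one-sided differences, and which groups a user holds beyond the default set every new user receives. The following script is an added example, not code from this guide or from the UAA project: it takes the JSON that `uaa get-user` prints (saved to files, or the constructed samples embedded below), extracts the group display names, and compares them. The baseline `DEFAULT_GROUPS` is the list shown above for a freshly created user; the `ops` sample, its `scim.write` grant and the placeholder ids are constructed for illustration, and the file names in the usage comment are assumptions.

```python
"""Compare UAA user group membership from `uaa get-user` output.

Added example (not from the guide or the UAA project). It assumes you have
saved `uaa get-user <name>` JSON to files; the sample documents below are
constructed, not real UAA output.
"""
import json
import sys

# The groups the guide lists for a freshly created user (also held by admin).
DEFAULT_GROUPS = frozenset({
    "approvals.me",
    "cloud_controller.read",
    "cloud_controller.write",
    "cloud_controller_service_permissions.read",
    "notification_preferences.read",
    "notification_preferences.write",
    "oauth.approvals",
    "openid",
    "password.write",
    "profile",
    "roles",
    "scim.me",
    "uaa.offline_token",
    "uaa.user",
    "user_attributes",
})


def group_names(user_json):
    """Return the set of group display names in a `uaa get-user` document."""
    user = json.loads(user_json)
    return {g["display"] for g in user.get("groups", [])}


def compare_groups(left_json, right_json):
    """Groups held only by the left user and only by the right user.

    Equivalent to the guide's `diff <(...) <(...)` over sorted display names,
    but returns the two one-sided differences as sorted lists.
    """
    left, right = group_names(left_json), group_names(right_json)
    return sorted(left - right), sorted(right - left)


def beyond_defaults(user_json):
    """Groups a user holds beyond the default set a new user receives.

    Anything returned here was granted on purpose (or by mistake) after the
    account was created and is worth reviewing when auditing accounts.
    """
    return sorted(group_names(user_json) - DEFAULT_GROUPS)


def sample_user(username, groups):
    """Build a constructed document in the shape `uaa get-user` prints."""
    return json.dumps({
        "id": "00000000-0000-0000-0000-000000000000",  # placeholder id
        "userName": username,
        "groups": [
            {"value": "gid-%d" % i, "display": g, "type": "DIRECT"}
            for i, g in enumerate(sorted(groups))
        ],
    })


# Constructed samples: drnic with exactly the default groups, and an "ops"
# account that was additionally granted scim.write (a real UAA scope) and
# had uaa.offline_token removed.
DRNIC_JSON = sample_user("drnic", DEFAULT_GROUPS)
OPS_JSON = sample_user("ops", (DEFAULT_GROUPS - {"uaa.offline_token"}) | {"scim.write"})


if __name__ == "__main__":
    # Assumed usage: uaa get-user drnic > drnic.json
    #                uaa get-user admin > admin.json
    #                python compare_groups.py drnic.json admin.json
    if len(sys.argv) == 3:
        docs = [open(path).read() for path in sys.argv[1:3]]
    else:
        docs = [DRNIC_JSON, OPS_JSON]
    only_left, only_right = compare_groups(*docs)
    print("only in first:", only_left)
    print("only in second:", only_right)
    print("beyond defaults (second):", beyond_defaults(docs[1]))
```

Run without arguments it compares the two constructed samples and reports that `ops` lacks `uaa.offline_token` and holds `scim.write` beyond the defaults; with two file paths it compares real `uaa get-user` output the same way.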
Stop Using Admin User
Now that we've created our first user for a human, we can log out of the UAA UI as admin and switch to drnic.
Visit the UAA web UI, look to the top right of the window to log out of the admin user, and then log in as drnic:
User Authorized Clients
The top right corner now shows the newly logged-in user account drnic. Click the username to see a dropdown menu. Select "Account Settings".
You can observe that the new user has not yet granted any third-party client applications permission to access their UAA account:
As mentioned before, when the drnic user logs into the UAA web site it is interacting directly with the UAA itself. The login process is drnic's way of identifying who they claim to be (username: drnic) and proving that they are indeed drnic via their password (this is called authentication).