UAA 如何创建身份区域管理员

Question

我们正在为我们的客户使用 UAA 的多租户功能。 因此，我们需要为每个客户创建一个身份区域来管理各个客户的信息。

但是，根据文档，我无法找到如何创建 identity zone admin 范围为 zone.<zoneid>.admin 并获取此管理员令牌。

Name    Description
Authorization   Access token with scim.write or uaa.admin scope required
X-Identity-Zone-Id  May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain   If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

Create User API Reference Link

是否有任何我们可以参考的指南或指导？

谢谢

Answer 1

步骤如下：

以管理员客户端的身份定位并获取令牌

uaac target http://localhost:8080/uaa    
uaac token client get admin -s adminsecret

更新您的管理客户端

这是为了确保它具有正确的范围，您只需执行一次。

uaac client update admin --authorities "uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,zones.write"

然后获取一个新的令牌，它将具有刚刚添加的范围。

uaac token client get admin -s adminsecret

创建区域并将管理客户端添加到区域：

uaac -t curl -X POST -H "Content-Type:application/json" -H "Accept:application/json" --data '{ "id":"testzone1", "subdomain":"testzone1", "name":"The Twiglet Zone[testzone1]", "version":0, "description":"Like the Twilight Zone but tastier[testzone1]."}' /identity-zones
uaac -t curl -H "X-Identity-Zone-Id:testzone1" -X POST -H "Content-Type:application/json" -H"Accept:application/json" --data '{ "client_id" : "admin", "client_secret" : "adminsecret", "scope" : ["uaa.none"], "resource_ids" : ["none"], "authorities" : ["uaa.admin","clients.read","clients.write","clients.secret","scim.read","scim.write","clients.admin"], "authorized_grant_types" : ["client_credentials"]}' /oauth/clients

定位该区域并获得一个令牌作为该区域中的管理员客户端：

uaac target http://testzone1.localhost:8080/uaa    
uaac token client get admin -s adminsecret
uaac token decode

参考：https://github.com/cloudfoundry/uaa/blob/develop/docs/UAA-APIs.rst#sequential-example-of-creating-a-zone-and-creating-an-admin-client-in-that-zone