{"id":9460,"date":"2016-04-04T18:11:31","date_gmt":"2016-04-04T15:11:31","guid":{"rendered":"http:\/\/blog.altoros.com\/?p=9460"},"modified":"2019-06-20T03:26:11","modified_gmt":"2019-06-20T00:26:11","slug":"cloud-foundry-security-bosh-user-roles-and-the-uaa-service","status":"publish","type":"post","link":"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-bosh-user-roles-and-the-uaa-service\/","title":{"rendered":"Cloud Foundry Security: BOSH User Roles and the UAA Service"},"content":{"rendered":"<p><center><small>Featured image: The BOSH architecture (<a href=\"https:\/\/bosh.io\/docs\/\/bosh-components\/\" rel=\"noopener noreferrer\" target=\"_blank\">credit<\/a>)<\/small><\/center><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Deploying_with_BOSH\"><\/span>Deploying with BOSH<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/04\/bosh-uaa-logo.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/04\/bosh-uaa-logo.png\" alt=\"bosh-uaa-logo\" width=\"230\" style=\"margin: 0px 0px 20px 20px\" class=\"alignright size-full wp-image-26998\" \/><\/a><a 
href=\"https:\/\/github.com\/cloudfoundry\/bosh\">BOSH<\/a> is a versatile tool that combines features for building releases, deploying, monitoring, updating, and otherwise managing the life cycle of cloud software. In most cases, it is BOSH that controls and watches over the VMs where all Cloud Foundry components reside. Does this mean that BOSH operators have access to everything inside the deployment?<\/p>\n<p>The answer is &#8220;It depends.&#8221; From this post, you will learn what information and access rights are available to BOSH operators and how to make BOSH and Cloud Foundry deployments more secure, using the <a href=\"https:\/\/docs.cloudfoundry.org\/concepts\/architecture\/uaa.html\" target=\"_blank\" rel=\"noopener noreferrer\">UAA<\/a> identity management service and BOSH\u2019s own internal capabilities.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"One_user\"><\/span>One user<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Historically, BOSH only had one user with unlimited rights, but there are usually many operators in real production deployments. So, everyone was forced to use the same account to perform ongoing BOSH tasks. While you should trust your engineers, having only one account for everything creates certain risks:<\/p>\n<ul>\n<li>Any BOSH operator, regardless of their role and experience, has full control over hosts, applications, and environments.<\/li>\n<li>The environments sometimes contain sensitive data, such as endpoints and credentials to services (e.g., databases). BOSH operators have access to all this data, too.<\/li>\n<li>With one account, there is no way to tell who killed that router at 4 am today. 
In the logs, all actions appear to be performed by &#8220;admin.&#8221;<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Preconfigured_users\"><\/span>Preconfigured users<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Starting with <em>bosh-release v177+<\/em> (1.2999.0), the BOSH Director got a very simple built-in user management system that can authenticate operators. This is what most deployments use today. The list of operators can be defined in the manifest before the BOSH Director is deployed, like this:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">properties:\r\n  director:\r\n    user_management:\r\n      provider: local\r\n      local:\r\n        users:\r\n        - {name: admin, password: &lt;PASSWORD&gt;}\r\n        - {name: hm, password: &lt;PASSWORD&gt;}\r\n        - {name: alex, password: &lt;PASSWORD&gt;}<\/pre>\n<p>Having separate admin accounts on one BOSH Director solved the who-killed-that-router issue, but all these accounts still have unlimited access to everything. There is also a serious tradeoff: adding new users or changing passwords causes BOSH to be re-deployed. That is bad news for many production deployments.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"UAA_for_BOSH%E2%80%94%E2%80%9Dread-only%E2%80%9D_users\"><\/span>UAA for BOSH\u2014&#8220;read-only&#8221; users<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><em>bosh-release v209+<\/em> (1.3088.0) finally gave us a way to limit operator rights by colocating the BOSH Director with its own <a href=\"https:\/\/github.com\/cloudfoundry\/uaa\">UAA server<\/a>. The UAA is the standard OAuth2 identity management service in Cloud Foundry. 
Like BOSH, it is sometimes used as a standalone authorization and authentication tool.<\/p>\n<p>While you do not have to install the UAA service for BOSH, there are several important advantages of doing so:<\/p>\n<ul>\n<li>Users and rights can be added and removed through the UAA CLI without the need to re-deploy the BOSH Director.<\/li>\n<li>Users can be grouped and each group can have its own permissions.<\/li>\n<li>If there are several BOSH Directors, some users can be restricted to a single BOSH Director, identified by its UUID.<\/li>\n<li>The UAA can be integrated with LDAP and other enterprise services.<\/li>\n<\/ul>\n<p>On the downside, the permissions are far from being fine-grained. Only two roles are available:<\/p>\n<ul>\n<li><strong>Admin.<\/strong> These accounts can access all resources and commands.<\/li>\n<li><strong>Read-only.<\/strong> These accounts are limited to five CLI commands (see the table).<\/li>\n<\/ul>\n<p><center><\/p>\n<style type=\"text\/css\">\n<!--\n.myTable { background-color:white; border-collapse:collapse; }\n.myTable th { background-color:#E0E0E0; color:black; }\n.myTable td, .myTable th { padding:5px; border:1px solid #989898; }\n.myTable tbody tr td:nth-of-type(2) { text-align: left; }\n.myTable tbody tr td:nth-of-type(1) { text-align: left; font-style: italic; }\n-->\n<\/style>\n<table class=\"myTable\" width=\"90%\" >\n<thead>\n<tr>\n<th><center><small>Command<\/small><\/center><\/th>\n<th><center><small>Description<\/small><\/center><\/th>\n<\/tr>\n<\/thead>\n<tr>\n<td><small>bosh deployments<\/small><\/td>\n<td><small>Shows the list of available deployments.<\/small><\/td>\n<\/tr>\n<tr>\n<td><small>bosh releases<\/small><\/td>\n<td><small>Shows the list of available releases.<\/small><\/td>\n<\/tr>\n<tr>\n<td><small>bosh stemcells<\/small><\/td>\n<td><small>Shows the list of available stemcells.<\/small><\/td>\n<\/tr>\n<tr>\n<td><small>bosh vms<\/small><\/td>\n<td><small>Lists all VMs in a 
deployment.<\/small><\/td>\n<\/tr>\n<tr>\n<td><small>bosh tasks<\/small><\/td>\n<td><small>Shows running tasks, including task descriptions without access to debug logs.<\/small><\/td>\n<\/tr>\n<\/table>\n<p><\/center><\/p>\n<p>Unauthenticated users may only use the &#8220;<em>bosh status<\/em>&#8221; command on a deployment to get information about the BOSH Director. You can find more details on how to set up a UAA server for BOSH <a href=\"https:\/\/bosh.io\/docs\/\/director-users-uaa.html\">here<\/a>.<\/p>\n<p>Summing it up, two roles is not much, but I believe it is a start. We can expect more UAA scopes to be added in BOSH soon\u2014e.g., a way to allow or deny SSH to VMs.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Further_reading\"><\/span>Further reading<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><a href=\"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-overview\/\">Cloud Foundry Security Overview<\/a><\/li>\n<li><a href=\"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-do-containers-contain\/\">Cloud Foundry Security: Do Containers Contain?<\/a><\/li>\n<li><a href=\"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-achieving-pci-dss-compliance\/\">Cloud Foundry Security: Achieving PCI DSS Compliance<\/a><\/li>\n<li><a href=\"https:\/\/www.altoros.com\/blog\/how-to-configure-ssl-encryption-for-custom-domains-on-pivotal-cf\/\">How to Configure SSL Encryption for Custom Domains on Pivotal CF<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Featured image: The BOSH architecture (credit)<\/p>\n<p>&nbsp;<\/p>\n<p>Deploying with BOSH<\/p>\n<p>BOSH is a versatile tool that combines features for building releases, deploying, monitoring, updating, and otherwise managing life cycle of cloud software. In most cases, it is BOSH that controls and watches over the VMs where all Cloud Foundry components reside. 
Doesn\u2019t it [&#8230;]<\/p>\n","protected":false},"author":39,"featured_media":44455,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":"","_links_to":"","_links_to_target":""},"categories":[214],"tags":[873,206],"class_list":["post-9460","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials","tag-cloud-native","tag-oss-cloud-foundry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cloud Foundry Security: BOSH User Roles and the UAA Service | Altoros<\/title>\n<meta name=\"description\" content=\"Learn what permissions are available to BOSH operators and how to make Cloud Foundry deployments more secure.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-bosh-user-roles-and-the-uaa-service\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cloud Foundry Security: BOSH User Roles and the UAA Service | Altoros\" \/>\n<meta property=\"og:description\" content=\"Featured image: The BOSH architecture (credit) &nbsp; Deploying with BOSH BOSH is a versatile tool that combines features for building releases, deploying, monitoring, updating, and otherwise managing life cycle of cloud software. In most cases, it is BOSH that controls and watches over the VMs where all Cloud Foundry components reside. 
Doesn\u2019t it [...]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-bosh-user-roles-and-the-uaa-service\/\" \/>\n<meta property=\"og:site_name\" content=\"Altoros\" \/>\n<meta property=\"article:published_time\" content=\"2016-04-04T15:11:31+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-06-20T00:26:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/04\/bosh-architecture.png\" \/>\n\t<meta property=\"og:image:width\" content=\"573\" \/>\n\t<meta property=\"og:image:height\" content=\"592\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Aliaksandr Prysmakou\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Aliaksandr Prysmakou\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-bosh-user-roles-and-the-uaa-service\/\",\"url\":\"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-bosh-user-roles-and-the-uaa-service\/\",\"name\":\"Cloud Foundry Security: BOSH User Roles and the UAA Service | 
Altoros\",\"isPartOf\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-bosh-user-roles-and-the-uaa-service\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-bosh-user-roles-and-the-uaa-service\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/04\/bosh-architecture.png\",\"datePublished\":\"2016-04-04T15:11:31+00:00\",\"dateModified\":\"2019-06-20T00:26:11+00:00\",\"author\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/7ca769005f4d785a1f0c791313254262\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-bosh-user-roles-and-the-uaa-service\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-bosh-user-roles-and-the-uaa-service\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-bosh-user-roles-and-the-uaa-service\/#primaryimage\",\"url\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/04\/bosh-architecture.png\",\"contentUrl\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/04\/bosh-architecture.png\",\"width\":573,\"height\":592},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-bosh-user-roles-and-the-uaa-service\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.altoros.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cloud Foundry Security: BOSH User Roles and the UAA 
Service\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.altoros.com\/blog\/#website\",\"url\":\"https:\/\/www.altoros.com\/blog\/\",\"name\":\"Altoros\",\"description\":\"Insight\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.altoros.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/7ca769005f4d785a1f0c791313254262\",\"name\":\"Aliaksandr Prysmakou\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/7a200d186ae9316c7d174cf2290417a7bab1f5cffb9e880f7c3b0ea5eed08898?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/7a200d186ae9316c7d174cf2290417a7bab1f5cffb9e880f7c3b0ea5eed08898?s=96&d=mm&r=g\",\"caption\":\"Aliaksandr Prysmakou\"},\"description\":\"Aliaksandr Prysmakou is a Cloud Foundry DevOps Engineer at Altoros. He is an expert in cloud automation and virtualization. As a member of a joint team formed by Canonical, Pivotal, and Altoros, Alex worked on automating Cloud Foundry deployment with the Juju orchestration platform. He also contributed to extending BOSH to support new cloud providers. Previously, Alex designed templates to automate management of Microsoft solutions on the RightScale platform and provided fault tolerance for Microsoft SQL Server.\",\"url\":\"https:\/\/www.altoros.com\/blog\/author\/alex-prismakov\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}