Cloud Foundry Cloud Foundry Summit Silicon Valley 2017, 23 Jun 2017

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Source of Truth: Auto-Populating Your G-Suite Users and Permissions in Cloud Foundry

Description

Source of Truth: Auto-Populating Your G-Suite Users and Permissions in Cloud Foundry [I] - Colleen Briant, Google

Managing your GSuite and Cloud Foundry users has never been so easy! With the development of a new integration from Google, GSuite users and their permissions are automatically propagated to your Cloud Foundry foundation. This talk will show you how to integrate your GSuite users and groups into your Cloud Foundry auth and permissions structure, including best practices for using LDAP groups and SSO.

A

Hi guys I'm Colleen I'm from Google I've, been with Google for exactly one year in one day. Actually, yesterday was my anniversary. Thank you and I work on a team that specializes in open source integrations with Google cloud platform, so you might have seen my work on the GCP service broker, but today I'm here to talk to you about a new integration that we're exploring. This is under development, but still very much in flux. Still looking for a lot of feedback in terms of is this a product?

A

That's going to be useful and helpful to you what features what you need! What direction would you want it to go?

A

So definitely looking for a lot of feedback at the end of this session, but so we're going to talk about the work, that's planned and and started right now, integrating G suite or which you might also know as Google for work with Cloud, Foundry authentication and permissions, so I'm, just gonna level set on some acronyms just to start with, so you a as user accounts and authorization sonication authentication, and this is a default- that ships with Cloud Foundry for managing your user logins.

A

However, in terms of most of the permissions that your user, your Cloud Foundry developers are going to use day-to-day, those are managed through the cloud controller api's, which is commonly abbreviated as capi. So these are two distinct systems. You add a user through UA as well as through copy, but then managing the different sets of permissions or different pieces of information. You have to go from one system to the other, so it's does pose some limitations and may can make some things a little more difficult to administer.

A

So, having worked in an enterprise organization before we know that onboarding and just permissions day-to-day can be hard and complex. So there's a situation that I thought some of you might be able to relate to so, let's say: Nancy's a new developer at your company, so your HR person will add an entry for her in his tool, which is usually synchronized to another system so that she can get her G suite account all set up.

A

So she hits an email address and logs for those actions will go into his tool and into G suite and then you're gonna have a sysadmin who's. Gonna use a different system, probably to add Nancy to some LDAP groups, because you might have other health and benefits systems that are connected.

A

That'll pull that information in so then logs for that action will just go into the LDAP server and you know during onboarding you get that document that says how's the checklist of everything that you should have permission to, that you should set up your system with so during her onboarding Nancy is gonna, find oh I need to have a Cloud Foundry account made for me, and I need to have access to these orgs and spaces that my team's gonna work on. So then Nancy will probably go to her p.m.

A

and her PM will create her an account and maybe I, add her to everything that Nancy requests. But those documents are never complete. So a few weeks later and Nancy's gonna find something that was left out and she's. Probably at this point, just gonna go to her team lead and her team lead will be able to give her access directly through Kathy to whatever spaces or orgs. She was missing and again these logs are continuing to be kind of scattered across the disparate systems.

A

So the logs that went into Kathy are only there and then the logs from the team leaves actions might need to go into both systems and then say a year later in Nancy switches projects. So she doesn't want to get the spam from her old team Google Groups anymore.

A

So her old PM removes her and her new PM goes through the and team Lee go through the same set of actions, so they're kind of adding things in different places, but it's very reasonable to think that somebody might forget to remove her access to her old orgs and spaces. So you're kind of left with the logs are scattered across these different systems.

A

The actions are very disparate, and so it can just be kind of hard to track what's going on and where and make sure that the permission structure is as it should be and gets propagated through all areas of the system.

A

So you tried to come up with a workflow that would be more consistent, so it starts in the same place. Steve still adds Nancy to the HR tool and that propagates did you tweet.

A

This diagram, I, know kind of looks complicated, so I'm I'm gonna walk through it. So we've added a couple things here.

A

There is something known as google cloud directory sync, that's the box to the right of the LDAP box, and so that's gonna, pull from the LDAP server and propagate LDAP groups as Google Groups into G suite, and then the application that I'm working on is simply labeled sink next to G. Suite and that's gonna do a very similar thing: pull from G suite and propagate to both Kathy and UA a so this step to where Nancy sysadmin adds her to the LDAP server, actually kind of takes care of some of the other steps.

A

So her PM no longer needs to create her an account and add her to orgs and spaces. Now the LDAP groups will take care of that themselves. Excel gets synced into G suite and then synced into both system and then the logs for that will be consistent because they'll be both available in the sync applications, as well as in each of the individual systems.

A

So if you're looking for a complete set of actions, you can go straight to the sync system to look for everything together and then again, when the permissions need to be updated, you don't have to go into the individual systems at Nancy's p.m. can just add her to a new google group and that'll. Take that same set of actions to add her to the appropriate orgs and spaces, or give her the appropriate permissions in copy or UAE or both.

A

And then you get the nice consistency of when Nancy switches teens. Her p.m. removes her from the Google Groups that correspondent to her old team and that'll propagate that set of permissions through, so that you can be sure that only the people who are supposed to have access to those orcs and spaces are the ones that do.

A

So, as I said, because the solutions this is the sink that is under active development, pulling from gee suite into UAA and Cappy and all in a second walk through that in a little bit more depth, and then these I included just because they are so common, but they are kind of optional add-ons.

A

So single sign-on by Open, ID Connect is available right now with UA. So that makes a lot of sense to add, and then this go cloud directory, sync kind of gives you the full workflow from LDAP to single sign-on and all these permissions it propagated throughout your system, with consistency.

A

So the way that you would use this application is you just do a config before the application runs to create a mapping of your Google Groups to a set of roles, orgs and spaces within Cloud Foundry. So, for example, you could have a like finance, dove's group, that maps to you should have space developer in the finance org and a finance DEP space, or something.

A

And then, when the application first starts, it's going to read that mapping and do a sync both to make sure that it's caught up on users and groups that exist within Google and to make sure that it's caught up on that config. So it's gonna read everything from Google diff it with everything in Cloud, Foundry and then apply the appropriate transformations and then just during the course of normal application, running, there's gonna be a listener.

A

So it'll listen for actions taken in G, sweet things like adding members to groups disabling somebody's access and then transform those into individual actions to apply to Cloud Foundry.

A

So I just have a quick demo of the user import functionality, so I have a G suite account set up and you can see. I have two users there, but in my Cloud Foundry users list there is only one entry and that's my admin user, so I'm just gonna surround the program, so you can see it's pulling users from Google and it found these two right here pulled in their information. Hold users from Cloud Foundry only found one, which was the admin user.

A

So it knows that it's missing these two users I needs to add them to Cloud Foundry. So if I come back out and get my users list again now, I have that admin user, but I also have my Coleen user and Dana somewhere in there. I have three total results now.

A

So this is a pretty quick talk. To be honest, this is all that I have to present to you right now, so I would love to take any questions now or I'll just stick around afterwards. If this sounds interesting again, this is very much up to the community to see what kind of features you would need so come talk to me.

A

Does anybody want to ask any questions now: okay, I'm, just gonna hang out over here, Thanks.