uaa配置详解

uaa的配置文件是uaa.yml。war包中的uaa.yml不需要改动，一般通过指定环境变量：$CLOUDFOUNDRY_CONFIG_PATH，指定运行时外部uaa.yml路径。

具体配置项如下：

name: uaa # 组件名称
database: # 数据库配置
url: jdbc:postgresql://192.168.1.63:5524/uaadb # ！数据库连接URL
username: uaaadmin # ！数据库用户名
password: "c1oudc0w" # ！数据库密码
 
spring_profiles: postgresql # 激活postgresql的spring配置
 
logging: # 日志配置
config: /home/vagrant/programs/apache-tomcat-7.0.52/webapps/uaa/WEB-INF/classes/log4j.properties # 日志配置文件路径
 
jwt: # JSON Web Token
token:
signing-key: | # 对token签名的密钥，如果用对称加密算法，那么signing-key和verification-key要相同
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDHFr+KICms+tuT1OXJwhCUmR2dKVy7psa8xzElSyzqx7oJyfJ1
JZyOzToj9T5SfTIq396agbHJWVfYphNahvZ/7uMXqHxf+ZH9BL1gk9Y6kCnbM5R6
0gfwjyW1/dQPjOzn9N394zd2FJoFHwdq9Qs0wBugspULZVNRxq7veq/fzwIDAQAB
AoGBAJ8dRTQFhIllbHx4GLbpTQsWXJ6w4hZvskJKCLM/o8R4n+0W45pQ1xEiYKdA
Z/DRcnjltylRImBD8XuLL8iYOQSZXNMb1h3g5/UGbUXLmCgQLOUUlnYt34QOQm+0
KvUqfMSFBbKMsYBAoQmNdTHBaz3dZa8ON9hh/f5TT8u0OWNRAkEA5opzsIXv+52J
duc1VGyX3SwlxiE2dStW8wZqGiuLH142n6MKnkLU4ctNLiclw6BZePXFZYIK+AkE
xQ+k16je5QJBAN0TIKMPWIbbHVr5rkdUqOyezlFFWYOwnMmw/BKa1d3zp54VP/P8
+5aQ2d4sMoKEOfdWH7UqMe3FszfYFvSu5KMCQFMYeFaaEEP7Jn8rGzfQ5HQd44ek
lQJqmq6CE2BXbY/i34FuvPcKU70HEEygY6Y9d8J3o6zQ0K9SYNu+pcXt4lkCQA3h
jJQQe5uEGJTExqed7jllQ0khFJzLMx0K6tj0NeeIzAaGCQz13oo2sCdeGRHO4aDh
HH6Qlq/6UOV5wP8+GAcCQFgRCcB+hrje8hfEEefHcFpyKH+5g1Eu1k0mLrxK2zd+
4SlotYRHgPCEubokb2S1zfZDWIXW3HmggnGgM949TlY=
-----END RSA PRIVATE KEY-----
 
    verification-key: |
        -----BEGIN PUBLIC KEY-----
        MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHFr+KICms+tuT1OXJwhCUmR2d
        KVy7psa8xzElSyzqx7oJyfJ1JZyOzToj9T5SfTIq396agbHJWVfYphNahvZ/7uMX
        qHxf+ZH9BL1gk9Y6kCnbM5R60gfwjyW1/dQPjOzn9N394zd2FJoFHwdq9Qs0wBug
        spULZVNRxq7veq/fzwIDAQAB
        -----END PUBLIC KEY-----
         
 
issuer.uri: http://192.168.1.167:18080/uaa  # uaa的token发布地址
oauth:
   
  authorize:
    ssl: true # 是否启用ssl
   
  client:
   
    autoapprove: # 自动允许的客户端，用户无需显示的被询问是否授权，如：是否允许cf客户端获得操作cc的权限
      - cf
      - login
      - developer_console
      - support-signon
   
  clients: # 默认受信任的客户端，即：不在数据库中存在也能获取access token的客户端
    admin: # 名称
      authorized-grant-types: client_credentials # 授权方式，client_credentials意思是：直接由Client向Authorization Server即：uaa，请求access token，无需用户（Resource Owner）的授权
      authorities: clients.read,clients.write,clients.secret,uaa.admin,scim.read,password.write # 用来定义默认的用户允许的操作范围，即客户端默认拥有的权限，不需要用户授权，且用户有没有该权限不影响
      id: admin
      secret: "c1oudc0w" # 共享密钥，认证该客户端
    cloud_controller:
      authorized-grant-types: client_credentials
      authorities: scim.read,scim.write,password.write
      id: cloud_controller
      secret: "c1oudc0w"
      access-token-validity: 604800
    cf:
      id: cf
      override: true # 是否覆盖数据库里的客户端配置
      authorized-grant-types: implicit,password,refresh_token # 授权方式，这里是：隐式的，用户密码
      scope: cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write # 用户可以要求client代表自己操作的权限范围
      authorities: uaa.none 
      access-token-validity: 600
      refresh-token-validity: 2592000
 
    login:
      id: login
      override: true
      secret: ""
      authorized-grant-types: authorization_code,client_credentials,refresh_token
      authorities: oauth.login
      scope: openid,oauth.approvals
      redirect-uri: https://login.10.0.2.15.xip.io
 
scim:
  userids_enabled: false
  user.override: true
  users: # 开发测试时用户
    - admin|c1oudc0w|scim.write,scim.read,openid,cloud_controller.admin # 从左到右依次是：登陆用户名|密码|用户组

 

注意：其中打感叹号的地方，一般需要配置