ECSTeam / cloudfoundry-top-plugin

Cloud Foundry CF cli plugin - show top stats
Apache License 2.0

Non-admin user sees grayed out list of all apps in all spaces #9

Open deanhouseholder opened 7 years ago

deanhouseholder commented 7 years ago

Currently non-admin users see the stats for the apps in the targeted space and see a grayed out list of all apps in all spaces they have access to see.

I would like the ability for non-admin users to see the same list that admin users see with all the stats available for all apps in all spaces.

kkellner commented 7 years ago

A clarification on your statement above. Cf top does not use the "currently targeted org/space" information when displaying stats. For non-admin users it grabs the first 50 apps that the /v2/apps API returns (which is normally the oldest 50 applications deployed to the platform for which the user has visibility). Any applications over 50 are displayed as grayed out.

Back to your request -- if by non-admin you mean a specific group of users (e.g., cloud foundry operators) that are logged in with their own login and not the "admin" user but want to run cf top -- that is possible. If on the other hand you are talking about normal developers that should not have admin-like permissions - this is not possible.

Cloud Foundry through uaa and the cloud controller will only allow a user to see applications in orgs and spaces that the user has been given access to either directly or indirectly (via scopes). That access is not something that cf top can override.

If a user or set of users (e.g., cloud foundry operators) need access to run cf top you can assign the appropriate scopes. But be careful as giving cloud_controller.admin can give a user a lot of power. See instructions in link below.

https://github.com/ECSTeam/cloudfoundry-top-plugin#assign-scope-if-privileged-mode-is-needed

deanhouseholder commented 7 years ago

Thanks for clarifying the current behavior. My scenario is this:

I'm not a CF admin, but instead manage the production instances for a few hundred apps. I'm a space and org manager, but not an admin. I see the problem of >50 apps are grayed out.

I would like to see everything I should have access to see.

kkellner commented 7 years ago

Your only option is to request the following two scopes be added to your login id:

cloud_controller.admin
doppler.firehose

However this will give you access to everything running on the platform, not just the few hundred apps you are responsible for -- unless it's the same list. i.e., you are responsible for all applications on the platform.

The reason cf top caps at 50 applications for non-admins is that a websocket must be opened for each application that is monitored. 50 persistent socket connections is a lot for 1 application / user. If it wasn't capped we could open 100s of websockets which would not be good on the platform. When you are an admin, all events can be streamed through 1 websocket, although cf top opens 2 by default to help ensure fast event processing.
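The scope requirement and the 50-app cap described in the comment above, as an added Go example that is not cf top's own code and not part of the original thread. It assumes the token has the `bearer <jwt>` form with a `scope` array claim, and that a login counts as privileged only when both scopes are present; `tokenScopes`, `plan` and `nonAdminCap` are hypothetical names.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// nonAdminCap is the per-app websocket limit the thread describes for non-admins.
const nonAdminCap = 50

// tokenScopes reads the "scope" claim of a UAA access token (JWT) without verifying the signature; audit aid only.
func tokenScopes(token string) ([]string, error) {
	parts := strings.Split(strings.TrimPrefix(token, "bearer "), ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected a three-part JWT, got %d parts", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims struct{ Scope []string `json:"scope"` }
	err = json.Unmarshal(payload, &claims)
	return claims.Scope, err
}

// plan returns how many websockets would be opened and how many apps are grayed out.
func plan(scopes []string, visibleApps int) (sockets, grayed int) {
	have := map[string]bool{}
	for _, s := range scopes {
		have[s] = true
	}
	switch {
	case have["cloud_controller.admin"] && have["doppler.firehose"]:
		return 2, 0 // privileged: all events on one stream, 2 sockets opened by default
	case visibleApps > nonAdminCap:
		return nonAdminCap, visibleApps - nonAdminCap
	}
	return visibleApps, 0 // one websocket per app, under the cap
}

func main() {
	// Constructed payload: a space/org manager with no admin scopes (header and signature are dummies).
	body := base64.RawURLEncoding.EncodeToString([]byte(`{"scope":["cloud_controller.read","cloud_controller.write"]}`))
	scopes, err := tokenScopes("bearer hdr." + body + ".sig")
	fmt.Println(scopes, err)
	fmt.Println(plan(scopes, 300))
}
```

Running it against a login's scopes before requesting cloud_controller.admin shows whether the grayed-out list comes from missing scopes or simply from having more than 50 visible apps.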

kinjelom commented 4 years ago

@kkellner @deanhouseholder take a look at this https://github.com/ECSTeam/cloudfoundry-top-plugin/pull/15