That's fine. It's always good to know who the expert is so you can go and ask questions later. Having said that, I'm not the expert on this topic. What a segue. We are going to talk about the UAA. I did not write the UAA. It is possibly older than I am. Hopefully I'm old enough that that's an obvious joke. It is one of the oldest parts of Cloud Foundry and one of the parts that hasn't been replaced. There's no UAA v2, so to speak, where it got a rewrite, as far as I know. And as such, it's great and it's stable, and I would not want to write it myself to replace it just because there's something I didn't like about it. But when it comes to deploying it on Cloud Foundry, it's not as easy as it could be. That's what we're going to talk about. So why you might want to run your own UAA is hopefully interesting to the people who've decided that they would like to find out how to run it. It is: if you've got an app, at some point you're going to have users that are not you, and at that point you'd like to know which user is which. And a lot of this functionality will be in your app, but the delegation of who they are and what their authorization is: to build all that into your app is probably a lot of functionality that is either then going to be duplicated across your other apps, or someone's going to say we need to extract that out into our Active Directory system, and at some point you're going to wish that you had not invested time unnecessarily. And if only there was a way to do users and access and accounts and authorization and authentication, and you could have done that early, you could have made a lot more progress on the rest of the app that you're working on that is more high value. And so when it comes to security, it's also just thinking it through: if you've never had to go and do high security and gone through all the different facets, there is just so much to doing application security.
So many different ways in which people are going to interact with your systems, both the systems that face them, whether it's mobile apps and their back ends, whether it's APIs, whether it's the back ends to the back ends, which you might think, well, I don't need authorization for that. Yes you do. Like other apps: which apps are allowed to talk to that app, how are they allowed to pass, what portion of user data is allowed to be passed around your micro system, your microservices? Do all apps need all data? No, they don't. So we need a model for this. Now this talk is not a talk about how to use the UAA. There are a lot of talks about that. You will be more interested in how to learn the UAA if you've learned how to run it. Your own UAA. Because you do know that if you've got a Cloud Foundry there is a UAA in your life. Every time you do cf login, every time you go to a web portal and log in to something, every time you use an app that connects to UAA, you'll be taken to that page and you'll log in. But we're not going to use that one. That's not yours. And if you are the admin of that UAA and you're thinking it is mine, then I'm not talking to you. You are the owner of the platform. I am talking to people who are deploying apps and have their own customers on top of that. So we're going to give you your own UAA. We're going to talk about how you can theme it, and we're going to talk about this experience. Now at some level this talk should be really simple. It should just be to get the war file, the war ball, the wall ball, I don't know how to pronounce it, and deploy it. I mean, that's how we do things on Cloud Foundry. This is as simple as it should be. I made it slightly more complicated by saying you have to set up DNS, only in the sense that the UAA wants to know what its URL is. But we would have set up most of DNS already when we set up Cloud Foundry.
So the couple of nuances, when we look at it, are that the UAA is not what you might call a cloud native app. It has a big YAML file that it wants in order to configure it. Now fortunately we don't have to pass it as a file. Fortunately we can pass it as an environment variable, a big environment variable, but inside that big environment variable is where the database is. So we don't get to use the normal service bindings that we've enjoyed if you've ever deployed apps: you do create-service, create-binding, push, and everything's great. That doesn't work, but we have a solution to it. But these are just some of the hiccups in deploying the UAA. So if you're going to do this yourself, and by the way I'm going to get to a tool that I found made this all easier for me. If you'd like to use the tool you're more than welcome; it is essentially a big bash script, but it looks lovely. You wouldn't know it was a bash script except I told you, I spilled it. But the point of it being a big bash script is if you don't like the tool you can just look inside and go, okay, I run this, then I run that, excellent, we can put it in CI. But these are the sorts of steps that we're going to automate. You will need to build the war file for yourself. The UAA team do not ship versions; they cut tagged releases, but they don't ship a product. The UAA's attitude, by the way, is that we should not be meeting like this. The UAA team do not believe in anyone deploying the UAA except with BOSH; that is their official stance. I don't think they've technically said we shouldn't gather as groups in more than four or five, but every time someone pops up on the internet and says, hey, how do I deploy the UAA to Cloud Foundry, and because I'm like a tiger I go in with, here's a tool, and then someone from the UAA team comes in like a brown bear and says, don't do that. Do you know, just... just BOSH. They don't say it like that; they say that our supported way is to deploy with the BOSH release.
So we're all under the radar. But it's just code, and just think of it as lift and shift. We're going to run someone else's thing, I'm going to make it work, and it's all going to be great. But we do need to create a service key because the binding doesn't work, so we need to get that URL out for the database, but we can use Postgres or MySQL, whatever, however you like to get your Postgres or MySQL. And then we sort of just mystically, magically create a big YAML file. Let's skip over that for the moment. It's very large, has a lot of secrets in it, and this is where you appreciate the tool. The pre-built UAA actually is moderately theme-able. You can change a logo, you can change some text, you can put some more links in the bottom, and obviously it's configurable, and most importantly you can set up all the clients. This is one of the reasons you will want your own UAA: you will now be responsible for setting up clients. Clients are the UAA language, or the OAuth language, for other apps. So your web apps that want to represent customers or users, your other backend micro apps, microservices, CLIs, everything that interacts is called a client, and you will get to set those up. So there's a bit of customization of the GUI, and then we have the CLI, which we'll look at later, for how to customize it as a product. But it is just a web app. Theoretically we can do anything we like. This is where the UAA doesn't really help us along, but old Dr Nic will help you out here. Now I'm going to show you how to do this, and as always this is where we use the word hack. We're going to hack the UAA so we can make it look cool. This idea comes from the cloud.gov team. They do deploy with BOSH like champions, and they wrote another BOSH release. That's really funny. So the first BOSH release deploys the UAA. The second BOSH release stops it, opens up the war file, slaps in the new theme, wraps it back up and says, all right, off you go again. And that's what we're going to do.
It's going to be awesome. Except we don't have to start it and stop it. We'll just take it, fix it and then move it on. So a lot of that idea comes from the cloud.gov team. But the idea of theming it: so Pivotal, for a period of time last year, had a menu bar thing or an advert at the top of their site. This is a custom theme. This is not something, as far as I can tell, that's easy to do without changing HTML. And this goes back to you and your apps. You want to theme things. You want your experience to be your experience. So I encourage you to think about putting some cycles into that. And I mentioned the process. Essentially, we're going to iterate on a design. The process will take versioned war files. And I said that the UAA team doesn't publish war files. I do, for you. There's a CI pipeline. I just put them back up on a GitHub repo somewhere. So you can follow them like you would follow anything else. Or you can make your own. And so it just slots into this process. And then with the cf push, you can iterate that. So if you're doing the redesign, you can just keep pushing. New versions come down from the UAA team; you can just automatically deploy them like you would automatically set up any CI system. And I mentioned, sorry, skipping ahead of my own slides: whilst you can make your own war files from master, if you just want to track a version that's coming out, then you can follow that GitHub repo with your Concourse, whatever versions come out, and just pull them down. If you don't trust that I might build them, and that's fair enough, build your own. But that repo has also got the pipeline of what's running. But you might not trust me, so make your own. But the gist of it is we're just going to upload that and do a no-start. We're going to do the no-start because... I've forgotten all of a sudden why we do a no-start. Because the app doesn't exist yet. So we need to do the no-start. This is a Cloud Foundry nuance.
Remember I said that we need to do the service key? We need to... No, damn it. Why do you need a no-start? That's really interesting. Well, maybe we'll come back to it and we'll all learn why we do no-start. When you get in front of people, you're confused. So, the YAML manifests. Now, if you've ever deployed the UAA, and if you've run Cloud Foundry, you've kind of implicitly deployed the UAA. It's in there somewhere. You might never explicitly configure it. You just take what you get and move on with your life. What's interesting, though, is that in the UAA job in the UAA BOSH release, the config is different from what you actually pass down. And I don't know the history of this, of why they started to evolve it slightly differently, and so they'd have an idea of what the schema is for the app, and then whoever was doing the BOSH release just decided to make it look different. So what we are doing is the file, and we are going to need to learn what its schema is a little bit. And we are going to need a... It's an app. It's an important app. You are going to do a staging and a production version, because you are good people and you care about yourself and your friends at work. And so therefore we will need different uaa.yamls for staging and production. We are going to need a solution for that. We are going to need a solution for generating all those secrets, encryption keys. The newer versions of UAA now support multi-factor authentication, so your users can... You can force them all to sort of have to bring in a phone, Google Authenticator or Authy. In order to support that feature they had to encrypt the database, which means you now have this very special encryption key, and whilst you can rotate many secrets in life, encryption keys are more secret and more special than others. So I don't know yet whether they have supported... I think they actually have supported now rotation of encryption keys. Which is super handy.
And more than likely at some point they want to sort out backing your UAA with Active Directory, etc. Now, how are we going to get this large YAML file into our app? Because we are uploading the war file. We don't get to upload that and a YAML file. We just get to do one, not the other. So fortunately the UAA does support an environment variable, and so this is a little bash command that you can run to sort of say, this file goes in as a big rectangular YAML environment variable. Now, you can get very enthusiastic with this. I mentioned you can do theming. The way you do theming of images is you base64-encode the image and put it in there. It gets pretty big pretty quickly, and that's when you start hitting row limits on your database inside your cloud controller, and you'll just get an error. So, if you ever do this and it just comes back with a 501 database access error, that is entirely your fault: you've made an environment variable that's just too big, and that's when we'd move to doing the custom theming as opposed to just changing... Just so we're all on the same page: I mentioned we can just change some images. That's all built in. We don't have to do custom HTML. You can do that, except we are going to be base64-encoding the images, and that makes them really big, and then that goes... That means your YAML file is even bigger, and at some point that will not fit in the cloud controller's database when we do the set environment variable. That's not the error you get. We love errors. Errors are so helpful. Errors just tell us there's more games to be played. A terrible error. No one likes an error that says exactly what's wrong and tells you how to fix it. That's not what we signed up for in this profession. What we signed up for is just really vague mentions of something where we have to ask three people, and one of them says, oh, I remember that, and that's why our profession is just the best. I think it's been... Even if you can, this issue may turn up.
I've never seen this problem turn up, of having too big an environment variable, until I started deploying the UAA, and if I remember it, I think it's because of big images. Why I had to do big images? No, I don't remember. And so now we want to move on to the next problem. And again, whether you use my tool or not, you're going to need a solution to this problem. And that is, what is the point of deploying to... What is the point of a pipeline that deploys to production? What is everything we do? We want production to be awesome all the time, or at least not awesome and no one notices. If your app stops working in the woods and no one hears it, does it stop working? No, it didn't stop working. It's awesome. If you didn't have to send out an apology email, you're good to go. I know. Yes, right. All the 9s just, you know, there might be other numbers in there as well. So this is this idea of what we want... It's going to be a different uaa.yaml. But we want it to be as close to the same as possible, so we cannot continuously maintain two files and hope they're always pretty much the same. You want to have a template. You want to have the one that you want, and staging and production are kind of... just slightly different. And we have tools for this, for managing big YAML files. If you have had a terrible life with BOSH, you'll remember Spiff. That is not worth mentioning on a slide. I will just say it out loud for anyone that remembers that tool. Spruce is another tool for merging YAML files together. And my favorite is still the bosh int command. I've got to like it. I liked that it failed fast. It told me I'd done something wrong more often than not. And so I've tended to bring it with me to not-BOSH places to merge YAML files together. You can choose your favorite way to curate large YAML files; I keep using bosh int. And so, you know, you can sort of say, well, it's all the same, but here's the prod bit.
And it's all the same, but change these bits for staging. And that leads to, at that point, you would think, well, I better wrap all this up in some sort of large shell script, and in order to share it with people, I need to give it a cool name. And the cool name originally was u. And then someone told me that's not a cool name. Now, you might wonder why I would call it u. Well, the whole idea of this script came from a project called BUCC. BUCC was a way in which we bring up BOSH. And it stood for BOSH, UAA, CredHub, Concourse, because you get all of that in one VM. It's awesome. But since it's an acronym, and all I needed was the UAA bit, I called the project u. And it made a lot of sense in my own mind until other people started using it and thought it was dumb. So I took the feedback. I took the feedback. And so I do get to pronounce it, though. It's not Q-U-A-A, because that's ridiculous. It's Q-A-A. It's Q-U. That's a Q-U-A-A. Whatever. It is a quick UAA deployment. And it's actually a family of tools, depending on where you want to deploy. We're only going to talk about the Cloud Foundry target. But the idea is that regardless of whether you're deploying, like, locally using BOSH locally, or whether you're deploying locally to a... Sorry, whether you're using BOSH, like a MicroBOSH sort of thing, or whether you're locally to Tomcat, or whether you're using Cloud Foundry, the idea was that you would have this one CLI and this one experience, because you might be wondering why I would go to such efforts. I was in the process of writing a book about the UAA. And I wanted a simple way to say the same thing over and over regardless of if you're deploying to Cloud Foundry, do this, if that... I didn't want to have to explain that. In the end, I can't be bothered writing the book on the UAA. But we still get the tool, and that is an important outcome. So it's this up command.
So quaa up, and then we're going to configure the CLI to be able to talk to it with auth client, and we'll find out our credentials with info. And so it's this nice little CLI. If you don't like the CLI, and you just want to deploy the UAA your own way, that's great. It obviously encodes many ideas on how to do this. The only dependency is creating the database first. So go to your favorite service provider for MySQL or Postgres, provision one, and it just needs to be called uaa-db. And then you're good to go. Everything else is automatic. You run this command, and it works. So let's see this in action. And when I say everything else works: it downloads every CLI dependency. Even if you've never used Cloud Foundry before and don't have the cf CLI, it will download it for you. Don't have BOSH? It will download it. Don't have the UAA tarball? It will download it for you. Obviously you do have to have the cf CLI because you've just created the service, but nonetheless it downloads it. All right, projects, UAA. Quick. Look at all those different versions. Again, it's just... All right. So in coming to this, it automatically added... It's actually under... Again, a lot of these patterns come from the BUCC project. You go into this folder, it automatically becomes active, and the CLI is inside this folder. So there it is, a bunch of sub-commands. You will be able to find out what your YAML file looks like, because you may want to iterate on this to configure it, so you can keep mashing together your operator files to see what your final YAML file looks like before you deploy. This is for setting up the client so that you can start configuring. And all we do is go: right, up. It exists in a different space. That's the best. Oh, I see, because I've already got vars. Oh, there we go. Just delete that. Okay, up. And we'll do routes. So I know that it's on Pivotal's thing, so I know I'm going to have a bit of that action. See if summit demo.
So it generates the manifest.yaml for what we're deploying. And is that... There's no point in me asking. I hope that you can read what's on the screen. You want it bigger? I understand. White is a lot better. I learned that. And I could not get all the other colors on my computer to work with white. And it got worse and worse and worse, and I banned white. I'm just talking through a cf deployment. There's nothing else special about this at this juncture. We're just patiently waiting for it to come up. It's not going to work because I haven't set up the uaa-db. cf create-service in a different place. It creates... I told you you needed to do this, but you can go and do it. Try it again. That's what you do when something doesn't work the first time. It's already going better. Look at that. Where are we up to? What happened? It started that. Let's just delete that so we can feel good about ourselves. All right. So we're on this command and off it goes again. I mentioned before, the first time you do this, it will download that war file. What this means is that the way you upgrade is you just do git pull, and if there's a new version of the war file you'll just deploy that. I was very patient the first time. That looks good, doesn't it? Looks like it's doing things. There we go. The rest of it is the magic of Cloud Foundry. This project was a lot easier to do because Cloud Foundry is awesome. Really what we're talking about, this is just an interesting example of bringing an app that doesn't quite fit nicely onto Cloud Foundry and trying to jam it in there, and other than having to bring in a YAML file and make sure that it will take that through an environment variable, it's impressive that Cloud Foundry can still take this app that really doesn't want to be on Cloud Foundry that much. All right. That will keep working. You know what this is going to look like at the end? It will look like the UAA, so we can move on. An unrelated side topic.
I just learned Ruby on Rails. I was very excited to learn Ruby on Rails. Ruby on Rails came out at a time in our lives where Gmail and Google Maps had come out and Ajax was a thing. Literally they had given it the name Ajax, and you might remember this. A lot of websites, cool websites, started to use rounded corners for things. I wanted rounded corners, so I decided I needed to learn Ruby on Rails, and so one of the first projects I thought I'm going to learn... I didn't actually have any imagination, so I thought I wanted, like, my own webmail. Webmail was terrible. That's why we love Gmail. It was terrible. I don't know if you remember: you used to type a big long email, probably angry, and you press send, and it would say if something went wrong, you go, well, that's no good, and you go back and the email would be gone. Oh my lord, they were dark days. So Gmail was fantastic, except Gmail was what we call a SaaS product and you can't trust those, so I wanted an on-prem version. Right. Here we are, so I decided I would just clone Gmail, because I don't know any design, so I literally just stole all the HTML and CSS from Gmail and made it look like Gmail, so proud of myself, showed my friends and they said, well done, you've made Gmail. I hate you people so much. And the worst part, the worst part was, as a Windows developer, and as pretty much just not a person, I didn't do anything. I didn't actually know how email works, so I never actually sent email. It's... now you've seen this, this is just the best part, right, this is the UAA, so let's go and see our UAA in action. That would have been a lot better if it worked, wouldn't it? We can all agree on that.
Now I'm going to debug in front of people. Let's go to the top. Spent all that time selling a silly story; I mean, it was a good story, sorry. I mean, you know, there's a line between the font being big enough for you to see and being small enough for me to be able to see where the error is. Who can write... Look at all that YAML. Obviously there's going to be a point where I stop looking and we just move on and look at slides, and that point is now. All right, and then there's the auth client. So the auth client command: this is where we introduce the UAA CLI. You might not have seen the UAA CLI. If you've ever interacted with the UAA before, for the longest time there's been a Ruby CLI called the uaac, and that is impressively still the supported standard CLI. The UAA team did have a very exciting burst where they actually made a new Go CLI, and so it's just a compiled binary: take it wherever you are, take it camping, it's just the best, and I like it a lot more, so that's the one we're using, and it comes with quaa. So the moment you start using quaa it will have downloaded that CLI for you and you can start using it. And so if you've ever used and ever configured the UAA you'll know you create clients so that apps can use them, generate the secrets, pass them, give them out, and you can generate users. And you might wonder, what is this thing? It is just a git repo, and it starts working; it starts downloading CLIs. So now at that point your path will have all these CLIs in there, most of which... the cf one will be done for you, the bosh int one will be done for you, and you'll get the opportunity to run the UAA. And so we went through this process unsuccessfully just moments ago. Just like... just remembering it, it's like watching a news flash of a disaster that just happened that you were in, trying to think if I did anything wrong. No, I did all these things. I was awesome. I was let down by computers. So to go through again what happened: we created... the only thing you needed to do was to create the UAA database, MySQL or Postgres. It automatically downloads a war file, builds that YAML file and does the push. All right, why that's impressive or helpful is the uaa.yaml file is easy to get wrong. It's big, you don't know what's supposed to be in it, and when it errors, as I was able to show, what it looks like when it errors is not exactly pointing the finger, you know, to fix that. All right, so I think this, even if you end up not using this tool, as a way to start learning what goes in this file, it might be very helpful. And the tool for building the YAML is built in, so you can see one of the examples that's got the encryption keys, that's the encryption keys for the database, and it has an active one; it allows you to rotate them. JDBC driver, and about the fourth line down you can see the JDBC URL. Now the UAA team has told me they are looking into making it more Spring Cloud, more Cloud Foundry-like, so that you won't need to do that, and it will just discover service bindings, and we'll see how this works. It was to get this URL in there. Now all the secrets that we generated are stored locally in this folder; there's a state folder, and I'm just caching them there so that you've got them for later. So this folder becomes full of your secrets, and they're important secrets, so you want to put them in a git repo and push them, and then you might build CI around this git repo. And if you're unhappy with that, where else secrets can go: because I'm using the bosh int command, it just spits secrets out onto the file system and then we put them somewhere. All right, bosh int is really quite nice, and it allows you to take a base YAML file and then with additional files make changes, like little snippy snips. And so let's just have a quick look at some of them so that you can sort of get the feel for that. It's a learnable skill. I do not know what just happened there, but the good is going on in my laptop; that just got weird quickly. Yeah, just take five. Keynote. Mmm, mmm, mmm. Decades of speaking on stage live coming to the fore. All right, all right, so branding example. So this is an example of an operator file, and you can't see that; let's just think of the humans. And it's this idea of saying, somewhere in this YAML file, cut that out and replace it with the following, so just going down and changing bits and pieces, and all you do is add those together. The instructions are in the book... the instructions are in the README, and once you learn what this structure looks like you can start making your own changes. Want to set up, like, Google Apps authentication so that you can log in as starkandwayne.com or whatever yours is? There's some operator files for this. I think this one works for LDAP; that would require me to have something LDAP-y I can point to. I may have lost motivation around the same time as I was developing this, and I don't think I've ever finished testing this one, so if you ever get the chance to play with it and want to set this up and it doesn't work, let's chit-chat on Slack and we'll make it work, mostly by asking the UAA team to help, and then we'll just put it in here. And this is like encapsulating some good ideas. I was trying to play with JumpCloud, which is like a SaaS. All right, Keynote, are you ready to behave this time?
Then we'll finish up. Don't worry about all those slides. Where are we? All right, new theme. I said one of the cool things: there's a new theme. Also in here is a command called customize UAA war. You run that, and what it does is it unpacks the war file, steals all the templates and puts them in your project, and now you can start editing them, and every time you do an up, a quaa up, it will put it back together again, so you can iterate on that. If you don't... anyway, play with it, it's a bit of fun. Now just a quick introduction to using it. Of course there's the UAA CLI, and go create clients. It is obviously... using the UAA does require you learn how it works, and I'm not going to teach you today because of time constraints, but it is super interesting, and if you decide I don't want to learn how the UAA works but you still want to do user management, you're just going to invent something that's terrible. I mean, you can't know enough to know what to invent. Like, OAuth is so well defined; it's far nicer to go with existing libraries and existing systems and work with it rather than think, well, that's just terrible, look at all that Java, I don't like Java. That is not an excuse to not use the UAA. There are excuses, but that's not one of them. And if not the UAA, find something else, but please avoid inventing this particular frame of your business. It is so not worth it. There's so much to be gained. The upgrade process: as I said, I keep track of a CI pipeline. It keeps track of all the upstream things, the CLIs and the UAA versions, and when they change I change this .versions file. So if you have an update, all you need to do is pull down a new version and do an up, and that's that. I appreciate your tolerance for what was a terrible demo of something that was supposed to solve all your problems, and if you have patience we can all try to make it work together later. But do you have any questions? ... It should be entirely possible, because what is an app? It's a stateless process backed by some state. The state in this case would be the database behind it, and the uaa.yaml file, I guess, is the other half of the state of what makes it. So as long as you can reproduce that somewhere else with the same routes, then you should be good, and that goes for all our migrations. But it's otherwise a pretty good app. I don't mean it's a bad app. Tyler, love your question. quaa, you're a champion. Do you have any questions in the back? I feel like I owe you, like, five questions. All right, thank you very much. I hope you had a good conference.
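As an added example, not the quaa tool's own code and not shown in the talk, here is the deploy procedure the talk walks through written out with the cf CLI: push the pre-built war with --no-start so the app exists before it boots, pull the database credentials from a service key because a binding does nothing for the UAA, hand the merged YAML over as one environment variable, then start. It assumes the app name uaa, the uaa-db service name the talk requires, that the UAA reads inline YAML from UAA_CONFIG_YAML, and a constructed MAX_CONFIG_BYTES ceiling standing in for the cloud controller limit that the talk says base64 logos blow through.

```bash
#!/usr/bin/env bash
# Added example (not quaa's own code): deploy a pre-built UAA war to
# Cloud Foundry with the cf CLI, following the steps described in the talk.
set -euo pipefail

APP_NAME="${APP_NAME:-uaa}"            # assumed app name
DB_SERVICE="${DB_SERVICE:-uaa-db}"     # the talk says the DB instance must be called uaa-db
WAR_FILE="${WAR_FILE:-uaa.war}"        # pre-built war, assumed already downloaded
CONFIG_FILE="${CONFIG_FILE:-uaa.yml}"  # the big merged YAML (template + operator files)
# Constructed ceiling: the real cloud controller limit depends on the platform,
# so treat this as a placeholder to tune, not a documented number.
MAX_CONFIG_BYTES="${MAX_CONFIG_BYTES:-16384}"

# Return 0 if the config file fits under the ceiling, 1 otherwise.
# The talk notes that inlined base64 images grow the YAML until cf set-env
# fails with an unhelpful database error; checking locally first gives a
# clear message and names the likely cause (the longest line in the file).
config_fits() {
  local file="$1" limit="$2" size
  size=$(wc -c < "$file")
  if [ "$size" -gt "$limit" ]; then
    echo "config $file is $size bytes, over the $limit-byte ceiling;" \
         "longest line is $(longest_line_bytes "$file") bytes (an inlined image?)." \
         "Move logos into a custom theme instead of the YAML." >&2
    return 1
  fi
  return 0
}

# Length of the longest line, in bytes. A base64 logo in the YAML shows up as
# one enormous line, so this points at the offender quickly.
longest_line_bytes() {
  awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }' "$1"
}

deploy() {
  config_fits "$CONFIG_FILE" "$MAX_CONFIG_BYTES"

  # 1. Push without starting: cf set-env needs an app to attach variables to,
  #    and the UAA must not boot before its configuration is present.
  cf push "$APP_NAME" -p "$WAR_FILE" --no-start

  # 2. A binding does not help the UAA (it wants the JDBC URL inside its YAML),
  #    so create a service key and print the credentials; rendering them into
  #    the JDBC URL of the YAML is the templating step (bosh int in the talk).
  cf create-service-key "$DB_SERVICE" "${APP_NAME}-key"
  cf service-key "$DB_SERVICE" "${APP_NAME}-key"

  # 3. Hand the whole YAML to the app as one environment variable.
  #    UAA_CONFIG_YAML is assumed to be the variable the UAA reads for inline YAML.
  cf set-env "$APP_NAME" UAA_CONFIG_YAML "$(cat "$CONFIG_FILE")"

  # 4. Start it. An upgrade repeats the push with the newer war and the same env.
  cf start "$APP_NAME"
}

# Only run the deploy when invoked as "./deploy.sh deploy", so the helper
# functions can be sourced and exercised without a cf CLI present.
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```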