cloudfoundry-attic / cf-logmon

Application Should Create a Temporary User for Collecting Logs #2

Open hev opened 7 years ago

hev commented 7 years ago

The authorization model for this application is confusing to set up and requires setting up a one-off user for the purposes of running the test and then separately choosing a user name and password for accessing the application. It would make more sense if the application could create or inherit credentials that have access to read the logs without providing the one-off user.

cf-gitbot commented 7 years ago

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this GitHub issue will be updated when the story is started.

dugancathal commented 7 years ago

I'm unsure how to accomplish this.

In order to read logs for an application via the cf-java-client, you need to either be a user that has access to that application (SpaceAuditor, SpaceDeveloper, or SpaceManager) or have a service account that has that access.

According to the information I can gather, asking the user deploying this application for credentials to create such a user could pose a security threat. We could modify the deploy script to create the SpaceAuditor user for the deployer, but it felt too magical to do something like that.

Additionally, there does not appear to be a way to make an application "inherit" permissions.