From 7efa7d428cee2ae832af680d951b02bea679275b Mon Sep 17 00:00:00 2001
From: Tim Downey <tim.downey@broadcom.com>
Date: Thu, 12 Jun 2025 16:09:40 -0600
Subject: [PATCH 1/3] Add properties for specifying an allowlist of Process
 users

Issue: https://github.com/cloudfoundry/cloud_controller_ng/issues/4372
---
 jobs/cc_deployment_updater/spec                               | 4 ++++
 .../templates/cloud_controller_ng.yml.erb                     | 1 +
 jobs/cloud_controller_clock/spec                              | 4 ++++
 .../templates/cloud_controller_ng.yml.erb                     | 1 +
 jobs/cloud_controller_ng/spec                                 | 4 ++++
 .../cloud_controller_ng/templates/cloud_controller_ng.yml.erb | 1 +
 jobs/cloud_controller_worker/spec                             | 4 ++++
 .../templates/cloud_controller_ng.yml.erb                     | 1 +
 8 files changed, 20 insertions(+)

diff --git a/jobs/cc_deployment_updater/spec b/jobs/cc_deployment_updater/spec
index 641a812b51..cdda31b702 100644
--- a/jobs/cc_deployment_updater/spec
+++ b/jobs/cc_deployment_updater/spec
@@ -208,6 +208,10 @@ properties:
     description: "The file descriptors made available to each app instance"
     default: 16384
 
+  cc.allowed_process_users:
+    default: ['vcap']
+    description: "Allow-list of users that a Process/Task may use"
+
   cc.locket.host:
     default: "locket.service.cf.internal"
     description: "Hostname of the Locket server"
diff --git a/jobs/cc_deployment_updater/templates/cloud_controller_ng.yml.erb b/jobs/cc_deployment_updater/templates/cloud_controller_ng.yml.erb
index 67189dceea..38cc1a4ef3 100644
--- a/jobs/cc_deployment_updater/templates/cloud_controller_ng.yml.erb
+++ b/jobs/cc_deployment_updater/templates/cloud_controller_ng.yml.erb
@@ -133,6 +133,7 @@ default_app_memory: <%= p("cc.default_app_memory") %>
 default_app_disk_in_mb: <%= p("cc.default_app_disk_in_mb") %>
 maximum_app_disk_in_mb: <%= p("cc.maximum_app_disk_in_mb") %>
 instance_file_descriptor_limit: <%= p("cc.instance_file_descriptor_limit") %>
+allowed_process_users: <%= p("cc.allowed_process_users") %>
 
 deployment_updater:
   update_frequency_in_seconds: <%= p("deployment_updater.update_frequency_in_seconds") %>
diff --git a/jobs/cloud_controller_clock/spec b/jobs/cloud_controller_clock/spec
index 990c7f7070..a33ebb7116 100644
--- a/jobs/cloud_controller_clock/spec
+++ b/jobs/cloud_controller_clock/spec
@@ -422,6 +422,10 @@ properties:
     default: 2048
     description: "The maximum amount of disk a user can request"
 
+  cc.allowed_process_users:
+    default: ['vcap']
+    description: "Allow-list of users that a Process/Task may use"
+
   cc.newrelic.license_key:
     default: ~
     description: "The api key for NewRelic"
diff --git a/jobs/cloud_controller_clock/templates/cloud_controller_ng.yml.erb b/jobs/cloud_controller_clock/templates/cloud_controller_ng.yml.erb
index 5fd80db002..15c39a1bb2 100644
--- a/jobs/cloud_controller_clock/templates/cloud_controller_ng.yml.erb
+++ b/jobs/cloud_controller_clock/templates/cloud_controller_ng.yml.erb
@@ -72,6 +72,7 @@ maximum_app_disk_in_mb: <%= p("cc.maximum_app_disk_in_mb") %>
 max_retained_deployments_per_app: <%= p("cc.max_retained_deployments_per_app") %>
 max_retained_builds_per_app: <%= p("cc.max_retained_builds_per_app") %>
 max_retained_revisions_per_app: <%= p("cc.max_retained_revisions_per_app") %>
+allowed_process_users: <%= p("cc.allowed_process_users") %>
 
 default_app_log_rate_limit_in_bytes_per_second: <%= p("cc.default_app_log_rate_limit_in_bytes_per_second") %>
 
diff --git a/jobs/cloud_controller_ng/spec b/jobs/cloud_controller_ng/spec
index 21fa0eef91..cbfacbeff2 100644
--- a/jobs/cloud_controller_ng/spec
+++ b/jobs/cloud_controller_ng/spec
@@ -844,6 +844,10 @@ properties:
     default: "2048M"
     description: "Maximum body size for nginx bits uploads"
 
+  cc.allowed_process_users:
+    default: ['vcap']
+    description: "Allow-list of users that a Process/Task may use"
+
   cc.default_app_log_rate_limit_in_bytes_per_second:
     default: -1
     description: "Default application log rate limit"
diff --git a/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb b/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb
index c300ac2f5b..31c2773b1c 100644
--- a/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb
+++ b/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb
@@ -128,6 +128,7 @@ cpu_weight_max_memory: <%= p("cc.cpu_weight_max_memory") %>
 default_app_memory: <%= p("cc.default_app_memory") %>
 default_app_disk_in_mb: <%= p("cc.default_app_disk_in_mb") %>
 maximum_app_disk_in_mb: <%= p("cc.maximum_app_disk_in_mb") %>
+allowed_process_users: <%= p("cc.allowed_process_users") %>
 
 default_app_log_rate_limit_in_bytes_per_second: <%= p("cc.default_app_log_rate_limit_in_bytes_per_second") %>
 
diff --git a/jobs/cloud_controller_worker/spec b/jobs/cloud_controller_worker/spec
index 2e405ae667..a934883055 100644
--- a/jobs/cloud_controller_worker/spec
+++ b/jobs/cloud_controller_worker/spec
@@ -364,6 +364,10 @@ properties:
     default: 2048
     description: "The maximum amount of disk a user can request"
 
+  cc.allowed_process_users:
+    default: ['vcap']
+    description: "Allow-list of users that a Process/Task may use"
+
   cc.allow_app_ssh_access:
     default: true
     description: "Allow users to change the value of the app-level allow_ssh attribute"
diff --git a/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb b/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb
index 61a6b050c3..2944091261 100644
--- a/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb
+++ b/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb
@@ -63,6 +63,7 @@ jobs:
 default_app_memory: <%= p("cc.default_app_memory") %>
 default_app_disk_in_mb: <%= p("cc.default_app_disk_in_mb") %>
 maximum_app_disk_in_mb: <%= p("cc.maximum_app_disk_in_mb") %>
+allowed_process_users: <%= p("cc.allowed_process_users") %>
 
 instance_file_descriptor_limit: <%= p("cc.instance_file_descriptor_limit") %>
 

From 9b4bcb49775b47636b8ed053ad583e6e9ee384cc Mon Sep 17 00:00:00 2001
From: Tim Downey <tim.downey@broadcom.com>
Date: Fri, 20 Jun 2025 08:57:18 -0600
Subject: [PATCH 2/3] Clarify allowed_process_users description

---
 jobs/cc_deployment_updater/spec   | 2 +-
 jobs/cloud_controller_clock/spec  | 2 +-
 jobs/cloud_controller_ng/spec     | 2 +-
 jobs/cloud_controller_worker/spec | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/jobs/cc_deployment_updater/spec b/jobs/cc_deployment_updater/spec
index cdda31b702..5172d3306f 100644
--- a/jobs/cc_deployment_updater/spec
+++ b/jobs/cc_deployment_updater/spec
@@ -210,7 +210,7 @@ properties:
 
   cc.allowed_process_users:
     default: ['vcap']
-    description: "Allow-list of users that a Process/Task may use"
+    description: "Allow-list of users that a Process/Task may use in addition to 'vcap'. The 'vcap' user is always permitted."
 
   cc.locket.host:
     default: "locket.service.cf.internal"
diff --git a/jobs/cloud_controller_clock/spec b/jobs/cloud_controller_clock/spec
index a33ebb7116..88769c645b 100644
--- a/jobs/cloud_controller_clock/spec
+++ b/jobs/cloud_controller_clock/spec
@@ -424,7 +424,7 @@ properties:
 
   cc.allowed_process_users:
     default: ['vcap']
-    description: "Allow-list of users that a Process/Task may use"
+    description: "Allow-list of users that a Process/Task may use in addition to 'vcap'. The 'vcap' user is always permitted."
 
   cc.newrelic.license_key:
     default: ~
diff --git a/jobs/cloud_controller_ng/spec b/jobs/cloud_controller_ng/spec
index cbfacbeff2..51359b8de9 100644
--- a/jobs/cloud_controller_ng/spec
+++ b/jobs/cloud_controller_ng/spec
@@ -846,7 +846,7 @@ properties:
 
   cc.allowed_process_users:
     default: ['vcap']
-    description: "Allow-list of users that a Process/Task may use"
+    description: "Allow-list of users that a Process/Task may use in addition to 'vcap'. The 'vcap' user is always permitted."
 
   cc.default_app_log_rate_limit_in_bytes_per_second:
     default: -1
diff --git a/jobs/cloud_controller_worker/spec b/jobs/cloud_controller_worker/spec
index a934883055..79da799cb5 100644
--- a/jobs/cloud_controller_worker/spec
+++ b/jobs/cloud_controller_worker/spec
@@ -366,7 +366,7 @@ properties:
 
   cc.allowed_process_users:
     default: ['vcap']
-    description: "Allow-list of users that a Process/Task may use"
+    description: "Allow-list of users that a Process/Task may use in addition to 'vcap'. The 'vcap' user is always permitted."
 
   cc.allow_app_ssh_access:
     default: true

From 13ebfc6fbf71b5ca256b619a296eab0aa4234de4 Mon Sep 17 00:00:00 2001
From: Tim Downey <tim.downey@broadcom.com>
Date: Fri, 20 Jun 2025 10:35:26 -0600
Subject: [PATCH 3/3] Rename allowed_process_users property to clarify its
 behavior

---
 jobs/cc_deployment_updater/spec                               | 4 ++--
 .../templates/cloud_controller_ng.yml.erb                     | 2 +-
 jobs/cloud_controller_clock/spec                              | 4 ++--
 .../templates/cloud_controller_ng.yml.erb                     | 2 +-
 jobs/cloud_controller_ng/spec                                 | 4 ++--
 .../cloud_controller_ng/templates/cloud_controller_ng.yml.erb | 2 +-
 jobs/cloud_controller_worker/spec                             | 4 ++--
 .../templates/cloud_controller_ng.yml.erb                     | 2 +-
 8 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/jobs/cc_deployment_updater/spec b/jobs/cc_deployment_updater/spec
index 5172d3306f..2b9cc47289 100644
--- a/jobs/cc_deployment_updater/spec
+++ b/jobs/cc_deployment_updater/spec
@@ -208,8 +208,8 @@ properties:
     description: "The file descriptors made available to each app instance"
     default: 16384
 
-  cc.allowed_process_users:
-    default: ['vcap']
+  cc.additional_allowed_process_users:
+    default: []
     description: "Allow-list of users that a Process/Task may use in addition to 'vcap'. The 'vcap' user is always permitted."
 
   cc.locket.host:
diff --git a/jobs/cc_deployment_updater/templates/cloud_controller_ng.yml.erb b/jobs/cc_deployment_updater/templates/cloud_controller_ng.yml.erb
index 38cc1a4ef3..5c96e92178 100644
--- a/jobs/cc_deployment_updater/templates/cloud_controller_ng.yml.erb
+++ b/jobs/cc_deployment_updater/templates/cloud_controller_ng.yml.erb
@@ -133,7 +133,7 @@ default_app_memory: <%= p("cc.default_app_memory") %>
 default_app_disk_in_mb: <%= p("cc.default_app_disk_in_mb") %>
 maximum_app_disk_in_mb: <%= p("cc.maximum_app_disk_in_mb") %>
 instance_file_descriptor_limit: <%= p("cc.instance_file_descriptor_limit") %>
-allowed_process_users: <%= p("cc.allowed_process_users") %>
+additional_allowed_process_users: <%= p("cc.additional_allowed_process_users") %>
 
 deployment_updater:
   update_frequency_in_seconds: <%= p("deployment_updater.update_frequency_in_seconds") %>
diff --git a/jobs/cloud_controller_clock/spec b/jobs/cloud_controller_clock/spec
index 88769c645b..0d42516f69 100644
--- a/jobs/cloud_controller_clock/spec
+++ b/jobs/cloud_controller_clock/spec
@@ -422,8 +422,8 @@ properties:
     default: 2048
     description: "The maximum amount of disk a user can request"
 
-  cc.allowed_process_users:
-    default: ['vcap']
+  cc.additional_allowed_process_users:
+    default: []
     description: "Allow-list of users that a Process/Task may use in addition to 'vcap'. The 'vcap' user is always permitted."
 
   cc.newrelic.license_key:
diff --git a/jobs/cloud_controller_clock/templates/cloud_controller_ng.yml.erb b/jobs/cloud_controller_clock/templates/cloud_controller_ng.yml.erb
index 15c39a1bb2..b1030f8ac2 100644
--- a/jobs/cloud_controller_clock/templates/cloud_controller_ng.yml.erb
+++ b/jobs/cloud_controller_clock/templates/cloud_controller_ng.yml.erb
@@ -72,7 +72,7 @@ maximum_app_disk_in_mb: <%= p("cc.maximum_app_disk_in_mb") %>
 max_retained_deployments_per_app: <%= p("cc.max_retained_deployments_per_app") %>
 max_retained_builds_per_app: <%= p("cc.max_retained_builds_per_app") %>
 max_retained_revisions_per_app: <%= p("cc.max_retained_revisions_per_app") %>
-allowed_process_users: <%= p("cc.allowed_process_users") %>
+additional_allowed_process_users: <%= p("cc.additional_allowed_process_users") %>
 
 default_app_log_rate_limit_in_bytes_per_second: <%= p("cc.default_app_log_rate_limit_in_bytes_per_second") %>
 
diff --git a/jobs/cloud_controller_ng/spec b/jobs/cloud_controller_ng/spec
index 51359b8de9..2d5bc70ab3 100644
--- a/jobs/cloud_controller_ng/spec
+++ b/jobs/cloud_controller_ng/spec
@@ -844,8 +844,8 @@ properties:
     default: "2048M"
     description: "Maximum body size for nginx bits uploads"
 
-  cc.allowed_process_users:
-    default: ['vcap']
+  cc.additional_allowed_process_users:
+    default: []
     description: "Allow-list of users that a Process/Task may use in addition to 'vcap'. The 'vcap' user is always permitted."
 
   cc.default_app_log_rate_limit_in_bytes_per_second:
diff --git a/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb b/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb
index 31c2773b1c..a8dfdd3f5d 100644
--- a/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb
+++ b/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb
@@ -128,7 +128,7 @@ cpu_weight_max_memory: <%= p("cc.cpu_weight_max_memory") %>
 default_app_memory: <%= p("cc.default_app_memory") %>
 default_app_disk_in_mb: <%= p("cc.default_app_disk_in_mb") %>
 maximum_app_disk_in_mb: <%= p("cc.maximum_app_disk_in_mb") %>
-allowed_process_users: <%= p("cc.allowed_process_users") %>
+additional_allowed_process_users: <%= p("cc.additional_allowed_process_users") %>
 
 default_app_log_rate_limit_in_bytes_per_second: <%= p("cc.default_app_log_rate_limit_in_bytes_per_second") %>
 
diff --git a/jobs/cloud_controller_worker/spec b/jobs/cloud_controller_worker/spec
index 79da799cb5..9126e8329e 100644
--- a/jobs/cloud_controller_worker/spec
+++ b/jobs/cloud_controller_worker/spec
@@ -364,8 +364,8 @@ properties:
     default: 2048
     description: "The maximum amount of disk a user can request"
 
-  cc.allowed_process_users:
-    default: ['vcap']
+  cc.additional_allowed_process_users:
+    default: []
     description: "Allow-list of users that a Process/Task may use in addition to 'vcap'. The 'vcap' user is always permitted."
 
   cc.allow_app_ssh_access:
diff --git a/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb b/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb
index 2944091261..7583a43b37 100644
--- a/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb
+++ b/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb
@@ -63,7 +63,7 @@ jobs:
 default_app_memory: <%= p("cc.default_app_memory") %>
 default_app_disk_in_mb: <%= p("cc.default_app_disk_in_mb") %>
 maximum_app_disk_in_mb: <%= p("cc.maximum_app_disk_in_mb") %>
-allowed_process_users: <%= p("cc.allowed_process_users") %>
+additional_allowed_process_users: <%= p("cc.additional_allowed_process_users") %>
 
 instance_file_descriptor_limit: <%= p("cc.instance_file_descriptor_limit") %>