How to provide personalized service catalogs ?


Guillaume Berche
 

Hi,

The service broker api great to provide access to a common catalog (e.g.
mysql, cassandra...). I understand private service brokers [3] will enable
to extend the marketplace per space or per org (grant custom services per
spaces or per orgs).

I'm now looking at exposing enterprise services in the marketplace whose
visibility would depend on the user making the request, and therefore
looking at ways the services visibility in the catalog could dependent on
user permissions (possibly managed outside CF)

use-case 1: a user has been enabled a set of APIs in google api manager [1]
for a given project, and would like to inject some credentials into his
application. The list of google apis to display in the catalog for this
"google api" service broker would vary from user to user, or more precisely
from user+project basis.

use-case 2: similar as use-case 1 but for a corporate api manager system,
providing access to internal apis. A user has been granted access a set of
restricted apis for the applications he is a member/client of, and would
like to inject credentials for these apis in his application without having
to create user-provided-services (which would require manual copy/paste and
be error prone).

What could be possible way to provide such personalized service
catalog/offerings ?

With private service brokers, I imagine the following scenario A) for
use-case #1:

The marketplace is exposing a meta service "meta-google-apis" accepting as
arbitrary params:
i- google authentication keys
ii- project id (for which apis were enabled)
iii- target org/space into which to expose the personalized catalog.
iv- UAA Authorization code for granting the "meta-google-apis" rights to
call CC api POST /v2/service_brokers on the user's behalf

Upon instanciation of the "meta-google-apis" service instance, a private
service broker called "google-apis" appears in the marketplace for the
specified org/space. The broker being provided authentication key + project
is able to restrict the list in the "catalog" endpoint to the apis that
were enabled for this specific user/project. When creating a service
instance for one of the services offering exposed by the broker (e.g.
"google maps"), an api key for service is generated as returned as
credentials using [2] equivalent REST API.

A second scenario B) would be to provide this mechanism as a cli plugin
instead of a "meta service". This has the advantage of allowing more
fine-tuned users interactions, having access to the user's oauth tokens,
but requires users to install the plugin and update it when improvements as
brought.

Is there other ways that can thinked of for providing personalized service
catalogs, with a more natural UX ?

Could it be considered to have the service broker catalog endpoint be
provided some kind of identity of the user invoking the "cf marketplace"
command, and possibly some credentials to act on the users's behalf ? The
requirements for the personalized service brokers params would be specified
at the time the broker is registered [5]. Users would be prompted by the CF
CLI to provide autorization codes for the broker to act on their behalf, a
bit similar to the "cf login --sso" [6]

Thanks in advance for your inputs,

Guillaume.

[1]
https://developers.google.com/console/help/new/#activating-and-deactivating-apis
[2] https://developers.google.com/console/help/new/#generatingdevkeys
[3]
https://docs.google.com/document/d/1azArNcDtOjiq5wHx0BCS3OABfJf1PufPmc0OqfkFq7c/edit#heading=h.kz6110mpkon2
[4] http://docs.cloudfoundry.org/services/api.html#catalog-mgmt
[5]
http://docs.cloudfoundry.org/services/managing-service-brokers.html#register-broker
[6] https://www.pivotaltracker.com/story/show/69963432

Join cf-bosh@lists.cloudfoundry.org to automatically receive all group messages.