oups, sorry wrong list, meant to send it to cf-dev@, will repost.
toggle quoted messageShow quoted text
On Mon, Aug 3, 2015 at 11:43 PM, Guillaume Berche <bercheg(a)gmail.com> wrote:
The service broker api great to provide access to a common catalog (e.g.
mysql, cassandra...). I understand private service brokers  will enable
to extend the marketplace per space or per org (grant custom services per
spaces or per orgs).
I'm now looking at exposing enterprise services in the marketplace whose
visibility would depend on the user making the request, and therefore
looking at ways the services visibility in the catalog could dependent on
user permissions (possibly managed outside CF)
use-case 1: a user has been enabled a set of APIs in google api manager
 for a given project, and would like to inject some credentials into his
application. The list of google apis to display in the catalog for this
"google api" service broker would vary from user to user, or more precisely
from user+project basis.
use-case 2: similar as use-case 1 but for a corporate api manager system,
providing access to internal apis. A user has been granted access a set of
restricted apis for the applications he is a member/client of, and would
like to inject credentials for these apis in his application without having
to create user-provided-services (which would require manual copy/paste and
be error prone).
What could be possible way to provide such personalized service
With private service brokers, I imagine the following scenario A) for
The marketplace is exposing a meta service "meta-google-apis" accepting as
i- google authentication keys
ii- project id (for which apis were enabled)
iii- target org/space into which to expose the personalized catalog.
iv- UAA Authorization code for granting the "meta-google-apis" rights to
call CC api POST /v2/service_brokers on the user's behalf
Upon instanciation of the "meta-google-apis" service instance, a private
service broker called "google-apis" appears in the marketplace for the
specified org/space. The broker being provided authentication key + project
is able to restrict the list in the "catalog" endpoint to the apis that
were enabled for this specific user/project. When creating a service
instance for one of the services offering exposed by the broker (e.g.
"google maps"), an api key for service is generated as returned as
credentials using  equivalent REST API.
A second scenario B) would be to provide this mechanism as a cli plugin
instead of a "meta service". This has the advantage of allowing more
fine-tuned users interactions, having access to the user's oauth tokens,
but requires users to install the plugin and update it when improvements as
Is there other ways that can thinked of for providing personalized service
catalogs, with a more natural UX ?
Could it be considered to have the service broker catalog endpoint be
provided some kind of identity of the user invoking the "cf marketplace"
command, and possibly some credentials to act on the users's behalf ? The
requirements for the personalized service brokers params would be specified
at the time the broker is registered . Users would be prompted by the CF
CLI to provide autorization codes for the broker to act on their behalf, a
bit similar to the "cf login --sso" 
Thanks in advance for your inputs,