As an admin I would prefer not to have to opt every org and space into being able to share. Perhaps a global switch can be enabled for installations that don't require that level of security?
Mike
On Thu, Jun 29, 2017 at 7:35 AM, Matthew McNeeney <mmcneeney(a)pivotal.io> wrote:
Many Cloud Foundry users have expressed a desire to share service instances across orgs and spaces. Whilst this could be considered an anti-pattern for some data services, there are many use cases for which the ability to do this is important. Two examples are sharing config servers and messaging queues.
The workarounds that exist today (e.g. creating user-provided services) require credentials to be passed around in some out-of-band way and will prevent the platform from being able to do things like automatic rotation of credentials in the future.
We'd like to propose a new workflow that looks like this:
A SpaceDeveloper in the target org/space will only be able to bind/unbind to/from the shared service instance, and running cf service will show that the service instance has been shared.
To manage any security concerns around this, a CF admin would have to enable one-way sharing between two spaces with a command like:
$ cf enable-service-sharing SERVICE SOURCE_ORG SOURCE_SPACE TARGET_ORG TARGET_SPACE
We'd love to hear feedback from the community on this proposal. If you have any other use cases that this could help with, please let us know about those too.
