Re: CF CLI v6.35.0 Release Today - service instance sharing; client credentials


Dr Nic Williams <drnicwilliams@...>
 

I’m not sure what I’m asking is what you’re saying; I think you’re confirming the current implementation - a service offering cannot be made shareable unless the vendor is aware of the concept of shareable services and ships a future version to modify their /v2/catalog JSON. I’m asking for admins to be able to make up their own decisions without requiring service brokers to be modified.

Question: when a service instance is shared with another space, does a broker API get invoked? Or would a broker only discover this (if it cared) when the new binding API requests come in with different org/space GUIDs?


From: cf-dev@... <cf-dev@...> on behalf of Dr Nic Williams <drnicwilliams@...>
Sent: Monday, March 12, 2018 6:18:18 PM
To: cf-dev@...
Subject: Re: [cf-dev] CF CLI v6.35.0 Release Today - service instance sharing; client credentials
 
Jay, to confirm, an admin will be able to share a service broker/service offering even if it’s not explicitly supported by the /v2/catalog?


From: cf-dev@... <cf-dev@...> on behalf of Jay Badenhope <jbadenhope@...>
Sent: Monday, March 12, 2018 6:16:51 PM
To: cf-dev@...
Subject: Re: [cf-dev] CF CLI v6.35.0 Release Today - service instance sharing; client credentials
 
Hi Dr Nic,
Building on Denise's response, we also empower the admin to enable/restrict sharing. There are two settings that must be true in order to enable service instance sharing:
1. At the global level: "To enable service instance sharing, an administrator must enable the `service_instance_sharing` flag." https://docs.cloudfoundry.org/devguide/services/sharing-instances.html#enabling
2. At the service level, as you mentioned, "Service brokers must explicitly enable service instance sharing by setting a flag in their service-level metadata object." https://docs.cloudfoundry.org/services/enable-sharing.html#enabling

Matthias,
I'm going to connect with my UAA colleagues and make sure we have a good answer to your question.

Jay

On Mon, Mar 12, 2018 at 3:24 AM, <dyu@...> wrote:
The decision to have service authors opt in was to account for the fact that some services may not be shareable out-of-the-box, primarily due to security considerations. Some brokers may currently be designed to only issue global read+write permissions, but authors may want to change their service permissions model if shareability is now on the cards, for example, read+write for SpaceDevs in the original space, but read-only for spaces that received the instance via sharing.




--

Jay Badenhope

Product Manager
Pivotal Labs
+1.510.517.6973 
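
The two gates described in the thread (the global `service_instance_sharing` feature flag and the broker's service-level metadata flag), as an added example that is not part of the original messages or of Cloud Foundry's code. It assumes the metadata key is `shareable`, as in the linked enable-sharing documentation; the catalog below is constructed sample data, and treating a non-boolean value as "not opted in" is this example's own fail-closed choice.

```python
import json

# Constructed sample of a broker's /v2/catalog response (not from a real broker).
SAMPLE_CATALOG = json.loads("""
{"services": [
  {"name": "shared-db",   "id": "svc-1", "metadata": {"shareable": true}},
  {"name": "legacy-mq",   "id": "svc-2", "metadata": {"displayName": "MQ"}},
  {"name": "no-meta",     "id": "svc-3"},
  {"name": "null-meta",   "id": "svc-4", "metadata": null},
  {"name": "string-flag", "id": "svc-5", "metadata": {"shareable": "true"}}
]}
""")


def sharing_report(catalog, global_flag_enabled):
    """Return {service name: (can_be_shared, reason)} for each catalog entry.

    Both gates from the thread must hold: the platform-wide feature flag,
    and the broker's own opt-in in its service-level metadata object.
    """
    report = {}
    for svc in catalog.get("services", []):
        # "metadata" may be absent or null in a catalog written before sharing existed.
        meta = svc.get("metadata") or {}
        flag = meta.get("shareable")
        if not global_flag_enabled:
            verdict = (False, "service_instance_sharing feature flag is disabled")
        elif flag is True:
            verdict = (True, "broker opted in")
        elif flag is None:
            verdict = (False, "broker did not opt in")
        else:
            # Assumption of this example: anything but a JSON boolean fails closed.
            verdict = (False, "shareable is not a JSON boolean: %r" % (flag,))
        report[svc.get("name", "<unnamed>")] = verdict
    return report


if __name__ == "__main__":
    for name, (ok, why) in sharing_report(SAMPLE_CATALOG, True).items():
        print("%-12s %-5s %s" % (name, ok, why))
```
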

