Re: CF CLI v6.35.0 Release Today - service instance sharing; client credentials

Gowrisankar M

Hello All,

CF services sharing when it will be available for user-provided services?


On Thu, Mar 15, 2018 at 12:53 AM, Matthias Winzeler <matthias.winzeler@...> wrote:
Hi Tian

Thanks for the information - this sounds good. 
We're looking forward for clients with user permission since this will solve the issue with SAML federated users who want to interact with the API interactively (currently not possible, so we create local users for them).


2018-03-14 20:02 GMT+01:00 Tian Wang <tiwang@...>:
Hi Matthias,

The service accounts feature today works for global scopes on clients created in UAA such as `cloud_controller.admin` and `cloud_controller.admin_read_only`.

The current plan is to integrate down the line with the Perm project which will provide the ability to assign clients with space and org fine-grained authorizations, so that they can act essentially the same as a user.



On Sat, Mar 10, 2018 at 12:52 AM, Matthias Winzeler <matthias.winzeler@...> wrote:
Hi Jay

The service accounts feature sounds very exciting. How does it work exactly? 

I guess I have to create a user on UAA with client credentials grant type (i.e. with uaac) first.
How can I then permit this client to orgs and spaces so that he can interact with CF like a user?


2018-03-10 2:15 GMT+01:00 Dr Nic Williams <drnicwilliams@...>:

> Service brokers must explicitly enable service instance sharing by setting a flag in their service-level metadata object. This allows service instances, of any service plan, to be shared across organizations and spaces. The "shareable" flag must be set to true in the service-level metadata to enable service instance sharing. If the flag is set to false or is absent, sharing is disabled.

From: cf-dev@... <cf-dev@...> on behalf of Dr Nic Williams <drnicwilliams@...>
Sent: Saturday, March 10, 2018 11:14:01 AM
To: cf-dev@...
Subject: Re: [cf-dev] CF CLI v6.35.0 Release Today - service instance sharing; client credentials
Reading the links thru to info in services supporting sharing - what were the ideas behind requiring service implementors to opt in; rather than leave this to CF administrators or space/org administrators to enable?

From: cf-dev@... <cf-dev@...> on behalf of Jay Badenhope <jbadenhope@...>
Sent: Saturday, March 10, 2018 8:53:18 AM
To: cf-dev@...
Subject: [cf-dev] CF CLI v6.35.0 Release Today - service instance sharing; client credentials
The CF CLI team released version 6.35.0 today. Yay!

Service Instance Sharing

This cf CLI feature includes two new commands, share-service and unshare-service, to enable you to share service instances between spaces in the same or different orgs. Additional details here. We welcome your feedback on the new implementation.

To help you track where a service instance is shared to or from, we refactored and updated the service command.

Service Account Authentication (Client Credentials)

It is now possible to authenticate with only a client ID and a secret using the auth command with a new --client-credentials flag. Before this release, users could only log in as a user (i.e. username & password with either default client id, or custom client id & secret). That meant "fake" users needed to be prepared for CI environments and scripts ("tiles" self-registration).

push Fixes and Enhancements

  • v2-push no longer accepted (previous release merged v2-push into push)
  • Fixes problem where existing routes with customer hosts were ignored on push, #1321

Other Fixes and Enhancements

  • Fixed problem where wildcards weren't allowed in routes section of app manifest, deployment #399

Plugin Updates

Going forward, we ask that every plugin name matches its command name so it can be installed and uninstalled with the same name.

  • Updated Event Alerts Plugin to 0.0.1, #198, then removed that plugin, #211
  • Updated top Plugin to 0.9.3, #210
  • Updated service-use to 1.2.2 with matching command and plugin names #213

Refactored commands

  • services to enable an upcoming feature
  • service (see above)
  • logout to enable clearing of client credentials for Service Account Authentication (see above); will now also show user name during logout for consistency with other commands

Release contributors: An Yu, Nick Wei, Sebastian Vidrio, Anande Gaitonde, Jay Badenhope, and special guest Kevin Middleton. Thanks also to our partners on the CAPI, SAPI, and UAA teams.


Jay Badenhope

Product Manager, CF CLI
Pivotal Labs
LinkedIn | Twitter



Join { to automatically receive all group messages.