cloud_controller_ng
Binding Application Security Groups by organization admin
Issue
My goal is to create the definition of a security group as a CF admin and let an organization admin bind it to his spaces. For example, there are 2 orgs, orgA and orgB, and 4 user-provided-services:
- orgA-dbProd
- orgA-dbDev
- orgB-dbProd
- orgB-dbDev
I want to create them as the CF admin:
# orgA
cf create-security-group orgA-dbProd ./orgA-dbProd.json
cf create-security-group orgA-dbDev ./orgA-dbDev.json
# orgB
cf create-security-group orgB-dbProd ./orgB-dbProd.json
cf create-security-group orgB-dbDev ./orgB-dbDev.json
and give the org admins rights to bind them to the org spaces:
# orgA
cf allow-bind-security-group orgA-dbProd orgA
cf allow-bind-security-group orgA-dbDev orgA
# orgB
cf allow-bind-security-group orgB-dbProd orgB
cf allow-bind-security-group orgB-dbDev orgB
and now the CF admin should be able to bind them to the selected spaces.
Context
As the CF admin, I don't want to have knowledge about the orgs' space configuration. My responsibility is to configure the org level and let the org admin do his config.
We have created an issue in Pivotal Tracker to manage this:
https://www.pivotaltracker.com/story/show/168480381
The labels on this GitHub issue will be updated when the story is started.
@ssisil & @Gerg any thoughts here? Security groups are somewhere in VAT's backlog for v3ification, but I don't know how much we've thought about something like allow-bind-security-group.
This flow reminds me of isolation segments. Isolation segments are admin-managed, but can be entitled to organizations, which then allows org-level configuration.
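The authorization rule this thread is asking for, sketched as an added example that is not part of the thread or of Cloud Controller's code: a CF admin entitles a security group to an org (the proposed `cf allow-bind-security-group`, which is the issue's suggestion and not an existing command), and an org admin may then bind it only to spaces of an org he manages and to which the group is entitled. The class, method and user names and the space names are hypothetical; the org and group names are the ones from the issue.

```ruby
require 'set'

# Hypothetical model of the proposed flow; none of this is Cloud Controller code.
class BindDenied < StandardError; end

class BindingPolicy
  def initialize
    @entitled  = Hash.new { |h, k| h[k] = Set.new } # group => orgs allowed to bind it
    @managers  = Hash.new { |h, k| h[k] = Set.new } # org => org admins
    @space_org = {}                                 # space => owning org
    @bindings  = Set.new                            # [group, space] pairs
  end

  def add_space(space, org)
    @space_org[space] = org
  end

  def add_org_manager(user, org)
    @managers[org] << user
  end

  # Models the proposed `cf allow-bind-security-group GROUP ORG` (CF admin only).
  def allow_bind(actor, group, org)
    raise BindDenied, 'only the CF admin can entitle a group' unless actor == :cf_admin
    @entitled[group] << org
  end

  # Returns the reason a bind would be refused, or nil when it is allowed.
  def denial_reason(actor, group, space)
    org = @space_org[space]
    return 'unknown space' if org.nil?
    return nil if actor == :cf_admin # the CF admin keeps today's global right
    return 'actor does not manage the space org' unless @managers[org].include?(actor)
    return 'group not entitled to the space org' unless @entitled[group].include?(org)
    nil
  end

  def bind(actor, group, space)
    reason = denial_reason(actor, group, space)
    raise BindDenied, reason if reason
    @bindings << [group, space]
    true
  end

  def bound?(group, space)
    @bindings.include?([group, space])
  end
end
```

The two separate checks matter: without the entitlement check an org admin could attach another org's egress rules to his own space, and without the manager check he could change the rules applied to another org's space.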