Service-Instance Sharing

Service-instance sharing for VMware Tanzu GemFire for VMs permits access to a Tanzu GemFire service instance by an app within a different space. Read-only access of the data by the app is configured by default.

Follow these steps to set up sharing:

  1. A Cloud Foundry operator enables instance sharing as detailed in Enable Service-Instance Sharing
  2. (Optional) To give the app write access to the data, a developer creates the service instance with service instance sharing enabled as defined in Provide Optional Parameters.
  3. A developer shares a service instance
  4. A developer binds the app to the shared service instance

These instructions require identification of the org and the space of both the service instance and the app. The following diagram names the components for use in the configuration instructions. Service instance X resides within space C, which is part of org A. App Y resides within space D, which is part of org B.

diagram of spaces within orgs

Share a Service Instance

The Tanzu GemFire service instance must be up and running prior to sharing.

To share the service instance:

  1. An org A developer does a cf login with a space developer role. Target the space that contains the service to be shared: org A, space C.

  2. The org A developer shares the the space with a command of the form

    cf share-service SERVICE-X -s SPACE-D -o ORG-B

    Replace SERVICE-X with the Tanzu GemFire service instance name. Replace SPACE-D with the space name where the app resides. Replace ORG-B with the org name where the app resides.

Bind an App to a Shared Service Instance

The app must be bound to the shared service instance prior to starting the app.

To bind the app to the shared service instance:

  1. An org B developer does a cf login with a space developer role. Target the org and space that contains the app: org B, space D.

  2. Verify that the Tanzu GemFire service instance is available and shared across the spaces in the output of the command:

    $ cf services

  3. The org B developer binds the app with a command of the form

    cf bind APP-Y SERVICE-X

    Replace SERVICE-X with the Tanzu GemFire service instance name. Replace APP-Y with the name of the app.

App Authentication

Apps that interact with a shared Tanzu GemFire service instance which resides in a different space will be given a set of credentials. The app must acquire and use this set of credentials for authentication. Apps built with Spring Boot Data GemFire version 1.1.1 or a more recent version will automatically pick up the credentials, so these apps do not need to acquire the credentials.

By default, the role of these credentials is authorized only for read access of region data. If the cluster is created with the shared_write_access parameter, the cluster operator role will be used, authorizing the operations for that role, as defined in Security.

The set of credentials are in the VCAP_SERVICES environment variable, with a role of readonly or cluster_operator_XXX. The app must parse the VCAP_SERVICES environment variable to extract the credentials. The app uses the credentials to set a VMware Tanzu GemFire property that then gets passed to the ClientCacheFactory for the purpose of authentication prior to creating the cache.