Service-Instance Sharing
Service-instance sharing for VMware Tanzu GemFire for VMs permits access to a Tanzu GemFire service instance by an app within a different space. Read-only access of the data by the app is configured by default.
Follow these steps to set up sharing:
- A Cloud Foundry operator enables instance sharing as detailed in Enable Service-Instance Sharing.
- (Optional) To give the app write access to the data, a developer creates the service instance with service instance sharing enabled as defined in Provide Optional Parameters.
- A developer shares the service instance.
- A developer binds the app to the shared service instance.
These instructions require identification of the org and the space of both the service instance and the app. The following diagram names the components for use in the configuration instructions. Service instance X resides within space C, which is part of org A. App Y resides within space D, which is part of org B.
Share a Service Instance
The Tanzu GemFire service instance must be up and running prior to sharing.
To share the service instance:
- An org A developer does a cf login with a space developer role and targets the space that contains the service instance to be shared: org A, space C.
- The org A developer shares the service instance with space D using a command of the form
cf share-service SERVICE-X -s SPACE-D -o ORG-B
Replace SERVICE-X with the Tanzu GemFire service instance name, SPACE-D with the name of the space where the app resides, and ORG-B with the name of the org where the app resides.
Bind an App to a Shared Service Instance
The app must be bound to the shared service instance prior to starting the app.
To bind the app to the shared service instance:
- An org B developer does a cf login with a space developer role and targets the org and space that contain the app: org B, space D.
- Verify that the Tanzu GemFire service instance is available and shared across the spaces in the output of the command:
$ cf services
- The org B developer binds the app with a command of the form
cf bind-service APP-Y SERVICE-X
Replace APP-Y with the name of the app and SERVICE-X with the Tanzu GemFire service instance name.
App Authentication
Apps that interact with a shared Tanzu GemFire service instance which resides in a different space will be given a set of credentials. The app must acquire and use this set of credentials for authentication. Apps built with Spring Boot Data GemFire version 1.1.1 or a more recent version will automatically pick up the credentials, so these apps do not need to acquire the credentials.
By default, the role of these credentials is authorized only for read access of region data. If the cluster is created with the shared_write_access parameter, the cluster operator role is used instead, authorizing the operations for that role as defined in Security.
The set of credentials is in the VCAP_SERVICES environment variable, with a role of readonly or cluster_operator_XXX. The app must parse the VCAP_SERVICES environment variable to extract the credentials. The app then uses the credentials to set a VMware Tanzu GemFire property that is passed to the ClientCacheFactory for authentication before the cache is created.
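As an added example (not from the Tanzu GemFire documentation or the product's own sample code), a Java client that parses VCAP_SERVICES, picks the cluster_operator credentials when present and otherwise the readonly ones, and hands them to ClientCacheFactory before creating the cache. The p-cloudcache service key, the credentials layout, and the security-username/security-password property names are assumptions.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.geode.cache.client.ClientCache;
import org.apache.geode.cache.client.ClientCacheFactory;

public class SharedInstanceClient {
    // Constructed sample VCAP_SERVICES for an app bound to a shared instance with the
    // default read-only credentials. The "p-cloudcache" key and the credentials layout
    // (locators list, users with username/password/roles) are assumptions.
    static final String SAMPLE_VCAP = "{\"p-cloudcache\":[{\"name\":\"SERVICE-X\","
        + "\"credentials\":{\"locators\":[\"10.0.0.10[55221]\"],"
        + "\"users\":[{\"username\":\"readonly_ab12\",\"password\":\"CONSTRUCTED-PW\","
        + "\"roles\":[\"readonly\"]}]}}]}";

    /** Returns the first user whose roles contain one starting with rolePrefix, or null. */
    static JsonNode findUser(JsonNode users, String rolePrefix) {
        for (JsonNode user : users) {
            for (JsonNode role : user.get("roles")) {
                if (role.asText().startsWith(rolePrefix)) return user;
            }
        }
        return null;
    }

    /** Builds an authenticated ClientCache from the credentials in VCAP_SERVICES. */
    static ClientCache connect(String vcapServices) throws Exception {
        JsonNode creds = new ObjectMapper().readTree(vcapServices)
            .get("p-cloudcache").get(0).get("credentials");
        JsonNode users = creds.get("users");
        // Prefer cluster_operator (present when shared_write_access was set), else readonly.
        JsonNode user = findUser(users, "cluster_operator");
        if (user == null) user = findUser(users, "readonly");
        if (user == null) {
            throw new IllegalStateException("no readonly or cluster_operator user in VCAP_SERVICES");
        }
        // Locator entries have the form host[port]; split on the brackets.
        String[] locator = creds.get("locators").get(0).asText().split("[\\[\\]]");
        // Assumed property names the client's AuthInitialize reads; set them before create().
        return new ClientCacheFactory()
            .set("security-username", user.get("username").asText())
            .set("security-password", user.get("password").asText())
            .addPoolLocator(locator[0], Integer.parseInt(locator[1]))
            .create();
    }

    public static void main(String[] args) throws Exception {
        String vcap = System.getenv("VCAP_SERVICES");   // null outside Cloud Foundry
        ClientCache cache = connect(vcap != null ? vcap : SAMPLE_VCAP);
        cache.close();
    }
}
```

With the sample JSON the client selects the readonly user, so any write to a region would be rejected by the server exactly as the default sharing configuration intends.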