search

cloudfoundry / cloud_controller_ng

Cloud Foundry Cloud Controller
Apache License 2.0
194 stars 360 forks source link

Binding Application Security Groups by organization admin #1441

Open kinjelom opened 5 years ago

kinjelom commented 5 years ago

Issue

My goal is to create definition of a security group as a CF admin and let an organization admin bind them to his spaces. For example, there are 2 orgs: orgA and orgB and 4 user-provided-services:

I want to create them as the CF admin :

# orgA
cf create-security-group orgA-dbProd ./orgA-dbProd.json
cf create-security-group orgA-dbDev ./orgA-dbDev.json
# orgB
cf create-security-group orgB-dbProd ./orgB-dbProd.json
cf create-security-group orgB-dbDev ./orgB-dbDev.json

and give the org admins rights to bind them to the org spaces:

# orgA
cf allow-bind-security-group orgA-dbProd orgA
cf allow-bind-security-group orgA-dbDev orgA
# orgB
cf allow-bind-security-group orgB-dbProd orgB
cf allow-bind-security-group orgB-dbDev orgB

and now the CF admin should be able to bind them to the selected spaces.

Context

As the CF admin I don't want to have knowledge about org spaces configuration. My responsibility is to configure org-level and let org-admin do his config.

cf-gitbot commented 5 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/168480381

The labels on this github issue will be updated when the story is started.

cwlbraa commented 5 years ago

@ssisil & @Gerg any thoughts here? Security groups are somewhere in VAT's backlog for v3ification, but I don't know how much we've thought about something like allow-bind-security-group.

Gerg commented 5 years ago

This flow reminds me of isolation segments. Isolation segments are admin-managed, but can be entitled to organizations, which then allows org-level configuration.