Edit

Integration

The Open Service Broker (OSB) Marketplace provides a common integration point for any remote service which can be provisioned by an API (e.g. a database). A lightweight service broker component implementing the Open Service Broker API Specification allows such services to become a resource within a meshProject and be included in the project lifecycle management at the meshStack platform.

meshMarketplace

The meshMarketplace allows users to manage service instances attached to a meshProject. The meshMarketplace uses the official Open Service Broker API standard to communicate with Service Brokers, which are responsible for the actual provisioning of service instances through their service implementation. This guide aims to provide a quick overview of the Open Service Broker API and implementation specific topics. It is required that service implementers study the Open Service Broker API specification for in-depth information.

Locality of Services

The meshMarketplace provides support for global and local services. Service Providers must choose which type of Service they want to offer so that the service is appropriately integrated into the user interface.

Global Service

  • global entry point for consumers (API), reachable from all networks
  • Service is provided in a location agnostic manner
  • Service may offer configuration of data locations etc. through configuration/dashboards
  • Examples: CDN, DNS, Backup

Local Service

  • Local entry point for consumers (API), may be reachable only within a specific location
  • Service is provided from a single location only
  • Location of data etc. is important
  • Examples: DBaaS

OSB API Profile

meshcloud implements an extended meshMarketplace OSB API Profile that allows brokers a deeper integration with meshStack. Please review the documentation to learn more about the use-cases this API profile enables.

Authentication & Authorization

Marketplace to Service Broker

All communication between the meshMarketplace and Service Brokers is secured using HTTPS Basic Auth and a pre-shared key. Service owners that also develop brokers for platforms like Cloud Foundry or OpenShift will be familiar with this model.

Service Broker Dashboard SSO

meshMarketplace also supports two different options for authenticanting users of Service Broker dashboard clients

  • using an OIDC client in meshIdB as described in the dashboard-tutorial
  • replicating of permission to Azure Active Directory groups

Platform Instance Configuration

Please consult the following example as a reference of possible configuration settings.

let PermissionReplication = ./PermissionReplication.dhall

in    λ(Secret : Type)
     { platform : Text, permissionReplication : PermissionReplication Secret }

The default permissionReplication for setting every meshMarketplace meshPlatform is an instance of MeshIdb, which offers no further configuration options. Note that these platforms do not need to be explicitly configured at this time.

Platforms that want to use AAD permission replication need to configure an instance of AzureAd

let InviteB2BUserConfig =
  { redirectUrl = "https://example.com"
    {-  Redirect URL used in the Azure invitation mail sent -}
  , sendAzureInvitationMail = false
    {- Flag if an Invitation mail by Azure should be send out -}
  }

in    λ(Secret : Type)
     { groupNamePattern :
          {- A pattern for deriving AAD Group names. Please see details described below -}
          Optional Text
      , servicePrincipal :
          {- Either friendly domain name or your tenants GUID -}
          { aadTenant = "<AAD_TENANT>"
          , objectId = "<SERVICE_PRINCIPAL_OBJECT_ID>"
          , clientId = "<SERVICE_PRINCIPAL_CLIENT_ID>"
          , clientSecret = "<SERVICE_PRINCIPAL_CLIENT_SECRET>"
          }
      , b2bUserInvitation :
          {-
          Optionally configure the replicator to create Azure B2B guest invitations for
          users missing in the target AAD tenant.
          -}
          Optional InviteB2BUserConfig
      , roleMappings :
          {-
          Each mesh project role (specified by key, i.e. user) is mapped to an
          AAD Group via an alias. This alias is available as a parameter in the
          groupNamePattern. Example:
          List { mapKey : Text, mapValue : { alias : Text } }
          -}
      }

Role mappings must be configured for all meshProject roles. Note that in contrast to the Azure replicator replication for the meshMarketplace will not create any Azure-role assignments.

AAD Group Name

The name of the generated subscriptions can be fully customized. A printf format string is used. You can read about all the available options in the official Java documentation about String.format.

For example the default string pattern %s.%s-%4$s would generate the group name customer.project-role.

Operators must be careful to ensure resulting group names are unique for project-role combinations. Groups should also not conflict with existing AAD groups.

The arguments available here are:

  1. argument: meshCustomer identifier
  2. argument: meshProject identifier
  3. argument: meshProject ID (numeric)
  4. argument: role name alias.
Last updated on 8/11/2021
Cloud InventoryMarketplace Development