Cloud Foundry is an open source PaaS (Platform-as-a-Service) used to abstract infrastructure details from development teams. I will be producing a ‘Getting Started’ article to accelerate the learning curve at some time in the future. This article focuses on two concepts provided by Cloud Foundry, Organizations and Spaces, that assist development organizations with application management.
An organization provides a high-level management interface and access control. I think of a Cloud Foundry (CF) Organization as synonymous with a department in a business.
To give an example, if I were an insurance company running CF, I could segment the departments of the company into CF Organizations:
- Personal Insurance
- Business Insurance
- Commercial Insurance
Benefits of using Cloud Foundry Organizations
Each Cloud Foundry organization has its own domain. This feature can be used to segment an organization's services.
Organizations are set up to allow individual users to have access to the organization. In the above insurance company example we can enforce authentication and authorization for each organization, so a developer in the Personal Insurance organization would not have access to make a change in the Business Insurance organization (unless said permission was explicitly set, of course).
Resource limits can be configured per organization to prevent services in one organization from hogging resources and causing issues for another organization. Additionally, resource consumption can be monitored to make allocation decisions.
Applications and services deployed to Cloud Foundry (CF) are scoped to spaces, with each organization containing one or more spaces.
Using my previous example of an insurance company, within each organization we would organize our services into spaces. Each space may contain a component of that particular department. So for the Commercial Insurance department we may have a space for:
Spaces allow for finer-grained authentication and authorization. Each user can be assigned a role that grants permissions for specific activities. For example, a user with the “Space Developer” role and a user with the “Space Auditor” role can both view all the same things; however, the user with “Space Developer” has additional permissions to create/edit/delete/rename services, applications, and routes.
To view all roles and permissions for an organization, have a look at the matrix at Roles and Permissions for Active Orgs.
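The separation between organizations described above only holds while role assignments stay scoped, so it is worth checking them periodically. The following is an added example, not code from Cloud Foundry or from this article: it audits a list of role assignments and reports users who hold the write-capable “Space Developer” role in more than one organization. The record format, user names and space names are assumptions made for illustration.

```python
from collections import defaultdict

# Roles as described in the article: Space Developer can create/edit/delete/
# rename services, applications and routes; Space Auditor can only view.
WRITE_ROLES = {"SpaceDeveloper"}

# Constructed sample records (user, org, space, role). This is not real
# Cloud Foundry output; users and space names are hypothetical.
ASSIGNMENTS = [
    ("alice", "personal-insurance", "quotes", "SpaceDeveloper"),
    ("alice", "business-insurance", "claims", "SpaceAuditor"),
    ("bob", "personal-insurance", "quotes", "SpaceDeveloper"),
    ("bob", "business-insurance", "claims", "SpaceDeveloper"),
    ("carol", "commercial-insurance", "billing", "SpaceAuditor"),
    ("dave", "commercial-insurance", "billing", "SpaceDeveloper"),
    ("dave", "commercial-insurance", "underwriting", "SpaceDeveloper"),
]


def write_scope(assignments):
    """Map each user to {org: sorted spaces} where they hold a write role."""
    scope = defaultdict(lambda: defaultdict(set))
    for user, org, space, role in assignments:
        if role in WRITE_ROLES:
            scope[user][org].add(space)
    return {
        user: {org: sorted(spaces) for org, spaces in orgs.items()}
        for user, orgs in scope.items()
    }


def cross_org_writers(assignments, approved=()):
    """Users with write access in more than one org, minus approved exceptions.

    `approved` models the "unless said permission was explicitly set" case:
    users whose cross-org access has been reviewed and accepted.
    """
    return {
        user: orgs
        for user, orgs in write_scope(assignments).items()
        if len(orgs) > 1 and user not in approved
    }


if __name__ == "__main__":
    for user, orgs in sorted(cross_org_writers(ASSIGNMENTS).items()):
        for org, spaces in sorted(orgs.items()):
            print(f"{user}: write access in {org} ({', '.join(spaces)})")
```

Holding Space Developer in several spaces of one organization is not flagged, and a read-only Space Auditor role in a second organization does not count as cross-organization write access.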
Cloud Foundry Organizations and Spaces Summary
Cloud Foundry organizations and spaces provide ways to organize compute resources in natural ways. There are clear benefits to creating separate organizations for departments in a large organization. Adding the ability to group resources into distinct spaces provides simplified tools for monitoring and security. Users are created at the organization level to allow general access to the organization in Cloud Foundry. Each space can create its own roles and permissions to create more fine-grained access controls.
The concept of spaces encourages modular application design with low coupling.