2.7 KiB
2.7 KiB
Final platform technical direction (summary)
Product definition
A distributed secure access platform with:
- multi-tenant organizations
- proven persistent session broker for RDP
- cluster of platform-managed and customer-managed nodes
- node-agent based service fabric
- connector/VPN layer
- future split/full tunnel capability
- future collaboration extensions
Main top-level domains
Platform
Owns:
- global policies
- cluster control plane
- platform admins
- node trust
- artifact signing and update policy
- disaster recovery authority
Organization
Owns:
- users
- groups
- organization admins
- identity sources
- resources
- policies
- connectors
- audits
- quotas
- domains / branding later
Node
Has:
- node identity
- ownership type (platform-managed, customer-managed)
- capabilities
- enabled services
- health
- update policy
- version state
- partition state
Node Agent
Small stable agent that:
- keeps running
- supervises services
- downloads signed updates
- verifies integrity
- restarts crashed services
- rolls back if needed
- reports health
Connector
Reusable network access method:
- direct
- VPN
- relay-backed
- future egress mode Bound to resources by policy, not duplicated blindly per server.
Session broker
Already proven for RDP persistent lifecycle.
Mandatory capabilities
Multi-tenant
- org isolation
- organization memberships
- user may belong to multiple organizations
- clear org switching UX later
- org admins only see their org
Identity federation
- local accounts
- LDAP / AD
- OIDC
- group/claim mapping to access
Resource authorization
- local manual mapping
- external group / claim driven mapping
- feature scopes:
- RDP only
- connector/VPN only
- both
- future scopes
Cluster behavior
- dynamic membership
- encrypted inter-node communication
- no mandatory single center
- quorum-based authority
- degraded / recovery / isolated modes
- manual partition promotion only by highly privileged recovery admin
- multi-hop route support
- not every node needs full mesh
Updates
- signed artifacts
- canary rollout
- staged rollout
- rollback
- thin node vs artifact-cache node
Customer-managed nodes
- can join common cluster
- can be scoped to their organization
- can serve ingress / connector / egress functions for that organization
- must not automatically become cluster-global trusted nodes
What to implement first
- organization model
- memberships and roles
- org-scoped resource model
- identity source model
- node and node-agent control plane model
- service capabilities / enabled services model
What to delay
- full mesh engine
- full connector scheduler
- internet exit mode
- collaboration/video meetings
- heavy media routing