# Final platform technical direction (summary)

## Product definition

A distributed secure access platform with:

- multi-tenant organizations
- proven persistent session broker for RDP
- cluster of platform-managed and customer-managed nodes
- node-agent based service fabric
- connector/VPN layer
- future split/full tunnel capability
- future collaboration extensions

## Main top-level domains

### Platform

Owns:

- global policies
- cluster control plane
- platform admins
- node trust
- artifact signing and update policy
- disaster recovery authority

### Organization

Owns:

- users
- groups
- organization admins
- identity sources
- resources
- policies
- connectors
- audits
- quotas
- domains / branding later

### Node

Has:

- node identity
- ownership type (platform-managed, customer-managed)
- capabilities
- enabled services
- health
- update policy
- version state
- partition state

### Node Agent

Small stable agent that:

- keeps running
- supervises services
- downloads signed updates
- verifies integrity
- restarts crashed services
- rolls back if needed
- reports health

### Connector

Reusable network access method:

- direct
- VPN
- relay-backed
- future egress mode

Bound to resources by policy, not duplicated blindly per server.

### Session broker

Already proven for RDP persistent lifecycle.

## Mandatory capabilities

### Multi-tenant

- org isolation
- organization memberships
- user may belong to multiple organizations
- clear org switching UX later
- org admins only see their org

### Identity federation

- local accounts
- LDAP / AD
- OIDC
- group/claim mapping to access

### Resource authorization

- local manual mapping
- external group / claim driven mapping
- feature scopes:
  - RDP only
  - connector/VPN only
  - both
  - future scopes

### Cluster behavior

- dynamic membership
- encrypted inter-node communication
- no mandatory single center
- quorum-based authority
- degraded / recovery / isolated modes
- manual partition promotion only by highly privileged recovery admin
- multi-hop route support
- not every node needs full mesh

### Updates

- signed artifacts
- canary rollout
- staged rollout
- rollback
- thin node vs artifact-cache node

### Customer-managed nodes

- can join common cluster
- can be scoped to their organization
- can serve ingress / connector / egress functions for that organization
- must not automatically become cluster-global trusted nodes
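
The multi-tenant, identity federation, resource authorization and customer-managed node rules above, worked into one authorization check as an added example (not code from the platform itself): org membership gates everything, external claims are mapped to org groups per identity source, a policy grants only the feature scopes the resource also offers, and a customer-managed node serves only its own org. All names, claim strings and sample data are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample types for the org-scoped authorization model above.
Resource = namedtuple("Resource", "org name scopes")        # scopes: feature scopes offered
Policy = namedtuple("Policy", "org group resource scopes")  # group: org group after claim mapping
User = namedtuple("User", "name orgs claims")               # claims: org -> raw identity-source claims
Node = namedtuple("Node", "name ownership org_scope")       # org_scope: org of a customer-managed node

# External group/claim -> org group, configured per organization (constructed values).
CLAIM_MAP = {
    "acme": {"oidc:groups/ops": "ops", "ad:CN=Engineering": "eng"},
    "globex": {"oidc:groups/ops": "ops"},
}

def effective_groups(user, org):
    """Map the user's claims for `org` to org groups; unmapped claims grant nothing."""
    if org not in user.orgs:                      # membership gates everything
        return frozenset()
    mapping = CLAIM_MAP.get(org, {})
    return frozenset(g for c in user.claims.get(org, ()) if (g := mapping.get(c)))

def authorize(user, org, res, policies, feature):
    """Allow `feature` ("rdp" or "connector") on `res` only via policies of the same org."""
    if org not in user.orgs or res.org != org:    # org isolation before any policy lookup
        return False
    groups = effective_groups(user, org)
    return any(p.org == org and p.resource == res.name and p.group in groups
               and feature in (p.scopes & res.scopes) for p in policies)

def node_may_serve(node, org):
    # Customer-managed nodes serve only their own org; they never become cluster-global.
    return node.ownership == "platform-managed" or node.org_scope == org

# Constructed sample data exercising the rules.
JUMP = Resource("acme", "jump-host", frozenset({"rdp", "connector"}))
DBGW = Resource("globex", "db-gateway", frozenset({"connector"}))
POLICIES = [
    Policy("acme", "ops", "jump-host", frozenset({"rdp"})),                 # RDP only
    Policy("globex", "ops", "db-gateway", frozenset({"rdp", "connector"})),  # both
]
ALICE = User("alice", frozenset({"acme", "globex"}),
             {"acme": {"oidc:groups/ops"}, "globex": {"ad:CN=Engineering"}})
BOB = User("bob", frozenset({"globex"}), {"globex": {"oidc:groups/ops"}})
CUSTOMER_NODE = Node("globex-edge-1", "customer-managed", "globex")
PLATFORM_NODE = Node("core-1", "platform-managed", None)

if __name__ == "__main__":
    print(authorize(ALICE, "acme", JUMP, POLICIES, "rdp"))        # True
    print(authorize(ALICE, "acme", JUMP, POLICIES, "connector"))  # False: policy is RDP only
    print(authorize(BOB, "globex", DBGW, POLICIES, "rdp"))        # False: resource has no RDP scope
    print(node_may_serve(CUSTOMER_NODE, "acme"))                  # False: scoped to globex
```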

## What to implement first

- organization model
- memberships and roles
- org-scoped resource model
- identity source model
- node and node-agent control plane model
- service capabilities / enabled services model

## What to delay

- full mesh engine
- full connector scheduler
- internet exit mode
- collaboration/video meetings
- heavy media routing