Standards and Security Specifications
This document outlines the security specifications, network layouts, and industry-standard protocols implemented across the Intelligence Cloud Platform.
1. Identity & Access Management (IAM)
The platform adheres to modern OAuth 2.0 and OpenID Connect (OIDC) specifications. Authentication is outsourced to Keycloak, acting as the Identity Provider (IdP).
Token-Based Authentication Flow
- The Angular Client initiates an authorization code flow with PKCE (Proof Key for Code Exchange) against the Keycloak OIDC endpoint.
- After successful authentication, Keycloak issues a cryptographically signed JSON Web Token (JWT) to the client.
- Every subsequent HTTP or WebSocket request from the client to the API Gateway includes the token in the `Authorization: Bearer <JWT>` header.
- The Proxy Server Gateway verifies the token statelessly using the RSA Signature with SHA-256 (`RS256`) algorithm and retrieves the verification key dynamically from Keycloak's JSON Web Key Set (JWKS) certificates endpoint.
Role-Based Access Control (RBAC)
User permissions are managed through Client Roles within the angular-dash client in Keycloak:
- Viewer: Allowed read-only access to view instances, network mappings, and logs.
- Editor: Allowed to deploy containers, create virtual machines, and execute commands within their own project context.
- Admin: Highly privileged role with full access to view, control, or configure cross-project resources and perform administrative operations.
2. Multi-Tenancy & Project Isolation
Multi-tenancy is enforced at the hypervisor level (LXD) rather than the application level.
```
+---------------------------------------------+
|                  LXD HOST                   |
|                                             |
|  +-------------------+  +----------------+  |
|  | Project: u-user1  |  | Project: u-usr2|  |
|  |                   |  |                |  |
|  |  [VM1]  [Cont1]   |  |  [VM2] [Cont2] |  |
|  +-------------------+  +----------------+  |
|            |                    |           |
+------------|--------------------|-----------+
             +----------+---------+
                        |
             [ OVN Network Bridge ]
```
- LXD Projects: Each user is assigned an isolated LXD Project named `u-${user_subject_id}` (derived from the OIDC JWT `sub` field).
- Scoped REST calls: All container state and execution requests directed to the LXD API include a strict `?project=u-<id>` query parameter, ensuring users cannot view or manipulate resources belonging to another tenant.
- Shared Cluster Administration: Admin users are authorized to pass explicit `?project=` variables or search all projects (`all-projects=true`) to enable platform-level support.
3. Network Architecture & Dynamic Routing
OVN Network Isolation
All instances created via the platform are connected to an isolated OVN (Open Virtual Network) overlay network, `ovn-net`. OVN provides Layer-2 isolation inside the hypervisor, so one tenant's instances cannot observe another tenant's traffic directly.
Dynamic Port Forwarding (NAT)
Because instances run on private OVN subnets, they cannot be reached directly from the internet. The platform implements dynamic public IP and port forwarding mapping using LXD OVN Network Forwards:
1. Public IPs are reserved.
2. The user registers a mapping (e.g., Public IP X.X.X.X Port 80 mapped to Instance IP 10.0.0.12 Port 8080).
3. The Proxy Server invokes the LXD OVN Forwards API to dynamically inject DNAT rules at the hypervisor network boundary.
4. Industry Standards Reference
| Area | Implemented Standard | Purpose |
|---|---|---|
| Authentication | OpenID Connect (OIDC) Core 1.0 | Identity verification and single sign-on (SSO). |
| Authorization | OAuth 2.0 Client Roles / RBAC | Role segregation (viewer, editor, admin). |
| Cryptography | RS256 / JWKS (RFC 7517) | Verification of signed tokens using public key pairs. |
| Infrastructure | Terraform / HCL | Declarative infrastructure orchestration. |
| APIs | RESTful JSON & WebSockets | Client-gateway interactions, dynamic terminals. |
| Monitoring | Prometheus OpenMetrics | Standardized metric collection and telemetry format. |