Ctrl+K
⚠️ This document is work in progress. Feedback is welcome. ⚠️

Nubus for Kubernetes - Architecture Manual 0.1.6

Functional components

2.2. Functional components#

This section provides an overview of the functional components of Univention Nubus. For each component, it describes the purpose and the main tasks.

Fig. 2.5 provides an overview of all the functional components grouped by their main tasks:

  1. End user facing

  2. Authentication and Authorization

  3. Integration

  4. Connectors

Univention Nubus consists of the following functional components:

  1. Authorization Service

  2. Directory Manager

  3. End User Self Service

  4. Identity Provider

  5. Identity Store and Directory Service

  6. Intercom Service

  7. Management UI

  8. Portal Service

  9. Provisioning Service

  10. IAM Connector

Overview of functional components in Univention Nubus

Fig. 2.5 Overview of functional components in Univention Nubus#

2.2.1. End user facing#

Functional components that provide features that directly serve the end user are end user facing. These components are the following:

  • Portal

  • End User Self Service

  • Management UI

Functional components facing the end user

Fig. 2.6 Functional components facing the end user#

2.2.1.1. Portal Service#

The Portal Service is a web application that shows administrators and end users the applications they have access to, manages sign-in and sign-on redirects, and visually integrates different applications into one desktop.

Purpose

  • Delivers customer access, for example for end users using openDesk.

  • Delivers access to administer user accounts and user groups in Nubus.

  • Delivers user interface (UI) integration layer for other services, such as modules in openDesk.

Tasks:

  • Login form for end users to sign in.

  • Portal UI.

  • Link to end user self service.

  • Link to administer user accounts and user groups.

  • Link to other openDesk modules.

  • Present notifications from a central notification service.

2.2.1.2. Management UI#

The Management UI allows customers to administer IAM resources like user accounts and user groups.

Purpose

User interface (UI) for administration of directory objects, such as user account objects, user group objects, and asset objects. Administrators manage user account and group objects through the Management UI, if Nubus has no external IAM system connected. For more information, see Connectors.

Tasks

  • CRUD operations for directory objects, such as user account objects and user group objects.

  • UI for the CRUD operations that depends on permissions.

2.2.1.3. End User Self Service#

The End User Self Service allows end users to modify certain data of their own user account object, including a password reset service.

Purpose

UI for end users to manage distinct attributes of their user account object

Tasks:

  • Maintenance of user account data, such as profile information.

  • Actions for forgotten password and password change.

2.2.2. Authentication and Authorization#

The Guardian is a generic Authorization Service where applications can register rules and roles. They can then use it to authorize the operations they offer to clients.

Functional components listed in this section provide features for authentication and authorization. They’re the following:

  • Authorization Service

  • Directory Manager

  • Identity Provider

  • Identity Store and Directory Service

Functional components for authentication and authorization

Fig. 2.7 Functional components for authentication and authorization#

2.2.2.1. Identity Provider#

The Identity Provider service is responsible for authentication, token creation, renewal, and removal. The Identity Provider includes the software stack for Keycloak and the integration to the Identity Store and Directory Service.

Purpose

Authentication provider using the authentication protocols SAML and OpenID Connect.

Tasks

  • Session handling for user authentications.

  • Offers authentication protocols SAML, and OpenID Connect.

2.2.2.2. Authorization Service#

The Authorization Service is responsible for managing user permissions and organizing them in roles. The software stack also has the name Guardian.

Purpose

The authorization service provides authorization for other Nubus components, such as the End User Self Service.

Note

For the time being, no Nubus component uses the Authorization Service. As soon as components use it, this section explicitly lists them.

Tasks:

  • Authorize operations in Management UI.

  • Deliver API for CRUD operations for rules.

  • Deliver UI for management of rules.

See also

Guardian Manual

for more information about the Guardian in Guardian Manual [3].

2.2.2.3. Directory Manager#

The Univention Directory Manager (UDM) REST API offers an HTTP REST interface to manage the user account, user group, and asset objects stored in the Identity Store and Directory Service.

Purpose

Façade in front of the Directory Service, that transforms business actions on user account objects, user group objects, and asset objects. It orchestrates CRUD operations for the Directory Service.

Tasks:

  • Applies business logic on user account objects, group objects, and asset objects.

  • Transforms objects to and from directory service.

  • Triggers events for provisioning.

2.2.2.4. Identity Store and Directory Service#

The Identity Store and Directory Service uses OpenLDAP as the primary database for user account, user group, and asset objects.

Purpose

Persistence layer for structured directory service data. It implements availability and performance requirements. The structured data is user account objects, user group objects, and asset objects.

Tasks:

Delivers user account objects and user group objects through CRUD operations.

2.2.3. Integration#

Functional components listed in this section provide functions for the integration of the components into the central user interface (UI), as well as, the Authentication and Authorization. They’re the following:

  • Intercom Service

  • Provisioning Service

Functional components for integration

Fig. 2.8 Functional components for integration#

2.2.3.1. Provisioning Service#

The Provisioning Service is a system that notifies interested services about changes in the IAM database, for user creation.

Purpose

Connection and synchronization of user account objects, user group objects and asset objects, that the directory Identity Store and Directory Service manages, with functional components that have their own data persistence.

Tasks:

Delivers objects based on events from the directory store to the functional component.

2.2.3.2. Intercom Service#

The Intercom Service is an intermediary for communication between applications like Nextcloud, OX App Suite and Matrix.

Purpose

Intermediary to allow sharing of resources between different backends directly from the browser.

Tasks

Provide restricted usage of resources across functional components.

2.2.4. Connectors#

Connectors enable the connection of external systems to Nubus.

Functional components for connectors

Fig. 2.9 Functional components for connectors#

2.2.4.1. IAM Connector#

A central external identity and access management (IAM) system is the leading and authoritative source system for management and maintenance of user accounts and user group memberships.

Purpose

The connector serves the setup of a direct interface between the external IAM and the Authentication and Authorization from Nubus.

Tasks

  • Synchronize user account and user group data from the external IAM to Nubus.

  • Provide an unidirectional or bidirectional synchronization.

2.2.4.2. UDM Directory Connector#

The UDM Directory Connector is a distinct implementation of the IAM Connector, as shown in Fig. 2.10.

UDM Directory Connector as implementation for an IAM Connector

Fig. 2.10 UDM Directory Connector as implementation for an IAM Connector#

Purpose

The connector synchronizes the Directory Manager in Nubus with the directory structure of several external directories using LDAP.

Tasks:

  • Search for user account objects and user group objects in the source and the target through LDAP.

  • Determine the differences between the source and target to calculate the modification operations.

  • Synchronize the found objects to the Directory Manager through the UDM HTTP REST API.

See also

How-to connect to external IAM

for more information about how to connect Nubus through the UDM Directory Connector with an external directory service.

On this page