Overview¶
The purpose of ezBastion is to allow you to provide your administrative tasks via REST requests. Once the nodes have been installed, you will be able to import your system administrators’s scripts and assign them an HTTPS URL. To finish, declare the users and delegate the apis.
In general, to administer a system, you need 4 elements:
- An administrator account.
- The knowledge of the product.
- Access rights and flow opening.
- Consoles or administrative clients.
Just one question: Do you have any actions that could be delegated, if there were not the above points?
Architecture¶
ezBastion architecture is split in three zones, public, infrastructure and business and six microservices.
Public zone¶
This area is accessible by clients (users, services, computers) and must use corporate certificates. It is recommended to use multiple bastion (ezb_srv) and security token authority (ezb_sta) behind a load balancing system.
ezb_sta¶
Secure Token Authority (sta), provide authentication. It accept Basic, HTTP form and SSPI requests. Authenticated Accounts can be store in ezbastion database or use Microsoft accounts management (Builtin and domain accounts). It return a signed token in JWT format. This token is used as Bearer authentication, when login to admin console or request an api.
features:
- authentication
- bearer generator
ezb_srv¶
This node, called Bastion, is the front part of ezBastion architecture. It receive all clients requests and serves as api gateway. By default the listening don’t use TLS, you must put a load balancer in front of a pair of ezb_srv services (with ssl offload).
features:
- authorization
- cache (l1)
- logging
- workers’s load balancer
Infrastructure zone¶
This area is dedicated to ezBastion management team.
ezb_pki¶
This node provide ECDSA certificates, used by all ezBastion’s node to communicate.
feature:
- Public key infrastructure
ezb_db¶
The database is used to store ezBastion configuration and clients access rules.
- ezBastion configuration
- API configuration
- Access log
business zone¶
The services running in this area are business dependent. You can provide API to different business line, using dedicated workers.
ezb_worker¶
The workers are the infrastructure backend. There are in charge to execute business tasks and return result to the bastion.
- Task execution
ezb_vault¶
Some time we need user/password inside a script, and clear password is evil ! Vault node, will store key/value inside an AES dedicated DB.
- key/value secure store