Yarkon Cloud Architecture

System Architecture

Yarkon Cloud is a distributed system, made of a number of services working together to provide a complete solution.

At the very high level, it consists of the following modules:

  • Yarkon Web Client Application – this is the web-based HTML5 application running in the end-user’s browser. It is common to all Yarkon Editions. It is responsible for all end-user interaction with S3.
  • Yarkon Admin Console – this is the server side module, running in our VPC. It is responsible for all admin user interaction with Yarkon, and is used mostly for user account management.
  • Supporting services for Yarkon Admin Console:
    • AWS IAM – used to get user account credentials.
    • AWS STS – used to provide temporary credentials to end-users.
    • AWS S3 – used to get the buckets authorized for the end-user.
    • Mail (SMTP) – used to communicate a temporary password to new users and to users who reset their password.

Use-Cases

In the following, details are provided for the most common use-cases of the application. The diagrams use a standard “swim lane” depiction, with the time axis going from left to right and the main components of the system that are involved in the action shown above it. The state transitions or actions are highlighted in order.

Authentication

This is the most common use-case: an existing user logs into the system and, once authenticated and authorized, can proceed to use the Yarkon Web Client to access AWS S3.

The action flow is as follows:

  1. The Yarkon server gets its credentials to your AWS account from its secure database. The credentials are only used to authorize your users and provide them with temporary credentials. Your AWS API credentials are never shared or sent over the network. The server waits for incoming user requests.
  2. An existing Yarkon end-user, using the Yarkon Web Client Application, logs into the system using her username/password credentials.
  3. The Yarkon server receives these credentials and authenticates them using its own user management database. If the credentials are invalid, an error message is sent to the end-user. If the credentials are valid, then the user is said to be “authenticated”, and can proceed to the next step, which is authorization. The Yarkon server calls the AWS STS server to provision temporary credentials for the end-user. These temporary credentials are limited in time and in scope – they provide the user access only to the buckets allowed to her, based on the access policies defined in the AWS account. See the document on setting up an AWS organization for a complete review of how user permissions are managed for S3 users.
  4. The temporary credentials are communicated to the end-user.
  5. From this point on, the end-user can access AWS S3 using the temporary credentials. No interaction with the Yarkon server is required until the temporary credentials expire, at which point the authorization process is repeated automatically (no need to re-enter the username/password), and a new set of temporary credentials is sent to the user.
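
The authorization in steps 3 and 5 can be sketched as follows. This is an added example, not Yarkon's own code: it assumes the server uses the STS GetFederationToken API with an inline session policy, and the function names, bucket names and S3 action list are illustrative.

```python
import json
import re
from datetime import timedelta

# Documented GetFederationToken limits: 900-129600 s, inline policy <= 2048 chars.
MIN_TTL, MAX_TTL, MAX_POLICY_CHARS = 900, 129600, 2048
BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")


def session_policy(buckets):
    """Session policy limiting the temporary credentials to the listed buckets."""
    if not buckets:
        raise ValueError("no authorized buckets: issue no credentials")
    for b in buckets:
        # Reject anything that is not a plain bucket name, so "*" or "a/*"
        # can never widen the ARNs below.
        if not BUCKET_RE.fullmatch(b):
            raise ValueError(f"invalid bucket name: {b!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": [f"arn:aws:s3:::{b}" for b in buckets]},
            {"Effect": "Allow",  # action list is an assumption for this example
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets]},
        ],
    }


def federation_request(username, buckets, ttl_seconds):
    """Validated keyword arguments for boto3's sts.get_federation_token()."""
    # Name must be 2-32 characters from [\w+=,.@-]; e-mail usernames can be longer.
    name = re.sub(r"[^\w+=,.@-]", "_", username, flags=re.ASCII)[:32]
    if len(name) < 2:
        raise ValueError("username too short for a federated session name")
    policy = json.dumps(session_policy(buckets), separators=(",", ":"))
    if len(policy) > MAX_POLICY_CHARS:
        raise ValueError("session policy exceeds the STS size limit")
    ttl = max(MIN_TTL, min(int(ttl_seconds), MAX_TTL))
    return {"Name": name, "Policy": policy, "DurationSeconds": ttl}


def needs_refresh(expiration, now, margin=timedelta(minutes=5)):
    """Step 5: repeat authorization shortly before the credentials expire."""
    return now >= expiration - margin


if __name__ == "__main__":
    # Constructed sample user and bucket names.
    print(federation_request("alice@example.com", ["reports", "team-share"], 3600))
```

With GetFederationToken, the effective permissions are the intersection of the calling IAM user's policies and the session policy, so the session policy can narrow access but never extend it.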

Add User

Adding a new user to the system is a common workflow for the system administrator. The administrator uses the Yarkon Admin Console application to provision a new user. This new user will receive his Yarkon login information by email and can then log in to the system and use AWS S3 with the permissions allowed by the administrator.

The action flow is as follows:

  1. The Yarkon server gets its credentials to your AWS account from its secure database. The credentials are only used to authorize your users and provide them with temporary credentials. Your AWS API credentials are never shared or sent over the network. The server waits for incoming user requests.
  2. The administrator user logs into the Yarkon Admin Console application, and uses the user management screen to add a new user. Users can be added individually, or in bulk. The details required are:
    • Details – first and last name.
    • Email – this will be used for the username and for communicating the temporary password to the user.
    • Role – use this to give the user administrative permissions to Yarkon Admin Console (but not to AWS).
    • If you use the Integrated Security Model, you will also have to specify the AWS user name of the user at this point.
  3. The server will now send a welcome email to the new user with the login information, which consists of the username (the email of the user) and a temporary password. The email provides detailed instructions on how to log into the Yarkon Web Client application, the tool to be used by end-users.
  4. Once the user logs into the client application, using his temporary credentials, the system will require the user to change the password. When this is done, the server will authenticate and authorize the user to access S3 (see “Authentication” above).
  5. From this point on, the end-user can access AWS S3 using the temporary credentials. No interaction with the Yarkon server is required until the temporary credentials expire, at which point the authorization process is repeated automatically (no need to re-enter the username/password), and a new set of temporary credentials is sent to the user.