Nexus

Architecture:

[Figure: achitecture_Nexus.png]


The configuration system consists of two main components, the Configuration service and the Proxy.
The configuration service is the main repository for configuration settings and the tool for editing configuration data. It supports Windows Integrated and Azure AD authentication. Internally the configuration service uses its own user store for authentication and authorization.
The database is an embedded NoSQL database that is backed up every time the application starts; the database files are locked while the service is running, so a backup cannot be taken from a running instance. The backup is saved on the server as zip files. These files can be imported into other Stardust Nexus instances.
Notification
The proxy provides a cache layer for the applications; it can be distributed and scaled independently of the service. Changes made in the configuration service are propagated to the proxies over SignalR channels. Changes have to be published from the configuration tool for the signalling to occur; edits that have not been published are not pushed to the proxies.

[Figure: nexusNitification.png]


Security and access levels
The proxy supports encryption of the cached config files for maximum security, at the cost of making debugging and troubleshooting harder because the cache can no longer be read on the proxy server.
The application components connect to the proxy using a key/token pair. The token is generated by the Configuration Service, and the pair is used to authorize access to the configuration set.
There are three token types: the config set master token, the config set environment token and user tokens.
By default only the config set environment token is allowed to read the configuration settings.
Which tokens are allowed is configured on each configuration set.
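The access check described above, as an added example in Python; this is not Stardust Nexus code. The page states that three token types exist (master, environment, user), that the allowed types are configured per configuration set, and that only the environment token is allowed by default. The class and field names, the binding of an environment token to a single environment, the constant-time comparison and the sample values are assumptions made for the example.

```python
"""Illustrative model of the key/token check a proxy applies when an
application asks for a configuration set (added example, not Nexus code)."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

MASTER, ENVIRONMENT, USER = "master", "environment", "user"


@dataclass(frozen=True)
class Token:
    key: str                           # names the configuration set (assumed shape)
    secret: str                        # value generated by the Configuration Service
    kind: str                          # MASTER, ENVIRONMENT or USER
    environment: Optional[str] = None  # assumed: only environment tokens carry this


@dataclass
class ConfigSetAccess:
    key: str
    environments: Dict[str, Dict[str, str]]
    # issued tokens: (kind, environment) -> secret. A real store would keep a
    # hash of the secret; it is kept in the clear here to keep the example short.
    issued: Dict[Tuple[str, Optional[str]], str] = field(default_factory=dict)
    # default from the page: only the environment token may read settings
    allowed_kinds: FrozenSet[str] = frozenset({ENVIRONMENT})

    def issue(self, kind: str, environment: Optional[str] = None) -> Token:
        """Generate a token of the given kind for this configuration set."""
        if kind == ENVIRONMENT and environment not in self.environments:
            raise KeyError(environment)
        secret = secrets.token_urlsafe(32)
        self.issued[(kind, environment)] = secret
        return Token(self.key, secret, kind, environment)

    def read(self, token: Token, environment: str) -> Dict[str, str]:
        """Return the settings for `environment`, or raise PermissionError."""
        if token.key != self.key:
            raise PermissionError("token was issued for a different configuration set")
        if token.kind not in self.allowed_kinds:
            raise PermissionError(f"{token.kind} tokens are not allowed on this set")
        if token.kind == ENVIRONMENT and token.environment != environment:
            raise PermissionError("environment token does not match the requested environment")
        expected = self.issued.get((token.kind, token.environment))
        # constant-time compare: a forged token must not be guessable byte by byte
        if expected is None or not hmac.compare_digest(expected, token.secret):
            raise PermissionError("unknown or invalid token")
        if environment not in self.environments:
            raise KeyError(environment)
        return self.environments[environment]


if __name__ == "__main__":
    # constructed sample: a set with two environments, read with a prod token
    access = ConfigSetAccess("payments", {"prod": {"DbServer": "sql-prod"},
                                          "test": {"DbServer": "sql-test"}})
    prod_token = access.issue(ENVIRONMENT, "prod")
    print(access.read(prod_token, "prod"))
    master_token = access.issue(MASTER)
    try:
        access.read(master_token, "prod")
    except PermissionError as err:
        print("master token rejected by default:", err)
```

The point to take from it: with the default allow-list a master token is refused even though it is genuine, and an environment token for prod cannot be replayed against test. Enabling further token types for a set widens what a leaked token can read.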


Usage:
User administration:
Create users:

Username (NameId) is the user name provided by the authentication system: Windows Integrated uses the account name and Azure AD the email address. It cannot be changed after the user is created.
Select the role:

Role          Description
SystemAdmin   An administrator for the whole configuration system. These users can see and edit all configuration sets and manage users.
ConfigAdmin   Users who can edit specific configuration sets. They have to be added to the configuration set's user list explicitly.
ConfigReader  Accounts with read access only. These are the accounts the applications use to fetch their configuration.

Add a config set child
A config set child inherits all the settings from the parent set. This is useful where a service relies on shared services provided by the parent. Single sign-on configuration is also inherited from the parent.

Add a description and layer names for the new application
Layer names are used in the overview page to label the layers in the generated system documentation.
Hosts
Create your application's service hosts, for example the web server and the database server.

Add the details and assign the host to a layer.
For the system documentation to be generated properly the hosts have to be connected; do this by adding upstream/downstream hosts.

This gives the following system overview.

Services
Add services and endpoints
Environments
Define your environments; environments defined on the parent set appear with all values inherited. Add and change values as needed.
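How a child set ends up with its parent's environments and values, as an added example (not Nexus code): the page states only that a child inherits the parent's settings and that parent environments appear with values inherited. The resolution rule used here (walk the parent chain, nearer set wins per key), the class and method names and the sample values are assumptions.

```python
"""Added example: resolving a child config set's environment values through
its parent. Not Stardust Nexus code; names and merge rule are assumptions."""
from __future__ import annotations

from typing import Dict, List, Optional

Settings = Dict[str, str]


class ConfigSet:
    def __init__(self, name: str, parent: Optional["ConfigSet"] = None):
        self.name = name
        self.parent = parent
        self.environments: Dict[str, Settings] = {}  # env name -> {key: value}

    def set(self, environment: str, **values: str) -> None:
        """Add or override values for one environment on this set."""
        self.environments.setdefault(environment, {}).update(values)

    def environment_names(self) -> List[str]:
        """Environments visible on this set, including inherited ones."""
        names = set(self.environments)
        if self.parent is not None:
            names |= set(self.parent.environment_names())
        return sorted(names)

    def resolve(self, environment: str) -> Settings:
        """Merge values up the parent chain; the child's own values win."""
        inherited = self.parent.resolve(environment) if self.parent is not None else {}
        own = self.environments.get(environment)
        if own is None and not inherited:
            raise KeyError(f"{self.name}: no environment named {environment!r}")
        return {**inherited, **(own or {})}


# constructed sample: shared services live on the parent, the child
# overrides one value and adds one of its own
shared = ConfigSet("shared")
shared.set("prod", SsoAuthority="https://login.example.invalid/prod", MessageBus="bus-prod")
shared.set("test", SsoAuthority="https://login.example.invalid/test", MessageBus="bus-test")

payments = ConfigSet("payments", parent=shared)
payments.set("prod", MessageBus="bus-payments-prod", DbServer="sql-prod")
payments.set("test", DbServer="sql-test")

if __name__ == "__main__":
    for env in payments.environment_names():
        print(env, payments.resolve(env))
```

Note that "test" is never declared on the child set, yet it resolves, because the parent defines it; the child only contributes its DbServer override there.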


Installation:

Server provisioning
Azure
Provision one medium Standard-tier Web App instance for the service, with autoscale off.
Provision small API App instances for the proxies, as many as needed (e.g. one in West Europe and one in South East Asia).
Deploy the code.
Configure Traffic Manager in front of the proxy instances.
On premise
Order one server for the service and one or more for the proxies.
Configuration server, Stardust Nexus
App settings:
configStore
  Suggested value: Type=embedded;endpoint=http://localhost:8090/brightstar;StoresDirectory=\home\Stardust\ConfigStores;StoreName=configWeb
  Description: Where to put the database files.
stardust.DefaultLoggerLocation
  Suggested value: \home\site\wwwroot\app_data\defaultLog.txt
  Description: Where the log file is stored.
stardust.StoreLocation
  Suggested value: \home\Stardust\ConfigStores
  Description: Used by the migration tool to upload an existing database from an external server.
configStoreMigrationFile
  Suggested value: \home\Stardust\ConfigStores\migration.txt
  Description: Used as a marker to tell whether the database was generated or imported.


Security:
Enable Azure AD in the Authentication / Authorization blade of the Web App.


Configuration Proxy
App settings:

stardust.authority
  Suggested value: https://login.microsoftonline.com/{tenantid}/oauth2/token
  Description: The Azure AD token endpoint for your tenant.
stardust.configUser
  Description: The client id (application id) from Azure AD.
stardust.configPassword
  Description: The generated app key (client secret) from Azure AD. Treat it as a secret: anyone who can read the proxy's app settings can act as the proxy towards the config server.
stardust.useAzureAd
  Suggested value: true
  Description: Use Azure AD for authentication against the config server.
stardust.configLocation
  Description: The URL of the config server; the same value as the ApiResourceId.
stardust.useConsolidatedFile
  Suggested value: false
  Description: When false the cache is written as separate files; set to true for a single consolidated cache file.
stardust.EncryptCacheFiles
  Suggested value: false
  Description: Encrypts the cache files on the proxy server so they cannot be read from disk. Passwords and other sensitive values are already encrypted inside the configuration data set; this setting additionally protects the remaining plaintext settings.
stardust.DefaultLoggerLocation
  Suggested value: \home\site\wwwroot\app_data\defaultLog.txt
  Description: Where the log file is stored.
stardust.EncryptionKey
  Suggested value: somethingRandom
  Description: The key used to encrypt the cache files. Use a long, randomly generated value unique to the deployment; "somethingRandom" is a placeholder, not a value to ship.
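A consistency check for the proxy settings above, plus the Azure AD request they describe, as an added example in Python (not Stardust Nexus code). The setting names are the page's; the check rules, the function names and the sample tenant, client and server values are constructed for the example. The token request follows the standard OAuth2 client-credentials grant against the v1 endpoint named by stardust.authority, with stardust.configLocation as the `resource` (the page says it equals the ApiResourceId); that the proxy uses exactly this grant is an assumption.

```python
"""Added example: validate the proxy app settings and build the Azure AD
client-credentials request they imply. Not Stardust Nexus code."""
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

LOGIN_HOST = "login.microsoftonline.com"
PLACEHOLDER_KEY = "somethingRandom"   # the table's example value; never ship it

# constructed sample mirroring the table; tenant, client and host are fake
SAMPLE_SETTINGS: Dict[str, str] = {
    "stardust.authority": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/token",
    "stardust.configUser": "11111111-1111-1111-1111-111111111111",
    "stardust.configPassword": "app-key-from-azure-ad",
    "stardust.useAzureAd": "true",
    "stardust.configLocation": "https://nexus-config.example.invalid",
    "stardust.useConsolidatedFile": "false",
    "stardust.EncryptCacheFiles": "true",
    "stardust.EncryptionKey": "somethingRandom",
    "stardust.DefaultLoggerLocation": r"\home\site\wwwroot\app_data\defaultLog.txt",
}


def _truthy(value: str) -> bool:
    return str(value).strip().lower() == "true"


def check_proxy_settings(s: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems: List[str] = []
    if _truthy(s.get("stardust.useAzureAd", "")):
        for key in ("stardust.authority", "stardust.configUser",
                    "stardust.configPassword", "stardust.configLocation"):
            if not s.get(key):
                problems.append(f"{key} is required when stardust.useAzureAd=true")
        authority = s.get("stardust.authority", "")
        parsed = urllib.parse.urlparse(authority)
        if authority and (parsed.scheme != "https" or parsed.netloc != LOGIN_HOST):
            problems.append("stardust.authority must be an https URL on " + LOGIN_HOST)
    location = s.get("stardust.configLocation", "")
    if location and not location.startswith("https://"):
        problems.append("stardust.configLocation should be https:// so the bearer token is not sent in the clear")
    if _truthy(s.get("stardust.EncryptCacheFiles", "")):
        key = s.get("stardust.EncryptionKey", "")
        if key == PLACEHOLDER_KEY or len(key) < 32:
            problems.append("stardust.EncryptionKey must be a long random value, not the placeholder")
    return problems


def build_token_request(s: Dict[str, str]) -> Tuple[str, bytes]:
    """URL and form body for the OAuth2 client-credentials grant (Azure AD v1 endpoint)."""
    body = {
        "grant_type": "client_credentials",
        "client_id": s["stardust.configUser"],
        "client_secret": s["stardust.configPassword"],
        "resource": s["stardust.configLocation"],   # ApiResourceId == configLocation per the page
    }
    return s["stardust.authority"], urllib.parse.urlencode(body).encode()


def fetch_access_token(s: Dict[str, str]) -> str:
    """Send the request (needs network and a real tenant); returns the bearer token."""
    url, data = build_token_request(s)
    req = urllib.request.Request(url, data=data,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    for problem in check_proxy_settings(SAMPLE_SETTINGS):
        print("WARN:", problem)
    url, body = build_token_request(SAMPLE_SETTINGS)
    print("POST", url)
    print(body.decode().replace(SAMPLE_SETTINGS["stardust.configPassword"], "***"))
```

Run against the sample as written it reports exactly one problem, the placeholder encryption key; the request body shows that the client secret travels in the form body, which is why stardust.authority and stardust.configLocation must both be https.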

Downloads
Nexus Config Service
Nexus Config Proxy
Documentation

nuget:
Lightweight client:
Install-Package Stardust.Interstellar.Config
Full framework:
Install-Package Stardust.Core.Service.Web
Install-Package Stardust.Core.Default.Implementations

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License