Bitmask:Main Page
Bitmask is a fork of the Zombi infrastructure. The reason for the fork was to provide a platform where new approaches can be tried out without compromising the stability of the existing Zombi services. It is still tightly connected with the Zombi platform, and thus shares some of the infrastructure.
There are no guarantees regarding the stability of any of the provided services.
Roadmap
The current main goal is to provide a well-integrated user management system, so that other projects can be implemented on top of it.
Authentication
Zombi has used an LDAP-based user management for the last 10 years, and it has proven to be stable so far. However, there are some shortcomings that became apparent:
- Users need to have mandatory attributes, such as given_name and last_name, which are not really of great interest for us, and should be left out for data protection reasons in the future.
- All services using LDAP need to handle user passwords; this becomes a problem when one of these services is compromised.
- Only password authentication is supported; multi-factor authentication cannot be implemented, and neither can alternative login methods (such as key- or certificate-based authentication).
- New attributes cannot easily be added to user accounts.
Keycloak
Until all the required components are finished, a Keycloak server is being set up for authentication. Once all the core features can be handled by the auth system, it will disappear again.
OAuth2 Service
Already implemented. This component will deal with authorizing and authenticating the clients. It will have no GUI and will be configured via an API, in order to keep it simple.
Consent UI
This component displays login and consent forms for the OAuth2 Service. It is also responsible for mapping scopes to the user attributes that are included in the access_token and oidc_token.
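To make the scope-to-attribute mapping concrete, here is an added example of how a consent UI can decide which user attributes end up in the tokens. This is illustrative code, not Bitmask's or Zombi's implementation; the SCOPE_CLAIMS table, the user record layout, the attribute names and the token shapes are all assumptions made for the example. The point it shows is data minimization: an attribute reaches the oidc_token only if a granted scope covers it, internal attributes (such as credit) never do, and the access_token carries only the identity plus the granted scope string that resource servers authorize against.

```python
# Added example (not Bitmask's code): map granted OAuth2 scopes to the user
# attributes allowed into the oidc id_token, and keep the access_token lean.
# SCOPE_CLAIMS, the user record layout and the token shapes are assumptions.

SCOPE_CLAIMS = {
    "openid": ("sub",),                       # required for an identity token at all
    "email": ("email", "email_verified"),
    "profile": ("display_name", "website"),
    "phone": ("phone",),
}

# Constructed sample user record; attribute names are illustrative only.
SAMPLE_USER = {
    "sub": "u-12345",
    "email": "alice@example.org",
    "email_verified": True,
    "display_name": "alice",
    "website": "https://alice.example.org",
    "phone": "+10000000000",
    "credit": 42,        # internal attribute: not covered by any scope, never released
}


class ScopeError(ValueError):
    """Raised when a requested scope is unknown or the grant is not a valid narrowing."""


def validate_scopes(requested, granted):
    """Return the granted scopes as a set.

    Unknown scopes are rejected, and the consent screen may only narrow the
    client's request: a grant that is not a subset of the request is refused."""
    requested, granted = set(requested), set(granted)
    unknown = requested - set(SCOPE_CLAIMS)
    if unknown:
        raise ScopeError(f"unknown scope(s): {sorted(unknown)}")
    if not granted <= requested:
        raise ScopeError("granted scopes must be a subset of the requested scopes")
    return granted


def build_tokens(user, requested, granted, client_id):
    """Produce the claim sets for the access_token and the oidc id_token.

    Only attributes whose scope was granted are copied from the user record;
    everything else (for example internal quota fields) stays out of both tokens.
    Returns (access_claims, id_claims); id_claims is None when 'openid' was not granted."""
    granted = validate_scopes(requested, granted)
    access_claims = {
        "sub": user["sub"],
        "client_id": client_id,
        "scope": " ".join(sorted(granted)),   # resource servers authorize on this string
    }
    if "openid" not in granted:
        return access_claims, None            # no identity token without the openid scope
    id_claims = {"aud": client_id}
    for scope in granted:
        for attr in SCOPE_CLAIMS[scope]:
            if attr in user:                  # optional attributes are simply omitted
                id_claims[attr] = user[attr]
    return access_claims, id_claims


if __name__ == "__main__":
    access, ident = build_tokens(SAMPLE_USER, ["openid", "email", "profile"],
                                 ["openid", "email"], "client-a")
    print("access_token claims:", access)
    print("id_token claims:", ident)
```

The claim dictionaries would then be signed by the OAuth2 Service; signing and token formats are outside this example. Note that `validate_scopes` refuses a grant wider than the request, so a bug in the consent form cannot hand a client more attributes than it asked for.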
Registration
Either handled via the consent UI itself or a dedicated service.
User self-service endpoint
Allows the user to:
- Change password
- Add new email addresses and verify them
- Change primary email
- Add TOTP
- Add oauth2 clients for own projects
- See and modify own profile (firstName, lastName, displayName, address, phone, xmpp, website…)
- See own attributes (credit, quotas, permissions…)
Client registration
Handled via shell scripts for now, will be handled via the user self-service endpoint.
Resource Management
Some resources are required by many projects, and should be easy for users to claim.
VPN
Already implemented: allows the user to create a VPN client. Might be extended to allow users to create their own isolated networks, and invite people to them.
Containers
Will allow users to
- run their own containers on the shared infrastructure
- view the logs
- exec into them
Database
Handled via shell scripts for now. Will allow users to create database access for their own projects, and export the databases.
Storage
Will allow users to create S3-compatible storage for their projects, and access it.