C4 Framework - dennisholee/notes GitHub Wiki
workspace "Authorization Architecture" "An authorization architecture using OPA as a Policy Decision Point." {
// !identifiers hierarchical
model {
// Define People and Systems
consumer = person "Consumer" "A service that requires access to a protected resource."
api_gateway = softwareSystem "API Gateway" "A single entry point that manages, secures, and routes all external API traffic, providing a layer of defense against common web attacks and enforcing traffic policies (WAAP)."
iam = softwareSystem "Identity Access Management System" "Manages authentication and authorization for services."
agora = softwareSystem "AGORA" "A Policy Decision Point (PDP) server responsible for evaluating authorization rules and returning entitlement decisions to enforcement points like the AuthGuard component."
appD = softwareSystem "AppDynamics" "A web interface used by operators to visualize metrics and logs."
extService = softwareSystem "External Service"
backboneService = softwareSystem "Backbone Services"
messageBroker = softwareSystem "Message Broker"
splunk = softwareSystem "Splunk" "A platform for searching, monitoring, and analyzing machine-generated data (logs, metrics, traces) via a web-style interface." {
openTelemetry = container "Open Telemetry Collector"
}
provider = softwareSystem "CDMS Orchestration Service" "Microservice that manages and coordinates the execution flow of complex, multi-step business processes." "Spring Boot, EIP Framework" {
// authz_server = container "Authz Server (PEP)" "The Policy Enforcement Point, a Spring Boot application that intercepts requests and queries OPA." "Spring Boot"
opa_app = container "OPA Application (PDP)" "A custom-built Spring Boot application hosting the OPA engine and policies." "Spring Boot, OPA, Rego"
// Define a placeholder for the actual data store if needed, though OPA often uses in-memory data
policy_store = container "Policy Store" "A database or storage mechanism for policies and potentially cached data." "Git repo/Database"
secretsVault = container "Secrets Vault" "Centralized, secure system for managing, storing, and rotating sensitive data." "HashiCorp Vault"
db = container "EIP Framework Database" "The central data store used by the framework for managing persistent state related to EIP" "Mongo DB" "Database"
app = container "App" {
authGuard = component "AuthGuard Filter" "A policy enforcement point (PEP) that intercepts requests and queries the Agora policy decision point (PDP) server to verify user entitlement before granting access." "HTTP Filter"
springSecurityFilter = component "Authorization Filter" "A servlet filter chain component that intercepts incoming HTTP requests to handle authentication, authorization, and other security concerns." "Spring Security Framework"
openPolicyAgent = component "Open Policy Agent" "A general-purpose policy engine used to offload authorization decisions from application logic via an API."
eipFramework = component "EIP Framework" "A framework for implementing Enterprise Integration Patterns that facilitates messaging." "Spring Integration"
micrometer = component "Micrometer" "An observability facade that provides a vendor-neutral API for instrumenting applications with dimensional metrics." "Micrometer, Spring Actuator"
otelSDK = component "OTel SDK" "An implementation of OpenTelemetry APIs that processes and exports application telemetry data (traces, metrics, logs) to various backends"
clientKit = component "API Client Kit" "A library of standardized client code used to facilitate consistent, resilient communication with external APIs across microservices." "HTTP Client, Resilience4j"
authGuard -> agora "Check entitlement" "HTTPS"
agora -> authGuard "Authorization decision"
authGuard -> eipFramework "Enforce policy based on decision"
eipFramework -> springSecurityFilter "Request macro policy entitlement decision"
springSecurityFilter -> openPolicyAgent "Request macro policy entitlement decision"
openPolicyAgent -> springSecurityFilter "Authorization decision"
springSecurityFilter -> eipFramework "Authorization decision"
eipFramework -> openPolicyAgent "Request flow policy entitlement decision"
openPolicyAgent -> eipFramework "Authorization decision"
eipFramework -> clientKit "Makes request via"
clientKit -> extService "Sends HTTP request to"
extService -> clientKit "Returns response to"
clientKit -> eipFramework "Returns parsed response to"
clientKit -> backboneService "Sends HTTP request to"
backboneService -> clientKit "Returns response to"
eipFramework -> secretsVault "Request secrets"
secretsVault -> eipFramework "Provide secret value to"
eipFramework -> messageBroker
eipFramework -> micrometer "Records metrics"
eipFramework -> splunk "Generates and emits logs to"
eipFramework -> db
micrometer -> otelSDK "Delegates instrumentation via bridge to"
otelSDK -> openTelemetry "Exports telemetry to"
}
app -> appD "Streams telemetry data (metrics, traces, logs) to"
}
// Define Relationships
consumer -> api_gateway "Requests access to protected resources" "HTTPS"
api_gateway -> iam
opa_app -> policy_store "Loads policies and data from" "HTTPS/Internal API"
// policy_store <- "Managed by" consumer "via separate management interface" "HTTPS"
app -> appD
api_gateway -> authGuard
}
views {
// System Context Diagram
systemContext provider "SystemContext" "The system context diagram for the authorization architecture." {
include *
autolayout
}
// Container Diagram
container provider "ContainerDiagram" "The container diagram highlighting the PEP and PDP components." {
include *
autolayout
}
component app {
include *
autolayout
}
// Styles (optional, but good practice)
styles {
element "Person" {
shape Box
background "#0866ff"
color "#ffffff"
}
element "SoftwareSystem" {
background "#1168bd"
color "#ffffff"
}
element "Container" {
background "#438dd5"
color "#ffffff"
}
element "Policy Store" {
shape Cylinder
background "#9a9a9a"
color "#ffffff"
}
element "Database" {
shape cylinder
}
}
}
}