KDI Architecture

KDI Fabric

KDI Fabric is a networking environment comprising distributed nodes securely connected using KDI Framework components. At the core of the KDI Fabric is the KDI Root, the central server responsible for tracking, monitoring and ensuring secure connectivity with multiple KDI Leaf nodes.

KDI Root

KDI Root is a central hub for managing the local KDI Fabric. It holds the collective fabric information: the registered users, connected nodes and their applications, and cloud connections.

Features:

  • Node Management: KDI Root controls node registration within the fabric, providing complete oversight over the KDI Fabric. Whenever a new node attempts to connect to the KDI Root, a provisional request is placed on the KDI Root for the administrator to accept or deny the request to join the KDI Fabric.
  • Secure Communication: KDI Root ensures a secure communication framework within the fabric using KDIS via a token-based authentication mechanism.
  • Granular Authorization Control: With OpenFGA, authorization extends to fine-grained access control in which access grants are derived from the relationships between resources, such as the nodes and the users.
  • KDI Management UI: KDI Root grants access to the web application KDI Management UI, enabling you to manage user credentials, handle provisional requests from leaf nodes, and gain a comprehensive overview of all fabric members.

KDI Root is powered with KDIC, KDIS, KDIU, KDIP, and KDI Management UI.

KDI Leaf

A KDI Leaf is any device on the network equipped with a KDI Controller (KDIC). It can be a PC, test station, or instrument, excluding modular devices. Any device you wish to integrate into your fabric must be configured as a KDI Leaf and connected to the KDI Root to become a fabric member.

Keysight Distributed Infrastructure Controller (KDIC)

KDIC is a fundamental component that operates on both the KDI Root and KDI Leaf nodes for smooth communication within the fabric.

KDI Authentication Service (KDIS)

KDIS is a standalone gateway service for authenticating and authorizing incoming connections to the KDI Root, ensuring secure access to the fabric members. Importantly, authorization extends beyond the local network, enabling the authentication of federated user accounts managed by the Keysight External User Team.

External Authentication Provider - Hydra

Hydra is an open-source Python framework for authentication and authorization. It facilitates OAuth 2.0 token issuance, validation, revocation, and consent handling. By default, Ory Hydra is installed along with KDIS and configured to manage the internal users of the KDI Fabric.

OpenFGA

OpenFGA is an open-source authorization system that provides scalable solutions for implementing fine-grained authorization for diverse applications. OpenFGA relies on Relationship-Based Access Control (ReBAC), a model that defines authorization rules based on object relationships.

The backbone of OpenFGA is its database containing authorization details like resources, users, and their relationships organized in tuples. These relationships may include data ownership, parent-child relationships, groups, and hierarchies. Based on these relationships, ReBAC services govern the authorization decisions. OpenFGA supports various storage options: memory, MySQL, and PostgreSQL.

In KDI, with OpenFGA, you can establish relationships between users and nodes with relationships such as admin, fabric, member, can view, or can edit. KDI Adopters can experiment with ReBAC features by employing APIs to establish relationships between users and nodes, permitting specific users to view designated nodes.
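To make the ReBAC evaluation concrete, the following is an added example, not KDI's or OpenFGA's own code: a minimal in-memory check that mimics how OpenFGA resolves a question like "can this user view this node?" from stored relationship tuples. The model (fabric admin/member, node fabric/can_view/can_edit), the user and node names, and the tuple data are constructed assumptions for illustration.

```python
# Added example: simplified OpenFGA-style ReBAC check over relationship tuples.
# Model, relation names, users, fabrics and nodes below are constructed assumptions.

# Authorization model: object type -> relation -> list of ways it can be satisfied.
#   "direct"               a tuple (user, relation, object) grants it directly
#   ("self", rel)          it is implied by another relation on the same object
#   ("from", rel, via)     it is implied by `rel` on the object reached through `via`
MODEL = {
    "fabric": {
        "admin": ["direct"],
        "member": ["direct", ("self", "admin")],        # a fabric admin is also a member
    },
    "node": {
        "fabric": ["direct"],                            # which fabric the node belongs to
        "can_view": [("from", "member", "fabric")],     # fabric members may view its nodes
        "can_edit": [("from", "admin", "fabric")],      # only fabric admins may edit them
    },
}

# Constructed relationship tuples in (subject, relation, object) form.
TUPLES = {
    ("user:alice", "admin", "fabric:lab1"),
    ("user:bob", "member", "fabric:lab1"),
    ("fabric:lab1", "fabric", "node:teststation-7"),
    ("fabric:lab2", "fabric", "node:scope-3"),
}


def check(user: str, relation: str, obj: str, tuples=TUPLES, depth: int = 0) -> bool:
    """Return True if `user` holds `relation` on `obj` under MODEL; deny by default."""
    if depth > 10:  # guard against cyclic model definitions
        return False
    obj_type = obj.split(":", 1)[0]
    rules = MODEL.get(obj_type, {}).get(relation)
    if rules is None:
        return False  # unknown type or relation: fail closed
    for rule in rules:
        if rule == "direct" and (user, relation, obj) in tuples:
            return True
        if rule != "direct" and rule[0] == "self":
            if check(user, rule[1], obj, tuples, depth + 1):
                return True
        if rule != "direct" and rule[0] == "from":
            _, needed, via = rule
            # follow `via` tuples (e.g. node -> its fabric) and check `needed` there
            for subject, rel, target in tuples:
                if target == obj and rel == via and check(user, needed, subject, tuples, depth + 1):
                    return True
    return False
```

Because every decision walks the stored relationships rather than a per-node ACL, adding a user as a fabric member immediately grants view access to all of that fabric's nodes, while edit access stays limited to admins.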

KDIU and KDIP

KDIU (KDI Updater) and KDIP (KDI Proxy) are essential for the internal functioning of KDI Framework components and are not exposed for external use. They facilitate automated software installations within the KDI Fabric and serve as a secure gateway for authorized internal clients to access server applications within the network.

Database

KDI relies on SQLite for persistent storage on KDI Root. However, for KDIG Cloud, the system utilizes PostgreSQL for its storage requirements.


KDI Gateway

KDI Gateway (KDIG) is a gateway server that enables communication with multiple KDI Fabrics. When a KDI Fabric connects to KDIG, it is assigned a unique Fabric ID. You have the choice to connect your local fabric to KDIG. Connection to KDIG is essential

  • when you need to manage multiple fabrics or
  • utilize Keysight Cloud services that rely on KDIG for access to your local fabric

Global Service

A non-KDI service advertises its connection details in a Global Service Description File residing on the KDI Root, enabling KDI Fabric users to connect directly. Through the global_service_list API, both KDI Clients and KDI Apps can access a list of all global services registered on a KDI Root node, facilitating direct connections to these services.

KDI Client

A KDI Client is an application that connects to the KDI Fabric to securely access information, status, and control features for nodes in the KDI Fabric. KDI offers a /ws endpoint specifically for KDI Clients, enabling them to connect and access the available APIs.