Identity, policy, and tenancy on an isolated listener
Alongside the data plane, UDB ships a network-isolated native control plane defined
under proto/udb/core/** — all proto-driven and Postgres-backed, fail-closed, with no
in-memory stores. Counts are authoritative from the generated descriptor contract.
Everything the platform enforces
| Service | Category | What it does | RPCs |
|---|---|---|---|
| AuthnService | auth | JWT / session / API-key / external auth, RS256 signing + refresh, TOTP MFA, CSRF, OTP, devices, WebAuthn, signing-key rotation, user admin | 50 |
| AuthzService | governance | RBAC + ABAC + ReBAC over a Casbin enforcer, role/policy/relationship CRUD, governance + simulation, audit decisions, GetNativeAccess, GetPolicyBundle | 41 |
| IdentityProviderService | auth | OIDC/SAML providers, SCIM provisioning, JIT, external-identity linking | 27 |
| NotificationService | messaging | Notifications, templates, preferences, delivery stats (emits to Kafka) | 11 |
| ApiKeyService | auth | Create / get / list / update / revoke / validate API keys + usage stats | 9 |
| AssetService | storage | Asset-management pipelines (steps, EMBED → vector upsert), executor trait | 8 |
| AnalyticsService | analytics | Pipeline metrics, executor performance, reconciliation, throughput, SLA compliance | 7 |
| StorageService | storage | Object-storage metadata/lifecycle, quotas, presigned URLs, GC | 7 |
| TenantService | tenant | Tenant + tenant-config CRUD | 6 |
| ControlPlaneService | control | xDS-style versioned policy distribution (ACK/NACK/nonce, ordered delivery, canary rollout) | 5 |
| RoomService · WebRTC | realtime | Room lifecycle CRUD | 5 |
| PeerService · WebRTC | realtime | Peer lifecycle CRUD | 4 |
| TrackService · WebRTC | realtime | Track lifecycle CRUD | 4 |
| TurnService · WebRTC | realtime | TURN credential issuance (fail-closed) | 1 |
| SignalingService · WebRTC | realtime | WebRTC signaling bridge (PixelStreaming + json-relay) | 1 |
Auth that’s native, not bolted on
Authentication
Native JWT (static PEM or JWKS with kid rotation), UDB-issued RS256 access + refresh tokens, Argon2id passwords, RFC 6238 TOTP MFA, server-side sessions with idle/absolute TTL + revocation, CSRF, and mTLS SAN identity. External-provider auth requires a signed, verified JWT before claims are mapped.
Authorization
One engine for RBAC (roles + bindings), ABAC (attribute conditions), and ReBAC (relationship tuples) over Casbin — tenant/project domains, explicit-deny-wins, priority, deterministic decision_id + audit records, and GetNativeAccess for a restricted role + scoped DSN + RLS session vars.
Identity federation
OIDC/JWT provider registry, SAML lifecycle (metadata/login/ACS/replay), SCIM user/group provisioning, JIT, and account linking. External groups map to UDB roles only through configured, audited mappings.
Tenant · notification · analytics
Tenant + config management, notifications with templates/preferences/delivery-stats (Kafka emit), and pipeline/executor/reconciliation/throughput/SLA analytics.
An xDS-style control plane for fleets
Policy and config distribution is modeled on Envoy-style versioned, ACK/NACK, nonce-paired, ordered, delta delivery — for routing policy, method-security, RLS/tenant policy, native-service enablement, and backend targets.
- ✓ ACK/NACK with nonce — a node can reject a bad policy without silently diverging; the last-good version is preserved.
- ✓ Make-before-break ordering — referencing policies are never applied before their target definitions.
- ✓ Progressive rollout — canary by node or tenant with a metric-based success condition and automatic rollback before fleet-wide impact.
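The node-side behaviour the three points above describe, as an added illustrative model rather than UDB's own code: `Policy`, `Node`, `rollout` and the tuple-shaped ACK/NACK replies are assumptions, and the metric-based canary success condition is reduced to "every canary node ACKs".

```python
# Added example (not UDB's code): a minimal model of an xDS-style node that
# pairs ACK/NACK with a nonce, keeps its last-good policy set on rejection,
# and enforces make-before-break ordering. Names here are assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    name: str
    version: int
    refs: tuple = ()  # names of target definitions this policy references


@dataclass
class Node:
    """One fleet node holding the last-good policy set it has ACKed."""
    applied: dict = field(default_factory=dict)
    seen_nonces: set = field(default_factory=set)

    def receive(self, batch, nonce):
        """Stage an ordered delta batch; commit on success, else keep last-good."""
        if nonce in self.seen_nonces:
            return ("NACK", nonce, "nonce already used")
        self.seen_nonces.add(nonce)
        staged = dict(self.applied)
        for p in batch:
            # make-before-break: every target must exist before the referrer lands
            missing = [r for r in p.refs if r not in staged]
            if missing:
                return ("NACK", nonce, f"{p.name} references undefined {missing}")
            if p.name in staged and p.version <= staged[p.name].version:
                return ("NACK", nonce, f"{p.name} v{p.version} is not newer")
            staged[p.name] = p
        self.applied = staged  # atomic swap: a partial batch never becomes visible
        return ("ACK", nonce, "applied")


def rollout(batch, canaries, fleet, nonce):
    """Canary first; push to the rest of the fleet only if every canary ACKs."""
    for n in canaries:
        status, _, detail = n.receive(batch, nonce)
        if status == "NACK":
            return ("ROLLED_BACK", detail)  # canaries still hold last-good
    for n in fleet:
        n.receive(batch, nonce)
    return ("FLEET_APPLIED", None)
```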