Admin Guide
Architecture

The following diagram shows the physical infrastructure of Domino.

Domino runs in a Kubernetes cluster with a standard set of three master (control plane) nodes, a set of worker nodes dedicated to hosting Domino platform services, and a separate set of worker nodes dedicated to hosting user compute workloads. Outside the cluster sit a durable blob storage system and a load balancer that accepts user connections and distributes them to the cluster.

[Diagram: physical infrastructure of Domino]

The Domino application hosts the following major workloads:

  1. Domino Platform

    These components provide user interfaces, the Domino API server, orchestration, metadata and supporting services.

  2. Domino Compute

    This is where users' data science, engineering, and machine learning workflows are executed.

All workloads in the Domino application run as containerized processes, orchestrated by Kubernetes. Kubernetes is an industry-standard container orchestration system. Kubernetes was launched by Google and has broad community and vendor support, including managed offerings from all major cloud providers.

Typically, you will provision and manage your own Kubernetes cluster into which you will install Domino. Domino can advise on best practices for creating and managing Kubernetes clusters. Contact your account executive for more information about deployment options.

Services

Domino services are best understood when arranged into logical layers based on function and communication. A description of the functionality provided by each layer follows.

[Diagram: Domino services arranged in three layers]

Client layer

The client layer contains the Frontend pods that are the targets of a network load balancer. Domino users can access Domino’s core features by connecting to the Frontends through:

  • Web browser, in which case the Frontend serves the Domino application

  • HTTPS request to the Domino API, which the Frontend routes to the API server

  • Domino CLI, which uses the API

The Frontends run on platform nodes.

Service layer

The service layer contains the Domino API server, Dispatcher, Keycloak authentication service, and the metadata services that Domino uses to provide reproducibility and collaboration features.

MongoDB stores application object metadata, Git manages code and file versioning, Elasticsearch powers in-app search, and the Docker registry is used by Domino Environments. Project data, logs, and backups are written to durable blob storage.

All these services run on platform nodes.

The service layer also contains the dedicated master nodes for the Kubernetes cluster.

Execution layer

The execution layer is where Domino will launch and manage ephemeral pods that run user workloads. These can host Jobs, Model APIs, Apps, Workspaces, and Docker image builds.

These run on compute nodes.
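The separation between platform nodes and compute nodes described above is only as strong as the scheduling constraints that enforce it. The following Python script is an added example, not Domino's own code: it reads node and pod listings in the shape that `kubectl get nodes -o json` and `kubectl get pods -A -o json` produce and reports pods that sit on the wrong tier, or that lack a nodeSelector pinning them to their tier (so a reschedule could put a user workload next to platform services). The label key `dominodatalab.com/node-pool` with the values `platform` and `default`, and the namespaces `domino-platform` and `domino-compute`, are assumptions; the node and pod data is constructed inline so the script runs offline.

```python
import json

POOL_LABEL = "dominodatalab.com/node-pool"   # assumed node label key
EXPECTED_POOL = {                             # namespace -> pool it must run on (assumption)
    "domino-platform": "platform",
    "domino-compute": "default",
}

# Constructed listings shaped like `kubectl get nodes -o json` and `kubectl get pods -A -o json`.
NODES_JSON = """
{"items": [
  {"metadata": {"name": "platform-1", "labels": {"dominodatalab.com/node-pool": "platform"}}},
  {"metadata": {"name": "compute-1",  "labels": {"dominodatalab.com/node-pool": "default"}}},
  {"metadata": {"name": "compute-2",  "labels": {}}}
]}
"""
PODS_JSON = """
{"items": [
  {"metadata": {"name": "nucleus-frontend-0", "namespace": "domino-platform"},
   "spec": {"nodeName": "platform-1", "nodeSelector": {"dominodatalab.com/node-pool": "platform"}}},
  {"metadata": {"name": "keycloak-0", "namespace": "domino-platform"},
   "spec": {"nodeName": "compute-1"}},
  {"metadata": {"name": "run-aaa111", "namespace": "domino-compute"},
   "spec": {"nodeName": "compute-1", "nodeSelector": {"dominodatalab.com/node-pool": "default"}}},
  {"metadata": {"name": "run-bbb222", "namespace": "domino-compute"},
   "spec": {"nodeName": "platform-1"}},
  {"metadata": {"name": "run-ccc333", "namespace": "domino-compute"},
   "spec": {"nodeName": "compute-2", "nodeSelector": {"dominodatalab.com/node-pool": "default"}}},
  {"metadata": {"name": "coredns-7d4b", "namespace": "kube-system"},
   "spec": {"nodeName": "platform-1"}}
]}
"""


def node_pools(nodes):
    """Map node name -> pool label value (None when the node carries no pool label)."""
    return {n["metadata"]["name"]: n["metadata"].get("labels", {}).get(POOL_LABEL)
            for n in nodes["items"]}


def audit_placement(nodes, pods):
    """Return (namespace, pod, problem) for every pod that is on, or could drift to, the wrong tier."""
    pools = node_pools(nodes)
    findings = []
    for pod in pods["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        want = EXPECTED_POOL.get(ns)
        if want is None:
            continue                      # not one of the two Domino tiers; out of scope
        spec = pod["spec"]
        node = spec.get("nodeName")       # absent while the pod is still Pending
        got = pools.get(node) if node else None
        if got != want:
            findings.append((ns, name, f"runs on node {node!r} in pool {got!r}, expected {want!r}"))
        # Current placement is not enough: without a selector a reschedule may cross tiers.
        if spec.get("nodeSelector", {}).get(POOL_LABEL) != want:
            findings.append((ns, name, f"no nodeSelector {POOL_LABEL}={want}; a reschedule could cross tiers"))
    return findings


def run_audit():
    """Run the audit over the constructed listings above."""
    return audit_placement(json.loads(NODES_JSON), json.loads(PODS_JSON))


if __name__ == "__main__":
    for ns, name, problem in run_audit():
        print(f"{ns}/{name}: {problem}")
```

Against a live cluster, replace the two embedded strings with the output of the two kubectl commands. A taint on the platform pool with a matching toleration on platform services is the complementary control: the selector keeps platform services off compute nodes, the taint keeps arbitrary user pods off platform nodes.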

Software

The Domino platform runs or depends on the following software components.

Application services

The following primary application services run on platform nodes in the Domino Kubernetes cluster.

  • nginx

    nginx is an open source HTTP and reverse proxy server. Domino uses nginx to serve the Domino web application and as a reverse proxy that routes requests to internal services.

    Learn more about nginx.

  • Domino API server

    The Domino API server exposes the Domino API and handles REST API requests from the web application and from user clients such as the Domino CLI.

  • Domino dispatcher

    The Domino dispatcher handles orchestration of workloads on compute nodes. The dispatcher launches new compute pods, connects results telemetry back to the Domino application, and monitors the health of running workloads.

  • Keycloak

    Keycloak is an enterprise-grade open source authentication service. Domino uses Keycloak to store user identities and properties, and optionally for identity brokering or identity federation to SSO systems and identity providers.

    Keycloak supports the following protocols:

    • SAML v2.0

    • OpenID Connect v1.0

    • OAuth v2.0

    • LDAP(S)

    Learn more about Keycloak.

Supporting services

Metadata, communication, and processing services run on platform nodes.

  • MongoDB

    MongoDB is an open source document database. Domino uses MongoDB to store Domino entities, like projects, users, and organizations. Domino stores the structure of these entities in MongoDB, but underlying data is stored separately in encrypted blob storage.

    Learn more about MongoDB.

  • Git

    Git is a free and open source distributed version control system. Domino uses Git internally for revisioning projects and files. Domino Executors also run Git clients, and they can interact with user-controlled external repositories to access code or data.

    Learn more about Git.

  • Elasticsearch

    Elasticsearch is a distributed, RESTful search and analytics engine. Domino uses Elasticsearch to power user searches for Domino objects like projects, files, and models. Domino also uses Elasticsearch for logging.

    Learn more about Elasticsearch.

  • Docker registry

    The Docker registry is an application used to store and distribute Docker images. Domino uses its registry to store images for Domino environments and Model APIs. These images are built to user specifications on compute nodes.

    Learn more about Docker registry.

  • Fluentd

    Fluentd is an open source application that unifies and processes logging and telemetry data. Domino uses Fluentd to aggregate logs and forward data to durable storage.

    Learn more about Fluentd.

  • Redis

    Redis is an open source in-memory data structure store. Domino uses Redis to cache logs in memory for streaming back to users through the web application.

    Learn more about Redis.

  • RabbitMQ

    RabbitMQ is an open source message broker. Domino uses RabbitMQ as an event bus to asynchronously distribute event messages between Domino services.

    Learn more about RabbitMQ.

  • Postgres

    Postgres is an open source relational database system. Domino uses Postgres as a storage system for Keycloak data on user identities and attributes.

    Learn more about Postgres.

User accounts

Domino uses Keycloak to manage user accounts. Keycloak supports the following modes of authentication to Domino.

Local accounts

When using local accounts, anyone with network access to the Domino application can create a Domino account. Users supply a username, password, and email address on the signup page to create a Domino-managed account. You can track, manage, and deactivate these accounts through the application. Domino can be configured with multi-factor authentication and password requirements through Keycloak. If open self-signup is not wanted, disable user registration in the Keycloak realm so that only administrators can create accounts.

Learn more about Keycloak administration.

Identity federation

Keycloak can be configured to integrate with an Active Directory (AD) or LDAP(S) identity provider (IdP). When identity federation is enabled, local account creation is disabled; Keycloak authenticates users against the identities in the external IdP and retrieves configurable attributes about them, such as the Domino username and email address.

Learn more about Keycloak identity federation.

Identity brokering

Keycloak can be configured to broker authentication between Domino and an external authentication or SSO system. When identity brokering is enabled, Domino redirects users in the authentication flow to a SAML, OAuth, or OIDC service for authentication. After the user authenticates in the external service, they are routed back to Domino with a SAML assertion or OIDC/OAuth token carrying the user's properties; Keycloak validates it before mapping those properties onto a Domino user.

Learn more about Keycloak identity brokering.
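What the broker has to check when the user comes back, as an added Python example that is neither Keycloak's nor Domino's code: before redirecting, the broker mints a `state` (bound to the browser session, which stops login CSRF) and a `nonce` (bound into the ID token, which stops replay); on return it verifies the `state`, then the token signature, `iss`, `aud`, `exp` and `nonce`, and only then trusts the user properties in the token. The issuer, client ID, redirect URI and the user `alice` are assumptions. To stay self-contained the constructed IdP signs with HS256 and a shared secret; a real Keycloak/IdP pair uses RS256 with the IdP's published keys, so the signature step would verify against the IdP's JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idp.example.com/realms/corp"                  # assumed external IdP
CLIENT_ID = "domino-broker"                                     # assumed client registered at that IdP
CLIENT_SECRET = b"constructed-shared-secret"                    # HS256 key for this offline example only
REDIRECT_URI = "https://domino.example.com/auth/broker/corp/endpoint"   # assumed callback URL


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_login():
    """Broker side: mint state (binds the callback to this browser session) and nonce
    (binds the ID token to this login), then build the redirect to the IdP."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid email profile", "state": session["state"], "nonce": session["nonce"]}
    return f"{ISSUER}/protocol/openid-connect/auth?{urlencode(params)}", session


def handle_callback(callback_url, session):
    """Broker side: reject callbacks whose state was not minted for this session (login CSRF)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback not bound to this session")
    return query["code"][0]   # would next be exchanged for tokens at the IdP's token endpoint


def idp_issue_id_token(nonce, sub="alice", email="alice@example.com", lifetime=300):
    """Constructed IdP side: sign an ID token so the example runs offline."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "preferred_username": sub,
              "email": email, "iat": now, "exp": now + lifetime, "nonce": nonce}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def validate_id_token(token, expected_nonce, now=None):
    """Broker side: signature first, then iss/aud/exp/nonce, before any claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, payload, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # the token must not choose its own algorithm
    expected = hmac.new(CLIENT_SECRET, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce")), expected_nonce):
        raise ValueError("nonce mismatch: token not issued for this login")
    # Only now are the user properties safe to map onto a Domino identity.
    return {"sub": claims["sub"], "username": claims["preferred_username"], "email": claims["email"]}


if __name__ == "__main__":
    url, session = start_login()
    handle_callback(f"{REDIRECT_URI}?code=abc123&state={session['state']}", session)
    print(validate_id_token(idp_issue_id_token(session["nonce"]), session["nonce"]))
```

The order of the checks matters: the signature is verified before any claim is read, the algorithm is pinned by the verifier rather than taken from the token header, and the nonce comparison is constant-time. A token that passes every check but was issued for a different login (wrong nonce) is still rejected, which is what stops a captured token from being replayed into another user's session.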

Service mesh

A service mesh provides a transparent, language-independent way to automate application network functions such as traffic routing, load balancing, observability, and encryption. Domino can optionally deploy or integrate with Istio, an open source service mesh; Istio 1.7.2 or later is required. Istio is required to implement intra-cluster encryption in transit (mutual TLS between pods).

Learn more about Istio.
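Installing Istio does not by itself encrypt traffic: mutual TLS is enforced only where the effective PeerAuthentication mode is STRICT, and a namespace-level or workload-level policy can quietly override the mesh-wide default. The following Python functions are an added example, not Domino's or Istio's own code: they resolve the effective mode per workload and port using Istio's precedence rules (port-level override, then workload selector, then namespace, then mesh-wide in the root namespace; UNSET inherits from the level above; PERMISSIVE when nothing applies) and list the ports that still accept plaintext. The policies and workloads are constructed inline; the namespace and workload names are assumptions.

```python
ROOT_NAMESPACE = "istio-system"   # Istio's default root namespace; mesh-wide policies live here
DEFAULT_MODE = "PERMISSIVE"       # Istio's behaviour when no PeerAuthentication applies

# Constructed PeerAuthentication items, shaped like `kubectl get peerauthentication -A -o json`.
POLICIES = [
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},                                  # mesh-wide
    {"metadata": {"name": "legacy", "namespace": "domino-compute"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},                              # namespace exception
    {"metadata": {"name": "runs", "namespace": "domino-compute"},
     "spec": {"selector": {"matchLabels": {"app": "run"}},
              "mtls": {"mode": "STRICT"},
              "portLevelMtls": {"8888": {"mode": "DISABLE"}}}},             # workload + port override
]

# Constructed workloads: namespace, pod labels and the ports they serve (names are assumptions).
WORKLOADS = [
    {"namespace": "domino-platform", "name": "nucleus-frontend",
     "labels": {"app": "nucleus-frontend"}, "ports": [80]},
    {"namespace": "domino-compute", "name": "run-aaa111",
     "labels": {"app": "run"}, "ports": [8888, 8000]},
    {"namespace": "domino-compute", "name": "model-api-x",
     "labels": {"app": "model-api"}, "ports": [8000]},
]


def _mode(spec):
    """Top-level mtls mode of a policy spec; UNSET when the field is absent."""
    return (spec.get("mtls") or {}).get("mode", "UNSET")


def effective_mtls(workload, policies):
    """Return {port: mode} for one workload after applying Istio's precedence rules."""
    ns, labels = workload["namespace"], workload["labels"]
    mesh = ns_level = wl = None
    for policy in policies:
        pns, spec = policy["metadata"]["namespace"], policy["spec"]
        selector = (spec.get("selector") or {}).get("matchLabels")
        if selector:                       # workload-specific: same namespace and labels match
            if pns == ns and all(labels.get(k) == v for k, v in selector.items()):
                wl = spec
        elif pns == ROOT_NAMESPACE:        # no selector in the root namespace: mesh-wide
            mesh = spec
        elif pns == ns:                    # no selector elsewhere: namespace-wide
            ns_level = spec
    resolved = DEFAULT_MODE
    for spec in (mesh, ns_level, wl):      # lowest precedence first; UNSET keeps the inherited value
        if spec is not None and _mode(spec) != "UNSET":
            resolved = _mode(spec)
    result = {}
    for port in workload["ports"]:         # port-level settings exist only on workload policies
        port_cfg = wl.get("portLevelMtls", {}).get(str(port)) if wl else None
        port_mode = (port_cfg or {}).get("mode", "UNSET")
        result[port] = port_mode if port_mode != "UNSET" else resolved
    return result


def find_unencrypted(workloads, policies):
    """List (namespace, workload, port, mode) for every port that still accepts plaintext."""
    return [(w["namespace"], w["name"], port, mode)
            for w in workloads
            for port, mode in effective_mtls(w, policies).items()
            if mode != "STRICT"]


if __name__ == "__main__":
    for ns, name, port, mode in find_unencrypted(WORKLOADS, POLICIES):
        print(f"{ns}/{name}:{port} accepts plaintext (mode {mode})")
```

To run this against a cluster, feed it the items from `kubectl get peerauthentication -A -o json` together with the labels and ports of the pods you care about. In the constructed data the `legacy` namespace policy is exactly the kind of exception that lets a Model API accept plaintext although the mesh default is STRICT, and the port-level DISABLE on the run workload shows that a STRICT workload policy can still leave one port open.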

Copyright © 2022 Domino Data Lab. All rights reserved.