Platform provides the management layer for Mistrive deployments. It handles user authentication, organization hierarchy, project isolation, and access control. All other services integrate with Platform for identity and authorization.

System components

Identity & Access Management

User authentication, role-based access control, and authorization using a Zanzibar-style relationship model.

Organizations

Top-level containers that group projects and define membership boundaries.

Projects

Resource containers within organizations. Each project isolates its own artifact repositories and service accounts.

Service accounts

Machine identities for automation and CI/CD pipelines. Scoped to projects with key-based authentication.

Platform exposes both gRPC and REST APIs. The management UI provides a web interface for common administrative tasks.

Identity and access management

Platform implements a relationship-based access control system inspired by Google Zanzibar. Permissions are defined through relationships between subjects (users, service accounts) and objects (organizations, projects, repositories).

Authentication

Platform supports password-based authentication with secure cookie sessions. Authentication state is managed through HTTP-only cookies with configurable domain and security settings.
Method                Description
Password login        Username/password authentication with session cookies
Service account keys  JWT-based authentication for machine identities

Authorization model

Access control uses a hierarchical role system where higher roles inherit all permissions from lower roles:
owner → editor → viewer → member
The authorization engine evaluates permission checks by traversing relationship tuples stored in FoundationDB. This model supports:
  • Direct grants: User explicitly assigned a role on a resource
  • Inherited grants: Role inherited from a parent resource (organization → project)
  • Computed grants: Role derived from another role (owner implies editor)

Roles

Role           Scope                  Permissions
member         Organization           Basic membership without resource access
viewer         Organization, Project  Read access to resources
editor         Organization, Project  Read and write access to resources
owner          Organization, Project  Full access including IAM management
administrator  Global                 System-wide administrative access

Organization-level roles propagate to all projects within that organization. A user with editor on an organization automatically has editor on all its projects.

Service-specific roles

Artifact Store defines additional roles for fine-grained repository access:
Role                   Permissions
artifact_store_viewer  Pull images and list repositories
artifact_store_editor  Push and pull images
artifact_store_owner   Full repository management including deletion

These roles also follow the inheritance hierarchy and can be granted at organization, project, or repository level.
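An added example, not code from the Platform project: an in-memory relationship store and a check() that resolves the three grant kinds described above (direct tuples, inheritance up the parent chain, and the computed owner → editor → viewer → member and artifact_store_owner → editor → viewer chains) for both role families. The tuple layout, the "parent" relation name, and the sample object and subject names are assumptions.

```python
from collections import deque
# Computed grants: each role implies the next one down, for both role families.
IMPLIES = {"owner": "editor", "editor": "viewer", "viewer": "member",
           "artifact_store_owner": "artifact_store_editor",
           "artifact_store_editor": "artifact_store_viewer"}

def expand(role):
    """All roles a granted role computes to, e.g. owner -> {owner, editor, viewer, member}."""
    roles = {role}
    while role in IMPLIES:
        role = IMPLIES[role]
        roles.add(role)
    return roles

class RelationStore:
    """In-memory stand-in for the (object, relation, subject) tuples kept in FoundationDB.
    The 'parent' relation (an assumed name) links project -> org and repository -> project."""
    def __init__(self):
        self.tuples = set()
    def write(self, obj, relation, subject):
        self.tuples.add((obj, relation, subject))
    def delete(self, obj, relation, subject):
        self.tuples.discard((obj, relation, subject))
    def parents(self, obj):
        return [s for (o, r, s) in self.tuples if o == obj and r == "parent"]
    def direct_roles(self, obj, subject):
        return {r for (o, r, s) in self.tuples if o == obj and s == subject and r != "parent"}

def check(store, subject, role, obj):
    """True if subject holds role on obj via a direct, inherited or computed grant."""
    seen, queue = set(), deque([obj])
    while queue:
        cur = queue.popleft()
        if cur in seen:              # guards against cycles in the parent graph
            continue
        seen.add(cur)
        for granted in store.direct_roles(cur, subject):
            if role in expand(granted):
                return True
        queue.extend(store.parents(cur))   # inherited: walk up to the parent resource
    return False

def sample_store():
    """Constructed sample hierarchy: org:acme > project:billing > repo:billing/api."""
    s = RelationStore()
    s.write("project:billing", "parent", "org:acme")
    s.write("repo:billing/api", "parent", "project:billing")
    s.write("org:acme", "editor", "user:alice")                     # direct grant on the org
    s.write("project:billing", "artifact_store_viewer", "sa:ci-bot")
    return s
```

Note that the Artifact Store roles never compute to platform roles: artifact_store_viewer on a project does not give viewer on that project.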

Organizations

Organizations are the top-level containers in the resource hierarchy. Every project belongs to exactly one organization.

API operations

Operation                 Description
ListOrganizations         List all organizations (requires global admin)
GetOrganization           Retrieve organization details
CreateOrganization        Create a new organization
UpdateOrganization        Modify organization properties
DeleteOrganization        Soft-delete an organization
RestoreOrganization       Restore a deleted organization
AddOrganizationMember     Add a user with a specified role
RemoveOrganizationMember  Remove a user from the organization

Member roles

When adding members to an organization, specify one of the following roles:
Role    Effect
MEMBER  Organization membership with no implicit project access
VIEWER  Viewer access to all projects in the organization
EDITOR  Editor access to all projects in the organization
OWNER   Owner access to all projects in the organization

Projects

Projects provide resource isolation within organizations. Artifact repositories, service accounts, and IAM policies are scoped to individual projects.

API operations

Operation           Description
ListProjects        List projects in an organization
GetProject          Retrieve project details
CreateProject       Create a new project (requires owner on organization)
AddIamRelations     Grant roles to a principal on the project
RemoveIamRelations  Revoke roles from a principal on the project

Project roles

Role                   Description
VIEWER                 Read access to project resources
EDITOR                 Read and write access to project resources
OWNER                  Full access including IAM and deletion
ARTIFACT_STORE_VIEWER  Read access to artifact repositories only
ARTIFACT_STORE_EDITOR  Read and write access to artifact repositories only
ARTIFACT_STORE_OWNER   Full access to artifact repositories only

Service accounts

Service accounts provide machine identities for automation workflows. Each service account belongs to a specific project and authenticates using cryptographic keys.

API operations

Operation                Description
ListServiceAccounts      List service accounts in a project
GetServiceAccount        Retrieve service account details
CreateServiceAccount     Create a new service account
DeleteServiceAccount     Delete a service account
CreateServiceAccountKey  Generate a new authentication key
ListServiceAccountKeys   List keys for a service account
DeleteServiceAccountKey  Revoke an authentication key

Key management

Service account keys are JSON credentials containing:
  • Service account identifier
  • Private key for signing JWTs
  • Token endpoint URI for credential exchange
Keys should be stored securely and rotated periodically. Deleting a key immediately revokes all sessions authenticated with that key.

Authentication flow

  1. Load the JSON key file
  2. Sign a JWT assertion with the private key
  3. Exchange the assertion for an access token at the token endpoint
  4. Include the access token in API requests via the Authorization header
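The token endpoint side of steps 3 and 4, together with the revocation rule from Key management above, as an added example that is not Platform's own code: every access token is bound to the key that minted it and is looked up on each request, so DeleteServiceAccountKey invalidates those tokens immediately rather than at expiry. Signature verification of the JWT assertion is assumed to have been done by a JWT library before exchange() is called, and the class, method and sample names are assumptions.

```python
import secrets
import time

class TokenStore:
    """Models the token endpoint's state (a stand-in for the FoundationDB-backed store):
    which keys are active per service account and which access tokens each key minted."""
    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.ttl = ttl_seconds
        self.active_keys = {}       # key_id -> service_account_id
        self.tokens = {}            # access_token -> (service_account_id, key_id, expires_at)

    def create_key(self, service_account_id):
        """CreateServiceAccountKey: register a new key id (private key generation not modelled)."""
        key_id = secrets.token_hex(8)
        self.active_keys[key_id] = service_account_id
        return key_id

    def exchange(self, key_id, service_account_id):
        """Step 3: mint an access token for an assertion whose signature has already been
        verified. key_id comes from the JWT 'kid' header, service_account_id from 'iss'."""
        if self.active_keys.get(key_id) != service_account_id:
            raise PermissionError("assertion signed with an unknown or revoked key")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (service_account_id, key_id, self.clock() + self.ttl)
        return token

    def authenticate(self, authorization_header):
        """Step 4: resolve 'Authorization: Bearer <token>' to a service account id, else None.
        Checked on every request, so revocation takes effect immediately."""
        scheme, _, token = authorization_header.partition(" ")
        record = self.tokens.get(token)
        if scheme != "Bearer" or record is None:
            return None
        service_account_id, key_id, expires_at = record
        if self.clock() >= expires_at or key_id not in self.active_keys:
            return None
        return service_account_id

    def delete_key(self, key_id):
        """DeleteServiceAccountKey: drop the key and every token it minted."""
        self.active_keys.pop(key_id, None)
        self.tokens = {t: rec for t, rec in self.tokens.items() if rec[1] != key_id}
```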

User administration

Global administrators manage users through the User Admin Service.

API operations

Operation                    Description
ListUsers                    List all users in the system
GetUser                      Retrieve user details
CreateUser                   Create a new user with email and password
UpdateUser                   Modify user properties
UpdateUserPassword           Reset a user’s password
DeleteUser                   Soft-delete a user
RestoreUser                  Restore a deleted user
UpdateIsGlobalAdministrator  Grant or revoke global admin status

User lifecycle

Users are soft-deleted rather than permanently removed. Deleted users:
  • Cannot authenticate
  • Retain their resource assignments (for audit purposes)
  • Can be restored by a global administrator

Management UI

Platform includes a web-based management console built with Next.js. The UI provides:
  • User authentication (login, logout, password change)
  • Organization management (create, list, member administration)
  • Project management (create, list, IAM configuration)
  • Artifact Store integration (repository browsing, image details)
  • Global settings for administrators (user management, organization oversight)
The UI communicates with Platform APIs over REST, with authentication handled through secure cookies.

Quotas

Platform tracks resource usage and enforces limits at organization and project levels.

Quota dimensions

Dimension                Scope         Description
org_count                Global        Total number of organizations
projects_per_org         Organization  Projects within an organization
repos_per_project        Project       Artifact repositories within a project
artifact_bytes           Project       Total storage consumed by artifacts
iam_members_per_project  Project       Users and service accounts in a project

Enforcement

Quota checks occur during resource creation. When a limit is reached, the operation fails with a clear error indicating the exceeded quota and current usage. Administrators can view and adjust quotas through the API or management UI.

Configuration

Variable                   Description                                             Required
ADDRESS                    Bind address for the server                             No (default: 0.0.0.0:12221)
FDB_DIRECTORY              FoundationDB directory path                             No (default: topaz)
ARTIFACT_STORE_DIRECTORY   FoundationDB directory for artifact metadata            No (default: registry)
UI_ADDRESS                 Public URL of the Platform UI                           Yes
PCLIENTS_ADDRESS           Address for OAuth client redirects                      Yes
COOKIE_DOMAIN              Domain for authentication cookies (e.g., .example.com)  Yes
COOKIE_SECURE              Enable Secure flag on cookies                           No (default: true)
SERVICE_ACCOUNT_TOKEN_URI  Token endpoint for service account authentication       No (default: http://localhost:12221/v1/token)
ARES_CLIENT_ADDRESS        Address of the DFS metadata service                     No (default: http://localhost:9182)
DEBUG                      Enable debug logging                                    No (default: false)

Deployment

Requirements

Platform requires:
  • Access to a FoundationDB cluster
  • Network connectivity to DFS for artifact storage operations
  • A configured domain for cookie-based authentication

Initial setup

On first deployment, create an initial administrator:
  1. Start Platform with the required configuration
  2. Navigate to the setup page in the management UI
  3. Create the first user account (automatically granted global administrator)
Subsequent users are created through the User Admin Service or management UI.

High availability

Platform is stateless. Deploy multiple instances behind a load balancer for availability. All instances share the same FoundationDB cluster for consistent state. Session cookies are validated against FoundationDB, so users can authenticate through any instance.