The Unryo Configuration Vault: For Simple, Secure, Real-time, Large-scale Configurations
Ricardo Vallé
April 13, 2021
The Unryo Configuration Vault is a key component of the Unryo monitoring tool stack – and for good reason! With just a few clicks, I can ask all my Unryo Timeseries Collectors to start collecting, say, CPU usage information, about the machines on which they are running. Within seconds, every one of my Collectors has received the new configuration information, and is using it to collect the data I need.
So, what is the Unryo Configuration Vault?
It is a good-looking, intuitive User Interface (UI) that effortlessly centralizes the management of all components on the Unryo platform, and where I get to do all of this! And the icing on the cake – I can rest assured that all my configurations are stored in an encrypted format, and that all my data is completely safe and secure!
Unryo is available as a SaaS solution where we host and manage everything for you. For organizations that want to keep their data on premises, they can opt for our fully-deployable solution in their hybrid cloud environments.
How the Unryo Configuration Vault Works
There are three key players that form part of the Unryo platform’s Connect Console:
-
the Vault ;
-
the Vault Clients ;
-
the Configuration UI.
The Vault's main purpose is to store, safeguard and distribute files to Vault Clients. It also stores and encrypts all configurations, and serves as the communication channel back to collectors.
Vault Clients are Unryo components that have been built in a way to allow them to begin communicating with the Vault as soon as they are deployed. In essence, every few seconds they ask the Vault "what do you have for me?" The Vault checks that the messages it receives are from nodes that are authorized to retrieve information from it. It then retrieves all files that concern the Client that has made the request, and sends them back to the Client. The Client then uses the files as it needs.
The Vault can reside on-prem or in the cloud, providing organizations with great flexibility regarding its use.
The Configuration UI provides a central, unified place for all configuration files, and allows users to manage the Vault. Through the UI, users can add, copy, modify, enable, disable and delete files from the Vault, and associate the files with specific Clients or with groups of Clients. Users also get to see feedback from each Client regarding each file that concerns it. This allows users to detect some types of problems with the files they created from the same UI, in real time. For instance, say, a user creates a configuration file instructing the Unryo Analytics Engine to alert them by email if one of their servers has over 95% hard drive usage. However, the user makes a syntax mistake. No problem! The UI will show an icon indicating there is an issue so they can take action to quickly fix it.
The functionality described above that’s used by the Vault Clients and the Configuration UI is made available by the Vault via a powerful REST API. In fact, there is some more functionality I have not described that’s also available via the Vault's API. This means that the Vault can be plugged with all sorts of other systems, and can handle a great variety of use cases for greater operational flexibility and scalability. Users can interact with the Vault on the command line via shell scripts or via full-fledged programs.
Security in the Configuration Vault
All communication to and from the Vault is encrypted. In fact, all communication between all Unryo components is encrypted! The Vault further rejects requests sent by unauthorized sources. In addition, it only sends information to Clients that are concerned with that information. This means, for example, that your Unryo Analytics Engine will not receive configuration files meant for your Unryo Log Collectors.
But that's not all.
All user-created files are also encrypted on disk in the Vault. And if that weren't enough, they are encrypted in such a way that the Vault cannot decrypt them under normal circumstances. What does this all mean in practical terms?
First, it means that even if someone were to physically steal the hard drive in which the Vault has stored your files, they would get nothing from the files you placed in the Vault.
Extensibility in the Configuration Vault
Unryo provides both the Vault and the Vault Client (1) as standalone components. This means that you can use them in ways that even we have not thought of! For example, if you have developed your own database that’s just perfect for what you do, and you would like to configure it via the Vault, you can!
You can deploy the Vault Client on the same machine as your database, and configure it in such a way that it retrieves and applies the configuration files for your database. Of course, some of the usual Unryo magic won't be present because you will not be using an Unryo component. But this is a small price to pay for this level of extensibility. Isn’t it?
You can also define new labels that you can then use to group your components logically such that... oh wait! Actually I'm not going to get into that here. Who knows, I may explain all this in another article.
For now, congratulations on reading this article all the way through to the end! I guess you're interested huh? :D
Your next favorite IT infrastructure monitoring tool awaits, just one click away!
(1) Note that I am using the term "Vault Client" slightly differently here. There is actually a program that is, properly speaking, the Vault's client. In the rest of this article, I have referred to components we package with the real Vault Client as "Vault Clients".