Atom

Architecture

System design, module structure, and core design decisions.

Atom is a single Rust service backed by one Postgres database. It centralizes identity, credentials, authorization, certificates, and audit history.

System Diagram

In short: applications and operators talk to Atom over HTTP, GraphQL, or gRPC. Atom keeps its normal state in Postgres. Certificate issuer keys are mounted as files and loaded by Atom at startup; they are never stored in the database.

Main Parts

Part                  Job
Identity              Stores entities such as users, devices, services, workloads, and applications.
Credentials           Stores password hashes, API key hashes, and issued certificate records.
Authorization         Answers live access questions using actions, permission blocks, roles, assignments, direct policies, groups, and conditions.
Certificates          Issues certificates, signs CSRs, revokes certificates, serves the CA chain, CRL, and OCSP, and resolves runtime certificate identity.
Audit                 Records important security events without blocking the main request.
API Endpoint Builder  Lets admins expose controlled custom HTTP endpoints backed by Atom GraphQL.

Request Layers

Every request follows the same shape:

Handler -> Service or Engine -> Repository -> Postgres

Handlers deal with HTTP, GraphQL, or gRPC details. Services and engines contain business rules. Repositories run SQL and return domain types.

Online Authorization

Tokens prove identity only. They do not contain permissions.

When a service needs an access decision, it asks Atom at runtime. Atom evaluates the request against the current database state and returns allow or deny. Because no permissions are cached in the token, role changes, revocations, and deny rules take effect on the next request without issuing a new token. The trade-off is that Atom's availability and latency sit on the request path of every authorization check.
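Here is an added example, not Atom's own code, showing both the Handler -> Engine -> Repository layering from Request Layers and the online decision model described above, in Rust with only the standard library. The repository trait is the seam where Atom's real SQL repositories would sit; the in-memory `MemoryRepo`, the type and function names, the "*" resource wildcard, and the deny-overrides-allow rule are assumptions of this example, and groups and conditions from the parts table are left out. The token carries a subject and nothing else, so revoking a role or adding a deny changes the next decision without touching the token.

```rust
use std::collections::{HashMap, HashSet};

/// Atom answers only allow or deny.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Effect { Allow, Deny }

/// One policy statement. A resource of "*" matches any resource (an assumption here).
#[derive(Debug, Clone)]
pub struct Policy {
    pub action: String,
    pub resource: String,
    pub effect: Effect,
}

impl Policy {
    pub fn new(action: &str, resource: &str, effect: Effect) -> Self {
        Policy { action: action.into(), resource: resource.into(), effect }
    }
    fn matches(&self, action: &str, resource: &str) -> bool {
        self.action == action && (self.resource == "*" || self.resource == resource)
    }
}

/// Repository layer: the only layer that knows how state is stored. Atom's real
/// repositories run SQL against Postgres; this trait is the seam the engine uses.
pub trait AuthzRepository {
    fn roles_for(&self, principal: &str) -> Vec<String>;
    fn policies_for_role(&self, role: &str) -> Vec<Policy>;
    fn direct_policies_for(&self, principal: &str) -> Vec<Policy>;
}

/// In-memory stand-in for the database, used here instead of Postgres.
#[derive(Default)]
pub struct MemoryRepo {
    pub assignments: HashMap<String, HashSet<String>>, // principal -> roles
    pub role_policies: HashMap<String, Vec<Policy>>,   // role -> policies
    pub direct: HashMap<String, Vec<Policy>>,          // principal -> direct policies
}

impl AuthzRepository for MemoryRepo {
    fn roles_for(&self, principal: &str) -> Vec<String> {
        self.assignments.get(principal).map(|r| r.iter().cloned().collect()).unwrap_or_default()
    }
    fn policies_for_role(&self, role: &str) -> Vec<Policy> {
        self.role_policies.get(role).cloned().unwrap_or_default()
    }
    fn direct_policies_for(&self, principal: &str) -> Vec<Policy> {
        self.direct.get(principal).cloned().unwrap_or_default()
    }
}

/// Engine layer: business rules. Every decision reads current state, so a role
/// revoked or a deny added a moment ago is honoured on the very next request.
pub struct AuthorizationEngine<R: AuthzRepository> { repo: R }

impl<R: AuthzRepository> AuthorizationEngine<R> {
    pub fn new(repo: R) -> Self { AuthorizationEngine { repo } }
    pub fn repo_mut(&mut self) -> &mut R { &mut self.repo }

    /// Deny overrides allow; no matching statement at all is also a deny.
    pub fn decide(&self, principal: &str, action: &str, resource: &str) -> Effect {
        let mut policies = self.repo.direct_policies_for(principal);
        for role in self.repo.roles_for(principal) {
            policies.extend(self.repo.policies_for_role(&role));
        }
        let mut allowed = false;
        for p in policies.iter().filter(|p| p.matches(action, resource)) {
            match p.effect {
                Effect::Deny => return Effect::Deny,
                Effect::Allow => allowed = true,
            }
        }
        if allowed { Effect::Allow } else { Effect::Deny }
    }
}

/// A token proves identity only: no roles or permissions are baked into it.
pub struct Token { pub subject: String }

/// Handler layer: transport details only. Maps the decision to an HTTP status.
pub fn check_handler<R: AuthzRepository>(engine: &AuthorizationEngine<R>, token: &Token, action: &str, resource: &str) -> u16 {
    match engine.decide(&token.subject, action, resource) {
        Effect::Allow => 200,
        Effect::Deny => 403,
    }
}

fn main() {
    // Constructed state: alice holds "reader", which allows read on any resource.
    let mut repo = MemoryRepo::default();
    repo.role_policies.insert("reader".into(), vec![Policy::new("read", "*", Effect::Allow)]);
    repo.assignments.entry("alice".into()).or_default().insert("reader".into());
    let mut engine = AuthorizationEngine::new(repo);
    let token = Token { subject: "alice".into() };
    println!("read doc:42 -> {}", check_handler(&engine, &token, "read", "doc:42")); // 200
    engine.repo_mut().assignments.remove("alice"); // revoke the role; the token is unchanged
    println!("read doc:42 after revocation -> {}", check_handler(&engine, &token, "read", "doc:42")); // 403
}
```

The point to notice is where state lives: the handler never inspects the token beyond its subject, and the engine asks the repository on every call. Swapping `MemoryRepo` for a Postgres-backed implementation of `AuthzRepository` changes nothing above the repository line, which is what makes the layering testable without a database.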

Certificate Issuer Files

When certificate support is enabled, Atom loads CA material during startup:

  • production: root certificate, intermediate certificate, and intermediate private key;
  • local/dev: root certificate and root private key.

The loaded issuer signs leaf certificates, CRLs, and OCSP responses. Issued leaf certificates are stored as credential rows. Leaf private keys generated by Atom are returned once and never stored.
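An added example, not Atom's own startup code: a Rust function that enforces the file set above for each environment and refuses to start on anything missing or malformed, rather than falling back to a weaker issuer. The file names (`root.crt`, `intermediate.crt`, `intermediate.key`, `root.key`), the PEM-label check and the owner-only permission check are assumptions of this example; it does not parse or verify the certificates, which is the job of the X.509 library behind the loaded issuer. The fixture writer and placeholder PEM bodies exist only so the example runs offline.

```rust
use std::fs;
use std::path::{Path, PathBuf};

/// Which issuer layout Atom expects at startup.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Environment {
    Production, // root cert, intermediate cert, intermediate private key
    Local,      // root cert, root private key
}

/// Validated issuer paths. `chain` is what the CA chain endpoint serves, signer
/// first; `signing_key` signs leaf certificates, CRLs and OCSP responses.
#[derive(Debug, PartialEq, Eq)]
pub struct IssuerFiles {
    pub chain: Vec<PathBuf>,
    pub signing_key: PathBuf,
}

/// Sanity check only: the file exists and its first line is a PEM header with one
/// of the accepted labels. Real X.509 parsing and chain verification happen later.
fn check_pem(path: &Path, accepted: &[&str]) -> Result<(), String> {
    let text = fs::read_to_string(path).map_err(|e| format!("{}: {e}", path.display()))?;
    let first = text.lines().next().unwrap_or("");
    if accepted.iter().any(|l| first == format!("-----BEGIN {l}-----")) {
        Ok(())
    } else {
        Err(format!("{}: expected PEM header for one of {accepted:?}", path.display()))
    }
}

/// Refuse a signing key that group or other can read (unix only).
fn check_key_permissions(path: &Path) -> Result<(), String> {
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        let mode = fs::metadata(path).map_err(|e| e.to_string())?.permissions().mode() & 0o777;
        if mode & 0o077 != 0 {
            return Err(format!("{}: mode {mode:o} is readable by group/other", path.display()));
        }
    }
    Ok(())
}

/// Set 0600 on unix (no-op elsewhere); used to prepare key files in the demo.
pub fn restrict_to_owner(path: &Path) -> std::io::Result<()> {
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        fs::set_permissions(path, fs::Permissions::from_mode(0o600))?;
    }
    Ok(())
}

/// Load the issuer file set for `env` from `dir`. Anything missing or malformed
/// fails startup instead of silently falling back to a weaker issuer.
pub fn load_issuer_files(env: Environment, dir: &Path) -> Result<IssuerFiles, String> {
    const CERT: &[&str] = &["CERTIFICATE"];
    const KEY: &[&str] = &["PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY"];
    let root_cert = dir.join("root.crt"); // file names are assumptions of this example
    check_pem(&root_cert, CERT)?;
    match env {
        Environment::Production => {
            let int_cert = dir.join("intermediate.crt");
            let int_key = dir.join("intermediate.key");
            check_pem(&int_cert, CERT)?;
            check_pem(&int_key, KEY)?;
            check_key_permissions(&int_key)?;
            Ok(IssuerFiles { chain: vec![int_cert, root_cert], signing_key: int_key })
        }
        Environment::Local => {
            let root_key = dir.join("root.key");
            check_pem(&root_key, KEY)?;
            check_key_permissions(&root_key)?;
            Ok(IssuerFiles { chain: vec![root_cert], signing_key: root_key })
        }
    }
}

/// Placeholder PEM bodies (constructed, not real key material) for the demo.
pub const FAKE_CERT: &str = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n";
pub const FAKE_KEY: &str = "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n";

/// Write a constructed issuer directory under the system temp dir.
pub fn write_fixture(name: &str, files: &[(&str, &str)]) -> PathBuf {
    let dir = std::env::temp_dir().join(format!("atom-issuer-{}-{name}", std::process::id()));
    fs::create_dir_all(&dir).expect("create fixture dir");
    for (file, body) in files {
        let path = dir.join(file);
        fs::write(&path, body).expect("write fixture file");
        if file.ends_with(".key") { restrict_to_owner(&path).expect("chmod key"); }
    }
    dir
}

fn main() {
    let dev = write_fixture("dev", &[("root.crt", FAKE_CERT), ("root.key", FAKE_KEY)]);
    println!("local: {:?}", load_issuer_files(Environment::Local, &dev));
    // The same directory in production mode fails: no intermediate material present.
    println!("production: {:?}", load_issuer_files(Environment::Production, &dev));
}
```

Two practical caveats follow from the checks above. A local/dev directory must not satisfy the production layout, so a deployment that mounts the wrong files fails at startup rather than signing production leaves with a root key. And secret mounts are often created group- or world-readable by default; the fix is to tighten the mount's file mode, not to drop the permission check.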

Deployment Shape

Atom is intentionally small:

  • one binary;
  • one Postgres database;
  • optional Next.js UI;
  • optional mounted CA files for certificate issuance;
  • no OpenBao;
  • no separate Magistrala certificate service.
