Building a bastion host with heart: the upgraded edition of the white paper "Guidelines for Building a New Generation of Bastion Hosts" is now available for download!

Editor's note: This article was published as the preface to "Guidelines for Building a New Generation of Bastion Hosts" (JumpServer v3.0 Release Commemorative Edition). Its author is Guang Hongwei, the founder of the JumpServer open source bastion host project. Click the "Read the original text" link at the bottom of the article to download the new edition of the white paper.

"Nine years of building a bastion host with heart"

From June 2014 to June 2023, the JumpServer open source bastion host project has been running for nine years. Our slogan used to be: "Change the world, starting with small things." Over these nine years, we believe our efforts to change the bastion host market have been seen and felt by the public. From a simple operation and maintenance script to an open source project with at least 250,000 cumulative installations and deployments, JumpServer has realized its own value, carried more and more expectations from users, and faced many practical challenges.

JumpServer V2 was released in the sixth year of the project (2020). Within this major version we kept to a monthly release rhythm and shipped 28 versions. In more than two years, the JumpServer R&D team both pushed ahead and made compromises, and during feature iteration it found some unreasonable and redundant product designs. Such a long period of high-speed iteration also meant that some of JumpServer's functional designs were not fully thought through and were very complicated to develop, which made the whole system bloated.

In the ninth year of the project, we need to "subtract" from JumpServer. At the same time, feedback from community users has shown us the actual needs that enterprises of different sizes have for JumpServer. Some functional requirements of large enterprise users are difficult to meet under the technical architecture of JumpServer V2, mainly because of limitations in JumpServer's underlying architecture design.

Driven by the need to reshape the product architecture and by user needs, the JumpServer open source project team decided to start development of JumpServer v3.0 in March 2022 and to rebuild JumpServer's technical architecture under this new version number.

The entire refactoring took nearly a year. On February 27, 2023, JumpServer officially released v3.0. After that, JumpServer released a minor version every month to solve the version upgrade and asset migration problems that users encountered in real environments. A relatively mature and stable new version of JumpServer has now taken shape.

In JumpServer v3.0, we restructured the underlying technical architecture, changed the management model to take into account the actual usage scenarios of users of different sizes and types, and redesigned most usage scenarios around the four dimensions of users, system users, assets, and authorization.

In product design, we followed the principle of working on both the inside and the outside of the product, hoping to further improve the user experience and truly build an open source bastion host with heart. On the inside of the product, we carried out a comprehensive redesign of the core functions. The details are as follows:

■ System users are refactored into accounts, and the middle layer of system users is abandoned

In past versions of JumpServer, system users took on too many responsibilities, and their functionality had become very bloated. System users were originally designed to serve as accounts, with system users created through privileged accounts. This is very convenient when the number of assets is relatively small and most users share the same account password. However, as the scale of JumpServer users and the scope of use continued to expand, this caused a lot of trouble for large and medium-sized enterprises with a large number of IT assets and with security requirements such as different passwords on different assets.

To solve this problem, we separated system users and accounts. When a system user was associated with an asset, an account was generated; one system user could generate different accounts on different assets, and the account list was produced by a table-join computation. This met the needs of users with large-scale IT assets, but in business scenarios with a large amount of computation the account list was prone to errors and failures, so we decided to redesign system users. In JumpServer v3.0, system users are refactored into accounts, and the intermediate layer of system users is abandoned. This means that in JumpServer v3.0 and subsequent versions, the concept of "system user" no longer exists.

■ Asset and application consolidation

At first, the JumpServer design had only assets; applications were added later to support database connections. Because each application may have some fields of its own, we had to add an Application table to distinguish applications from assets. As a result, many back-end relationship tables existed in multiple copies, as they did for assets, and both the database and the APIs became redundant. In JumpServer v3.0, we reduced this complexity by merging assets and applications, referring to both as assets, and by strengthening the responsibilities of the asset platform.

■ Platforms are abstractions and constraints of assets

After the merger of assets and applications, the role of the asset platform is strengthened, so the asset platform also had to be redesigned to constrain assets. The original asset platform essentially served only as a label, but in JumpServer v3.0 the new platform can also customize functions in addition to distinguishing asset types.

In addition, the new platform can flexibly define automation configurations. All automation functions rely on the Ansible automation tool, so we do not need to write additional Python code and can directly select assets and accounts for configuration. This not only improves the system's degree of automation and configuration efficiency, but also reduces our workload to some extent, allowing us to focus more energy on more important functional optimization.

■ Remote applications are at the heart of future expansion

The original RemoteApp remote application was an application category that existed only as one capability of JumpServer. In JumpServer v3.0, we have redesigned remote applications. Remote applications are the core of JumpServer's future expansion and a very important part of the v3.0 refactoring. Our R&D team attaches great importance to this redesign: we made a major update in JumpServer v3.0 and open sourced it to the community. We hope that remote applications can achieve the goal of "everything can be connected" in the future.

In addition, because JumpServer is a tool that enterprise IT departments use frequently, its user experience is also very important. Therefore, alongside the redesign of the internal structure and functions, professional designers also created a new UI design for the operation interface of JumpServer v3. The white design greatly improves the user experience.

June is of special significance to JumpServer. The first line of code for the JumpServer project was written in June 2014, and JumpServer v2.0 was released in June 2020. In June 2021, the JumpServer open source project team wrote the first edition of the white paper "Guidelines for Building a New Generation of Bastion Hosts", using it to review the development history of the bastion host as an IT product category, the challenges and problems it faces in the era of cloud computing, and the ideas and practice of building a new generation of bastion hosts. In the past two years, more than 4,000 community users have downloaded the electronic version of "Guidelines for Building a New Generation of Bastion Hosts", and more than 6,000 copies of the paper version have been delivered to users.

In July 2023, "Guidelines for Building a New Generation of Bastion Hosts" launched a special commemorative edition for the release of JumpServer v3.0. Drawing on feedback from community users over the past two years, in this edition we have further refined our interpretation of what a new generation of bastion hosts means, elaborated on the functional architecture and core advantages of the latest version of JumpServer, and shared the R&D design ideas and functional evolution of JumpServer v3.0. In addition, we have added the latest enterprise application cases, including Tencent Overseas Games, Huolala, and Wanhua Chemical, to help users better promote the adoption of the JumpServer open source bastion host in their enterprises.

Regularly compiling the development history, product capabilities and user cases of the JumpServer open source project into a book has become an important way for us to interact with community users. "Guidelines for Building a New Generation of Bastion Hosts" (JumpServer v3.0 Release Commemorative Edition) puts us at a new starting point. In this season when everything is flourishing, we will work with our many users and customers and make unremitting efforts to "build a bastion host with heart".

Guang Hongwei, founder of the JumpServer open source project

June 2023

Origin blog.csdn.net/FIT2CLOUD/article/details/131786284