
There was a post one day ago, apparently from the creator of Zrok, giving more context on this: https://news.ycombinator.com/item?id=34693988

> In the discussions about v0.2, the (now obvious) idea came up to implement something that we're calling "private sharing". It works a lot like the traditional on-demand reverse proxy, except instead of exposing the private endpoint through a public HTTP listener, it binds the shared resource onto an OpenZiti network, where it can be accessed securely by another zrok client. This "other" zrok client exposes an HTTP listener wherever the user wants... but it's usually put on the loopback interface of that user's system. This allows the user to securely access the shared resource on their system as if it's local, even though it's somewhere else on a zero-trust network.

> As we've started working through the development of v0.3, we've realized that we can incorporate other useful capabilities, like streamlined file sharing (elegant WebDAV integration is coming).

From a quick look, it seems that the self-hostable part (https://github.com/openziti/zrok/blob/main/docs/guides/v0.3_...) is written in Go, and there are SDKs for connecting to it from a variety of languages.

Oracle has an article on the underlying network layer which is called OpenZiti, which defines ZeroTrust:

> Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.

All of this sounds very interesting to me, but I have no experience with these kinds of network stacks. Has anyone here evaluated it?

Would this be useful for adding document sharing to applications I write, for instance, a hypothetical word processor? I mean sharing with other people working on a document. The SDKs seem to be clients, so to interchange files between two applications with an embedded SDK, does it still need a third machine running an API server?



> Would this be useful for adding document sharing to applications I write, for instance, a hypothetical word processor? I mean sharing with other people working on a document. The SDKs seem to be clients, so to interchange files between two applications with an embedded SDK, does it still need a third machine running an API server?

We could certainly incorporate an "embeddable" SDK so that zrok can be incorporated into other applications.

As it currently stands, you would need access to a zrok "service instance" ("cloud"), running the zrok controller (providing API access). But we could certainly look at other kinds of use cases where that control plane is potentially enabled ephemerally or on-demand. I have some ideas for things we might be able to do.

Neither of these is on the immediate roadmap. But if people ask for them, we could certainly build them.



