
D3.2 Final Architecture And Interface

Author: Stein, Felix; Aydin, Mirac
Publisher: Zenodo
DOI: 10.5281/zenodo.17712039
Source: https://zenodo.org/records/17712039/files/D3_2FinalArchitectureAndInterface.pdf
DEVICE-EDGE-CLOUD INTELLIGENT COLLABORATION FRAMEWORK
Grant Agreement: 101092582
D3.2 Final Architecture And Interface
This project has received funding from the European Union's Horizon Europe Research and Innovation Programme under Grant Agreement No 101092582.
Document Information
Deliverable number: D3.2
Deliverable title: Final Architecture And Interface
Deliverable version: 1.0
Work Package number: WP3
Work Package title: Open Framework and Virtual Training Environment
Responsible partner: GWDG
Due date of delivery: 2024-11-30
Actual date of delivery: 2024-11-29
Dissemination level: PU
Type: R
Editor(s): Felix Stein (UGOE), Mirac Aydin (GWDG)
Reviewer(s): Dr. Sachin Nanavati (NAG), Aasish Kumar Sharma (UGOE)
Project name: Device-Edge-Cloud Intelligent Collaboration framEwork
Project acronym: DECICE
Project starting date: 2022-12-01
Project duration: 36 months
Rights: DECICE Consortium
©2022 DECICE Horizon Europe | HORIZON-CL4-2022-DATA-01-02 | 101092582
Document History
Version | Date | Partner | Description
0.1 | 2024-11-22 | UGOE/GWDG | First version of the deliverable
0.2 | 2024-11-25 | NAG/UGOE | Internal review
1.0 | 2024-11-28 | UGOE/GWDG | Feedback implementation and finalization

Acknowledgement: This project has received funding from the European Union's Horizon Europe Research and Innovation Programme under Grant Agreement No 101092582.

Disclaimer: The content of this publication is the sole responsibility of the authors, and in no way represents the view of the European Commission or its services.
Executive Summary

This deliverable provides an overview of the final architecture of the DECICE framework, including its interface and key components. The document gives a detailed explanation of each component, its functionality, and how the components interact with each other. Additionally, the deliverable outlines the API specifications within the framework, providing guidance on how to access the relevant documentation. The security measures implemented within the framework and Kubernetes are also discussed, with a focus on data storage, data transfer, and user management. This includes an examination of the protocols that ensure the secure deployment and integration of the framework with external services. Furthermore, this deliverable provides insight into the deployment process of the DECICE framework, highlighting the steps taken to ensure seamless integration with external services. The document also acknowledges the challenges encountered during the development process and presents a roadmap for future enhancements and improvements.
Contents

1 Purpose and Scope of the Deliverable
2 Abstract / publishable summary
3 Project objectives
4 Changes made and/or difficulties encountered, if any
5 Sustainability
6 Dissemination, Engagement and Uptake of Results
6.1 Target audience
6.2 Record of dissemination/engagement activities linked to this deliverable
6.3 Publications in preparation OR submitted
6.4 Intellectual property rights resulting from this deliverable
7 Detailed report on the deliverable
7.1 Architectural Refinements and Progress
7.2 Overview of System Architecture
7.3 API Specification and Documentation
7.4 Security Measures
7.4.1 DECICE Framework
7.4.2 Kubernetes
7.5 Deployment and Interoperability
7.6 Planned Advancements
8 Summary
A Appendix
A.1 Control Manager
A.1.1 Routes
A.1.2 Route Specification - Example
A.1.3 Schemas
A.2 PromQL Wrapper
A.2.1 Routes
A.3 PSGC
A.3.1 Routes
A.3.2 Schemas
A.4 Digital Twin
A.4.1 Routes
A.5 Scheduler Controller
A.5.1 Routes
A.6 Scheduler
A.6.1 Routes

1 Purpose and Scope of the Deliverable

The primary objective of this deliverable is to provide a comprehensive overview of the finalized architecture of the DECICE framework. Additionally, this document includes detailed explanations of the framework's API specification, related documentation, and implemented security measures. A summary of the framework's deployment is also provided. Furthermore, potential future enhancements to the framework are outlined.

2 Abstract / publishable summary

This deliverable presents the finalization of the DECICE framework's architecture and APIs, which have undergone significant improvements and refactoring since the previous deliverable, D3.1 - Synthetic Test Environment.

To ensure the secure transfer of critical data through the framework's layers, an OAuth2 authentication mechanism has been implemented, enhancing security, user access control, and reliability. Furthermore, the combination of HTTPS, TLS 1.3, and Role-Based Access Control has been employed to secure data transfer. On the Kubernetes side, RBAC, TLS certificates, and hierarchical namespaces have been implemented to facilitate secure communication between pods and to prevent unauthorized access to user data. To facilitate easy deployment, the developed components have been containerized, and Helm Charts have been created for each component. Additionally, GitLab CI/CD pipelines have been utilized to manage the deployment process. The interoperable components of DECICE have enabled seamless integration with external services, such as Prometheus and Grafana. This deliverable also discusses the challenges encountered and outlines future steps, including planned enhancements such as a Software Development Kit (SDK) and a web interface.

The primary outcome of this work is the finalization of the architecture, which enables easy enhancement of the framework in terms of development and deployment. This achievement provides a solid foundation for future development, allowing for more efficient and effective integration of new features.

3 Project objectives

This deliverable contributes directly and indirectly to the achievement of all the macro-objectives and specific goals indicated in section 1.1.1 of the project plan:

Macro-objective | Contribution of this deliverable
(O1) Develop a solution that allows leveraging a compute continuum ranging from cloud and HPC to edge and IoT. | This deliverable provides an overview of the overall DECICE framework architecture, highlighting its efficient management of the hybrid compute continuum.
(O2) Develop a scheduler supporting dynamic load balancing for energy-efficient compute orchestration, improved use of green energy, and automated deployment. | This deliverable demonstrates the integration of the Integrated AI Scheduler with the Production Environment and the Virtual Training Environment (VTE).
(O3) Design and implement an API that increases control over network, computing and data resources. | This deliverable details the development and functionality of the various APIs within the DECICE framework, providing insight into their operational mechanics.
(O4) Design and implement a Dynamic Digital Twin of the system with AI-based prediction capabilities as an integral part of the solution. | This deliverable outlines the deployment processes for integrating the developed components of the DECICE framework into the hybrid compute continuum.
(O5) Demonstrate the usability and benefits of the DECICE solution for real-life use cases. | This deliverable shows the DECICE framework's capabilities in providing a unified management layer for the hybrid compute continuum.
(O6) Design a solution that enables service deployment with a high level of trustworthiness and compliance with relevant security frameworks. | This deliverable describes the security measures and methodologies used within the DECICE framework itself, as well as those securing the hybrid compute continuum.

4 Changes made and/or difficulties encountered, if any

No significant changes to the project plan were made. No significant challenges were encountered during implementation.

5 Sustainability

Design and optimization of components in the project are tightly coupled to multiple WPs such as WP2, WP3 and WP4. Every partner in each work package will communicate their results regularly for an optimal integration of each component into the framework.

6 Dissemination, Engagement and Uptake of Results

6.1 Target audience

As indicated in the Description of the project, the audience for this deliverable is:

✓ The general public (PU)
  The project partners, including the Commission services (PP)
  A group specified by the consortium, including the Commission services (RE)
  This report is confidential, only for members of the consortium, including the Commission services (CO)
6.2 Record of dissemination/engagement activities linked to this deliverable

See Table 1.

Type of dissemination and communication activity | Details | Date and location of the event | Type of audience | Zenodo link | Estimated number of persons reached
None | N/A | N/A | N/A | N/A | 0
Table 1: Record of dissemination / engagement activities linked to this deliverable

6.3 Publications in preparation OR submitted

See Table 2.

In preparation or submitted? | Title | All authors | Title of the periodical or the series | Is/Will open access be provided for this publication?
None | N/A | N/A | N/A | N/A
Table 2: Publications related to this deliverable

6.4 Intellectual property rights resulting from this deliverable

None.
7 Detailed report on the deliverable

This deliverable provides a comprehensive and systematic overview of the finalized architecture and interfaces of the DECICE framework. Since the publication of our last deliverable, significant progress has been made in refining the system's architecture and enhancing its capabilities. These advancements are detailed in the following sections, offering insights into how the system has evolved to address the technical and functional requirements of the project.

The first section begins with a discussion of the architectural refinements and progress achieved since the previous deliverable. This section highlights the most notable changes made to the DECICE system, focusing on improvements that have enhanced the overall design, functionality, and efficiency.

The next section presents a thorough overview of the system architecture, breaking down each component and microservice, explaining their specific roles and how they interact with one another within the framework and training environment to form a cohesive and efficient system architecture.

The subsequent section focuses on the API specification and documentation, detailing the user-facing endpoints that facilitate interaction with the DECICE framework and training environment, as well as the internal routes that enable seamless communication between microservices. The section also discusses the use of the HTTP protocol to implement RESTful services, the adoption of OpenAPI for thorough documentation, and the mechanisms in place for authentication and authorization to ensure secure and reliable user interactions.

The Integration and Interoperability section examines how the DECICE framework integrates with external services, including the compute plane for job submission and computation, as well as monitoring tools like Prometheus and Grafana. It also describes the deployment strategies employed, such as containerization and the use of Kubernetes for orchestrating the framework and compute plane.

Lastly, the report discusses the challenges encountered during development and outlines potential areas for future enhancement. While the architecture has been finalized, ongoing efforts will focus on improving usability, user-friendliness, accessibility, and security in upcoming development sprints.
7.1 Architectural Refinements and Progress

Since the initial architecture outlined in D3.1 - Synthetic Test Environment, significant changes and advancements in terms of architectural refinement have been made in the development of the DECICE framework in order to enhance development speed, scalability and security. One of the most notable advancements is the introduction of a central managing instance for both the virtual training environment (VTE) and the production environment (PE). Since the design and development of the VTE began earlier than the production environment, the VTE was already in a beta state when the development of the actual DECICE framework began. In design workshops within work package 3 (WP3) we realized that the initial design of the VTE fits the requirements of the production environment quite well and only minor adaptions were needed to start the development process. In return, observations we made when writing the production instance led to significant improvements of the VTE which we had not yet taken into consideration. This back-and-forth development cycle ultimately led to a unification of both instances. The VTE controller was encapsulated and refactored into the more general controlling instance, the DECICE Control Manager (CM), and was also integrated into the production framework.

Both CMs now have the same capabilities in terms of user management, job scheduling, telemetry observation and security measures, with only minor differences in route calling for different microservices. One example is the provision of a job or multiple jobs: while the PE allows for job uploading and scheduling on real systems in the heterogeneous compute plane, the VTE allows for

OpenAPI [9] for our documentation, a specification and standard for building, describing, and consuming RESTful APIs. Each service provides routes that can be called to retrieve, send or alter different information, depending on the capabilities and tasks of each service. These operations are HTTP requests (GET, POST, PUT/PATCH for updates, DELETE) sent between services. An example of the documentation is depicted in Figure 3. It shows an excerpt of the Control Manager's routes for handling users; they allow creating and deleting users as well as updating and retrieving user information.

Figure 3: DECICE Control Manager user handling

These routes are part of the broader API spectrum we implemented in the CM and are part of Task T3.2: DECICE API, the DECICE APIs (D-APIs). The D-APIs consist of four key APIs handling job- and user-specific tasks, telemetry tasks, security and the overall control mechanism for the scheduler and the platform as a whole.

• Control & Security (Administrative API): Enables administrators to manage users, configure settings, and issue commands to the underlying platform.
• Login (Authentication Endpoint): Accepts username and password combinations from users, returning a scoped token upon successful login. This process leverages OAuth2 workflows.
• Job Management (Job Submission & Inquiry): Allows authenticated users to submit new jobs or retrieve information about existing jobs, with submission permissions restricted to projects to which they have authorized access.
• Telemetry (Metrics Access): Provides users with telemetry data, filtered according to their permission levels. Metrics can be retrieved via existing API routes that execute PromQL queries on the backend or by directly submitting PromQL queries.

The OpenAPI documentation is useful for developers and users of an SDK alike. It not only provides insight into which routes to call to retrieve specific information, it also states exactly how the request should look and gives an example of a successful and of a bad request. An outlook on how the documentation looks is further depicted in Appendix A.
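The following is an added example (not DECICE's code) of the authorization model the D-API list describes: a login that returns a scoped, time-limited token, a job-submission route that additionally checks project membership, and telemetry/admin routes gated by scope. The token layout (an HMAC-signed claims blob), the scope names and the route names are assumptions made for the example; the page only says the token is "scoped" and issued via OAuth2 workflows.

```python
"""Scoped bearer tokens and per-route authorization, modelled on the D-API
description (Login issues a scoped token; Job Management restricts submission
to authorized projects; Telemetry is filtered by permission). Added example,
not DECICE code: token layout, scope names and routes are assumptions."""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example; a deployment loads it from a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"

# Assumed scope required per route; the page only states tokens are scoped.
ROUTE_SCOPES = {
    "POST /jobs": "jobs:write",
    "GET /jobs": "jobs:read",
    "GET /metrics": "telemetry:read",
    "POST /metrics/query": "telemetry:read",   # direct PromQL submission
    "POST /users": "admin",
    "DELETE /users": "admin",
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, scopes, projects, ttl_seconds=3600, now=None):
    """Return a signed, time-limited token carrying scopes and project list."""
    now = time.time() if now is None else now
    claims = {"sub": username, "scp": sorted(scopes), "prj": sorted(projects),
              "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token, now=None):
    """Return the claims if signature is valid and token unexpired, else None.
    The signature check is constant-time to avoid a timing oracle."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        return None
    return claims


def authorize(token, route, project=None, now=None):
    """Decide whether `token` may call `route`. Job submission additionally
    requires membership in the target project; unknown routes are denied."""
    claims = verify_token(token, now=now)
    if claims is None:
        return False
    needed = ROUTE_SCOPES.get(route)
    if needed is None or needed not in claims["scp"]:
        return False
    if route == "POST /jobs" and project not in claims["prj"]:
        return False
    return True


def demo():
    """Worked run on a constructed developer account; returns the decisions."""
    t0 = 1_700_000_000
    dev = issue_token("alice", ["jobs:write", "jobs:read", "telemetry:read"],
                      ["proj-a"], now=t0)
    results = {
        "submit_own_project": authorize(dev, "POST /jobs", "proj-a", now=t0 + 10),
        "submit_other_project": authorize(dev, "POST /jobs", "proj-b", now=t0 + 10),
        "admin_route_as_dev": authorize(dev, "DELETE /users", now=t0 + 10),
        "expired": authorize(dev, "GET /jobs", now=t0 + 7200),
    }
    # Tampering attempt: add the admin scope to the claims but keep the old signature.
    body, sig = dev.split(".")
    claims = json.loads(_unb64(body))
    claims["scp"].append("admin")
    forged = _b64(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig
    results["forged_admin"] = authorize(forged, "DELETE /users", now=t0 + 10)
    return results


if __name__ == "__main__":
    print(demo())
```

Two points this makes concrete: authorization is decided from the verified claims, never from anything the client sends alongside the token, and the project list travels inside the signed token so the job route does not need a second lookup. Direct PromQL submission is given the same scope as the canned metric routes here; in practice it also needs the per-project label filtering the text mentions, otherwise a raw query bypasses the filter the canned routes apply.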
Product Documentation

Besides the technical documentation of the DECICE framework and its functionalities there is also a product documentation available, which we are also using internally as the team documentation. This has two benefits. It allows new developers to find their way through the development process more quickly and serves as a central point of entry to understand the usage of the system. It is also the foundation for a proper product documentation once the application launches, giving end users the possibility to quickly find their way through the framework. Figure 4 depicts our current product documentation, the DECICE Knowledge Base.

Figure 4: DECICE Knowledge Base

It offers in-depth insights into the architectural documentation, the JSON structures of the job submission process, DB schemas and dependencies necessary for a successful deployment of the whole application, as well as tutorials for setting up and configuring dependencies of the compute plane such as Rook, Ceph or BeeGFS, depending on the storage solution that will be picked. Properly written README files, which users often rely on to get a first idea of how an application works when scrolling through GitHub or GitLab repositories, are also placed in the repository, complementing the user documentation of the DECICE framework.

[9] OpenAPI Specification - https://www.openapis.org/
7.4 Security Measures

In this section, we detail the security measures implemented within the project. These measures are designed to ensure the confidentiality, integrity, and availability of data and resources. The discussion is divided into two key areas: the DECICE Framework, which represents the foundational aspects of the project's architecture, and Kubernetes, the container orchestration platform used to manage workloads and deployments securely.

7.4.1 DECICE Framework

Security measures are critical to ensure the trustworthiness, reliability, and resilience of the DECICE Framework and its operations. In an environment where sensitive data flows through multiple layers - spanning edge devices, cloud platforms, and containerized infrastructures - security safeguards are necessary to protect against unauthorized access, data breaches, and malicious attacks. Without robust security measures, the framework would be vulnerable to threats like data theft, service disruptions, and regulatory non-compliance, which could undermine stakeholder confidence and jeopardize project success. In the development process of the DECICE framework we focused on three critical areas: data transfer, data processing and data storage. Each of these plays a vital role in ensuring the confidentiality, integrity, and availability of the system.

Data Transfer

Securing data transfer is a critical aspect of safeguarding sensitive information as it moves across networks, especially in distributed and interconnected environments. However, several vulnerabilities can compromise the confidentiality, integrity, and authenticity of data in transit. These vulnerabilities include unencrypted transmission, which leaves data exposed to interception; weak protocols that fail to provide adequate protection against evolving cyber threats; insecure APIs that can be exploited to access or tamper with data during transfer; and inadequate endpoint verification, which may allow malicious actors to masquerade as legitimate systems.

These vulnerabilities expose data transfer to significant threats. Man-in-the-middle attacks can intercept and manipulate data in transit, replay attacks can use captured transmissions to gain unauthorized access, and eavesdropping can reveal sensitive information to attackers. Additionally, improperly secured data transfer can fall victim to traffic analysis, where even encrypted traffic is analyzed to infer sensitive details about the communication.

To mitigate these vulnerabilities and address potential threats, we have implemented a robust suite of security measures. All data transfers are secured using HTTPS with TLS 1.3, which provides strong encryption and drops the legacy cipher suites and key exchanges of earlier TLS versions, making the communication between the user and the server running the DECICE framework secure. Additionally, an RBAC system integrated with OAuth 2.0 is employed to ensure that only authenticated and authorized entities can initiate data transfers and access the platform, adding an extra layer of control. To fully use the platform's capabilities, users need to register and set up an account first, providing a strong password during the registration process. To further enhance security, we deploy mutual authentication between endpoints, ensuring that all communication occurs only between verified parties. To ensure continuous protection and rapid response to anomalies, we have integrated extensive logging within the framework, so that the logged information can be collected and displayed using the monitoring capabilities of Grafana. This system collects and visualizes real-time data on data transfer activities, providing detailed insights into the flow of information across the network.
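As an added example (not the project's own configuration), the following standard-library code builds the kind of TLS contexts the paragraph above calls for: TLS 1.3 as the minimum version on both sides, hostname checking on the client (the "inadequate endpoint verification" case), and mutual authentication, where the server refuses any client that does not present a certificate signed by the expected CA. The certificate and CA file paths are placeholders; `weak_points` is a small audit helper that flags the defaults a reviewer would reject.

```python
"""Hardened TLS contexts: TLS 1.3 minimum, mutual authentication, hostname
verification. Added example; file paths are placeholders, not DECICE's."""
import ssl


def server_context(certfile=None, keyfile=None, client_ca=None):
    """Server side: present our certificate, require a client certificate
    signed by `client_ca` (mutual TLS), refuse anything older than TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED          # client must authenticate
    if certfile:                                 # placeholders; load real files in a deployment
        ctx.load_cert_chain(certfile, keyfile)
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)
    return ctx


def client_context(server_ca=None, certfile=None, keyfile=None):
    """Client side: verify the server against `server_ca`, check that the
    certificate matches the hostname, and present our own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True                    # endpoint verification
    if server_ca:
        ctx.load_verify_locations(cafile=server_ca)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def insecure_default_server_context():
    """The 'before' for comparison: a bare server context with library defaults
    (no client certificate required, pre-1.3 protocol versions accepted)."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def weak_points(ctx):
    """Audit helper: return the settings a reviewer would flag on a context."""
    issues = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        issues.append("allows pre-1.3 TLS")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("peer certificate not required")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        issues.append("hostname not checked")
    return issues


if __name__ == "__main__":
    print("hardened server:", weak_points(server_context()))
    print("default server:", weak_points(insecure_default_server_context()))
```

`minimum_version` requires Python 3.7+ on OpenSSL 1.1.1 or later. Note that requiring a client certificate only establishes which machine or service is talking; the per-user authorization described in the D-API section still has to happen on top of the authenticated connection.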
Data Processing

Ensuring the security of data processing is critical, as this stage is vulnerable to several risks that can compromise the integrity and reliability of the system. Key vulnerabilities include untrusted code execution, where data processed with unverified scripts or third-party libraries could introduce malicious behavior, and insufficient input validation, which leaves the system open to injection attacks, such as SQL injection. Additionally, excessive permissions in processes that do not follow the principle of least privilege expose sensitive data unnecessarily, while resource exhaustion vulnerabilities allow attackers to overload system resources through malicious inputs, potentially leading to service disruption.

To mitigate these risks, we have implemented a robust set of best practices. All inputs are thoroughly validated and sanitized before processing, reducing the risk of injection attacks. Only trusted and verified libraries or scripts are used to ensure secure and authenticated code execution. We also use ORM layers that abstract database reads and writes; because they issue parameterized queries, user input can never change the shape of a statement, which prevents the SQL injection that could otherwise let attackers read or modify sensitive data during processing. To enhance isolation and containment, containerization technologies such as Docker are employed, creating environments where processes are isolated from each other, limiting the spread of a potential breach; containers share the host kernel, so this isolation complements rather than replaces the least-privilege and validation controls above. Regular security audits are conducted to identify and eliminate permission creep, ensuring that access and permissions strictly follow the principle of least privilege.
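An added example (not DECICE's code or schema) of the two controls the paragraph pairs, input validation and parameterized database access, on an in-memory SQLite table with constructed rows. `lookup_unsafe` is the deliberately vulnerable form that splices input into the statement; `lookup_safe` binds the value as a parameter, which is what an ORM does underneath; `is_valid_project_name` is the allow-list check applied before the value reaches the database at all.

```python
"""SQL injection: string-built query versus bound parameter, plus allow-list
validation. Added example on an in-memory SQLite table; the table layout and
rows are constructed, not DECICE's schema."""
import re
import sqlite3

# Constructed sample data: one public project, one that must stay hidden.
SEED = [("proj-a", "alice", "public"), ("proj-b", "bob", "restricted")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE projects(name TEXT, owner TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO projects VALUES (?, ?, ?)", SEED)
    return conn


def lookup_unsafe(conn, project_name):
    """Vulnerable on purpose: user input becomes part of the statement text."""
    sql = (f"SELECT name, owner FROM projects WHERE name = '{project_name}' "
           "AND visibility = 'public'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, project_name):
    """Hardened: the driver binds the value, so it can only ever be data."""
    sql = "SELECT name, owner FROM projects WHERE name = ? AND visibility = 'public'"
    return conn.execute(sql, (project_name,)).fetchall()


# Allow-list for project identifiers (assumed naming rule for the example).
PROJECT_NAME = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")


def is_valid_project_name(value):
    """Validation before processing: reject anything outside the allow-list."""
    return isinstance(value, str) and PROJECT_NAME.fullmatch(value) is not None


def demo():
    """Run a classic tautology payload through both lookups."""
    conn = make_db()
    payload = "x' OR 1=1 --"     # comments out the visibility filter in the unsafe form
    return {
        "payload_passes_validation": is_valid_project_name(payload),
        "unsafe_rows": lookup_unsafe(conn, payload),   # leaks the restricted project
        "safe_rows": lookup_safe(conn, payload),       # no project has that literal name
        "normal": lookup_safe(conn, "proj-a"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The unsafe lookup returns both rows, including the restricted project, because `-- ` turns the rest of the statement into a comment; the bound-parameter version returns nothing, and the allow-list rejects the payload before any query runs. Validation and parameterization are independent layers: keep both, since validation rules drift while parameter binding does not.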
Data Storage

Securing data storage is fundamental to protecting sensitive information and ensuring the integrity and availability of the system. However, several vulnerabilities can expose stored data to significant risks. Unencrypted storage leaves data accessible if the medium is compromised, while weak access controls fail to adequately enforce user roles and permissions, increasing the risk of unauthorized access.

To address these vulnerabilities and threats, we implement a multi-layered approach to secure data storage. All data within the framework is stored across different databases. User data is stored in a SQL database, ensuring a clear separation of critical information. Furthermore, user passwords are not stored in plain text but as salted hashes, so a compromise of the database does not directly reveal them. Since SQL databases are not encrypted by default, when rolling out a production deployment of the framework we also need to take care of incorporating encryption at rest to further protect the stored data. For this we are looking into data encryption using AES-256 or other strong encryption algorithms, ensuring that sensitive information remains protected even if the storage medium is compromised. We enforce strict RBAC to regulate permissions and limit access to authorized users only. In cloud environments, robust storage security measures are implemented, including correct configurations, continuous monitoring, and strong identity management practices. In this context we can rely on already proven solutions and implementations like BeeGFS for HPC systems and Ceph or Lustre for cloud storage solutions managed by Kubernetes.
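An added example (not the project's own implementation) of the salted password hashing described above, using PBKDF2-HMAC-SHA256 from the standard library. The record layout, the iteration count and the user names are assumptions. It shows the two properties the text relies on: the stored value cannot be turned back into the password, and two users with the same password end up with different records because each gets its own salt.

```python
"""Salted password hashing and verification. Added example with the standard
library; record format and iteration count are assumptions, not DECICE's."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; tune to the login latency budget


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage.
    A fresh random salt is drawn per call unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant
    time so the comparison itself leaks nothing. Malformed records fail closed."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


def register_and_login_demo():
    """Constructed users sharing one password: the records still differ."""
    pw = "correct horse battery staple"
    users = {"alice": hash_password(pw), "bob": hash_password(pw)}
    return {
        "records_differ": users["alice"] != users["bob"],
        "alice_ok": verify_password(pw, users["alice"]),
        "alice_wrong": verify_password("Correct horse battery staple", users["alice"]),
        "malformed_record": verify_password(pw, "not-a-record"),
    }


if __name__ == "__main__":
    print(register_and_login_demo())
```

Storing the iteration count inside the record lets the work factor be raised later without invalidating existing users: old records keep verifying with their own count and are rewritten on the next successful login. The encryption at rest that the text plans for is a separate layer; it protects the whole database file, but a leaked plaintext-password column would still be readable by anyone who obtains the key, which is why hashing is needed regardless.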
7.4.2 Kubernetes

Within the DECICE framework, Kubernetes serves as the primary orchestration platform, playing a crucial role in managing operations across the compute continuum. This includes deploying jobs and pods, creating Persistent Volumes (PV) for data storage and access, and managing all communications between components. As a result, securing communication between pods and nodes is extremely important. Furthermore, effective user permission management is essential for maintaining data security, protecting data transfer, and preventing unauthorized access and potential security breaches.

Role-Based Access Control (RBAC)

In Kubernetes, RBAC is a key security control to ensure that cluster users and workloads have only the access to resources required to execute their roles. RBAC defines two types of roles: ClusterRoles and Roles. ClusterRoles are used to grant access to cluster-wide resources, while Roles are used to grant access to resources within a namespace, which provides a mechanism for isolating groups of resources within a single cluster. (A ClusterRole can also be bound within a single namespace through a RoleBinding, which is the usual way to reuse one role definition across many namespaces.) By defining roles and binding them to users or service accounts, administrators can restrict access to sensitive resources and ensure that users can only perform actions that are necessary for their tasks.

In DECICE, RBAC is implemented to manage user permissions and maintain data security. For example, a developer role might be granted read-only access to pods, while an administrator role might be granted full access to manage and update pods. This implementation helps to prevent unauthorized access and potential breaches, aligning with the framework's focus on user permissions, data security and secure data transfer.
Transport Layer Security (TLS)

TLS certificates have an important role in securing communication between components, such as pods, services, and the API server. TLS is a cryptographic protocol that encrypts data in transit, ensuring that it remains confidential. In Kubernetes, TLS certificates are used to authenticate and verify the identity of components, preventing impersonation and ensuring that only authorized components can communicate with each other. Kubernetes itself provisions certificates for its control-plane traffic (API server, kubelet, etcd); pod-to-pod traffic is not encrypted by Kubernetes on its own, so between DECICE components it is protected by the HTTPS endpoints of the services themselves, as described in Section 7.4.1.

TLS certificates are essential for maintaining the security and integrity of the hybrid compute plane in DECICE. By using TLS certificates, DECICE ensures that all communication between pods and nodes is encrypted and authenticated, preventing unauthorized access and data breaches. This is particularly important for DECICE, as it handles sensitive data and requires a high level of security to protect it.
Hierarchical Namespaces

Hierarchical Namespaces is a feature that allows administrators to organize and manage resources in a hierarchical structure. It is not part of core Kubernetes but is provided by the Hierarchical Namespace Controller (HNC) add-on maintained under kubernetes-sigs. This feature enables the creation of nested namespaces, where a parent namespace can contain multiple child namespaces. Each namespace can have its own set of resources, such as pods, services, and deployments, and can be managed independently. Hierarchical Namespaces provide a flexible and scalable way to manage complex environments, making it easier to organize and secure resources. This feature is particularly useful in multi-tenant environments, where multiple organizations or departments share the same Kubernetes cluster.

In DECICE, Hierarchical Namespaces provide a powerful way to manage security and access control across the compute continuum. One of the key advantages of Hierarchical Namespaces is that security rules, such as RBAC policies, can be propagated from the parent namespace to child namespaces, ensuring that access controls are consistently enforced across the entire namespace hierarchy. This means that administrators can define a set of security policies at the parent namespace level and have them automatically applied to all child namespaces, reducing the administrative workload and ensuring that security is consistently enforced. Additionally, Hierarchical Namespaces allow DECICE to take advantage of inheritance, where child namespaces inherit resources and policies from their parent namespace, making it easier to manage and scale the environment.
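The following added example serves both the RBAC passage (developer read-only on pods, administrator full access; Roles namespaced, ClusterRoles cluster-wide) and the Hierarchical Namespaces passage (bindings in a parent propagating to every child). It is a small policy evaluator, not Kubernetes' own authorizer or DECICE code: it mirrors the field names of Role/RoleBinding manifests (apiGroups, resources, verbs, subjects, roleRef) so the constructed policies can be checked before they are applied to a cluster. The namespace tree, role names and subjects are assumptions.

```python
"""Evaluator for a constructed Kubernetes-style RBAC policy with HNC-style
propagation from parent to child namespaces. Added example, not Kubernetes'
authorizer; namespaces, roles and subjects are assumed for illustration."""

# Namespace tree: child -> parent (None for the root). Assumed layout.
NAMESPACE_PARENT = {
    "decice": None,
    "decice-proj-a": "decice",
    "decice-proj-b": "decice",
}

# Role rules use the manifest field names. Roles are kept in one table here;
# in a cluster a Role lives in a namespace and a ClusterRole is cluster-wide.
ROLES = {
    # Developer role: read-only on pods (the example from the text).
    ("Role", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
    ],
    # Administrator role: every verb on pods.
    ("ClusterRole", "pod-admin"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]},
    ],
}

# RoleBindings are namespaced: the subject holds the role only in that
# namespace. With HNC, a binding in a parent is copied into its descendants.
ROLE_BINDINGS = [
    {"namespace": "decice", "roleRef": ("ClusterRole", "pod-admin"),
     "subjects": ["admin"]},
    {"namespace": "decice-proj-a", "roleRef": ("Role", "pod-reader"),
     "subjects": ["dev-a"]},
]


def ancestors(namespace):
    """Yield the namespace, then its parent, grandparent, ... up to the root."""
    while namespace is not None:
        yield namespace
        namespace = NAMESPACE_PARENT[namespace]


def _rule_allows(rule, api_group, resource, verb):
    return ((api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (resource in rule["resources"] or "*" in rule["resources"])
            and (verb in rule["verbs"] or "*" in rule["verbs"]))


def can(subject, verb, resource, namespace, api_group="", propagate=True):
    """True if a binding visible in `namespace` grants `verb` on `resource`.
    propagate=True: bindings in ancestor namespaces are inherited (HNC).
    propagate=False: only bindings in the namespace itself count (plain
    Kubernetes without the Hierarchical Namespace Controller)."""
    visible = set(ancestors(namespace)) if propagate else {namespace}
    for binding in ROLE_BINDINGS:
        if binding["namespace"] not in visible or subject not in binding["subjects"]:
            continue
        for rule in ROLES[binding["roleRef"]]:
            if _rule_allows(rule, api_group, resource, verb):
                return True
    return False   # RBAC is deny-by-default: no matching rule means no access


if __name__ == "__main__":
    for args in [("dev-a", "get", "pods", "decice-proj-a"),
                 ("dev-a", "delete", "pods", "decice-proj-a"),
                 ("dev-a", "get", "pods", "decice-proj-b"),
                 ("admin", "delete", "pods", "decice-proj-b")]:
        print(args, can(*args))
```

The developer can read pods only in their own project namespace and cannot delete them anywhere; the administrator bound once at the root can manage pods in every child, which is exactly the reduction in administrative work the text describes. The same run with `propagate=False` shows the flip side: propagation turns one broad binding at the root into access everywhere below it, so bindings at parent level should be kept as narrow as the inheriting children need.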

7.5 Deployment and Interoperability

During the development of the DECICE framework, a microservice architecture was adopted, enabling developers to create services and components independently. These services are then containerized and prepared for deployment on Kubernetes, taking advantage of the platform's built-in scalability and management capabilities. However, manual container deployment is highly inefficient. To address this challenge, the DECICE framework utilizes Helm charts [10], generating template files that facilitate easy deployments on Kubernetes while enabling effortless application version tracking. Additionally, the framework is integrated with GitLab CI/CD pipelines, ensuring a smooth development-to-production workflow and improving overall administration efficiency.

The DECICE framework is designed with interoperability at its core, achieved through specialized components that bridge diverse services, compute planes, and platforms. For example, the PromQL-to-JSON Wrapper connects to external Prometheus instances, pulling metrics without requiring a new Prometheus server installation, thus leveraging existing monitoring infrastructures. Moreover, a dedicated Grafana Helm chart is included for easy deployment and customized dashboard creation for administrators and users. The PSGC further ensures effective communication between the CM and Kubernetes-deployed compute planes, enabling seamless job submissions, resource allocation, command execution, and data uploads by overcoming architectural, implementation, and technological differences.
7.6 Planned Advancements

Although the final architecture of the DECICE framework has been completed, there are still several key components that need to be integrated and refined to ensure smooth functionality.

Firstly, a user-friendly web frontend will be implemented to provide a graphical interface for end-users to interact with the framework. This web frontend will leverage the external-facing APIs offered by the DECICE Control Manager, enabling users to log in, submit jobs, view job status and retrieve metrics. This integration will be particularly beneficial for less experienced users, who will be able to navigate the system through a graphical user interface.

Secondly, a comprehensive Software Development Kit (SDK) will be developed to facilitate the creation of DECICE API clients. By providing libraries and tools, the SDK will enable other developers and organizations to build their own applications and integrate them with DECICE, thereby expanding the framework's capabilities and ecosystem.

Thirdly, the Snakemake [11] workflow management system will be integrated. It is a tool for creating reproducible and scalable data analyses. Workflows are defined using an easy-to-read, adaptable, yet powerful specification language built on top of Python. The main purpose of integrating Snakemake is to enable users to express complex logic in a human-readable and self-contained way, and to scale their workflows on Kubernetes easily.

Lastly, the data upload mechanism will undergo improvements to prevent potential overloads on the DECICE Control Manager and ensure secure data flow within the framework. This optimization will be crucial in maintaining the system's performance and reliability.

In addition to these enhancements, the framework will undergo iterative optimization and refinement without altering its overall architecture until the project's completion. This ongoing improvement process will ensure that the framework remains efficient, scalable, and adaptable to evolving requirements.

[10] Helm - https://helm.sh/
[11] Snakemake - https://snakemake.github.io/
8 Summary

This deliverable presented a comprehensive overview of the finalized architecture and interfaces of the DECICE framework. Significant architectural refinements have been made since the previous deliverable, including the unification of the Control Manager for both the Virtual Training Environment and the Production Environment. This unification enhances development speed, scalability, and security, allowing changes to be reflected automatically across both environments.

We detailed the system architecture, highlighting key components such as the Control Manager, Platform Specific Glue Code, Compute Continuum, Digital Twin, Scheduler Controller, Metric Storage, PromQL-to-JSON Wrapper, and Integrated AI Scheduler. Each component's functionality and interactions were explained to provide a clear understanding of the framework's operations.

The API specifications and documentation were outlined, emphasizing the use of OpenAPI for comprehensive documentation and the implementation of RESTful services over HTTP.

Security measures were discussed in depth, focusing on data transfer, data processing, and data storage. Implementations include OAuth2 authentication, HTTPS, Role-Based Access Control, and best practices like input validation and the principle of least privilege to ensure the framework's trustworthiness and compliance with relevant security frameworks.

Deployment strategies were presented, highlighting the use of containerization, Helm charts, and GitLab CI/CD pipelines for efficient deployment and management of the framework. The interoperability of the DECICE framework with external services like Prometheus and Grafana was also addressed, showcasing seamless integration capabilities.

While the architecture has been finalized, the deliverable acknowledges the challenges encountered and outlines future enhancements. These include the development of a user-friendly web frontend to improve accessibility for end-users, a comprehensive Software Development Kit (SDK) to facilitate the creation of DECICE API clients, the Snakemake integration, and improvements to the data upload mechanism to prevent potential overloads and ensure secure data flow.
A Appendix

A.1 Control Manager
A.1.1 Routes
A.1.2 Route Specification - Example
A.1.3 Schemas

A.2 PromQL Wrapper
A.2.1 Routes

A.3 PSGC
A.3.1 Routes
A.3.2 Schemas