Core concepts
This page provides an introduction to the core concepts for peering that are relevant to Peer Manager.
Peer connections
Once established, you can use peer connections to share data between distinct spaces across two Foundry enrollments. A peer connection's configuration controls the types of data that may peer, the direction the data will peer, and the set of classification and other markings that can peer over the connection.
Data types
Through a peer connection, you can peer Foundry objects, object sets configured in Object Explorer, and Gotham files.
:::callout{theme="neutral"} It is not yet possible to peer other Foundry resources over an established peer connection, such as Workshop applications. However, you can use Marketplace to distribute Workshop applications as well as other Foundry data products. When used together, Marketplace and peering enable you to create real-time collaborative workflows across enrollments. :::
Connection security
A peer connection's security defines the set of security markings that are allowed to peer over the connection.
The classification marking on the peer connection defines the highest classification that is allowed to peer. Resources with Classification-based Access Control (CBAC) markings up to and including the peer connection's CBAC will be allowed to peer.
The markings on a peer connection provide an additional level of access control, as any markings on the resource to peer must be included in the peer connection's security.
Only data which satisfies the peer connection's security requirements may peer using that connection. Review the table below to help you determine how peering security functions in practice.
| Peer connection security | Resource to peer's classification | Resource to peer's additional markings | Will resource peer? |
|---|---|---|---|
| MOCK SECRET with no additional markings | MOCK UNCLASSIFIED | Operational | ❌ No. The Operational marking on the resource to peer is not included on the peer connection. |
| MOCK SECRET with no additional markings | MOCK SECRET | None | ✅ Yes |
| MOCK SECRET with additional markings [Operational, Exercise] | MOCK UNCLASSIFIED | Operational | ✅ Yes |
| MOCK SECRET with additional markings [Operational, Exercise] | MOCK SECRET | None | ✅ Yes |
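The two rules above (classification no higher than the connection's, and every additional marking present on the connection) can be written down as a small admission check. The following is an added example, not Peer Manager's own code or API: it re-runs the four rows of the table and also covers the case the table does not show, a resource whose classification is higher than the connection's. The MOCK classification ladder (`MOCK UNCLASSIFIED < MOCK CONFIDENTIAL < MOCK SECRET`) and the `Security` / `will_peer` names are assumptions made for illustration.

```python
"""Added example (not Peer Manager's own code): a reference check that mirrors
the two connection-security rules, so you can reason about whether a resource
will peer before configuring a connection.

Assumptions (hypothetical, not from the page): a MOCK classification ladder
ordered UNCLASSIFIED < CONFIDENTIAL < SECRET, and markings compared as plain
case-sensitive strings.
"""
from dataclasses import dataclass

# Hypothetical ordering of the mock classifications used in the table;
# a higher index means a higher classification.
MOCK_LADDER = ["MOCK UNCLASSIFIED", "MOCK CONFIDENTIAL", "MOCK SECRET"]


@dataclass(frozen=True)
class Security:
    """Classification plus additional markings, for a connection or a resource."""
    classification: str
    markings: frozenset[str] = frozenset()

    def rank(self) -> int:
        # Unknown classifications are rejected, never silently ranked lowest.
        if self.classification not in MOCK_LADDER:
            raise ValueError(f"unknown classification: {self.classification!r}")
        return MOCK_LADDER.index(self.classification)


def will_peer(connection: Security, resource: Security) -> tuple[bool, str]:
    """Return (decision, reason) by applying the two rules from the page:
    1. the resource's classification must not exceed the connection's;
    2. every additional marking on the resource must be on the connection.
    The first failing rule is reported."""
    if resource.rank() > connection.rank():
        return False, (f"classification {resource.classification} exceeds the "
                       f"connection's {connection.classification}")
    missing = resource.markings - connection.markings
    if missing:
        return False, ("marking(s) not included on the peer connection: "
                       + ", ".join(sorted(missing)))
    return True, "resource satisfies the connection's security"


def table_rows() -> list[tuple[bool, str]]:
    """Re-run the four rows of the table (constructed inputs)."""
    secret_plain = Security("MOCK SECRET")
    secret_ops_ex = Security("MOCK SECRET", frozenset({"Operational", "Exercise"}))
    cases = [
        (secret_plain, Security("MOCK UNCLASSIFIED", frozenset({"Operational"}))),
        (secret_plain, Security("MOCK SECRET")),
        (secret_ops_ex, Security("MOCK UNCLASSIFIED", frozenset({"Operational"}))),
        (secret_ops_ex, Security("MOCK SECRET")),
    ]
    return [will_peer(conn, res) for conn, res in cases]


if __name__ == "__main__":
    for ok, why in table_rows():
        print("✅" if ok else "❌", why)
```

The check is deliberately conservative: an unrecognised classification raises instead of being treated as the lowest level, and the marking test is a strict subset test, so a single marking the connection does not carry is enough to block the resource.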
Peer connection management permissions
Users can only manage a peer connection if they can manage the associated local space.
How your enrollment appears to remote peers
When you peer with another enrollment, users on the remote peer enrollment can identify your enrollment by its platform title configured by an Enrollment administrator in Control Panel. Peer Manager displays the platform title under Remote enrollment in the Peer connections tab alongside the configured peer connections.
:::callout{theme="neutral"} Any enrollment that participates in a peer connection should configure a platform title, ensuring remote peers can clearly identify the enrollment. If you do not set a platform title, then Peer Manager falls back to a potentially less descriptive identifier, such as the space name. :::
In addition to the platform title, Peer Manager also shares your enrollment's medium-sized platform logo with remote peers once it has been configured.
Peering jobs
Peer Manager sends data between spaces via peering jobs. Each job corresponds to a specific data type sent in a particular direction. Peer Manager enumerates all jobs for a given connection in the connection's Overview page.