Altan
HomeDiscordStatus
HomeDiscordStatus
  1. Databases
  • What is Altan?
  • Support Options
  • Projects
    • Create Your First Project
    • App Navigation & Settings
    • Building Tips
    • The Art of Prompting
    • Publishing Your App
    • Rollback and Checkpoints
    • Instantly Resolve Errors
  • Databases
    • Introduction
    • Security
    • Technical Overview
  • AI Agents
    • What is an AI Agent?
    • Create your first AI Agent
    • Tools
    • Interacting with Your AI Agent
    • Technical Overview
    • Altan Frontend SDK
      • Altan Frontend SDK
  • Flows
    • Create your first Flow
    • Automation basics
    • Adding modules
    • Types of modules
    • Passing data
    • Filters
    • Debugging
    • Retrigger events
    • Version History
    • Overwrite connection
    • Task credits
  • Integration
    • Magic Link
    • Altan Integrator
    • Create your integration
  • Authentication
    • Authentication
  • Payments
    • Checkout Session
    • Object Storage
  • Media
    • Media
  • Partner Program
    • Who are our Partners?
    • Partner Program Benefits
    • How to import projects into Altan
    • How to export projects from Altan
    • Work collaboratively
    • How to start on Altan
    • Become an Altan Partner
  • API Reference
    • account
      • Create Account
      • Get Account Gq
      • Get Account Public
      • Get Account Usage
      • Patch Account
      • Delete Account
      • Get Account Users
      • Create Custom Webhook
      • Create Media
      • Create Media From Url
      • Create Multiple Media
      • Create Token
      • Create Agent
      • Upsert Flow
      • Fetch User Account Notifications
      • Create Altaner
      • Get Selected Template Version
      • Get Latest Template Version
      • Get Template Version
      • Invite User
      • Create Interface
      • Get Members
      • Get Account Connections
      • Get Apikey
      • Delete Apikey
    • project
      • Get Altaner
      • Create Project V2
      • Update Altaner
      • Delete Altaner
      • Get Altaner Flows
      • Clone Altaner
      • Update Altaner Positions
      • Create Altaner Component
      • Update Altaner Component
      • Get Altaner Component
      • Atomic Update Altaner Component
      • Delete Altaner Component
      • Duplicate Altaner
      • Create Idea
    • interface
      • Start Dev Server
      • Get Dev Status
      • Send Dev Error To Agent
      • Revise Interface
      • Get Dev Errors
      • Log Error
      • Create Or Overwrite File
      • Update File
      • Create Multiple Files
      • Read File
      • Read Multiple Files
      • Delete File
      • Rename File
      • Update Files Pattern
      • Search In Files
      • Search And Replace
      • Preview Updates
      • Install Libraries
      • List Tree
      • List Tree Json
      • Get Repo Status
      • List Branches
      • Create Branch
      • Delete Branch
      • Switch Branch
      • Clone Repo
      • Merge Branch
      • Commit Changes
      • Get Diff Changes
      • Accept Changes
      • Discard Changes
      • Push Changes
      • Pull Changes
      • Reset Repo
      • Get Repo Log
      • Restore Main
      • Get Public Interface
      • Get Interface By Name
      • Get Interface
      • Update Interface
      • Delete Interface
      • Get Interface Screenshot
      • Update Interface With Ai
      • Publish Interface
      • Vercel Webhook
      • Get Deployment Status
      • Add Collaborator
      • Get Deployment Logs
      • Fix Deployment With Ai
      • Add Domain
      • Get Domains
      • Remove Domain
      • Verify Domain
      • Add Env Variables
      • Get Env Variables
      • Delete Env Variable
      • Sync Env Variables
      • Rollback Deployment
      • Get Commit Details
      • Restore To Commit
    • flows
      • modules
        • Fetch Module
        • Update Flow Module
        • Delete Module
        • Fetch Graph Module
        • Rename Module
        • Update Position In Canvas
        • Update In Edge Filter
        • Update Route Condition Filter
        • Add Condition
        • Get Available Variables For Mappings
      • hooks
        • Get Webhook
        • Update Hook
      • executions
        • Get File Signed Url
        • Stream Execution
      • Fetch Flow Execution
      • Fetch Flow
      • Update Flow
      • Delete Flow
      • Get Latest Execution
      • Fetch Flow Schema
      • Get Flow From Hook
      • Get Flow Hook
      • Fetch Flow Executions
      • Fetch Flow Executions
      • Upsert Flow Module
      • Add Flow Module
      • Create Flow Duplicate
      • Clone Flow Modules
      • Paste Flow Modules
      • Delete Modules
      • Update Edge
    • media
      • Get Media Url
      • Delete Media
      • Get Multiple Media
      • Get 3D Media
      • Delete Model
      • Create 3D Model
    • agents
      • tools
        • Patch Tool
        • Patch Tool
      • authorizaiton requests
        • Create Authorization Request
        • List Authorization Requests
        • Get Authorization Request
        • Delete Authorization Request
        • Reject Authorization Request
      • Get Altan Agents
      • List Voices
      • Get Agent
      • Update Agent
      • Delete Agent
      • Get Agent
      • Create And Add Tool To Agent
      • Remove Tool And Space
      • Get User Agent Dm Room
      • Get Agent Gate
      • Get Agent Member Usage
  1. Databases

Technical Overview

This document provides a detailed technical overview of the Altan Database Service infrastructure, focusing on its architecture, security mechanisms, and scalability features. Altan leverages Google Cloud Platform's AlloyDB for PostgreSQL databases, Kubernetes (GKE) for hosting services and proxies, and open-source PostgREST for client-facing and internal administrative APIs. The system is designed to ensure robust tenant isolation, high availability, and seamless scalability for multi-tenant applications.
Architecture Overview
The Altan Database Service is a modular, cloud-native platform built to manage structured data collaboratively across multiple tenants. The infrastructure is composed of the following core components:
AlloyDB for PostgreSQL: A fully managed, PostgreSQL-compatible database service on Google Cloud Platform (GCP) serves as the backbone for data storage. AlloyDB provides high performance, scalability, and availability, optimized for enterprise-grade workloads.
Kubernetes (GKE): Google Kubernetes Engine (GKE) hosts Altan's services, including client-facing APIs, internal administrative services, and proxies like the AlloyDB Auth Proxy for secure database connections.
PostgREST: Open-source PostgREST is used to expose RESTful APIs for both client-facing interactions and internal operations. Two separate PostgREST instances are deployed: one for client-facing APIs and another for admin operations, ensuring clear separation of concerns.
Row-Level Security (RLS): Altan implements RLS at the database level to enforce fine-grained access control, ensuring tenant data isolation and security.
Core Entities
The Altan Database Service organizes data into five core entities:
Databases (Bases): Top-level containers for tables, with access control, collaboration features, and API integration.
Tables: Structured collections of records with metadata, versioning, and customizable views.
Fields: Define table schemas with data types, validation rules, and relationships (e.g., one-to-one, one-to-many).
Records: Rows storing actual data, managed via PostgreSQL with full CRUD support.
Views: Customizable interfaces (e.g., grid, calendar, kanban) for displaying and interacting with data.
Security Mechanisms
Security is a cornerstone of Altan's infrastructure, with a focus on tenant isolation, data protection, and secure access control. The following mechanisms ensure robust security:
1.
Tenant Isolation with Row-Level Security (RLS)
Altan is designed as a multi-tenant platform, where multiple workspaces or clients share the same infrastructure while maintaining strict data isolation. This is achieved through:
PostgreSQL Schemas per Tenant: Each tenant (workspace or client) is assigned a dedicated PostgreSQL schema within the AlloyDB cluster. This logical separation ensures that tenant data is isolated at the database level.
Row-Level Security (RLS): RLS policies are applied to every table within a tenant’s schema. These policies restrict access to rows based on the authenticated user’s identity, extracted from a signed JSON Web Token (JWT). For example:CREATE POLICY tenant_isolation
ON tasks
FOR ALL
USING (account_id = current_setting('app.account_id')::uuid);
This policy ensures that users can only access rows where the account_id matches their authenticated identity, preventing cross-tenant data leakage.
Zero-Trust by Default: If no RLS policy is defined for a table, PostgreSQL denies all row access, ensuring that misconfigurations do not compromise security.
Immutable Access Control: RLS is enforced at the database level, meaning it applies regardless of how data is accessed (e.g., via PostgREST APIs, direct SQL, or AI agents). This eliminates reliance on application-layer logic for security.
JWT Integration: Altan uses JWTs for authentication, tightly coupled with RLS. The JWT contains user metadata (e.g., account_id, user_id, or role), which is injected into the database session via current_setting. This ensures that sessions cannot be spoofed or escalated.
2.
Dedicated Instances for Critical Workloads
For tenants requiring enhanced isolation or performance, Altan supports dedicated AlloyDB instances:
Dedicated Instances: High-sensitivity or high-throughput tenants can be provisioned on dedicated AlloyDB instances within the same GKE cluster. This ensures complete physical separation from other tenants’ data, reducing the risk of resource contention or accidental data exposure.
Private VPC Connectivity: Each AlloyDB instance is accessible only through a private IP within the tenant’s Virtual Private Cloud (VPC). The AlloyDB Auth Proxy, running as a sidecar container in GKE, facilitates secure connections using Google Cloud Identity and Access Management (IAM) for authentication. This eliminates the need for public IP exposure, enhancing security.
Encryption: AlloyDB encrypts data at rest using AES256 or AES128 with Google-managed or customer-managed keys (via Google’s Key Management Service). Data in transit is secured with TLS, ensuring end-to-end encryption.
3.
PostgREST Security
Altan uses two separate PostgREST instances to enforce a clear separation of concerns:
Client-Facing PostgREST: Exposes RESTful APIs for end-user interactions, such as querying records or submitting forms. These APIs are restricted to tenant-specific schemas and enforce RLS policies, ensuring that users only access their own data.
Admin PostgREST: Used for internal operations (e.g., schema migrations, backup management, or system monitoring). Admin APIs are accessible only to elevated roles (e.g., alloydb_admin) and are isolated within a private network segment in GKE.
Role-Based Access Control (RBAC): PostgREST integrates with PostgreSQL’s role system, where each API request is executed under a specific database role. For example, client requests use a restricted api_user role, while admin requests use a privileged admin_user role, further enforcing access boundaries.
4.
Auditability and Monitoring
Audit Logs: All database operations, including those bypassing RLS (e.g., by admin users), are logged and auditable via Google Cloud’s audit logging system. This ensures traceability for compliance and debugging.
Monitoring: GKE and AlloyDB integrate with Google Cloud Monitoring to track performance metrics, query latencies, and potential security anomalies (e.g., unusual access patterns). Alerts are configured to notify administrators of suspicious activity.
5.
Additional Security Features
IAM Integration: AlloyDB and GKE leverage Google Cloud IAM for role-based access control, allowing fine-grained permissions for database and cluster management.
Network Security: GKE clusters are deployed within a single VPC, with network policies restricting traffic to authorized services. Firewall rules and private service connections further secure communication between GKE and AlloyDB.
Compliance: Altan’s infrastructure adheres to standards like GDPR, HIPAA, and SOC2, facilitated by AlloyDB’s compliance certifications and Aiven’s managed AlloyDB Omni offerings.
Scalability Features
Altan’s infrastructure is designed to handle varying workloads, from small-scale applications to enterprise-grade systems, with seamless scalability:
1.
AlloyDB’s Disaggregated Architecture
AlloyDB’s separation of compute and storage enables independent scaling, critical for handling dynamic workloads:
Compute Scaling: Altan can scale compute resources (nodes and instances) up or down based on query demands without reprovisioning storage. For example, during traffic spikes (e.g., e-commerce holiday seasons), additional read-only nodes can be added to handle increased read traffic, with no impact on availability.
Storage Scaling: AlloyDB’s distributed storage layer automatically scales as data grows, leveraging Google’s cloud-based file system optimized for PostgreSQL. This eliminates manual storage provisioning and ensures low-latency I/O.
Read Replicas: AlloyDB supports up to 20 read replicas per cluster, allowing Altan to scale read-heavy workloads horizontally. These replicas share the same storage layer, reducing costs and ensuring data consistency.
2.
Kubernetes (GKE) Scalability
GKE provides a robust platform for hosting Altan’s services and proxies, with built-in scalability features:
Horizontal Pod Autoscaling (HPA): GKE automatically scales PostgREST and AlloyDB Auth Proxy pods based on CPU/memory usage or custom metrics (e.g., request rate). This ensures that client-facing APIs remain responsive during traffic spikes.
Cluster Autoscaler: GKE dynamically adjusts the number of nodes in the cluster to meet resource demands, ensuring efficient resource utilization for both client and admin services.
Multi-Zone Deployment: Altan’s GKE clusters span multiple availability zones within a GCP region, providing high availability and fault tolerance. AlloyDB’s regional storage layer complements this by replicating data across zones, ensuring durability even in case of zonal failures.
3.
PostgREST Scalability
Stateless Design: PostgREST is stateless, allowing Altan to deploy multiple instances behind a load balancer to handle increased API traffic. This is particularly effective for client-facing APIs, which experience variable request volumes.
Query Optimization: PostgREST translates RESTful requests into efficient SQL queries, leveraging AlloyDB’s query planner and columnar engine for fast execution, especially for analytical workloads.
Batching Support: Altan’s APIs support batch operations for creating or updating multiple records/tables, reducing round-trip latency and improving throughput for high-volume workloads.
4.
Workload-Specific Optimizations
Dynamic Sharding: AlloyDB’s storage layer dynamically reassigns shards to dedicated Log Processing Service (LPS) instances during workload spikes (e.g., sudden popularity of a dataset). This ensures high performance without manual intervention.
Columnar Engine: For analytical queries, AlloyDB’s in-memory columnar engine accelerates processing by up to 100x compared to standard PostgreSQL, making Altan suitable for hybrid transactional/analytical (HTAP) workloads.
Caching: AlloyDB’s ultra-fast cache, combined with machine learning-driven data tiering, minimizes latency for frequently accessed data, enhancing performance for both transactional and analytical queries.
5.
Cross-Region Replication
For disaster recovery and global scalability, Altan supports cross-region replication:
Secondary Clusters: AlloyDB asynchronously streams data from a primary cluster to secondary clusters in different GCP regions. These can be promoted to primary clusters in case of regional outages, ensuring business continuity.
Global Accessibility: Client-facing PostgREST instances can be deployed across multiple regions, with traffic routed via Google Cloud’s global load balancer to minimize latency for geographically distributed users.
Integration with AI and Automation
Altan’s infrastructure is optimized for AI-driven automation:
Vertex AI Integration: AlloyDB’s integration with Google Cloud’s Vertex AI allows Altan to execute machine learning models directly within SQL queries, enabling AI agents to process tenant-specific data securely (e.g., analyzing leads or personalizing workflows).
RLS for AI Agents: AI agents querying Altan databases are subject to the same RLS policies as human users, ensuring that automated workflows respect tenant isolation.
Scalable AI Workloads: AlloyDB’s vector search capabilities and high-performance analytics support AI-powered applications, such as real-time recommendation systems or anomaly detection, without compromising scalability.
Conclusion
Altan’s database infrastructure, built on AlloyDB, GKE, and PostgREST, delivers a secure, scalable, and flexible platform for multi-tenant applications. By leveraging RLS and dedicated instances, Altan ensures robust tenant isolation and data security. Its disaggregated architecture, combined with Kubernetes’ autoscaling and AlloyDB’s dynamic sharding, enables seamless scalability for diverse workloads. Whether supporting collaborative data management, AI-driven automation, or high-throughput transactional systems, Altan provides a reliable and efficient foundation for modern applications.
Happy building with Altan! 🚀
Modified at 2025-08-03 21:15:54
Previous
Security
Next
What is an AI Agent?
Built with