Glossary
Definitions of terms used in Cirata Symphony documentation.
Account : A NATS account that represents a user in Symphony. Each user gets a cryptographically isolated account with its own keys, JetStream storage, and subject permissions.
Account JWT : A cryptographic token signed by the Symphony operator that defines a NATS account's identity, imports, and resource limits. Part of the JWT chain.
API Key : A credential that grants programmatic access to Symphony. Each API key includes a bearer token (for HTTP), a NATS JWT (for messaging), and a set of capabilities defining allowed operations.
Attribution Rule : A persistent policy that automatically assigns usage records to a business unit based on extension and account patterns. Rules use specificity scoring to select the best match when multiple rules apply. See Business Units & Attribution.
Bootstrap Mode : The initial state when RBAC is configured but no administrator has been designated. In bootstrap mode, all authenticated users have admin access. Exit bootstrap mode by configuring admin_group or admin_subject.
Bucket : A NATS JetStream key-value store used by Symphony and extensions for persistent data storage. Examples include api_keys, accounts, and extension-specific data buckets.
Business Unit : An organizational group (department, team, cost centre) to which usage can be attributed for chargeback and cost allocation. See Business Units & Attribution.
Capability : A subject-level permission defined on an API key. Capabilities specify which NATS subjects the key holder can publish to or subscribe from.
Catalog : In the context of Ice Flow (Iceberg replication), a metadata service that tracks Iceberg tables. Catalogs manage table schemas, partitions, and snapshots.
Chargeback : The process of aggregating attributed usage by business unit and generating cost allocation reports for internal billing. See Cost Attribution.
Control Plane : The Symphony server component that handles authentication, extension registration, API routing, and NATS account management. Extensions connect to the control plane to operate.
Deployment Key : A unique cryptographic identifier derived from each Symphony deployment's operator keypair. Included in licenses to prevent license reuse across deployments.
Dimension : A named measurement reported by an extension for usage tracking (e.g., tables_replicated, bytes_transferred_gb). Dimensions are converted to units using rates defined in the active license.
Enforcement State : The current license capacity status: OK, Warning, or Unlicensed. Determines whether extensions can operate normally or are disabled due to exhausted capacity. Includes per-extension lists indicating which extensions are in a grace period (grace_extensions) and which are disabled (disabled_extensions).
Extension : A program that connects to Symphony to provide additional functionality. Extensions can add UI pages, microservice endpoints, menu items, widgets, metrics, and storage. They can be written in Python, Java, Go, or Rust.
Grace Period : A vendor-defined duration (grace_period_days) after licensed units are exhausted or the license expiry date passes, during which covered extensions continue to operate with a Warning status before enforcement is applied.
Groups Claim : An OIDC token claim (typically named groups) containing the user's group memberships from the identity provider. Used by Symphony for RBAC role assignment. See OIDC Configuration.
Heartbeat : A periodic status update published by extensions every 30 seconds to indicate health and connectivity. Used for real-time status tracking in the UI. See Status.
Identity Provider (IdP) : An external service (Keycloak, Okta, Azure AD, Google Workspace) that authenticates users and provides OIDC tokens for Symphony.
JetStream : The NATS persistence layer used by Symphony for key-value stores, streams, and object storage. JetStream provides at-least-once delivery and data durability.
JWT (JSON Web Token) : A signed token used in Symphony's security model. The JWT chain includes operator JWTs, account JWTs, and user JWTs, each level constraining the permissions of the next.
Log Capture : The mechanism that bridges extension logging frameworks (Python logging, Go slog, Java Logback) into the OTLP log format for centralized collection by the Observability Extension.
Menu : A navigation entry in the Symphony UI sidebar. Extensions can register menu items to provide quick access to their pages.
Metrics : OTLP (OpenTelemetry) measurements emitted by the platform and extensions. The Observability Extension collects metrics over NATS and can export them to backends such as Prometheus, Grafana, or InfluxDB.
Microservice : A NATS-based service endpoint provided by an extension. Microservices use the NATS micro protocol for request-reply communication with automatic load balancing.
MIME Type : A content type identifier that determines how a resource is rendered in the Symphony UI. Types include text/symphony-jsx (transpiled React), text/symphony-module (importable shared code), text/html+htmx (HTMX shell with auth and theme), text/html+symphony (sandboxed HTML with platform access), text/html (sandboxed HTML), text/html;profile=mcp-app (MCP app), and text/markdown (rendered documentation).
Monitor : In the context of Ice Flow, a process that watches for changes in an Iceberg catalog and triggers replication when new data arrives.
NATS : The messaging system embedded in Symphony. NATS provides publish-subscribe messaging, request-reply patterns, and JetStream persistence.
OpenID Connect (OIDC) : A standardized authentication protocol used by Symphony for user authentication. Provides integration with external identity providers such as Keycloak, Okta, and Azure AD. See OIDC Configuration.
Operator JWT : The root of trust in the NATS security hierarchy. The operator signs account JWTs and defines the trust boundary for the Symphony instance.
OTLP (OpenTelemetry Protocol) : A standardized protocol for collecting and exporting metrics, logs, and traces. Used by Symphony's Observability Extension to collect telemetry from extensions over NATS and export to external backends. See Observability.
Page : A React/TypeScript component provided by an extension that is transpiled and rendered in the Symphony UI. Pages are associated with routes.
PKCE (Proof Key for Code Exchange) : A security extension to the OAuth 2.0 authorization code flow used by Symphony's OIDC implementation to prevent authorization code interception attacks.
Prefix : The unique identifier for an extension, used in NATS subjects (e.g., cirata.extensions.<prefix>.>) and URL routes.
RBAC (Role-Based Access Control) : An optional security layer that maps OIDC group claims to Symphony roles, providing centralized permission management. See Role-Based Access Control.
Replication : In the context of Ice Flow, the process of copying data and metadata from a source to a target, maintaining consistency and supporting incremental updates.
Resource : A piece of content registered by an extension with Symphony, such as a UI page (ui://), help documentation (help://), or widget (widget://). The MIME type of the resource determines how it is rendered.
Role : A named set of subject permissions and extension visibility rules. Roles define the maximum capabilities that users assigned to the role can request in their API keys.
Route : A URL path in the Symphony UI that maps to a page. Extensions register routes to make their pages accessible.
Scope : In the NATS subject hierarchy, the part of a subject that determines which accounts or operations it relates to (e.g., cirata.extensions.myext.> scopes to a specific extension). In the context of Ice Flow, a scope is a named filter that selects which Iceberg tables to include in a replication or monitor, using table name patterns or regular expressions.
Service : A NATS microservice endpoint exposed by an extension. Services can be discovered dynamically and are accessible through NATS messaging or proxied through the REST API.
Service Discovery : The NATS mechanism for dynamically discovering available extensions and their services without manual configuration.
Session Idle Timeout : A configurable duration (default 30 minutes) of user inactivity after which the OIDC session expires and re-authentication is required.
Soft Quota : An advisory usage limit (in units) for a business unit. Not enforced, but provides a reference point for tracking expected consumption against actual usage.
Span : An individual unit of work in a distributed trace, representing the timing and causal relationships of operations. Spans are organized hierarchically with parent-child relationships.
Subject : A NATS messaging address used for publish-subscribe and request-reply communication. Subjects use . as a separator and support * (single token) and > (multi-token) wildcards.
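The wildcard rules above decide which subjects a Capability pattern on an API key actually covers, so it is worth seeing them worked through. The following matcher is an added example, not code from the Symphony project; the subject names and the sample capability list are constructed for illustration.

```python
"""Added example (not part of the Symphony documentation or codebase):
a matcher for NATS subject patterns using the '.' separator and the
'*' (one token) and '>' (one or more trailing tokens) wildcards, applied
to the question "does this API key capability cover this subject?".
"""


def subject_matches(pattern: str, subject: str) -> bool:
    """Return True if `subject` matches `pattern` under NATS wildcard rules.

    '*' matches exactly one token. '>' matches one or more trailing tokens
    and is only valid as the final token of the pattern.
    """
    ptoks = pattern.split(".")
    stoks = subject.split(".")
    # Empty tokens (e.g. "a..b" or a trailing ".") are not valid subjects.
    if any(t == "" for t in ptoks) or any(t == "" for t in stoks):
        return False
    for i, ptok in enumerate(ptoks):
        if ptok == ">":
            # Must be the last pattern token and consume at least one token,
            # so "cirata.extensions.myext.>" does NOT match the bare prefix.
            return i == len(ptoks) - 1 and len(stoks) > i
        if i >= len(stoks):
            return False  # subject is shorter than the pattern
        if ptok != "*" and ptok != stoks[i]:
            return False  # literal token mismatch
    # No '>' seen: token counts must line up exactly.
    return len(stoks) == len(ptoks)


def capability_allows(capabilities: list[str], subject: str) -> bool:
    """True if any capability pattern on an API key covers `subject`."""
    return any(subject_matches(p, subject) for p in capabilities)


# Constructed sample: a key scoped to one extension prefix (see Prefix)
# plus a single-token status wildcard.
SAMPLE_CAPABILITIES = ["cirata.extensions.myext.>", "cirata.status.*"]
```

A capability of the form cirata.extensions.<prefix>.> therefore reaches every subject below that extension but not the prefix itself, and a * never spans more than one token.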
Symphony Bridge : The JavaScript library injected into text/html+symphony resources that provides platform API access via the window.symphony object using postMessage. See HTML + Symphony Bridge.
SymphonyContext : A React Context object providing access to NATS messaging, KV storage, navigation, and platform information in text/symphony-jsx resources. See Symphony JSX.
Telemetry : Metrics, logs, and traces emitted by Symphony and extensions using the OpenTelemetry standard for observability. See Observability.
Tenant Isolation : The security mechanism that isolates users from each other through separate NATS accounts, preventing unauthorized access to other users' data and resources. See Security Model.
Token : The bearer token portion of an API key, used in the Authorization: Bearer <token> HTTP header for REST API authentication.
Trace Context : W3C standard metadata (trace ID, span ID, flags) propagated across service boundaries to correlate related operations in distributed systems.
Unit : The standardized measure of licensed capacity. Raw dimension measurements (e.g., tables replicated, bytes transferred) are converted to units using rates defined in the active license.
User JWT : A cryptographic token signed by an account's key that defines an individual user's or API key's permissions. Embedded in API key credentials as part of the JWT chain.
Warehouse : In the context of Ice Flow (Iceberg replication), a storage location for Iceberg table data files (Parquet, ORC, Avro).
Widget : A UI component provided by an extension for use on the Symphony dashboard. Users can arrange widgets to create a customized dashboard view.