Nobody thinks of directory services like LDAP or Active Directory as fonts of innovation. But to Amazon, they are a starting point for building an entirely new option.
A new public offering from Amazon called Cloud Directory aims to take the ho-hum idea behind a directory service—a hierarchical database—and endow it with features that are useful to a wider range of applications.
Move fast, change things—but don’t break them
Cloud Directory is essentially a hierarchical database designed to allow the data stored inside to be seen via multiple hierarchies. Amazon cites as an example a company org chart that can be navigated by multiple criteria, such as by geography or reporting structure.
Many of Cloud Directory’s behaviors are designed around the idea that multiple applications need to work elegantly with a given database. Cloud Directory’s schema is extensible, in the manner of a NoSQL database. But applications can define private schema extensions, so any attributes they add aren’t seen by other apps and won’t unintentionally gum up their works.
The same kind of behavior applies to policies on Cloud Directory databases, which can be set on a per-application basis. One potential drawback is that policies aren’t interpreted by Cloud Directory itself; rather, it “provides a framework for your application to evaluate policy assignments,” according to Amazon.
Amazon says this is a boon, claiming it makes possible “[defining] inheritance rules for your policies without granting Cloud Directory visibility into your security or permissions model.”
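To make concrete what it means for the application, rather than the directory, to evaluate policy assignments, here is an added example (not from the article or from AWS): an application receives the policies attached along an object's paths and works out the object's effective permissions itself. The response shape (a list of paths, each with PolicyId/ObjectIdentifier/PolicyType entries), the root-first ordering, the policy documents and the combination rules are all assumptions constructed for the example.

```python
"""Application-side evaluation of policy assignments in a multi-hierarchy directory.

The directory only reports WHICH policies are attached along each path to an
object; what a policy means, how a child overrides a parent, and how two
hierarchies are reconciled is entirely the application's decision.
"""
from typing import Dict, List, Optional

# Constructed policy documents keyed by PolicyId. The directory stores these as
# opaque attributes; this action -> "allow"/"deny" format is our own choice.
POLICY_DOCUMENTS: Dict[str, Dict[str, str]] = {
    "pol-org-default": {"read": "allow", "write": "deny", "delete": "deny"},
    "pol-eu-privacy": {"export": "deny"},
    "pol-team-editors": {"write": "allow"},
}

# Constructed lookup result for the object "alice", reachable through two
# hierarchies (geography and team). Assumed shape: one entry per path, with
# the policies attached to nodes along that path listed root first.
LOOKUP_RESULT: List[dict] = [
    {"Path": "/org/eu/sales/alice",
     "Policies": [
         {"PolicyId": "pol-org-default", "ObjectIdentifier": "org", "PolicyType": "access"},
         {"PolicyId": "pol-eu-privacy", "ObjectIdentifier": "eu", "PolicyType": "access"}]},
    {"Path": "/org/teams/editors/alice",
     "Policies": [
         {"PolicyId": "pol-org-default", "ObjectIdentifier": "org", "PolicyType": "access"},
         {"PolicyId": "pol-team-editors", "ObjectIdentifier": "editors", "PolicyType": "access"}]},
]


def effective_for_path(path_entry: dict) -> Dict[str, str]:
    """Inheritance rule within one path: a policy nearer the object overrides an ancestor's verdict."""
    effective: Dict[str, str] = {}
    for attachment in path_entry["Policies"]:
        if attachment["PolicyType"] != "access":  # ignore policy types we do not interpret
            continue
        effective.update(POLICY_DOCUMENTS.get(attachment["PolicyId"], {}))
    return effective


def evaluate(lookup_result: List[dict], action: str) -> str:
    """Reconcile the hierarchies conservatively: any explicit deny wins, then any allow, else deny."""
    verdicts: List[Optional[str]] = [effective_for_path(p).get(action) for p in lookup_result]
    if "deny" in verdicts:
        return "deny"
    return "allow" if "allow" in verdicts else "deny"


if __name__ == "__main__":
    for act in ("read", "write", "export", "publish"):
        print(f"alice {act}: {evaluate(LOOKUP_RESULT, act)}")
```

Note that "write" is denied even though the team hierarchy allows it: the org-level deny inherited through the geography path wins under the conservative rule, which is exactly the kind of reconciliation the directory leaves to the application.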
According to a company blog post, Cloud Directory has already been used to power other Amazon services like AWS Organizations. “Because it plays such a crucial role within AWS, it was designed with scalability, high availability, and security in mind (data is encrypted at rest and while in transit),” the blog post states.
In addition to those three attributes, future-proofing is another aspect of Cloud Directory that Amazon singles out in its post. Changes to the database’s schema can be made nondestructively and confined to a particular application, and schemas can be tagged as mutable or immutable to separate in-development ones from those published and in use.
Directory services in the cloud have generally offered hosted instances of LDAP or Active Directory, as featured by both Microsoft Azure and Amazon Web Services. But Cloud Directory takes a slightly different tack. Rather than simply offer a spiced-up version of an existing directory service, Amazon is offering a “building block”—its own words—for use in supporting new applications.
Amazon Cloud Directory is still in its early stages, and many features are still missing. There doesn’t appear to be direct integration with other, more conventional directories, except perhaps via the API or by manually syncing data via JSON. Another valuable feature, integration with AWS CloudFormation, also has yet to be announced.