Brazz-Nossel is IronBucket's precision-forged S3-compatible proxy service, built with Spring Cloud Gateway. It channels object storage traffic with identity awareness, policy-governed enforcement, and full audit traceability—one stream at a time.
Yes, we know it’s spelled “nozzle.” But this one’s special.
- Receive S3-compatible requests (`GET /bucket/key`, `PUT`, `DELETE`, etc.)
- Extract identity context from Sentinel-Gear via OIDC/JWT claims
- Enforce Git-governed policies by consulting the Policy Engine
- Route valid requests to S3 backends like MinIO, Ceph, or AWS S3
- Emit structured audit logs for every access decision
| Layer | Tooling |
|---|---|
| Proxy Core | Spring Cloud Gateway (WebFlux) |
| Auth Context | OIDC tokens passed from upstream |
| Policy Calls | REST to policy-engine module |
| S3 Routing | AWS SDK v2 + dynamic targets |
| Audit Logs | Structured JSON via SLF4J |
To run Brazz-Nossel locally:
```bash
cd brazz-nossel
./gradlew bootRun
```
Prerequisites:
- Sentinel-Gear running (handles OIDC login)
- Policy Engine accessible
- Upstream S3-compatible backend (e.g., MinIO)
- Sample policy repo loaded via Steel-Hammer
Secure by default.
Observable in every step.
Pluggable beyond buckets.
Brazz-Nossel may start with S3, but it's designed to govern any object-like data flow—backed by Git, shaped by policy, and enforced by identity.
- Dry-run mode: Simulate policy evaluation without forwarding
- Multi-target support: Dynamically route based on bucket origin
- Native metrics: Per-identity request counters and latencies
- Deny templates: JSON explanations for all rejections
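
The request flow from the responsibilities list (identity, policy check, routing decision, audit record), combined with dry-run mode and JSON deny explanations, sketched as an added example that is not IronBucket's own code. The method-to-action map, the policy rule shape, the reason strings and the `handle`/`evaluate` names are assumptions, and Python is used instead of the project's Java so the sketch runs without Spring.

```python
import json

# Assumed mapping from HTTP method to S3 action name (object-level requests only).
ACTIONS = {"GET": "s3:GetObject", "PUT": "s3:PutObject", "DELETE": "s3:DeleteObject"}

# Constructed sample policy: explicit allow rules, everything else is denied.
SAMPLE_POLICY = [
    {"sub": "alice", "actions": {"s3:GetObject", "s3:PutObject"},
     "bucket": "reports", "prefix": "2024/"},
]

def evaluate(policy, sub, action, bucket, key):
    """Hypothetical stand-in for the Policy Engine call: allow only on an explicit match."""
    for rule in policy:
        if (rule["sub"] == sub and action in rule["actions"]
                and rule["bucket"] == bucket and key.startswith(rule["prefix"])):
            return True
    return False

def handle(method, path, claims, policy, dry_run=False, policy_call=evaluate):
    """Return (forward, audit_json) for one request; every branch yields an audit record."""
    bucket, _, key = path.lstrip("/").partition("/")
    action = ACTIONS.get(method.upper())
    sub = (claims or {}).get("sub")
    if not sub:
        decision, reason = "deny", "missing_identity"
    elif action is None or not bucket or not key:
        decision, reason = "deny", "unsupported_request"
    else:
        try:
            allowed = policy_call(policy, sub, action, bucket, key)
            decision, reason = ("allow", "policy_match") if allowed else ("deny", "no_matching_rule")
        except Exception:
            # Fail closed: a policy engine outage must never turn into an allow.
            decision, reason = "deny", "policy_engine_error"
    # The audit record doubles as the JSON explanation returned on a rejection.
    audit = {"sub": sub, "action": action, "bucket": bucket, "key": key,
             "decision": decision, "reason": reason, "dry_run": dry_run}
    forward = decision == "allow" and not dry_run  # dry-run evaluates but never forwards
    return forward, json.dumps(audit, sort_keys=True)
```
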
Part of the IronBucket Project:
- 🛠 Infrastructure: `steel-hammer/`
- 🛡 Gateway: `sentinel-gear/`
- 🔩 Proxy: `brazz-nossel/`
- 🧠 Policy Engine: `policy-engine/`