generated from coulomb/repo-seed
Workplan sketch out and statehub registration
This commit is contained in:
128
workplans/FLEX-WP-0004-delegated-pdp-and-directory-adapters.md
Normal file
128
workplans/FLEX-WP-0004-delegated-pdp-and-directory-adapters.md
Normal file
@@ -0,0 +1,128 @@
|
||||
---
|
||||
id: FLEX-WP-0004
|
||||
type: workplan
|
||||
title: "Delegated PDP and Directory Adapters"
|
||||
domain: netkingdom
|
||||
status: todo
|
||||
owner: flex-auth
|
||||
topic_slug: flex-auth
|
||||
planning_priority: P2
|
||||
planning_order: 40
|
||||
depends_on_workplans:
|
||||
- FLEX-WP-0002
|
||||
related_workplans:
|
||||
- FLEX-WP-0003
|
||||
created: "2026-05-04"
|
||||
updated: "2026-05-04"
|
||||
state_hub_workstream_id: "99a82976-d376-42b0-89cc-c44e01c0bec6"
|
||||
---
|
||||
|
||||
# FLEX-WP-0004: Delegated PDP and Directory Adapters
|
||||
|
||||
## Purpose
|
||||
|
||||
Let flex-auth coordinate established authorization and directory systems while
|
||||
remaining the stable control plane for protected systems.
|
||||
|
||||
The standalone core must work first. This workplan adds delegated backends and
|
||||
provider examples after flex-auth's own request, decision, registry, and audit
|
||||
vocabulary are stable.
|
||||
|
||||
## P4.1 - Evaluate Topaz as MVP delegated backend
|
||||
|
||||
```task
|
||||
id: FLEX-WP-0004-T001
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "9046418c-2b78-42c6-8bfa-76d6ed0050dd"
|
||||
```
|
||||
|
||||
Evaluate Topaz because it combines a local directory, relation modeling, and
|
||||
OPA/Rego policy evaluation.
|
||||
|
||||
Output: spike notes, mapping examples, pros/cons, and recommendation.
|
||||
|
||||
## P4.2 - Add relationship PDP adapter boundary
|
||||
|
||||
```task
|
||||
id: FLEX-WP-0004-T002
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "b77a0b70-b492-46ba-badf-8c2eebe006aa"
|
||||
```
|
||||
|
||||
Define and implement adapter contracts for OpenFGA and SpiceDB-style checks:
|
||||
|
||||
- tuple/resource mapping
|
||||
- inherited access
|
||||
- batch/list operations
|
||||
- consistency metadata
|
||||
- error and stale-data diagnostics
|
||||
|
||||
## P4.3 - Add rule PDP adapter boundary
|
||||
|
||||
```task
|
||||
id: FLEX-WP-0004-T003
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "4e4e5e45-c05a-4a31-8126-f0c7676b1e6c"
|
||||
```
|
||||
|
||||
Define and implement adapter contracts for OPA/Rego and Cedar-style policies:
|
||||
|
||||
- principal/action/resource/context mapping
|
||||
- policy package versioning
|
||||
- test fixtures
|
||||
- obligations and diagnostics
|
||||
|
||||
## P4.4 - Add Keycloak Authorization Services adapter path
|
||||
|
||||
```task
|
||||
id: FLEX-WP-0004-T004
|
||||
status: todo
|
||||
priority: medium
|
||||
state_hub_task_id: "8d3bbc28-985b-4dd7-9fb8-f9a858eb5a6b"
|
||||
```
|
||||
|
||||
Document and spike Keycloak Authorization Services integration for
|
||||
Keycloak-centric deployments without making Keycloak the only resource-policy
|
||||
source of truth.
|
||||
|
||||
## P4.5 - Add Entra/Graph and SCIM group resolver adapters
|
||||
|
||||
```task
|
||||
id: FLEX-WP-0004-T005
|
||||
status: todo
|
||||
priority: medium
|
||||
state_hub_task_id: "4fc3fb91-8763-453e-8e54-36178cb11efd"
|
||||
```
|
||||
|
||||
Implement directory group resolver patterns for:
|
||||
|
||||
- Microsoft Graph group overage
|
||||
- SCIM provisioning
|
||||
- LDAP/AD
|
||||
- Keycloak admin API
|
||||
|
||||
Each resolver must expose freshness, source, and overage metadata.
|
||||
|
||||
## P4.6 - Add delegated-mode operations docs
|
||||
|
||||
```task
|
||||
id: FLEX-WP-0004-T006
|
||||
status: todo
|
||||
priority: medium
|
||||
state_hub_task_id: "491260f9-b4d7-46fe-8220-d358597db33a"
|
||||
```
|
||||
|
||||
Document deployment, failure modes, caching, fail-closed/fail-open policy,
|
||||
consistency, and audit behavior for delegated backends.
|
||||
|
||||
## Exit Criteria
|
||||
|
||||
- flex-auth can delegate decisions to at least one external PDP in a controlled
|
||||
adapter shape.
|
||||
- Directory group freshness and overage are explicit.
|
||||
- Backend changes do not alter the protected-system-facing flex-auth API.
|
||||
- Topaz/OpenFGA/OPA/Cedar/Keycloak/Entra tradeoffs are documented with
|
||||
practical guidance.
|
||||
Reference in New Issue
Block a user