Add security architecture pattern infospace

This commit is contained in:
2026-05-19 07:12:07 +02:00
parent 3ca891de4a
commit 5bb4b40b86
81 changed files with 6836 additions and 0 deletions

View File

@@ -0,0 +1,76 @@
# Pattern: Dynamic Secrets
Status: draft
Readiness target: RL3 production
Primary owners: Railiance platform, OpenBao
## Problem
Static service credentials accumulate, drift from ownership, and remain
useful after compromise.
## Context
Use this pattern for databases, object stores, message brokers, internal
APIs, and operator workflows where credentials can be issued with a
lease and revoked after use.
## Forces
- Consumers need credentials on demand.
- Backends vary in their ability to mint short-lived credentials.
- Lease and revocation behavior must be observable.
- Application teams need stable integration contracts even when backend
credential mechanisms differ.
## Solution
Use OpenBao or a credential broker to issue scoped credentials with TTL,
lease metadata, renewal rules, and revocation. Keep parent credentials
inside the platform secret authority.
## Implementation Sketch
1. Define a protected system and role for each dynamic credential type.
2. Authenticate the caller with workload or human identity.
3. Authorize requested scope and TTL through policy.
4. Generate backend-native credentials or brokered session material.
5. Record lease id, caller, tenant, backend, and expiry.
6. Revoke credentials on expiry, deployment teardown, or incident.
## Failure Modes
| Failure | Mitigation |
| --- | --- |
| Backend does not support dynamic users | use brokered credentials or shorter static bridge with explicit exception |
| Lease renewal hides stale consumers | cap max TTL and require owner metadata |
| Parent credential exposed to apps | keep parent material only in OpenBao or broker config |
| Revocation is untested | include revocation drills in readiness gates |
## Related Capabilities
- Secrets, keys, and credentials.
- Authorization and access control.
- Observability, detection, and audit.
## Maturity
Draft. The OpenBao direction is established, but each backend needs a
verified lease and revocation story.
## Verification
- Issued credentials have owner, scope, TTL, and lease metadata.
- Revocation invalidates access at the backend.
- Expired credentials are rejected.
- Audit records link issuance and revocation to actor and tenant.
## Research Basis
Seeded by central secrets management, workload secret injection, secret
rotation, short-lived credentials, and OpenBao runtime authority.
## References
- Initial exploration: Secrets, keys, and credentials.
- Railiance OpenBao platform secrets service.