generated from coulomb/repo-seed
Add OpenBao runtime secret authority; complete NK-WP-0006/0007/0008
Refine the recursive platform security architecture to make OpenBao the canonical runtime secret authority, with SOPS/age, K8s Secrets, and the emergency bundle reframed as bootstrap/delivery/break-glass mechanisms. - credential-management standard v0.2: add OpenBao runtime authority section, rotation rules, and prohibited patterns (OpenBao-as-PDP, tenant platform-root) - platform-identity-security-architecture: mark implemented; add flex-auth/Topaz implications, Coulomb onboarding path, and a production-readiness checklist - NK-WP-0004/0005: document bootstrap-to-OpenBao handoff boundary - NK-WP-0006/0007: status -> done with implementation reviews; add recursive platform/tenant split and OpenBao broker/audit role for object-storage STS vending - NK-WP-0008: status -> done; repoint corpus to infospace-bench - new ADR-0007 (orchestration boundary), ADR-0008 (STS vending boundary), and the object-storage STS credential-vending architecture Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -1,7 +1,7 @@
|
||||
# Platform Identity and Security Architecture
|
||||
|
||||
Status: draft architecture baseline for NetKingdom/Railiance/Coulomb
|
||||
Date: 2026-05-17
|
||||
Status: implemented architecture baseline for NetKingdom/Railiance/Coulomb
|
||||
Date: 2026-05-18
|
||||
|
||||
## Purpose
|
||||
|
||||
@@ -305,6 +305,86 @@ Possible responsibilities:
|
||||
This orchestration layer should build on Railiance capabilities rather
|
||||
than bypassing the Railiance stack boundaries.
|
||||
|
||||
ADR-0007 records the current decision: keep orchestration in Railiance
|
||||
playbooks for now, with NetKingdom defining the trust-state model,
|
||||
readiness checks, OpenBao boundaries, and security semantics.
|
||||
|
||||
## flex-auth And Topaz Implications
|
||||
|
||||
flex-auth work must preserve the recursive boundary between platform
|
||||
control-plane resources and tenant resources.
|
||||
|
||||
Required implications:
|
||||
|
||||
- CARING descriptors must include scope and tenant metadata for
|
||||
tenant-scoped access, and must mark rare platform-scoped access
|
||||
explicitly.
|
||||
- Policy packages must distinguish `tenant:platform` policy from
|
||||
tenant-local packages such as `tenant:coulomb`.
|
||||
- Decision envelopes must carry subject, issuer, audience, tenant,
|
||||
protected-system id, resource, action, requested TTL where relevant,
|
||||
assurance evidence, obligations, deny reasons, and audit correlation
|
||||
ids.
|
||||
- Topaz is a delegated PDP runtime behind flex-auth. It must not become
|
||||
the canonical policy model, identity provider, or platform control
|
||||
plane.
|
||||
- Audit and explain records must be durable enough to reconstruct why a
|
||||
platform-root, secret, credential, or tenant-administration decision was
|
||||
allowed or denied.
|
||||
- Platform-root guardrails must deny tenant administrators the ability to
|
||||
alter IAM Profile semantics, OpenBao platform mounts/auth methods,
|
||||
flex-auth policy import pipelines, Topaz runtime configuration, or
|
||||
platform audit retention.
|
||||
|
||||
OpenBao secret access and dynamic credential requests follow the same
|
||||
authorization rule: identity proves the actor or workload, flex-auth
|
||||
decides whether the request is permitted, and OpenBao stores, issues,
|
||||
leases, audits, and revokes the secret material.
|
||||
|
||||
## Coulomb Tenant Onboarding Path
|
||||
|
||||
The first Coulomb tenant onboarding path should be repeatable before it
|
||||
becomes automated:
|
||||
|
||||
1. Register `tenant:coulomb` as a tenant distinct from
|
||||
`tenant:platform`.
|
||||
2. Map Coulomb human, service, and agent principals to IAM Profile claims
|
||||
with issuer, audience, subject, group, tenant, and assurance evidence.
|
||||
3. Register Coulomb protected systems and resources in flex-auth with
|
||||
stable protected-system ids.
|
||||
4. Import tenant-scoped policy packages and CARING descriptors for
|
||||
Coulomb resources.
|
||||
5. Initialize the delegated PDP runtime, starting with Topaz, using only
|
||||
the policy packages approved for the tenant and platform boundary.
|
||||
6. Provision Coulomb workload secret paths, Kubernetes auth roles, or
|
||||
delivery mechanisms in OpenBao without granting access to platform
|
||||
mounts, unseal/recovery material, or global auth configuration.
|
||||
7. Run audit readiness checks before admitting production traffic:
|
||||
identity issuance, flex-auth decision envelope, Topaz health,
|
||||
OpenBao audit event, workload enforcement event, and correlation id.
|
||||
|
||||
The onboarding path is complete when a Coulomb workload can authenticate,
|
||||
receive a scoped authorization decision, obtain only the allowed secret or
|
||||
short-lived credential, enforce the decision locally, and produce an
|
||||
auditable record without receiving platform-root authority.
|
||||
|
||||
## Production Readiness Checks
|
||||
|
||||
Before the security platform is production-ready, each trust state needs
|
||||
an explicit check:
|
||||
|
||||
| Area | Readiness check |
|
||||
| --- | --- |
|
||||
| MFA and identity | key-cape or Keycloak issues IAM Profile-compatible tokens; privacyIDEA or the selected MFA provider enforces required assurance for privileged actions |
|
||||
| Bootstrap and recovery | age/SOPS material, emergency bundle, and break-glass credentials are present, tested, and separated from tenant administration |
|
||||
| OpenBao runtime secrets | OpenBao is initialized, unsealed or auto-unsealed by the approved mechanism, backed up, audited, and using scoped auth methods and mounts |
|
||||
| Secret rotation | service, database, OpenBao-issued, and break-glass rotation paths have documented blast radius and verification steps |
|
||||
| flex-auth policy state | platform and tenant policy packages are versioned, reviewable, imported, and explainable |
|
||||
| Topaz runtime | delegated PDP health, data freshness, policy load status, and fail-closed behavior are verified |
|
||||
| Tenant onboarding | `tenant:coulomb` resources, claims, policies, OpenBao paths, and audit correlation are registered and tested |
|
||||
| Audit sink | identity, flex-auth, Topaz, OpenBao, Kubernetes, and workload audit records land in durable storage with restore/drill coverage |
|
||||
| Break-glass | emergency access works when normal identity is unavailable and produces a post-event review record |
|
||||
|
||||
## Open Questions
|
||||
|
||||
- Where is the durable audit log stored for platform-root decisions?
|
||||
|
||||
Reference in New Issue
Block a user