generated from coulomb/repo-seed
Add OpenBao runtime secret authority; complete NK-WP-0006/0007/0008
Refine the recursive platform security architecture to make OpenBao the canonical runtime secret authority, with SOPS/age, K8s Secrets, and the emergency bundle reframed as bootstrap/delivery/break-glass mechanisms. - credential-management standard v0.2: add OpenBao runtime authority section, rotation rules, and prohibited patterns (OpenBao-as-PDP, tenant platform-root) - platform-identity-security-architecture: mark implemented; add flex-auth/Topaz implications, Coulomb onboarding path, and a production-readiness checklist - NK-WP-0004/0005: document bootstrap-to-OpenBao handoff boundary - NK-WP-0006/0007: status -> done with implementation reviews; add recursive platform/tenant split and OpenBao broker/audit role for object-storage STS vending - NK-WP-0008: status -> done; repoint corpus to infospace-bench - new ADR-0007 (orchestration boundary), ADR-0008 (STS vending boundary), and the object-storage STS credential-vending architecture Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -4,13 +4,13 @@ type: workplan
|
||||
title: Object Storage STS Credential Vending
|
||||
domain: netkingdom
|
||||
repo: net-kingdom
|
||||
status: proposed
|
||||
status: done
|
||||
owner: codex
|
||||
topic_slug: netkingdom
|
||||
planning_priority: high
|
||||
planning_order: 7
|
||||
created: 2026-05-17
|
||||
updated: 2026-05-17
|
||||
updated: 2026-05-18
|
||||
depends_on:
|
||||
- NK-WP-0004
|
||||
- NK-WP-0005
|
||||
@@ -50,6 +50,11 @@ security architecture. The surrounding ecosystem matters:
|
||||
lightweight stack, not object-storage policy owners.
|
||||
- flex-auth owns policy-as-code decisions, resource/action vocabulary,
|
||||
decision envelopes, delegated PDP adapters, and audit semantics.
|
||||
- OpenBao is now part of the platform stack as the runtime secret
|
||||
authority, dynamic credential broker where appropriate, and audit
|
||||
source for secret access. It can broker or store credential material,
|
||||
but it does not replace flex-auth authorization or provider-native STS
|
||||
semantics.
|
||||
- ops-warden and ops-bridge provide a useful precedent for short-lived
|
||||
credentials and actor attribution, but they are SSH-specific and
|
||||
should not be overloaded with object-storage credentials.
|
||||
@@ -80,12 +85,38 @@ Out of scope:
|
||||
- replacing flex-auth with provider-specific bucket policies
|
||||
- putting object-storage policy inside key-cape, ops-warden, or
|
||||
ops-bridge
|
||||
- letting OpenBao root/admin authority become the object-storage policy
|
||||
model
|
||||
|
||||
## Recursive Platform Implications
|
||||
|
||||
This workplan depends on NK-WP-0006, so object-storage credential vending
|
||||
must honor the platform/tenant split:
|
||||
|
||||
- `tenant:platform` may administer the vending service, OpenBao mounts,
|
||||
storage backends, policy import pipeline, and audit retention.
|
||||
- `tenant:coulomb` and future tenants may request scoped credentials only
|
||||
for registered tenant resources.
|
||||
- flex-auth decision envelopes must include tenant id, protected-system
|
||||
id, bucket or prefix, action set, TTL, assurance evidence, obligations,
|
||||
deny reasons, and audit correlation ids.
|
||||
- CARING descriptors must mark whether a request is platform-scoped or
|
||||
tenant-scoped; platform-scoped descriptor use is rare, reviewed, and
|
||||
auditable.
|
||||
- Topaz is the first delegated PDP runtime behind flex-auth. Its data and
|
||||
policy loading must not give a tenant administrator control over
|
||||
platform policies.
|
||||
- OpenBao may broker, lease, audit, or store temporary credential
|
||||
material after flex-auth approval. OpenBao must not become the source of
|
||||
object-storage authorization policy, and tenants must not receive
|
||||
OpenBao root tokens, unseal/recovery material, platform mounts, or
|
||||
global auth-method control.
|
||||
|
||||
## Tasks
|
||||
|
||||
```task
|
||||
id: NK-WP-0007-T1
|
||||
status: todo
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "3b50c48f-1ab2-4631-b176-d49d9d705f1e"
|
||||
```
|
||||
@@ -97,7 +128,7 @@ flow, and failure modes.
|
||||
|
||||
```task
|
||||
id: NK-WP-0007-T2
|
||||
status: todo
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "5b942d22-6f29-4975-88fb-e3e5bcaf4029"
|
||||
```
|
||||
@@ -109,7 +140,7 @@ multipart operations), TTL limits, obligations, and deny reasons.
|
||||
|
||||
```task
|
||||
id: NK-WP-0007-T3
|
||||
status: todo
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "8d27e5b4-9bbb-4a53-a079-0df1047d755e"
|
||||
```
|
||||
@@ -121,30 +152,31 @@ issuer restrictions.
|
||||
|
||||
```task
|
||||
id: NK-WP-0007-T4
|
||||
status: todo
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "c0c4f297-6cff-419b-9ce3-be5537c92e93"
|
||||
```
|
||||
|
||||
Assess backend STS implementations and write a decision record covering
|
||||
Ceph RGW STS, MinIO/AIStor STS, AWS STS, Cloudflare R2 temporary
|
||||
credentials, and whether OpenBao/Vault should broker any of these
|
||||
directly.
|
||||
credentials, and when OpenBao should broker, lease, audit, or store the
|
||||
resulting credential material.
|
||||
|
||||
```task
|
||||
id: NK-WP-0007-T5
|
||||
status: todo
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "ccb10b2d-6378-4824-90b1-c31bd882d93d"
|
||||
```
|
||||
|
||||
Prototype the smallest credential-vending interface: CLI or HTTP
|
||||
request shape, normalized response shape, lease metadata, audit event,
|
||||
and a `credential_process`-compatible option for SDK consumers.
|
||||
OpenBao lease/audit metadata where used, and a
|
||||
`credential_process`-compatible option for SDK consumers.
|
||||
|
||||
```task
|
||||
id: NK-WP-0007-T6
|
||||
status: todo
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "63c6859b-980e-44da-a5a6-b92a8a3225dd"
|
||||
```
|
||||
@@ -154,12 +186,32 @@ environment variables, `AWS_SESSION_TOKEN`, refresh behavior, sidecar or
|
||||
controller refresh options, and prohibited patterns such as long-lived
|
||||
root access keys.
|
||||
|
||||
## Implementation Review - 2026-05-18
|
||||
|
||||
Implemented as architecture and decision artifacts:
|
||||
|
||||
- `docs/object-storage-sts-credential-vending.md` defines the target
|
||||
architecture, actors, trust boundaries, token flow, flex-auth
|
||||
vocabulary, IAM Profile requirements, backend assessment, OpenBao
|
||||
role, request/response prototype, audit event, failure modes, and
|
||||
consumer guidance.
|
||||
- `docs/adr/ADR-0008-object-storage-sts-credential-vending.md` records
|
||||
the decision to use a provider-neutral NetKingdom vending boundary with
|
||||
provider-native temporary credential mechanisms where possible.
|
||||
|
||||
The implementation deliberately stops before building a live vending
|
||||
service. Service implementation belongs in a follow-up workplan once
|
||||
artifact-store has session-token/refresh support and the Railiance
|
||||
OpenBao bootstrap/unseal/break-glass work is ready.
|
||||
|
||||
## Acceptance Criteria
|
||||
|
||||
- NetKingdom has a canonical, provider-neutral pattern for object-storage
|
||||
STS credential vending.
|
||||
- flex-auth is the policy decision point for bucket/prefix/action/TTL
|
||||
authorization.
|
||||
- OpenBao is treated as runtime secret/lease infrastructure where useful,
|
||||
not as the canonical authorization policy engine.
|
||||
- key-cape and Keycloak are treated as IAM Profile implementations, not
|
||||
object-storage policy engines.
|
||||
- ops-warden and ops-bridge remain SSH/tunnel-specific but their
|
||||
|
||||
Reference in New Issue
Block a user