Add OpenBao runtime secret authority; complete NK-WP-0006/0007/0008

Refine the recursive platform security architecture to make OpenBao the
canonical runtime secret authority, with SOPS/age, K8s Secrets, and the
emergency bundle reframed as bootstrap/delivery/break-glass mechanisms.

- credential-management standard v0.2: add OpenBao runtime authority
  section, rotation rules, and prohibited patterns (OpenBao-as-PDP,
  tenant platform-root)
- platform-identity-security-architecture: mark implemented; add
  flex-auth/Topaz implications, Coulomb onboarding path, and a
  production-readiness checklist
- NK-WP-0004/0005: document bootstrap-to-OpenBao handoff boundary
- NK-WP-0006/0007: status -> done with implementation reviews; add
  recursive platform/tenant split and OpenBao broker/audit role for
  object-storage STS vending
- NK-WP-0008: status -> done; repoint corpus to infospace-bench
- new ADR-0007 (orchestration boundary), ADR-0008 (STS vending
  boundary), and the object-storage STS credential-vending architecture

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
2026-05-20 22:51:20 +02:00
parent b49631acef
commit 7b211acd57
10 changed files with 1150 additions and 69 deletions

View File

@@ -4,13 +4,13 @@ type: workplan
title: Object Storage STS Credential Vending
domain: netkingdom
repo: net-kingdom
status: proposed
status: done
owner: codex
topic_slug: netkingdom
planning_priority: high
planning_order: 7
created: 2026-05-17
updated: 2026-05-17
updated: 2026-05-18
depends_on:
- NK-WP-0004
- NK-WP-0005
@@ -50,6 +50,11 @@ security architecture. The surrounding ecosystem matters:
lightweight stack, not object-storage policy owners.
- flex-auth owns policy-as-code decisions, resource/action vocabulary,
decision envelopes, delegated PDP adapters, and audit semantics.
- OpenBao is now part of the platform stack as the runtime secret
authority, dynamic credential broker where appropriate, and audit
source for secret access. It can broker or store credential material,
but it does not replace flex-auth authorization or provider-native STS
semantics.
- ops-warden and ops-bridge provide a useful precedent for short-lived
credentials and actor attribution, but they are SSH-specific and
should not be overloaded with object-storage credentials.
@@ -80,12 +85,38 @@ Out of scope:
- replacing flex-auth with provider-specific bucket policies
- putting object-storage policy inside key-cape, ops-warden, or
ops-bridge
- letting OpenBao root/admin authority become the object-storage policy
model
## Recursive Platform Implications
This workplan depends on NK-WP-0006, so object-storage credential vending
must honor the platform/tenant split:
- `tenant:platform` may administer the vending service, OpenBao mounts,
storage backends, policy import pipeline, and audit retention.
- `tenant:coulomb` and future tenants may request scoped credentials only
for registered tenant resources.
- flex-auth decision envelopes must include tenant id, protected-system
id, bucket or prefix, action set, TTL, assurance evidence, obligations,
deny reasons, and audit correlation ids.
- CARING descriptors must mark whether a request is platform-scoped or
tenant-scoped; platform-scoped descriptor use is rare, reviewed, and
auditable.
- Topaz is the first delegated PDP runtime behind flex-auth. Its data and
policy loading must not give a tenant administrator control over
platform policies.
- OpenBao may broker, lease, audit, or store temporary credential
material after flex-auth approval. OpenBao must not become the source of
object-storage authorization policy, and tenants must not receive
OpenBao root tokens, unseal/recovery material, platform mounts, or
global auth-method control.
## Tasks
```task
id: NK-WP-0007-T1
status: todo
status: done
priority: high
state_hub_task_id: "3b50c48f-1ab2-4631-b176-d49d9d705f1e"
```
@@ -97,7 +128,7 @@ flow, and failure modes.
```task
id: NK-WP-0007-T2
status: todo
status: done
priority: high
state_hub_task_id: "5b942d22-6f29-4975-88fb-e3e5bcaf4029"
```
@@ -109,7 +140,7 @@ multipart operations), TTL limits, obligations, and deny reasons.
```task
id: NK-WP-0007-T3
status: todo
status: done
priority: high
state_hub_task_id: "8d27e5b4-9bbb-4a53-a079-0df1047d755e"
```
@@ -121,30 +152,31 @@ issuer restrictions.
```task
id: NK-WP-0007-T4
status: todo
status: done
priority: medium
state_hub_task_id: "c0c4f297-6cff-419b-9ce3-be5537c92e93"
```
Assess backend STS implementations and write a decision record covering
Ceph RGW STS, MinIO/AIStor STS, AWS STS, Cloudflare R2 temporary
credentials, and whether OpenBao/Vault should broker any of these
directly.
credentials, and when OpenBao should broker, lease, audit, or store the
resulting credential material.
```task
id: NK-WP-0007-T5
status: todo
status: done
priority: medium
state_hub_task_id: "ccb10b2d-6378-4824-90b1-c31bd882d93d"
```
Prototype the smallest credential-vending interface: CLI or HTTP
request shape, normalized response shape, lease metadata, audit event,
and a `credential_process`-compatible option for SDK consumers.
OpenBao lease/audit metadata where used, and a
`credential_process`-compatible option for SDK consumers.
```task
id: NK-WP-0007-T6
status: todo
status: done
priority: medium
state_hub_task_id: "63c6859b-980e-44da-a5a6-b92a8a3225dd"
```
@@ -154,12 +186,32 @@ environment variables, `AWS_SESSION_TOKEN`, refresh behavior, sidecar or
controller refresh options, and prohibited patterns such as long-lived
root access keys.
## Implementation Review - 2026-05-18
Implemented as architecture and decision artifacts:
- `docs/object-storage-sts-credential-vending.md` defines the target
architecture, actors, trust boundaries, token flow, flex-auth
vocabulary, IAM Profile requirements, backend assessment, OpenBao
role, request/response prototype, audit event, failure modes, and
consumer guidance.
- `docs/adr/ADR-0008-object-storage-sts-credential-vending.md` records
the decision to use a provider-neutral NetKingdom vending boundary with
provider-native temporary credential mechanisms where possible.
The implementation deliberately stops before building a live vending
service. Service implementation belongs in a follow-up workplan once
artifact-store has session-token/refresh support and the Railiance
OpenBao bootstrap/unseal/break-glass work is ready.
## Acceptance Criteria
- NetKingdom has a canonical, provider-neutral pattern for object-storage
STS credential vending.
- flex-auth is the policy decision point for bucket/prefix/action/TTL
authorization.
- OpenBao is treated as runtime secret/lease infrastructure where useful,
not as the canonical authorization policy engine.
- key-cape and Keycloak are treated as IAM Profile implementations, not
object-storage policy engines.
- ops-warden and ops-bridge remain SSH/tunnel-specific but their