From 9eabf6cd4d6227d8abf1c7fd4e23e149257e20ac Mon Sep 17 00:00:00 2001 From: tegwick Date: Tue, 26 May 2026 07:08:25 +0200 Subject: [PATCH] Review OpenBao onboarding readiness workplans --- ...-custody-and-openbao-identity-bootstrap.md | 42 +++- ...-security-readiness-for-user-onboarding.md | 192 ++++++++++++++++++ 2 files changed, 229 insertions(+), 5 deletions(-) create mode 100644 workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md diff --git a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md index 2422cf5..4e5964f 100644 --- a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md +++ b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md @@ -8,7 +8,7 @@ status: active owner: codex topic_slug: netkingdom created: "2026-05-24" -updated: "2026-05-24" +updated: "2026-05-26" depends_on: - NK-WP-0006 - NK-WP-0012 @@ -111,7 +111,7 @@ blocked under T03. ```task id: NET-WP-0015-T03 -status: blocked +status: done priority: high state_hub_task_id: "56a6266a-4acd-41e6-a395-85e90a5c35c6" ``` @@ -353,11 +353,17 @@ metadata. It also detects encrypted bootstrap bundle presence and plaintext `sso-mfa/bootstrap/secrets/` exposure. This is the intended foundation for trial-mode, custody-mode, unlock/apply, and later OpenBao handover flows. +**2026-05-26:** Closed this custody-approval task after review against the +live bootstrap metadata: `platform-root` is recorded as the king credential, +MFA and KeyCape OIDC login are verified, and `temporary-single-king` custody is +explicitly approved for the pre-production OpenBao bootstrap. Remaining +hardening and user-onboarding readiness work is tracked in `NET-WP-0017`. + ### T04 - Complete Railiance OpenBao Bootstrap Ceremony ```task id: NET-WP-0015-T04 -status: blocked +status: done priority: high state_hub_task_id: "2102366e-064b-4071-8b6a-574d9d37d109" ``` 
@@ -367,11 +373,19 @@ the king credential model, enable audit and the first mounts/policies, create a non-root `platform-admin` access path, and revoke or offline-escrow the initial root token. +**2026-05-26:** Closed the bootstrap ceremony portion after live verification: +Railiance OpenBao is initialized, unsealed, and post-unseal verified; initial +configuration was applied; the initial OpenBao root token is recorded as +revoked; trial unseal shares were rotated; and restore-drill confirmation is +recorded in the bootstrap metadata. Declarative audit/durable audit shipping +and routine OIDC admin access remain follow-up readiness gates under +`NET-WP-0017` and `RAIL-PL-WP-0002`. + ### T05 - Provision First NetKingdom Admin Identity ```task id: NET-WP-0015-T05 -status: todo +status: done priority: high state_hub_task_id: "d2a81d7b-9964-4bd5-9b8c-ef1324e02cd4" ``` @@ -383,6 +397,12 @@ for `platform-root`, `platform-admin`, `netkingdom-admin`, and `railiance-platform-admin`. `tegwick` may receive delegated day-to-day admin roles later, but must be revocable without losing root custody. +**2026-05-26:** Closed for the bootstrap identity scope: the dedicated +`platform-root` user is recorded as created, assigned to +`net-kingdom-admins`, stored outside this repo, enrolled for MFA, and verified +through KeyCape OIDC. Richer IAM-profile claims for ordinary user onboarding +remain part of the user-onboarding readiness work in `NET-WP-0017`. + ### T06 - Bind OpenBao Admin Auth To NetKingdom IAM ```task 
@@ -396,11 +416,18 @@ Replace temporary operator tokens with NetKingdom IAM-backed OpenBao admin auth when the issuer and claim mapping are ready. The OpenBao root token must not be the normal admin path. +**2026-05-26:** The KeyCape `openbao-admin` client is code-defined, patched +into the live `keycape-config` Secret, rolled out, and verified without +requiring decrypted bootstrap secrets. This task remains in progress because +OpenBao `auth/keycape` still needs the fixed helper command to complete and +the MFA-backed `bao login -method=oidc -path=keycape role=platform-admin` path +still needs verification. + ### T07 - Verify Recovery, Audit, And Rotation ```task id: NET-WP-0015-T07 -status: todo +status: in_progress priority: medium state_hub_task_id: "aa40cbb4-36d3-405d-b59d-0c21ae8c9539" ``` @@ -409,6 +436,11 @@ Confirm snapshot/restore drill, durable audit-log handling, root-token disposition, unseal/recovery rotation expectations, and the follow-up owner for adding at least one additional human escrow holder. +**2026-05-26:** Root-token disposition, unseal-key rotation, post-unseal +verification, and restore-drill confirmation are recorded. This task remains +open for declarative audit configuration/durable audit shipping, residual +taint-response closeout, and the next independent escrow holder. + ### T08 - Reset, Rotate, And Reopen Under King Oversight ```task diff --git a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md new file mode 100644 index 0000000..1100944 --- /dev/null +++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md 
@@ -0,0 +1,192 @@ +--- +id: NET-WP-0017 +type: workplan +title: "IT Security Readiness For User Onboarding" +domain: netkingdom +repo: net-kingdom +status: active +owner: codex +topic_slug: netkingdom +created: "2026-05-26" +updated: "2026-05-26" +depends_on: + - NET-WP-0015 + - NET-WP-0016 + - RAIL-PL-WP-0002 +--- + +# NET-WP-0017 - IT Security Readiness For User Onboarding + +## Goal + +Finish the remaining NetKingdom and Railiance security setup needed before +ordinary platform users, tenant admins, or fabric admins are onboarded. + +`NET-WP-0015` established the king credential, OpenBao bootstrap ceremony, and +guided control surface. This workplan is the narrower finish-line plan: routine +admin access must use NetKingdom identity, bootstrap-era material must be +retired or explicitly accepted, audit/recovery posture must be credible, and a +first non-root onboarding dry run must prove the lifecycle model. + +## Current Evidence + +- `platform-root` exists in LLDAP, belongs to `net-kingdom-admins`, has MFA, + and completed KeyCape OIDC login. +- Railiance OpenBao is initialized, unsealed, and post-unseal verified. +- OpenBao initial configuration was applied; `platform/` KV and Kubernetes auth + exist. +- The initial OpenBao root token is recorded as revoked. +- Trial unseal shares were rotated. +- The KeyCape `openbao-admin` client is live and verified. +- OpenBao OIDC auth configuration and MFA-backed OpenBao admin login are still + pending. +- Declarative/durable audit handling, residual taint closeout, cleanup/rotation, + and the first ordinary-user onboarding dry run are still pending. 
+ +## Tasks + +### T01 - Finish OIDC-Backed OpenBao Admin Login + +```task +id: NET-WP-0017-T01 +status: in_progress +priority: high +``` + +Run the fixed OpenBao OIDC helper, record the non-secret completion flag, then +verify `platform-root` can complete: + +```bash +bao login -method=oidc -path=keycape role=platform-admin +``` + +The verification must prove the resulting OpenBao token has the intended +`platform-admin` policy without relying on the initial root token or a manually +minted temporary operator token. + +### T02 - Close OpenBao Audit And Recovery Production Gates + +```task +id: NET-WP-0017-T02 +status: todo +priority: high +``` + +Resolve the remaining OpenBao production-trust gates: + +- configure audit declaratively if API-managed audit remains rejected; +- confirm where audit logs are durably shipped beyond the audit PVC; +- retain non-secret restore-drill evidence and repeat the drill if any + material changed; +- record emergency seal/unseal drill evidence; and +- identify the next independent escrow holder for moving beyond temporary + single-king custody. + +### T03 - Close Trial Taint And Retire Bootstrap Admin Paths + +```task +id: NET-WP-0017-T03 +status: todo +priority: high +``` + +Review all access paths created during the trial exposure and record the +compromise response complete only after the operator has either rotated, +revoked, reset, or explicitly accepted residual risk for: + +- temporary OpenBao `platform-admin` tokens; +- bootstrap/root-token-derived paths; +- early LLDAP/Authelia/KeyCape admin credentials; +- local plaintext secret workspaces; +- bootstrap service tokens; and +- any copied command output or local shell history that may contain secret + values. 
+ +### T04 - Harden Bootstrap Infrastructure Before User Onboarding + +```task +id: NET-WP-0017-T04 +status: todo +priority: high +``` + +Complete the minimum hardening before ordinary users are onboarded: + +- restrict direct administrative access to LLDAP and privacyIDEA to approved + operator networks or tunnels; +- verify no privileged login path bypasses MFA for platform-admin authority; +- rotate or reset bootstrap-era database, admin, and service credentials that + were created before custody was established; +- confirm host/workload checks and vulnerability scans are run or explicitly + deferred with owner/date; and +- update the bootstrap console state to `cleanup_complete` only when these + checks are recorded. + +### T05 - Implement First User Lifecycle Operator Flow + +```task +id: NET-WP-0017-T05 +status: todo +priority: high +``` + +Turn the documented user lifecycle UX into the first practical operator flow +for: + +- onboarding a scoped non-root user; +- temporarily locking that user; +- permanently offboarding that user; +- reviewing credentials and MFA state; and +- creating a fabric/tenant admin without platform-root authority. + +The flow can begin as console/UI action cards, but it must show effective +access before saving and must not expose secrets. + +### T06 - Run A Non-Root Onboarding Dry Run + +```task +id: NET-WP-0017-T06 +status: todo +priority: high +``` + +Create a test or first real non-root user using the new lifecycle flow. Verify: + +- LLDAP identity and groups; +- MFA enrollment through privacyIDEA; +- KeyCape OIDC claims; +- expected application or platform scope; +- no platform-root or OpenBao root authority; +- lock/offboard path can be exercised or simulated; and +- non-secret audit/progress evidence is recorded. + +This is the final gate before declaring the platform ready for normal user +onboarding. 
+ +### T07 - Review And Retire Superseded Bootstrap Workplans + +```task +id: NET-WP-0017-T07 +status: todo +priority: medium +``` + +After T01-T06 complete, review `NET-WP-0015`, `NET-WP-0016`, +`RAIL-PL-WP-0002`, and older NetKingdom credential/bootstrap workplans. +Mark completed work finished or archived, and leave only longer-horizon items +such as multi-custodian upgrade, enterprise federation, dynamic database +credentials, object-storage STS vending, and application onboarding contracts. + +## Acceptance Criteria + +- Routine OpenBao administration works through NetKingdom/KeyCape OIDC and MFA. +- The initial root token and temporary OpenBao admin tokens are not normal + operating paths. +- Audit, recovery, emergency seal, and restore evidence are recorded without + secret values. +- Bootstrap-era privileged credentials have been rotated, reset, revoked, or + explicitly accepted as residual risk. +- A non-root user onboarding dry run succeeds and proves lock/offboard/review + paths. +- The bootstrap console can honestly move beyond Admin Identity Integration + into cleanup and reopening.
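Review bot: the T03 closure in the `@@ -353,11 +353,17 @@` hunk of NET-WP-0015 (paired with the `blocked` to `done` flip in `@@ -111,7 +111,7 @@`) approves `temporary-single-king` custody without recording who approved it or the condition that ends the acceptance, so `done` reads as permanent even though the next independent escrow holder is still open under T07 and NET-WP-0017 T02. Word it as a bounded risk acceptance, e.g. "temporary-single-king custody accepted by <approver> on 2026-05-26 until a second escrow holder is recorded (NET-WP-0017 T02)", so the NET-WP-0017 T07 review has something concrete to retire.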
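Review bot: the T04 closure in the `@@ -367,11 +373,19 @@` hunk sets `done` while deferring two deliverables that the task's own context lines still require, "enable audit" and "create a non-root `platform-admin` access path"; either keep T04 `in_progress` until NET-WP-0017 T01/T02 land or narrow the task text so the record matches. More importantly, with the initial root token recorded as revoked and OIDC admin login still pending, the note should state what the surviving administrative path is (presumably the temporary OpenBao `platform-admin` tokens that NET-WP-0017 T03 later retires) and its TTL/renewability, so the ceremony record shows the instance stays administrable if that token expires before T01 completes.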
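Review bot: the T05 closure in the `@@ -383,6 +397,12 @@` hunk only accounts for `platform-root`, while the task's context lines name four identities (`platform-root`, `platform-admin`, `netkingdom-admin`, `railiance-platform-admin`) and the requirement that `tegwick`'s delegated roles be revocable without losing root custody. Say explicitly whether the other three are already provisioned or deferred to NET-WP-0017 T05/T06, and replace "stored outside this repo" with a non-secret pointer to the custody record so the escrow location is auditable.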
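Review bot: the T06 note in the `@@ -396,11 +416,18 @@` hunk describes the `openbao-admin` client as "code-defined" but "patched into the live `keycape-config` Secret"; a hand-patched live Secret drifts from the declarative source the next time the code path is applied, so record whether the two have been reconciled and which re-apply or diff step proves it. The same note refers to "the fixed helper command" without naming the script or commit that carries the fix; add that reference so whoever runs NET-WP-0017 T01 can find it.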
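Review bot: in the `@@ -409,6 +436,11 @@` hunk the items left open under T07 (declarative audit, durable audit shipping, residual taint-response closeout, next escrow holder) are the same items NET-WP-0017 T02 and T03 now own; tracking them in two workplans invites one being closed while the other stays open. Either mark T07 as superseded by NET-WP-0017 T02/T03 or state which workplan is authoritative for each item.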
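Review bot: in the new NET-WP-0017 file, T04's check that "no privileged login path bypasses MFA for platform-admin authority" should explicitly cover the Kubernetes auth method that the Current Evidence section says already exists: any Kubernetes auth role bound to `platform-admin`-level policies is an admin path that never touches KeyCape or privacyIDEA, so the check must enumerate those role/policy bindings, not only human login paths. Two smaller points: T01's "must prove the resulting OpenBao token has the intended `platform-admin` policy" should say how (for example a `bao token lookup` on the OIDC-issued token, recorded without the token value), and the task blocks here omit the `state_hub_task_id` field that every NET-WP-0015 task carries, so decide whether that field is optional before this workplan is treated as active.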