generated from coulomb/repo-seed
Archive closed workplans to workplans/archived/ (ADR-001)
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -1,220 +0,0 @@
|
||||
---
|
||||
id: NK-WP-0007
|
||||
type: workplan
|
||||
title: Object Storage STS Credential Vending
|
||||
domain: infotech
|
||||
repo: net-kingdom
|
||||
status: finished
|
||||
owner: codex
|
||||
topic_slug: netkingdom
|
||||
planning_priority: high
|
||||
planning_order: 7
|
||||
created: 2026-05-17
|
||||
updated: 2026-05-18
|
||||
depends_on:
|
||||
- NK-WP-0004
|
||||
- NK-WP-0005
|
||||
- NK-WP-0006
|
||||
state_hub_workstream_id: "3cbc81ec-7ad5-46cf-a4a0-fc5fe9873695"
|
||||
---
|
||||
|
||||
# NK-WP-0007 - Object Storage STS Credential Vending
|
||||
|
||||
## Goal
|
||||
|
||||
Define and implement the canonical NetKingdom pattern for vending
|
||||
short-lived object-storage credentials from verified identity and
|
||||
policy decisions.
|
||||
|
||||
The intended runtime shape is:
|
||||
|
||||
1. key-cape or Keycloak issues and verifies NetKingdom IAM Profile
|
||||
tokens.
|
||||
2. flex-auth evaluates whether the subject may receive temporary S3
|
||||
credentials for a specific bucket, prefix, action set, TTL, and
|
||||
assurance level.
|
||||
3. A small object-storage credential-vending service exchanges the
|
||||
approved identity for storage-native temporary credentials.
|
||||
4. Consumers such as artifact-store use temporary credentials without
|
||||
owning the security policy.
|
||||
|
||||
## Context
|
||||
|
||||
Artifact-store needs to consume S3-compatible credentials, but the
|
||||
credential-vending authority belongs to NetKingdom's identity and
|
||||
security architecture. The surrounding ecosystem matters:
|
||||
|
||||
- key-cape is the lightweight NetKingdom IAM Profile implementation.
|
||||
- Keycloak is the expanded-mode IAM implementation.
|
||||
- Authelia, LLDAP, and privacyIDEA are backing components in the
|
||||
lightweight stack, not object-storage policy owners.
|
||||
- flex-auth owns policy-as-code decisions, resource/action vocabulary,
|
||||
decision envelopes, delegated PDP adapters, and audit semantics.
|
||||
- OpenBao is now part of the platform stack as the runtime secret
|
||||
authority, dynamic credential broker where appropriate, and audit
|
||||
source for secret access. It can broker or store credential material,
|
||||
but it does not replace flex-auth authorization or provider-native STS
|
||||
semantics.
|
||||
- ops-warden and ops-bridge provide a useful precedent for short-lived
|
||||
credentials and actor attribution, but they are SSH-specific and
|
||||
should not be overloaded with object-storage credentials.
|
||||
- Ceph RGW, MinIO/AIStor, AWS STS, and Cloudflare R2 are candidate
|
||||
object-storage credential issuers.
|
||||
|
||||
## Scope
|
||||
|
||||
In scope:
|
||||
|
||||
- define the object-storage credential-vending trust model
|
||||
- define resource/action vocabulary for flex-auth
|
||||
- define claim, audience, assurance, actor, tenant, bucket, prefix,
|
||||
action, TTL, revocation, and audit requirements
|
||||
- define lightweight-mode behavior with key-cape plus Authelia, LLDAP,
|
||||
and privacyIDEA
|
||||
- define expanded-mode behavior with Keycloak
|
||||
- compare native STS paths for Ceph RGW, MinIO/AIStor, AWS STS, and
|
||||
Cloudflare R2
|
||||
- decide whether the vendor is a standalone NetKingdom service, a small
|
||||
controller, or a reusable library plus CLI
|
||||
- create consumer guidance for artifact-store and other S3 clients
|
||||
|
||||
Out of scope:
|
||||
|
||||
- implementing artifact-store S3 adapter refresh behavior
|
||||
- deploying the object-storage backend itself
|
||||
- replacing flex-auth with provider-specific bucket policies
|
||||
- putting object-storage policy inside key-cape, ops-warden, or
|
||||
ops-bridge
|
||||
- letting OpenBao root/admin authority become the object-storage policy
|
||||
model
|
||||
|
||||
## Recursive Platform Implications
|
||||
|
||||
This workplan depends on NK-WP-0006, so object-storage credential vending
|
||||
must honor the platform/tenant split:
|
||||
|
||||
- `tenant:platform` may administer the vending service, OpenBao mounts,
|
||||
storage backends, policy import pipeline, and audit retention.
|
||||
- `tenant:coulomb` and future tenants may request scoped credentials only
|
||||
for registered tenant resources.
|
||||
- flex-auth decision envelopes must include tenant id, protected-system
|
||||
id, bucket or prefix, action set, TTL, assurance evidence, obligations,
|
||||
deny reasons, and audit correlation ids.
|
||||
- CARING descriptors must mark whether a request is platform-scoped or
|
||||
tenant-scoped; platform-scoped descriptor use is rare, reviewed, and
|
||||
auditable.
|
||||
- Topaz is the first delegated PDP runtime behind flex-auth. Its data and
|
||||
policy loading must not give a tenant administrator control over
|
||||
platform policies.
|
||||
- OpenBao may broker, lease, audit, or store temporary credential
|
||||
material after flex-auth approval. OpenBao must not become the source of
|
||||
object-storage authorization policy, and tenants must not receive
|
||||
OpenBao root tokens, unseal/recovery material, platform mounts, or
|
||||
global auth-method control.
|
||||
|
||||
## Tasks
|
||||
|
||||
```task
|
||||
id: NK-WP-0007-T1
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "3b50c48f-1ab2-4631-b176-d49d9d705f1e"
|
||||
```
|
||||
|
||||
Document the target architecture in
|
||||
`docs/object-storage-sts-credential-vending.md`, including actors,
|
||||
trust boundaries, token flow, policy decision flow, credential lease
|
||||
flow, and failure modes.
|
||||
|
||||
```task
|
||||
id: NK-WP-0007-T2
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "5b942d22-6f29-4975-88fb-e3e5bcaf4029"
|
||||
```
|
||||
|
||||
Define the flex-auth resource/action model for object storage:
|
||||
protected-system id, bucket resources, prefix resources, actions
|
||||
(`s3:GetObject`, `s3:PutObject`, `s3:DeleteObject`, listing,
|
||||
multipart operations), TTL limits, obligations, and deny reasons.
|
||||
|
||||
```task
|
||||
id: NK-WP-0007-T3
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "8d27e5b4-9bbb-4a53-a079-0df1047d755e"
|
||||
```
|
||||
|
||||
Define the IAM Profile requirements for credential vending:
|
||||
accepted issuers, audiences, service-account subjects, human/admin
|
||||
subjects, MFA/assurance claims, emergency principals, and local-dev
|
||||
issuer restrictions.
|
||||
|
||||
```task
|
||||
id: NK-WP-0007-T4
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "c0c4f297-6cff-419b-9ce3-be5537c92e93"
|
||||
```
|
||||
|
||||
Assess backend STS implementations and write a decision record covering
|
||||
Ceph RGW STS, MinIO/AIStor STS, AWS STS, Cloudflare R2 temporary
|
||||
credentials, and when OpenBao should broker, lease, audit, or store the
|
||||
resulting credential material.
|
||||
|
||||
```task
|
||||
id: NK-WP-0007-T5
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "ccb10b2d-6378-4824-90b1-c31bd882d93d"
|
||||
```
|
||||
|
||||
Prototype the smallest credential-vending interface: CLI or HTTP
|
||||
request shape, normalized response shape, lease metadata, audit event,
|
||||
OpenBao lease/audit metadata where used, and a
|
||||
`credential_process`-compatible option for SDK consumers.
|
||||
|
||||
```task
|
||||
id: NK-WP-0007-T6
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "63c6859b-980e-44da-a5a6-b92a8a3225dd"
|
||||
```
|
||||
|
||||
Create integration guidance for artifact-store and other consumers:
|
||||
environment variables, `AWS_SESSION_TOKEN`, refresh behavior, sidecar or
|
||||
controller refresh options, and prohibited patterns such as long-lived
|
||||
root access keys.
|
||||
|
||||
## Implementation Review - 2026-05-18
|
||||
|
||||
Implemented as architecture and decision artifacts:
|
||||
|
||||
- `docs/object-storage-sts-credential-vending.md` defines the target
|
||||
architecture, actors, trust boundaries, token flow, flex-auth
|
||||
vocabulary, IAM Profile requirements, backend assessment, OpenBao
|
||||
role, request/response prototype, audit event, failure modes, and
|
||||
consumer guidance.
|
||||
- `docs/adr/ADR-0008-object-storage-sts-credential-vending.md` records
|
||||
the decision to use a provider-neutral NetKingdom vending boundary with
|
||||
provider-native temporary credential mechanisms where possible.
|
||||
|
||||
The implementation deliberately stops before building a live vending
|
||||
service. Service implementation belongs in a follow-up workplan once
|
||||
artifact-store has session-token/refresh support and the Railiance
|
||||
OpenBao bootstrap/unseal/break-glass work is ready.
|
||||
|
||||
## Acceptance Criteria
|
||||
|
||||
- NetKingdom has a canonical, provider-neutral pattern for object-storage
|
||||
STS credential vending.
|
||||
- flex-auth is the policy decision point for bucket/prefix/action/TTL
|
||||
authorization.
|
||||
- OpenBao is treated as runtime secret/lease infrastructure where useful,
|
||||
not as the canonical authorization policy engine.
|
||||
- key-cape and Keycloak are treated as IAM Profile implementations, not
|
||||
object-storage policy engines.
|
||||
- ops-warden and ops-bridge remain SSH/tunnel-specific but their
|
||||
short-lived credential lessons are reused where appropriate.
|
||||
- artifact-store has enough guidance to consume temporary credentials
|
||||
without owning the vending authority.
|
||||
Reference in New Issue
Block a user