net-kingdom/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
---
id: NET-WP-0017
type: workplan
title: "IT Security Readiness For User Onboarding"
domain: netkingdom
repo: net-kingdom
status: active
owner: codex
topic_slug: netkingdom
created: "2026-05-26"
updated: "2026-05-29"
depends_on:
- NET-WP-0015
- NET-WP-0016
- RAIL-PL-WP-0002
state_hub_workstream_id: "385de708-fd59-4bab-a4f4-28c1c476b3ea"
---
# NET-WP-0017 - IT Security Readiness For User Onboarding
## Goal
Finish the remaining NetKingdom and Railiance security setup needed before
ordinary platform users, tenant admins, or fabric admins are onboarded.
`NET-WP-0015` established the king credential, OpenBao bootstrap ceremony, and
guided control surface. This workplan is the narrower finish-line plan: routine
admin access must use NetKingdom identity, bootstrap-era material must be
retired or explicitly accepted, audit/recovery posture must be credible, and a
first non-root onboarding dry run must prove the lifecycle model.
## Current Evidence
- `platform-root` exists in LLDAP, belongs to `net-kingdom-admins`, has MFA,
and completed KeyCape OIDC login.
- Railiance OpenBao is initialized, unsealed, and post-unseal verified.
- OpenBao initial configuration was applied; `platform/` KV and Kubernetes auth
exist.
- The initial OpenBao root token is recorded as revoked.
- Trial unseal shares were rotated.
- The KeyCape `openbao-admin` client is live and verified, including the public
`https://kc.coulomb.social` route and certificate.
- OpenBao OIDC auth configuration is applied; MFA-backed OpenBao admin login is
still pending.
- Declarative/durable audit handling, residual taint closeout, cleanup/rotation,
and the first ordinary-user onboarding dry run are still pending.
## Tasks
### T01 - Finish OIDC-Backed OpenBao Admin Login
```task
id: NET-WP-0017-T01
status: in_progress
priority: high
state_hub_task_id: "9b087bbd-631b-4316-b94d-a8265a05b065"
```
Run the fixed OpenBao OIDC helper, record the non-secret completion flag, then
verify `platform-root` can complete:
```bash
bao login -method=oidc -path=keycape role=platform-admin
```
The verification must prove the resulting OpenBao token has the intended
`platform-admin` policy without relying on the initial root token or a manually
minted temporary operator token.
**2026-05-29:** DNS and ACME issuance for `kc.coulomb.social` are healthy:
cert-manager issued `kc-tls`, and `sso-mfa/k8s/keycape/verify-openbao-client.sh`
passes against the live KeyCape route. `configure-openbao-oidc.sh` has applied
the OpenBao `auth/keycape` OIDC configuration and `platform-admin` role. The
remaining T01 gate is the human browser login with MFA and a token lookup that
shows the expected OpenBao `platform-admin` policy.
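The T01 gate above is "token lookup shows `platform-admin` and nothing stronger". The following check script is an added example, not part of this workplan or the NetKingdom helpers; it assumes the `bao token lookup -format=json` output shape (`data.policies`, `data.path`) and that the OIDC mount is `auth/keycape`, and the two JSON samples are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: evaluate an OpenBao token lookup against the T01 gate.
# Live use: check_admin_token "$(bao token lookup -format=json)"
# Assumption: lookup JSON carries data.policies (array) and data.path (string).

# Extract a top-level-unique string field value from flat JSON (key given as $2).
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n1
}

# Extract the "policies" array as space-separated policy names.
json_policies() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"policies"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' \
    | tr -d '" ' | tr ',' ' '
}

# Returns 0 only when the token satisfies the gate:
#   - carries the platform-admin policy
#   - does NOT carry root (rules out the initial root token or a derived path)
#   - was issued through the keycape OIDC mount, not auth/token
check_admin_token() {
  local json="$1" policies path p has_admin=0
  policies=$(json_policies "$json")
  path=$(json_field "$json" path)
  for p in $policies; do
    [ "$p" = root ] && { echo "FAIL: token carries root policy" >&2; return 1; }
    [ "$p" = platform-admin ] && has_admin=1
  done
  [ "$has_admin" = 1 ] || { echo "FAIL: platform-admin policy missing" >&2; return 1; }
  case "$path" in
    auth/keycape/*) ;;
    *) echo "FAIL: token not issued via auth/keycape (path=$path)" >&2; return 1 ;;
  esac
  echo "OK: policies=[$policies] path=$path"   # non-secret evidence line
}

# Constructed samples (no real accessors or tokens).
SAMPLE_OIDC='{"data":{"accessor":"PLACEHOLDER","display_name":"keycape-platform-root","path":"auth/keycape/oidc/callback","policies":["default","platform-admin"],"ttl":3600}}'
SAMPLE_ROOT='{"data":{"display_name":"root","path":"auth/token/root","policies":["root"],"ttl":0}}'
```

Record only the `OK:` line as T01 evidence; the accessor and the token itself stay out of the workplan.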
### T02 - Close OpenBao Audit And Recovery Production Gates
```task
id: NET-WP-0017-T02
status: todo
priority: high
state_hub_task_id: "909944bd-843a-4a63-8c87-536cea052a88"
```
Resolve the remaining OpenBao production-trust gates:
- configure audit declaratively if API-managed audit remains rejected;
- confirm where audit logs are durably shipped beyond the audit PVC;
- retain non-secret restore-drill evidence and repeat the drill if any
material changed;
- record emergency seal/unseal drill evidence; and
- identify the next independent escrow holder for moving beyond temporary
single-king custody.
### T03 - Close Trial Taint And Retire Bootstrap Admin Paths
```task
id: NET-WP-0017-T03
status: todo
priority: high
state_hub_task_id: "a6cd4325-8f3b-46bb-b810-ca816c35cb29"
```
Review all access paths created during the trial exposure and record the
compromise response as complete only after the operator has rotated, revoked,
reset, or explicitly accepted residual risk for each of:
- temporary OpenBao `platform-admin` tokens;
- bootstrap/root-token-derived paths;
- early LLDAP/Authelia/KeyCape admin credentials;
- local plaintext secret workspaces;
- bootstrap service tokens; and
- any copied command output or local shell history that may contain secret
values.
### T04 - Harden Bootstrap Infrastructure Before User Onboarding
```task
id: NET-WP-0017-T04
status: todo
priority: high
state_hub_task_id: "12c31f76-68f4-4d2b-853a-f3185cfc761c"
```
Complete the minimum hardening before ordinary users are onboarded:
- restrict direct administrative access to LLDAP and privacyIDEA to approved
operator networks or tunnels;
- verify no privileged login path bypasses MFA for platform-admin authority;
- rotate or reset bootstrap-era database, admin, and service credentials that
were created before custody was established;
- confirm host/workload checks and vulnerability scans are run or explicitly
deferred with owner/date; and
- update the bootstrap console state to `cleanup_complete` only when these
checks are recorded.
### T05 - Implement First User Lifecycle Operator Flow
```task
id: NET-WP-0017-T05
status: todo
priority: high
state_hub_task_id: "aec3ac45-18be-4b04-a863-0c8c70693739"
```
Turn the documented user lifecycle UX into the first practical operator flow
for:
- onboarding a scoped non-root user;
- temporarily locking that user;
- permanently offboarding that user;
- reviewing credentials and MFA state; and
- creating a fabric/tenant admin without platform-root authority.
The flow can begin as console/UI action cards, but it must show effective
access before saving and must not expose secrets.
### T06 - Run A Non-Root Onboarding Dry Run
```task
id: NET-WP-0017-T06
status: todo
priority: high
state_hub_task_id: "c149b2f0-c9ee-4c95-a1df-b25ed0d20579"
```
Create a test or first real non-root user using the new lifecycle flow. Verify:
- LLDAP identity and groups;
- MFA enrollment through privacyIDEA;
- KeyCape OIDC claims;
- expected application or platform scope;
- no platform-root or OpenBao root authority;
- lock/offboard path can be exercised or simulated; and
- non-secret audit/progress evidence is recorded.
This is the final gate before declaring the platform ready for normal user
onboarding.
### T07 - Review And Retire Superseded Bootstrap Workplans
```task
id: NET-WP-0017-T07
status: todo
priority: medium
state_hub_task_id: "e9ceafb2-14c0-4352-9ac7-e31628feb045"
```
After T01 through T06 are complete, review `NET-WP-0015`, `NET-WP-0016`,
`RAIL-PL-WP-0002`, and older NetKingdom credential/bootstrap workplans.
Mark completed work finished or archived, and leave only longer-horizon items
such as multi-custodian upgrade, enterprise federation, dynamic database
credentials, object-storage STS vending, and application onboarding contracts.
## Acceptance Criteria
- Routine OpenBao administration works through NetKingdom/KeyCape OIDC and MFA.
- The initial root token and temporary OpenBao admin tokens are not normal
operating paths.
- Audit, recovery, emergency seal, and restore evidence are recorded without
secret values.
- Bootstrap-era privileged credentials have been rotated, reset, revoked, or
explicitly accepted as residual risk.
- A non-root user onboarding dry run succeeds and proves lock/offboard/review
paths.
- The bootstrap console can honestly move beyond Admin Identity Integration
into cleanup and reopening.