generated from coulomb/repo-seed
Add credential routing, actor patterns, security map, OpenBao SSH checklist, and policy-gated signing design. Update registry and SCOPE; record INTENT↔SCOPE reassessment (C3 completeness).
NetKingdom Security Map (ops-warden view)
Date: 2026-06-17
Condensed literacy guide for ops-warden stewards and development workers.
Canonical source remains net-kingdom/docs/platform-identity-security-architecture.md.
ops-warden implements the operational SSH lane and documents how the other lanes connect.
Planes
| Plane | Components |
|---|---|
| Bootstrap plane | railiance-infra, railiance-cluster, net-kingdom bootstrap |
| Platform control | key-cape, flex-auth, OpenBao, Topaz, railiance-platform |
| Tenant plane | railiance-apps, coulomb workloads, future tenants |
| Operational access | ops-warden (SSH certs), ops-bridge (tunnels) |
Component map
| Component | Answers | Credential types | ops-warden |
|---|---|---|---|
| key-cape | Who are you? (lightweight IAM) | OIDC tokens, MFA | Route — do not issue |
| Keycloak | Who are you? (expanded IAM) | OIDC/SAML federation | Route — do not issue |
| privacyIDEA | MFA / step-up | OTP, hardware tokens | Route — do not issue |
| flex-auth | May you do this action? | Policy decisions, audit envelopes | Future SSH pre-sign; route today |
| Topaz | PDP runtime for flex-auth | Authorization evaluations | Route — do not issue |
| OpenBao | Runtime secret authority | API keys, DB creds, leases, K8s auth | SSH engine signing backend only |
| ops-warden | SSH ops access | Short-lived SSH certificates | Own and issue |
| ops-bridge | Tunnel transport | Uses certs via cert_command | Consumer |
| railiance-infra | Host enforcement | auth_principals, sshd | Route — deploy hosts |
| railiance-platform | Platform deploy | OpenBao, Postgres, ingress | Route — do not deploy from warden |
Credential lanes (summary)
| Lane | Owner | Lifetime | Worker entrypoint |
|---|---|---|---|
| Identity | key-cape / Keycloak | Session / token TTL | Login / OIDC |
| Authorization | flex-auth | Per request | Policy API / embedded PEP |
| Runtime secrets | OpenBao | Lease-bound | bao CLI, K8s ESO, app integration |
| SSH operational | ops-warden | adm 48h / agt 24h / atm 8h | warden sign |
| Tunnel | ops-bridge | Session | bridge + cert_command |
Full routing: wiki/CredentialRouting.md.
Trust flow (simplified)
Worker request
-> Identity? key-cape / Keycloak
-> Authorized? flex-auth
-> Secret material? OpenBao
-> SSH cert? ops-warden
-> Tunnel? ops-bridge (cert from warden)
-> Host accepts? railiance-infra principals
OpenBao does not replace identity or authorization. flex-auth decides; OpenBao stores and issues secret material; ops-warden signs SSH certs when the need is reaching a host.
NetKingdom documents to watch
| Document | Why ops-warden cares |
|---|---|
| platform-identity-security-architecture.md | Planes, secret path, SSH path |
| responsibility-map.md | Operational SSH dependency section |
| platform-identity-security-architecture.md | Operational SSH Path section |
| platform-root-custody.md | OpenBao ceremony — not warden's job |
| object-storage-sts-credential-vending.md | S3 creds — never warden |
| canon/standards/iam-profile_v0.2.md | Claims for future policy-gated sign |
When these change, update ops-warden wiki and wiki/CredentialRouting.md.
Recursive platform rule
Tenant admins (including tenant:coulomb) must not gain platform-root
authority. ops-warden SSH actors should use narrow principals for agent
and automation work — not platform-admin equivalents on hosts.
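The lane lifetimes in the credential table and the recursive platform rule above can be enforced as a pre-sign check in warden. The following is an added example, not ops-warden's own code; it assumes adm = admin, agt = agent, atm = automation, and uses a constructed placeholder set of platform-admin-equivalent principals.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Maximum certificate lifetime per actor class, taken from the SSH operational
# lane row (adm 48h / agt 24h / atm 8h). Assumption: adm=admin, agt=agent, atm=automation.
MAX_TTL_SECONDS = {"adm": 48 * 3600, "agt": 24 * 3600, "atm": 8 * 3600}

# Constructed placeholder: principals that map to platform-admin-equivalent
# host access in railiance-infra auth_principals. Real names are site-specific.
PLATFORM_ADMIN_PRINCIPALS = frozenset({"platform-admin", "root"})


@dataclass
class SignRequest:
    actor_class: str              # "adm", "agt" or "atm"
    ttl_seconds: int              # requested certificate validity
    principals: Sequence[str]     # principals to embed in the certificate
    tenant: Optional[str] = None  # e.g. "coulomb" for tenant actors, None for platform staff


def check_sign_request(req: SignRequest) -> List[str]:
    """Return policy violations; an empty list means warden may sign."""
    limit = MAX_TTL_SECONDS.get(req.actor_class)
    if limit is None:
        return [f"unknown actor class {req.actor_class!r}"]
    problems: List[str] = []
    if not 0 < req.ttl_seconds <= limit:
        problems.append(f"ttl {req.ttl_seconds}s outside {req.actor_class} limit of {limit}s")
    if not req.principals:
        problems.append("no principals requested")
    admin_hits = sorted(set(req.principals) & PLATFORM_ADMIN_PRINCIPALS)
    # Recursive platform rule: tenant actors never receive platform-root authority.
    if admin_hits and req.tenant is not None:
        problems.append(f"tenant:{req.tenant} requested platform-admin principals {admin_hits}")
    # Agents and automation get narrow principals, not platform-admin equivalents.
    elif admin_hits and req.actor_class in ("agt", "atm"):
        problems.append(f"{req.actor_class} actor requested platform-admin principals {admin_hits}")
    return problems


def demo() -> dict:
    """Constructed sample requests, one per outcome, mapped to their violations."""
    cases = {
        "admin_ok": SignRequest("adm", 36 * 3600, ["ops-admin"]),
        "automation_too_long": SignRequest("atm", 24 * 3600, ["deploy-bot"]),
        "tenant_root": SignRequest("adm", 3600, ["root"], tenant="coulomb"),
        "agent_admin": SignRequest("agt", 3600, ["platform-admin"]),
    }
    return {name: check_sign_request(r) for name, r in cases.items()}
```

Run `demo()` to see which of the four constructed requests warden would refuse and why.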
See also
INTENT.md
wiki/CredentialRouting.md
wiki/PolicyGatedSigning.md (future flex-auth hook)
net-kingdom/docs/platform-identity-security-architecture.md