coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1865e0744e6aedbdece0b2047dd507d1fdfb1e32
ops-warden/wiki/PolicyGatedSigning.md
tegwick 1865e0744e WARDEN-WP-0006: NetKingdom stewardship docs and alignment 
Add credential routing, actor patterns, security map, OpenBao SSH
checklist, and policy-gated signing design. Update registry and SCOPE;
record INTENT↔SCOPE reassessment (C3 completeness).
2026-06-17 08:22:45 +02:00

3.2 KiB
Raw Blame History

Policy-Gated SSH Signing (design)

Date: 2026-06-17
Status: design only — not implemented in WARDEN-WP-0006

Today warden sign authorizes via inventory allow-list and TTL policy only. This document proposes flex-auth integration so SSH issuance matches the NetKingdom authorization path before OpenBao/SSH engine signing.

Problem

Inventory-only gating is sufficient for early ops but weak for:

  • many agents and automations across tenants
  • temporary elevation without inventory edits
  • unified audit with flex-auth decision envelopes
  • aligning SSH issuance with IAM Profile claims

Target flow (v2)

warden sign <actor> --pubkey <path>
        |
        v
Load actor from inventory (type, principals, ttl)
        |
        v
Obtain identity claims (optional v2.1)
  OIDC token / env-injected JWT from key-cape session
        |
        v
flex-auth Evaluate
  resource: ssh-certificate / actor:<name>
  action: sign
  context: tenant, principal list, pubkey fingerprint, requestor
        |
        +-- DENY -> CAError with flex-auth explanation
        |
        v ALLOW
CABackend.sign()  (local or OpenBao SSH engine)
        |
        v
Append signatures.log (+ optional flex-auth audit correlation id)

flex-auth request shape (proposed)

Field Source
subject IAM Profile sub or service identity
tenant tenant:platform or tenant:coulomb
resource ssh-cert:actor/<actor-name>
action sign
context.principals From inventory
context.actor_type adm | agt | atm
context.pubkey_fingerprint SHA256 of pubkey
context.ttl_hours Requested TTL

Decision envelope should return allow | deny and audit_correlation_id stored in signatures.log.

Versioning

Version Gate Notes
v1 (today) Inventory + TTL max Shipped
v2 flex-auth required for backend: vault production Config flag
v2.1 Identity claims required for adm signs OIDC from key-cape
v3 Tenant-scoped policies per tenant:* NK recursive rule

Configuration sketch (future)

# warden.yaml — not implemented
policy:
  enabled: true
  flex_auth_url: http://flex-auth.flex-auth.svc.cluster.local:8080
  require_identity_for_adm: true
  fail_closed: true

fail_closed: true — if flex-auth unreachable, deny sign (no silent bypass).

What stays in inventory (v2)

  • Actor registration (name, type, default principals, default TTL)
  • Host reference documentation
  • Scorecard local checks

flex-auth decides whether this sign request is allowed now; inventory defines what the actor is allowed to request.

Non-goals (this design)

  • flex-auth implementation changes in WP-0006
  • Replacing OpenBao SSH engine with flex-auth
  • Storing flex-auth policies in ops-warden repo

Implementation follow-up

Promote to WARDEN-WP-0007 (proposed) after:

  1. flex-auth resource type for ssh-certificate agreed
  2. NK platform policy for platform vs tenant sign paths
  3. Operator approval for fail_closed production behavior

See also

  • flex-auth/INTENT.md
  • wiki/CredentialRouting.md
  • net-kingdom/docs/platform-identity-security-architecture.md
Reference in New Issue View Git Blame Copy Permalink