coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1865e0744e6aedbdece0b2047dd507d1fdfb1e32
ops-warden/wiki/PolicyGatedSigning.md
tegwick 1865e0744e WARDEN-WP-0006: NetKingdom stewardship docs and alignment 
Add credential routing, actor patterns, security map, OpenBao SSH
checklist, and policy-gated signing design. Update registry and SCOPE;
record INTENT↔SCOPE reassessment (C3 completeness).
2026-06-17 08:22:45 +02:00

129 lines
3.2 KiB
Markdown
Raw Blame History

# Policy-Gated SSH Signing (design)
Date: 2026-06-17
Status: **design only** — not implemented in WARDEN-WP-0006
Today `warden sign` authorizes via **inventory allow-list** and TTL policy only.
This document proposes flex-auth integration so SSH issuance matches the
NetKingdom authorization path before OpenBao/SSH engine signing.
---
## Problem
Inventory-only gating is sufficient for early ops but weak for:
- many agents and automations across tenants
- temporary elevation without inventory edits
- unified audit with flex-auth decision envelopes
- aligning SSH issuance with IAM Profile claims
---
## Target flow (v2)
```text
warden sign <actor> --pubkey <path>
|
v
Load actor from inventory (type, principals, ttl)
|
v
Obtain identity claims (optional v2.1)
OIDC token / env-injected JWT from key-cape session
|
v
flex-auth Evaluate
resource: ssh-certificate / actor:<name>
action: sign
context: tenant, principal list, pubkey fingerprint, requestor
|
+-- DENY -> CAError with flex-auth explanation
|
v ALLOW
CABackend.sign() (local or OpenBao SSH engine)
|
v
Append signatures.log (+ optional flex-auth audit correlation id)
```
---
## flex-auth request shape (proposed)
| Field | Source |
| --- | --- |
| `subject` | IAM Profile `sub` or service identity |
| `tenant` | `tenant:platform` or `tenant:coulomb` |
| `resource` | `ssh-cert:actor/<actor-name>` |
| `action` | `sign` |
| `context.principals` | From inventory |
| `context.actor_type` | adm \| agt \| atm |
| `context.pubkey_fingerprint` | SHA256 of pubkey |
| `context.ttl_hours` | Requested TTL |
Decision envelope should return `allow` \| `deny` and `audit_correlation_id`
stored in `signatures.log`.
---
## Versioning
| Version | Gate | Notes |
| --- | --- | --- |
| **v1 (today)** | Inventory + TTL max | Shipped |
| **v2** | flex-auth required for `backend: vault` production | Config flag |
| **v2.1** | Identity claims required for `adm` signs | OIDC from key-cape |
| **v3** | Tenant-scoped policies per `tenant:*` | NK recursive rule |
---
## Configuration sketch (future)
```yaml
# warden.yaml — not implemented
policy:
enabled: true
flex_auth_url: http://flex-auth.flex-auth.svc.cluster.local:8080
require_identity_for_adm: true
fail_closed: true
```
`fail_closed: true` — if flex-auth unreachable, deny sign (no silent bypass).
---
## What stays in inventory (v2)
- Actor registration (name, type, default principals, default TTL)
- Host reference documentation
- Scorecard local checks
flex-auth decides **whether this sign request is allowed now**; inventory
defines **what the actor is allowed to request**.
---
## Non-goals (this design)
- flex-auth implementation changes in WP-0006
- Replacing OpenBao SSH engine with flex-auth
- Storing flex-auth policies in ops-warden repo
---
## Implementation follow-up
Promote to **WARDEN-WP-0007** (proposed) after:
1. flex-auth resource type for `ssh-certificate` agreed
2. NK platform policy for platform vs tenant sign paths
3. Operator approval for `fail_closed` production behavior
---
## See also
- `flex-auth/INTENT.md`
- `wiki/CredentialRouting.md`
- `net-kingdom/docs/platform-identity-security-architecture.md`
Reference in New Issue View Git Blame Copy Permalink