Close delegated prod applier pilot
@@ -5,7 +5,7 @@ request_type: workload-kv-read
title: whynot-design npm publish token lane
status: active
created: '2026-06-27'
updated: '2026-06-29'
updated: '2026-07-01'
requester:
agent: ops-warden
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
@@ -107,52 +107,79 @@ verification:
result: passed
details:
- Policy read succeeded for workload-kv-read-whynot-design-npm-publish.
- OIDC role read showed the whynot-design bound claim, read policy, and callback URIs.
- OIDC role read showed the whynot-design bound claim, read policy, and callback
URIs.
- Metadata read showed catalog-id whynot-design-npm-publish.
- Secret field presence check found NPM_AUTH_TOKEN without printing or recording the value.
- Secret field presence check found NPM_AUTH_TOKEN without printing or recording
the value.
- at: '2026-06-28T11:20:06+00:00'
actor: codex
kind: non_secret_oidc_role_correction
result: applied
details:
- Positive login reported missing groups claim because the role did not request the groups scope.
- Updated auth/netkingdom/role/whynot-design-workload-kv-read with oidc_scopes openid/profile/email/groups.
- Positive login reported missing groups claim because the role did not request
the groups scope.
- Updated auth/netkingdom/role/whynot-design-workload-kv-read with oidc_scopes
openid/profile/email/groups.
- Added the 127.0.0.1 local CLI callback URI alongside localhost and browser callbacks.
- at: '2026-06-28T14:01:47+00:00'
actor: codex
kind: non_secret_identity_group_check
result: applied
details:
- Positive login advanced from missing groups claim to bound claim mismatch; this confirms the groups scope is now requested.
- Positive login advanced from missing groups claim to bound claim mismatch; this
confirms the groups scope is now requested.
- Live LLDAP group inventory did not contain whynot-design before this check.
- Created and verified the whynot-design LLDAP group for the approved OpenBao bound claim.
- No user membership was changed; positive verification still requires the authenticating account to be explicitly added to whynot-design.
- Created and verified the whynot-design LLDAP group for the approved OpenBao
bound claim.
- No user membership was changed; positive verification still requires the authenticating
account to be explicitly added to whynot-design.
- at: '2026-06-28T15:22:29+00:00'
actor: bernd.worsch
kind: positive_fetch_verification
result: passed
details:
- Attended OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read succeeded with workload-kv-read-whynot-design-npm-publish policy.
- NPM_AUTH_TOKEN field fetch from platform/workloads/coulomb/whynot-design/npm-publish exited successfully with output redirected to /dev/null.
- Attended OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read
succeeded with workload-kv-read-whynot-design-npm-publish policy.
- NPM_AUTH_TOKEN field fetch from platform/workloads/coulomb/whynot-design/npm-publish
exited successfully with output redirected to /dev/null.
- The secret value was not printed or recorded.
- A short-lived OpenBao client token was printed by the CLI login output and was revoked by accessor immediately after the report.
- Negative denial verification is still pending; keep the front door non-resolvable until it passes.
- A short-lived OpenBao client token was printed by the CLI login output and was
revoked by accessor immediately after the report.
- Negative denial verification is still pending; keep the front door non-resolvable
until it passes.
- at: '2026-06-28T22:06:43+00:00'
actor: bernd.worsch
kind: negative_denial_verification
result: passed
details:
- platform-root was temporarily removed from the whynot-design LLDAP group for the attended negative check.
- OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read failed with a groups bound-claim mismatch.
- No OpenBao client token was issued for the negative identity, and no NPM_AUTH_TOKEN value was printed or recorded.
- platform-root was temporarily removed from the whynot-design LLDAP group for
the attended negative check.
- OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read failed with
a groups bound-claim mismatch.
- No OpenBao client token was issued for the negative identity, and no NPM_AUTH_TOKEN
value was printed or recorded.
- at: '2026-06-28T22:08:50+00:00'
actor: codex
kind: identity_group_restore
result: passed
details:
- Restored platform-root membership in the whynot-design LLDAP group after negative verification.
- Verified whynot-design membership contains platform-root and no unexpected additional users.
- Positive and negative verification gates are now complete; access_frontdoor is ready/resolvable.
- Restored platform-root membership in the whynot-design LLDAP group after negative
verification.
- Verified whynot-design membership contains platform-root and no unexpected additional
users.
- Positive and negative verification gates are now complete; access_frontdoor
is ready/resolvable.
- at: '2026-07-01T21:27:20+00:00'
actor: credential-change-prod-applier-smoke
kind: delegated_metadata_apply
result: passed
details:
- Delegated metadata applier ran as credential-change-prod-applier-smoke using
local bao CLI ambient authority.
- 'Policy metadata write: sys/policies/acl/workload-kv-read-whynot-design-npm-publish'
- 'Auth role metadata write: auth/netkingdom/role/whynot-design-workload-kv-read'
- No secret values were read, written, printed, or accepted in argv.
lifecycle:
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation
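Review bot: the new `delegated_metadata_apply` entry (actor `credential-change-prod-applier-smoke`) records "local bao CLI ambient authority" but not how that authority was cleaned up, whereas the earlier `positive_fetch_verification` entry explicitly notes that the printed client token was revoked by accessor; the T04 narrative in this same commit says a 15-minute child token was issued and its accessor revoked, so add a matching detail line here (for example "Child token accessor revoked after the run") so the CCR evidence is complete on its own. Separately, this hunk mixes an 80-column reflow of the earlier entries with the one substantive addition, which makes the addition hard to pick out; the reflow would be easier to review as its own commit.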
@@ -49,7 +49,7 @@ tokens in argv.
| --- | --- | --- |
| Workload KV read policies | `sys/policies/acl/workload-kv-read-*` | Generated from CCR mount/path/field metadata. |
| Credential broker issuer policies | `sys/policies/acl/credential-broker-*-issuer` | Generated from grant catalog metadata. |
| OIDC workload roles | `auth/netkingdom/role/*-workload-kv-read` | Bound claims must be confirmed before apply. |
| OIDC workload roles | `auth/netkingdom/role/*` | Bound claims and workload role names must be confirmed by the local dry-run before apply. |
| Kubernetes workload roles | `auth/kubernetes/role/*` | Bound service accounts/namespaces must be confirmed before apply. |
| Credential broker token roles | `auth/token/roles/credential-broker-*` | Child-token roles only; no root or platform-admin policies. |
| Self checks | `auth/token/lookup-self`, `sys/capabilities-self` | Read/update only as required by OpenBao. |
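Review bot: widening the OIDC row from `auth/netkingdom/role/*-workload-kv-read` to `auth/netkingdom/role/*` moves the role-name restriction out of the OpenBao ACL and into the local dry-run, and the Notes cell should say so plainly: the ACL itself now grants create/update/read on every role in that mount, and the dry-run is a client-side check that an applier token used outside the script does not enforce. A sentence such as "ACL scope is the whole mount; role-name and bound-claim limits are enforced only by the CCR dry-run" would make the residual risk visible to whoever approves this table.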
@@ -15,8 +15,9 @@ path "sys/policies/acl/credential-broker-*-issuer" {
capabilities = ["create", "update", "read"]
}
# OIDC roles for caller-scoped workload KV lanes.
path "auth/netkingdom/role/*-workload-kv-read" {
# OIDC roles for caller-scoped workload KV lanes. The local applier
# dry-run constrains role names and bound claims per CCR.
path "auth/netkingdom/role/*" {
capabilities = ["create", "update", "read"]
}
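Review bot: `path "auth/netkingdom/role/*"` now matches every OIDC role under this mount, not only the workload KV lanes the comment describes. If the mount holds roles the applier must never write, carve them out with their own stanza using `capabilities = ["deny"]`; OpenBao resolves overlapping paths by the most specific match, so a narrower stanza overrides this glob. It would also help to name the script that performs the dry-run (`scripts/credential-change.py` in this commit) in the comment, so the compensating control is discoverable from the policy file alone.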
@@ -15,8 +15,9 @@ path "sys/policies/acl/credential-broker-*-issuer" {
capabilities = ["create", "update", "read"]
}
# OIDC roles for caller-scoped workload KV lanes.
path "auth/netkingdom/role/*-workload-kv-read" {
# OIDC roles for caller-scoped workload KV lanes. The local applier
# dry-run constrains role names and bound claims per CCR.
path "auth/netkingdom/role/*" {
capabilities = ["create", "update", "read"]
}
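Review bot: this hunk is byte-identical to the previous one, so both policy files now carry the same widened glob and the same two-line comment; keeping the prod and nonprod files aligned is fine, but neither comment says which CCR field the dry-run checks or which script runs it. Stating that in the comment (or factoring the shared stanza into one place) would let a reader of either file verify the control without opening the workplan.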
@@ -10,7 +10,7 @@ topic_slug: railiance
planning_priority: high
planning_order: 8
created: "2026-06-28"
updated: "2026-06-30"
updated: "2026-07-01"
depends_on_workplans:
- RAIL-PL-WP-0002
- RAILIANCE-WP-0005
@@ -99,7 +99,7 @@ Start with one production candidate policy, for example
- allow `create`, `update`, and `read` on approved credential-broker issuer
policy names such as `credential-broker-*-issuer`;
- allow `create`, `update`, and `read` on selected auth role prefixes such as
`auth/netkingdom/role/*-workload-kv-read`,
`auth/netkingdom/role/*` with local dry-run role-name constraints,
`auth/kubernetes/role/*`, and `auth/token/roles/credential-broker-*`;
- allow read/list only where needed for idempotent verification;
- deny broad `sys/*`, `auth/*`, `platform/*`, `identity/*`, `root`, and
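Review bot: the list now allows `auth/netkingdom/role/*` and, two bullets later, denies broad `auth/*`, which reads as contradictory without an explanation of precedence. One sentence stating that OpenBao evaluates the longest matching path, so the role-prefix allow is applied ahead of the broad `auth/*` deny, would resolve it; the bullet should also say that the "local dry-run role-name constraints" are enforced by the applier script rather than by the ACL, since that is the control the widening depends on.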
@@ -208,11 +208,17 @@ disallows `root` and `platform-admin`, disables the default policy, and does not
issue tokens by itself. Live non-production apply and denial evidence remains
the closeout gate.
**2026-07-01:** Applied the updated non-production metadata-only policy
and bounded `auth/token/roles/credential-change-nonprod-applier` role to live
OpenBao. The role attaches only `credential-change-nonprod-applier`, disables
the default policy, and disallows `root` / `platform-admin`; T03 remains open
until a non-production lane apply and denial probe are recorded.
## T04 - Add production metadata applier with human approval gate
```task
id: RAILIANCE-WP-0008-T04
status: progress
status: done
priority: high
state_hub_task_id: "414abd65-22d3-420f-994d-f7fdd1302db5"
```
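Review bot: T04 flips from `progress` to `done` while the T03 note directly above still says the non-production lane apply and denial probe are outstanding, so the production applier is being closed ahead of the non-production gate. Either record in the T04 narrative why that ordering is acceptable, or close T03 in the same change with its own evidence, so the task sequence reads consistently.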
@@ -249,11 +255,22 @@ uses service tokens, disables default policy attachment, and keeps token issuanc
outside the setup script. Production closure still needs a live run and
capability evidence using this constrained identity.
**2026-07-01:** Updated the delegated applier ACLs to use the OpenBao-matchable
`auth/netkingdom/role/*` path while keeping role-name and bound-claim
constraints in the local CCR dry-run. Applied the live prod/nonprod applier
policies and token roles, then issued a 15-minute
`credential-change-prod-applier` child token and used it to run
`scripts/credential-change.py applier-apply CCR-2026-0001`. The delegated
run wrote the workload KV policy and OIDC role metadata without
`platform-admin`. A `sys/capabilities-self` probe on
`platform/data/workloads/coulomb/whynot-design/npm-publish` returned
`deny`, and the matching short-lived child token accessor was revoked.
## T05 - Close the whynot-design pilot
```task
id: RAILIANCE-WP-0008-T05
status: wait
status: done
priority: high
state_hub_task_id: "18f34c95-4d2b-4a08-a5ad-5ab700ff9dfe"
```
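Review bot: the recorded denial evidence (`sys/capabilities-self` returning `deny` on `platform/data/workloads/coulomb/whynot-design/npm-publish`) shows the applier token cannot read the secret, but it does not exercise the widening to `auth/netkingdom/role/*` that this same paragraph introduces. A second probe worth recording is an `applier-apply` attempt against a role name that is not in `CCR-2026-0001`, expected to be rejected by the local dry-run even though the ACL would now permit the write; that is the compensating control the widening relies on, and without it the closure evidence only covers the secret path. The revocation of the 15-minute child token should also appear in the CCR verification entry, not only in this narrative.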
@@ -270,6 +287,12 @@ Acceptance:
- `CCR-2026-0001` can move to `active`.
- ops-warden can mark `whynot-design-npm-publish` ready/resolvable.
**2026-07-01:** Closed the whynot-design pilot. `CCR-2026-0001` is
active, the front-door metadata is ready/resolvable, prior approved-custody
provisioning plus positive and negative verification are recorded without
secret values, and the delegated prod applier evidence is now recorded on the
CCR.
## Exit Criteria
- Routine approved OpenBao metadata changes no longer require broad