From 38936d8fd670b610087a6595d675863c56076f03 Mon Sep 17 00:00:00 2001 From: tegwick Date: Wed, 1 Jul 2026 23:34:13 +0200 Subject: [PATCH] Close delegated prod applier pilot --- ...R-2026-0001-whynot-design-npm-publish.yaml | 63 +++++++++++++------ .../openbao-approved-automation-delegation.md | 2 +- .../credential-change-nonprod-applier.hcl | 5 +- .../credential-change-prod-applier.hcl | 5 +- ...-openbao-approved-automation-delegation.md | 31 +++++++-- 5 files changed, 79 insertions(+), 27 deletions(-) diff --git a/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml b/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml index f3bfe69..9c79317 100644 --- a/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml +++ b/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml @@ -5,7 +5,7 @@ request_type: workload-kv-read title: whynot-design npm publish token lane status: active created: '2026-06-27' -updated: '2026-06-29' +updated: '2026-07-01' requester: agent: ops-warden message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076 
@@ -107,52 +107,79 @@ verification: result: passed details: - Policy read succeeded for workload-kv-read-whynot-design-npm-publish. - - OIDC role read showed the whynot-design bound claim, read policy, and callback URIs. + - OIDC role read showed the whynot-design bound claim, read policy, and callback + URIs. - Metadata read showed catalog-id whynot-design-npm-publish. - - Secret field presence check found NPM_AUTH_TOKEN without printing or recording the value. + - Secret field presence check found NPM_AUTH_TOKEN without printing or recording + the value. - at: '2026-06-28T11:20:06+00:00' actor: codex kind: non_secret_oidc_role_correction result: applied details: - - Positive login reported missing groups claim because the role did not request the groups scope. - - Updated auth/netkingdom/role/whynot-design-workload-kv-read with oidc_scopes openid/profile/email/groups. + - Positive login reported missing groups claim because the role did not request + the groups scope. + - Updated auth/netkingdom/role/whynot-design-workload-kv-read with oidc_scopes + openid/profile/email/groups. - Added the 127.0.0.1 local CLI callback URI alongside localhost and browser callbacks. - at: '2026-06-28T14:01:47+00:00' actor: codex kind: non_secret_identity_group_check result: applied details: - - Positive login advanced from missing groups claim to bound claim mismatch; this confirms the groups scope is now requested. + - Positive login advanced from missing groups claim to bound claim mismatch; this + confirms the groups scope is now requested. - Live LLDAP group inventory did not contain whynot-design before this check. - - Created and verified the whynot-design LLDAP group for the approved OpenBao bound claim. - - No user membership was changed; positive verification still requires the authenticating account to be explicitly added to whynot-design. + - Created and verified the whynot-design LLDAP group for the approved OpenBao + bound claim. 
+ - No user membership was changed; positive verification still requires the authenticating + account to be explicitly added to whynot-design. - at: '2026-06-28T15:22:29+00:00' actor: bernd.worsch kind: positive_fetch_verification result: passed details: - - Attended OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read succeeded with workload-kv-read-whynot-design-npm-publish policy. - - NPM_AUTH_TOKEN field fetch from platform/workloads/coulomb/whynot-design/npm-publish exited successfully with output redirected to /dev/null. + - Attended OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read + succeeded with workload-kv-read-whynot-design-npm-publish policy. + - NPM_AUTH_TOKEN field fetch from platform/workloads/coulomb/whynot-design/npm-publish + exited successfully with output redirected to /dev/null. - The secret value was not printed or recorded. - - A short-lived OpenBao client token was printed by the CLI login output and was revoked by accessor immediately after the report. - - Negative denial verification is still pending; keep the front door non-resolvable until it passes. + - A short-lived OpenBao client token was printed by the CLI login output and was + revoked by accessor immediately after the report. + - Negative denial verification is still pending; keep the front door non-resolvable + until it passes. - at: '2026-06-28T22:06:43+00:00' actor: bernd.worsch kind: negative_denial_verification result: passed details: - - platform-root was temporarily removed from the whynot-design LLDAP group for the attended negative check. - - OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read failed with a groups bound-claim mismatch. - - No OpenBao client token was issued for the negative identity, and no NPM_AUTH_TOKEN value was printed or recorded. + - platform-root was temporarily removed from the whynot-design LLDAP group for + the attended negative check. 
+ - OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read failed with + a groups bound-claim mismatch. + - No OpenBao client token was issued for the negative identity, and no NPM_AUTH_TOKEN + value was printed or recorded. - at: '2026-06-28T22:08:50+00:00' actor: codex kind: identity_group_restore result: passed details: - - Restored platform-root membership in the whynot-design LLDAP group after negative verification. - - Verified whynot-design membership contains platform-root and no unexpected additional users. - - Positive and negative verification gates are now complete; access_frontdoor is ready/resolvable. + - Restored platform-root membership in the whynot-design LLDAP group after negative + verification. + - Verified whynot-design membership contains platform-root and no unexpected additional + users. + - Positive and negative verification gates are now complete; access_frontdoor + is ready/resolvable. + - at: '2026-07-01T21:27:20+00:00' + actor: credential-change-prod-applier-smoke + kind: delegated_metadata_apply + result: passed + details: + - Delegated metadata applier ran as credential-change-prod-applier-smoke using + local bao CLI ambient authority. + - 'Policy metadata write: sys/policies/acl/workload-kv-read-whynot-design-npm-publish' + - 'Auth role metadata write: auth/netkingdom/role/whynot-design-workload-kv-read' + - No secret values were read, written, printed, or accepted in argv. lifecycle: deactivate: Disable ops-warden catalog entry and remove or detach auth role policy. rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation diff --git a/docs/openbao-approved-automation-delegation.md b/docs/openbao-approved-automation-delegation.md index fb99b89..450e961 100644 --- a/docs/openbao-approved-automation-delegation.md +++ b/docs/openbao-approved-automation-delegation.md 
@@ -49,7 +49,7 @@ tokens in argv. | --- | --- | --- | | Workload KV read policies | `sys/policies/acl/workload-kv-read-*` | Generated from CCR mount/path/field metadata. | | Credential broker issuer policies | `sys/policies/acl/credential-broker-*-issuer` | Generated from grant catalog metadata. | -| OIDC workload roles | `auth/netkingdom/role/*-workload-kv-read` | Bound claims must be confirmed before apply. | +| OIDC workload roles | `auth/netkingdom/role/*` | Bound claims and workload role names must be confirmed by the local dry-run before apply. | | Kubernetes workload roles | `auth/kubernetes/role/*` | Bound service accounts/namespaces must be confirmed before apply. | | Credential broker token roles | `auth/token/roles/credential-broker-*` | Child-token roles only; no root or platform-admin policies. | | Self checks | `auth/token/lookup-self`, `sys/capabilities-self` | Read/update only as required by OpenBao. | diff --git a/openbao/policies/credential-change-nonprod-applier.hcl b/openbao/policies/credential-change-nonprod-applier.hcl index b6c657b..05dbd3a 100644 --- a/openbao/policies/credential-change-nonprod-applier.hcl +++ b/openbao/policies/credential-change-nonprod-applier.hcl @@ -15,8 +15,9 @@ path "sys/policies/acl/credential-broker-*-issuer" { capabilities = ["create", "update", "read"] } -# OIDC roles for caller-scoped workload KV lanes. -path "auth/netkingdom/role/*-workload-kv-read" { +# OIDC roles for caller-scoped workload KV lanes. The local applier +# dry-run constrains role names and bound claims per CCR. +path "auth/netkingdom/role/*" { capabilities = ["create", "update", "read"] } diff --git a/openbao/policies/credential-change-prod-applier.hcl b/openbao/policies/credential-change-prod-applier.hcl index b8301ea..33dcd7e 100644 --- a/openbao/policies/credential-change-prod-applier.hcl +++ b/openbao/policies/credential-change-prod-applier.hcl 
@@ -15,8 +15,9 @@ path "sys/policies/acl/credential-broker-*-issuer" { capabilities = ["create", "update", "read"] } -# OIDC roles for caller-scoped workload KV lanes. -path "auth/netkingdom/role/*-workload-kv-read" { +# OIDC roles for caller-scoped workload KV lanes. The local applier +# dry-run constrains role names and bound claims per CCR. +path "auth/netkingdom/role/*" { capabilities = ["create", "update", "read"] } diff --git a/workplans/RAILIANCE-WP-0008-openbao-approved-automation-delegation.md b/workplans/RAILIANCE-WP-0008-openbao-approved-automation-delegation.md index 082a9f0..79dbd1c 100644 --- a/workplans/RAILIANCE-WP-0008-openbao-approved-automation-delegation.md +++ b/workplans/RAILIANCE-WP-0008-openbao-approved-automation-delegation.md @@ -10,7 +10,7 @@ topic_slug: railiance planning_priority: high planning_order: 8 created: "2026-06-28" -updated: "2026-06-30" +updated: "2026-07-01" depends_on_workplans: - RAIL-PL-WP-0002 - RAILIANCE-WP-0005 @@ -99,7 +99,7 @@ Start with one production candidate policy, for example - allow `create`, `update`, and `read` on approved credential-broker issuer policy names such as `credential-broker-*-issuer`; - allow `create`, `update`, and `read` on selected auth role prefixes such as - `auth/netkingdom/role/*-workload-kv-read`, + `auth/netkingdom/role/*` with local dry-run role-name constraints, `auth/kubernetes/role/*`, and `auth/token/roles/credential-broker-*`; - allow read/list only where needed for idempotent verification; - deny broad `sys/*`, `auth/*`, `platform/*`, `identity/*`, `root`, and 
@@ -208,11 +208,17 @@ disallows `root` and `platform-admin`, disables the default policy, and does not issue tokens by itself. Live non-production apply and denial evidence remains the closeout gate. +**2026-07-01:** Applied the updated non-production metadata-only policy +and bounded `auth/token/roles/credential-change-nonprod-applier` role to live +OpenBao. The role attaches only `credential-change-nonprod-applier`, disables +the default policy, and disallows `root` / `platform-admin`; T03 remains open +until a non-production lane apply and denial probe are recorded. + ## T04 - Add production metadata applier with human approval gate ```task id: RAILIANCE-WP-0008-T04 -status: progress +status: done priority: high state_hub_task_id: "414abd65-22d3-420f-994d-f7fdd1302db5" ``` @@ -249,11 +255,22 @@ uses service tokens, disables default policy attachment, and keeps token issuanc outside the setup script. Production closure still needs a live run and capability evidence using this constrained identity. +**2026-07-01:** Updated the delegated applier ACLs to use the OpenBao-matchable +`auth/netkingdom/role/*` path while keeping role-name and bound-claim +constraints in the local CCR dry-run. Applied the live prod/nonprod applier +policies and token roles, then issued a 15-minute +`credential-change-prod-applier` child token and used it to run +`scripts/credential-change.py applier-apply CCR-2026-0001`. The delegated +run wrote the workload KV policy and OIDC role metadata without +`platform-admin`. A `sys/capabilities-self` probe on +`platform/data/workloads/coulomb/whynot-design/npm-publish` returned +`deny`, and the matching short-lived child token accessor was revoked. + ## T05 - Close the whynot-design pilot ```task id: RAILIANCE-WP-0008-T05 -status: wait +status: done priority: high state_hub_task_id: "18f34c95-4d2b-4a08-a5ad-5ab700ff9dfe" ``` 
@@ -270,6 +287,12 @@ Acceptance: - `CCR-2026-0001` can move to `active`. - ops-warden can mark `whynot-design-npm-publish` ready/resolvable. +**2026-07-01:** Closed the whynot-design pilot. `CCR-2026-0001` is +active, the front-door metadata is ready/resolvable, prior approved-custody +provisioning plus positive and negative verification are recorded without +secret values, and the delegated prod applier evidence is now recorded on the +CCR. + ## Exit Criteria - Routine approved OpenBao metadata changes no longer require broad
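Review bot: in the `CCR-2026-0001` hunk (`@@ -107,52 +107,79 @@`), the new `delegated_metadata_apply` entry records less than the workplan T04 note does for the same run: it names the actor and the two metadata writes but omits the child token TTL, the `sys/capabilities-self` deny probe and the accessor revocation. The earlier `positive_fetch_verification` entry set the convention of recording revocation in `details` (`revoked by accessor immediately after the report`); add matching lines here so the CCR, which T05 calls the evidence record, is self-contained. Separately, most of this hunk is line-wrapping reflow of untouched entries, which buries the one substantive addition; land the reflow as its own commit or name the formatter in the commit message so the content change can be diffed alone.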
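Review bot: in the `docs/openbao-approved-automation-delegation.md` table hunk, the `OIDC workload roles` row now grants `auth/netkingdom/role/*`, i.e. every role in the mount, and moves the name and bound-claim constraint into the local dry-run. That turns a server-enforced ACL boundary into a client-side check that only holds while the applier script is the thing holding the token; the row should say so plainly (for example `enforced by the applier dry-run, not by OpenBao ACL`) instead of reading like the row it replaces. It would also help to record why the suffix glob was dropped: OpenBao, like Vault, only honours `*` as a trailing wildcard, so `*-workload-kv-read` never matched. A prefix naming scheme for the workload roles (for instance `workload-kv-read-*`, suggested here, not a name the repo uses) would let the ACL keep a server-side constraint.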
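Review bot: in the `credential-change-nonprod-applier.hcl` hunk, the new comment says the dry-run constrains role names, but the stanza itself now allows `create` and `update` on any role in the mount, including whatever human or admin login roles share it. OpenBao resolves the most specific matching path, so an exact-path `capabilities = ["deny"]` stanza for each non-workload role name in that mount (the role inventory is not in this patch, so those names would have to be filled in) would override the glob and restore a server-side boundary while keeping the trailing-`*` syntax the applier needs. Also consider generating the prod and nonprod files from one template: this hunk and the prod one are identical apart from the filename, and drift between them is a classic source of prod-only surprises.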
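Review bot: in the `credential-change-prod-applier.hcl` hunk, the same widening lands on the production applier in the commit that declares the pilot closed. For prod, the widened scope deserves an explicit risk note in the delegation doc or the workplan stating that role-name scoping is now a client-side control, who accepted that, and what the compensating evidence is; the `sys/capabilities-self` probe cited in T04 covers only the KV data path, not the other roles this stanza now reaches.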
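Review bot: in the workplan hunk `@@ -208,11 +208,17 @@`, T04 flips to `done` while the dated note added just above it records T03 (the non-production applier) as still open pending a nonprod lane apply and denial probe. Running the production applier live before the non-production one has produced its evidence inverts the promotion order the workplan sets up; either close T03 first with the nonprod evidence, or add a sentence here recording why the prod pilot went ahead of it.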
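Review bot: in the workplan hunk `@@ -249,11 +255,22 @@`, the closeout note's `sys/capabilities-self` probe checks `platform/data/workloads/coulomb/whynot-design/npm-publish`, a path the applier policy was never meant to reach. The change this patch actually introduces is the widened `auth/netkingdom/role/*` grant, so the evidence worth recording is a probe against a role path outside the workload lane showing what the token could do there (expected: `create` and `update`, since only the dry-run blocks it). The CCR entry for the same run says the applier used `local bao CLI ambient authority`; given the doc's no-tokens-in-argv rule, record how the 15-minute child token was supplied (token helper file or environment variable) so the claim is verifiable.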