Close delegated prod applier pilot
This commit is contained in:
parent
2db4d1afe1
commit
38936d8fd6
5 changed files with 79 additions and 27 deletions
|
|
@ -10,7 +10,7 @@ topic_slug: railiance
|
|||
planning_priority: high
|
||||
planning_order: 8
|
||||
created: "2026-06-28"
|
||||
updated: "2026-06-30"
|
||||
updated: "2026-07-01"
|
||||
depends_on_workplans:
|
||||
- RAIL-PL-WP-0002
|
||||
- RAILIANCE-WP-0005
|
||||
|
|
@ -99,7 +99,7 @@ Start with one production candidate policy, for example
|
|||
- allow `create`, `update`, and `read` on approved credential-broker issuer
|
||||
policy names such as `credential-broker-*-issuer`;
|
||||
- allow `create`, `update`, and `read` on selected auth role prefixes such as
|
||||
`auth/netkingdom/role/*-workload-kv-read`,
|
||||
`auth/netkingdom/role/*` with local dry-run role-name constraints,
|
||||
`auth/kubernetes/role/*`, and `auth/token/roles/credential-broker-*`;
|
||||
- allow read/list only where needed for idempotent verification;
|
||||
- deny broad `sys/*`, `auth/*`, `platform/*`, `identity/*`, `root`, and
|
||||
|
|
@ -208,11 +208,17 @@ disallows `root` and `platform-admin`, disables the default policy, and does not
|
|||
issue tokens by itself. Live non-production apply and denial evidence remains
|
||||
the closeout gate.
|
||||
|
||||
**2026-07-01:** Applied the updated non-production metadata-only policy
|
||||
and bounded `auth/token/roles/credential-change-nonprod-applier` role to live
|
||||
OpenBao. The role attaches only `credential-change-nonprod-applier`, disables
|
||||
the default policy, and disallows `root` / `platform-admin`; T03 remains open
|
||||
until a non-production lane apply and denial probe are recorded.
|
||||
|
||||
## T04 - Add production metadata applier with human approval gate
|
||||
|
||||
```task
|
||||
id: RAILIANCE-WP-0008-T04
|
||||
status: progress
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "414abd65-22d3-420f-994d-f7fdd1302db5"
|
||||
```
|
||||
|
|
@ -249,11 +255,22 @@ uses service tokens, disables default policy attachment, and keeps token issuanc
|
|||
outside the setup script. Production closure still needs a live run and
|
||||
capability evidence using this constrained identity.
|
||||
|
||||
**2026-07-01:** Updated the delegated applier ACLs to use the OpenBao-matchable
|
||||
`auth/netkingdom/role/*` path while keeping role-name and bound-claim
|
||||
constraints in the local CCR dry-run. Applied the live prod/nonprod applier
|
||||
policies and token roles, then issued a 15-minute
|
||||
`credential-change-prod-applier` child token and used it to run
|
||||
`scripts/credential-change.py applier-apply CCR-2026-0001`. The delegated
|
||||
run wrote the workload KV policy and OIDC role metadata without
|
||||
`platform-admin`. A `sys/capabilities-self` probe on
|
||||
`platform/data/workloads/coulomb/whynot-design/npm-publish` returned
|
||||
`deny`, and the matching short-lived child token accessor was revoked.
|
||||
|
||||
## T05 - Close the whynot-design pilot
|
||||
|
||||
```task
|
||||
id: RAILIANCE-WP-0008-T05
|
||||
status: wait
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "18f34c95-4d2b-4a08-a5ad-5ab700ff9dfe"
|
||||
```
|
||||
|
|
@ -270,6 +287,12 @@ Acceptance:
|
|||
- `CCR-2026-0001` can move to `active`.
|
||||
- ops-warden can mark `whynot-design-npm-publish` ready/resolvable.
|
||||
|
||||
**2026-07-01:** Closed the whynot-design pilot. `CCR-2026-0001` is
|
||||
active, the front-door metadata is ready/resolvable, prior approved-custody
|
||||
provisioning plus positive and negative verification are recorded without
|
||||
secret values, and the delegated prod applier evidence is now recorded on the
|
||||
CCR.
|
||||
|
||||
## Exit Criteria
|
||||
|
||||
- Routine approved OpenBao metadata changes no longer require broad
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue