Add credential-change delegated applier flow
This commit is contained in:
parent
c626bfcf15
commit
a95236d2e5
21 changed files with 2705 additions and 119 deletions
40
openbao/policies/credential-change-nonprod-applier.hcl
Normal file
40
openbao/policies/credential-change-nonprod-applier.hcl
Normal file
|
|
@ -0,0 +1,40 @@
|
|||
# Non-production metadata applier for reviewed credential changes.
|
||||
#
|
||||
# This policy is intended for build/test/staging OpenBao lanes after a
|
||||
# non-production mount or namespace is declared. It intentionally keeps the same
|
||||
# no-secret-value rule as production; generated test secrets still require a
|
||||
# separately approved non-production value path.
|
||||
|
||||
# Workload KV read-lane policies generated from approved CCRs.
|
||||
path "sys/policies/acl/workload-kv-read-*" {
|
||||
capabilities = ["create", "update", "read"]
|
||||
}
|
||||
|
||||
# Credential broker issuer policies generated from approved grant metadata.
|
||||
path "sys/policies/acl/credential-broker-*-issuer" {
|
||||
capabilities = ["create", "update", "read"]
|
||||
}
|
||||
|
||||
# OIDC roles for caller-scoped workload KV lanes.
|
||||
path "auth/netkingdom/role/*-workload-kv-read" {
|
||||
capabilities = ["create", "update", "read"]
|
||||
}
|
||||
|
||||
# Kubernetes roles for in-cluster workload and provider-secret lanes.
|
||||
path "auth/kubernetes/role/*" {
|
||||
capabilities = ["create", "update", "read"]
|
||||
}
|
||||
|
||||
# Token roles for approved credential-broker child-token issuers.
|
||||
path "auth/token/roles/credential-broker-*" {
|
||||
capabilities = ["create", "update", "read"]
|
||||
}
|
||||
|
||||
# Self-checks and capability introspection only.
|
||||
path "auth/token/lookup-self" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
path "sys/capabilities-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
41
openbao/policies/credential-change-prod-applier.hcl
Normal file
41
openbao/policies/credential-change-prod-applier.hcl
Normal file
|
|
@ -0,0 +1,41 @@
|
|||
# Production metadata applier for reviewed credential changes.
|
||||
#
|
||||
# This policy intentionally permits only non-secret OpenBao metadata writes for
|
||||
# approved CCRs. Secret value paths under platform/data are not granted here.
|
||||
# The local credential-change applier-dry-run command must validate the CCR
|
||||
# before this policy is used for any live mutation.
|
||||
|
||||
# Workload KV read-lane policies generated from approved CCRs.
|
||||
path "sys/policies/acl/workload-kv-read-*" {
|
||||
capabilities = ["create", "update", "read"]
|
||||
}
|
||||
|
||||
# Credential broker issuer policies generated from approved grant metadata.
|
||||
path "sys/policies/acl/credential-broker-*-issuer" {
|
||||
capabilities = ["create", "update", "read"]
|
||||
}
|
||||
|
||||
# OIDC roles for caller-scoped workload KV lanes.
|
||||
path "auth/netkingdom/role/*-workload-kv-read" {
|
||||
capabilities = ["create", "update", "read"]
|
||||
}
|
||||
|
||||
# Kubernetes roles for in-cluster workload and provider-secret lanes. The local
|
||||
# applier dry-run constrains role names and bound service accounts per CCR.
|
||||
path "auth/kubernetes/role/*" {
|
||||
capabilities = ["create", "update", "read"]
|
||||
}
|
||||
|
||||
# Token roles for approved credential-broker child-token issuers.
|
||||
path "auth/token/roles/credential-broker-*" {
|
||||
capabilities = ["create", "update", "read"]
|
||||
}
|
||||
|
||||
# Self-checks and capability introspection only.
|
||||
path "auth/token/lookup-self" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
path "sys/capabilities-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue