epic: authentication & authorization system (Vault dynamic secrets, service accounts, users, path ACLs) #79

Open
opened 2026-07-02 00:20:46 +10:00 by unkinben · 0 comments
Currently the management API and proxy are fully open. Build an auth/authz system, default-open (no behaviour change until enabled).

Components

  1. New project: Vault dynamic secret provider — a Vault secrets-engine plugin that generates time-limited artifactapi tokens, so the Terraform provider can request short-lived credentials to make config changes.
  2. artifactapi auth backend — an endpoint Vault authenticates to (via a shared trust: static bootstrap token / mTLS / signed request) to mint time-limited tokens.
  3. Principals
    • Service accounts: static tokens + Vault-generated dynamic tokens.
    • Users: authenticate via external IdP (LDAP/OIDC), integrated with the UI (session/login).
  4. ACL system: capability grants on paths. Path form `remote/<remote-name>/<path-in-remote>`; capabilities `read`, `write`, `delete`, `create`. Also cover management resources (remotes/virtuals/etc.).
  5. Default policy: all open — parity with today until an admin turns enforcement on.

Deliverables (tracked as sub-PRs)

  • Design doc (this repo, docs/auth.md) — reviewed first
  • Token + principal data model & storage
  • Auth middleware with default-open enforcement + ACL evaluation
  • Service-account + static-token management API
  • Vault mint endpoint + trust mechanism
  • Vault dynamic secret provider plugin (new repo)
  • OIDC/LDAP user login + UI integration
  • Terraform provider: consume Vault-issued tokens

Cross-repo: terraform-vault (K8s auth role, policies), argocd-apps (deploy Vault plugin / SA).
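The ACL evaluation and default-open switch described under Components 4 and 5, as an added example in Go; this is illustration code, not artifactapi's own implementation. It assumes a `remote/<remote-name>/*` glob form for prefix grants, a method-to-capability mapping in which PUT/POST needs `create` when the target does not yet exist and `write` otherwise, and path normalisation before matching so that `..` segments cannot sidestep a prefix grant. None of those three points is specified by the issue.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Capability names from the epic. Distinguishing create from write by target
// existence is an assumption made here, not something the epic defines.
type Capability string

const (
	CapRead   Capability = "read"
	CapWrite  Capability = "write"
	CapDelete Capability = "delete"
	CapCreate Capability = "create"
)

// Grant gives capabilities on one path pattern. A pattern ending in "/*"
// matches every path below that prefix (the glob form is an assumption).
type Grant struct {
	Path string
	Caps []Capability
}

// Enforcer holds per-principal grants plus the global enforcement switch.
// Enforce is false by default, which is the epic's "all open" parity policy.
type Enforcer struct {
	Enforce bool
	Grants  map[string][]Grant // principal name -> grants
}

// normalize canonicalises a request path so that "remote/npm/../pypi/x" is
// evaluated as "remote/pypi/x" instead of slipping past a prefix grant.
func normalize(p string) string {
	return strings.TrimPrefix(path.Clean("/"+p), "/")
}

func matchPath(pattern, p string) bool {
	if strings.HasSuffix(pattern, "/*") {
		return strings.HasPrefix(p, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == p
}

// Allowed answers "may principal perform cap on p?". With enforcement on,
// unknown principals and unmatched paths are denied (deny by default).
func (e *Enforcer) Allowed(principal, p string, cap Capability) bool {
	if !e.Enforce {
		return true
	}
	p = normalize(p)
	for _, g := range e.Grants[principal] {
		if !matchPath(g.Path, p) {
			continue
		}
		for _, c := range g.Caps {
			if c == cap {
				return true
			}
		}
	}
	return false
}

// CapabilityFor maps an HTTP method onto a capability (assumed mapping).
// The second result is false for methods the proxy does not authorise.
func CapabilityFor(method string, exists bool) (Capability, bool) {
	switch method {
	case "GET", "HEAD":
		return CapRead, true
	case "PUT", "POST":
		if exists {
			return CapWrite, true
		}
		return CapCreate, true
	case "DELETE":
		return CapDelete, true
	}
	return "", false
}

func main() {
	// Constructed sample policy: a CI service account may read one remote
	// and manage that remote's own configuration, nothing else.
	e := &Enforcer{Grants: map[string][]Grant{
		"ci": {
			{Path: "remote/pypi/*", Caps: []Capability{CapRead}},
			{Path: "remotes/pypi", Caps: []Capability{CapRead, CapWrite}},
		},
	}}
	fmt.Println("default open, delete:", e.Allowed("ci", "remote/npm/x", CapDelete))
	e.Enforce = true
	fmt.Println("enforced, read pypi:", e.Allowed("ci", "remote/pypi/simple/requests/", CapRead))
	fmt.Println("enforced, traversal:", e.Allowed("ci", "remote/npm/../pypi/x", CapRead))
	fmt.Println("enforced, write npm:", e.Allowed("ci", "remote/npm/x", CapWrite))
}
```

The evaluator deliberately has no "allow" fall-through once `Enforce` is true: turning enforcement on with an empty grant table denies everything, which is the safe failure mode for an admin who flips the switch before finishing the policy.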
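The "signed request" variant of the Vault-to-artifactapi trust (Component 2 and the "Vault mint endpoint + trust mechanism" deliverable), as an added example in Go that is not the project's code. It assumes a shared HMAC-SHA256 key, a canonical string of method, path, Unix timestamp, nonce and body hash, a clock-skew window, and a nonce cache for replay rejection; the endpoint path `/auth/vault/mint` and the token format are likewise assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"sync"
	"time"
)

// canonical is the string the shared key signs. Binding method, path,
// timestamp, nonce and body hash means a captured signature cannot be
// re-used for a different request (assumed scheme, not artifactapi's own).
func canonical(method, reqPath string, ts int64, nonce string, body []byte) string {
	bodyHash := sha256.Sum256(body)
	return strings.Join([]string{method, reqPath, strconv.FormatInt(ts, 10), nonce,
		hex.EncodeToString(bodyHash[:])}, "\n")
}

// Sign is what the Vault plugin side computes before calling the mint endpoint.
func Sign(key []byte, method, reqPath string, ts int64, nonce string, body []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(canonical(method, reqPath, ts, nonce, body)))
	return hex.EncodeToString(mac.Sum(nil))
}

type Token struct {
	Value     string
	Principal string
	Expires   time.Time
}

// Minter is the artifactapi side: verify the signed request, then issue a token.
type Minter struct {
	Key    []byte
	Skew   time.Duration // accepted clock drift in either direction
	MaxTTL time.Duration // hard cap on any requested TTL
	Now    func() time.Time
	mu     sync.Mutex
	seen   map[string]time.Time // nonce -> first seen, for replay rejection
}

func NewMinter(key []byte, skew, maxTTL time.Duration) *Minter {
	return &Minter{Key: key, Skew: skew, MaxTTL: maxTTL, Now: time.Now, seen: map[string]time.Time{}}
}

// Verify checks freshness, signature (constant-time) and nonce uniqueness, in that order.
func (m *Minter) Verify(method, reqPath string, ts int64, nonce, sig string, body []byte) error {
	now := m.Now()
	if d := now.Sub(time.Unix(ts, 0)); d > m.Skew || d < -m.Skew {
		return errors.New("timestamp outside accepted window")
	}
	want := Sign(m.Key, method, reqPath, ts, nonce, body)
	if !hmac.Equal([]byte(want), []byte(sig)) {
		return errors.New("bad signature")
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	// A nonce may be retried for up to 2*Skew after first sight (its timestamp
	// can be up to Skew in the future), so only prune entries older than that.
	for n, t := range m.seen {
		if now.Sub(t) > 2*m.Skew {
			delete(m.seen, n)
		}
	}
	if _, dup := m.seen[nonce]; dup {
		return errors.New("replayed nonce")
	}
	m.seen[nonce] = now
	return nil
}

// Mint issues a random bearer token for a principal, clamping the TTL to MaxTTL.
func (m *Minter) Mint(principal string, ttl time.Duration) (Token, error) {
	if ttl <= 0 || ttl > m.MaxTTL {
		ttl = m.MaxTTL
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return Token{}, err
	}
	return Token{Value: hex.EncodeToString(raw), Principal: principal, Expires: m.Now().Add(ttl)}, nil
}

func main() {
	key := []byte("constructed-shared-key") // sample key, constructed for the demo
	m := NewMinter(key, 30*time.Second, time.Hour)
	body := []byte(`{"principal":"terraform"}`)
	ts := time.Now().Unix()
	sig := Sign(key, "POST", "/auth/vault/mint", ts, "nonce-1", body)
	fmt.Println("first use:", m.Verify("POST", "/auth/vault/mint", ts, "nonce-1", sig, body))
	fmt.Println("replay:   ", m.Verify("POST", "/auth/vault/mint", ts, "nonce-1", sig, body))
	tok, _ := m.Mint("terraform", 24*time.Hour)
	fmt.Println("expires in:", time.Until(tok.Expires).Round(time.Minute))
}
```

Clamping the TTL on the artifactapi side rather than trusting the requested value keeps the "time-limited" property even if the Vault role or plugin configuration is misconfigured; the nonce cache is per process, so a multi-replica deployment would need it backed by shared storage or the skew window kept small enough that a replay across replicas is unattractive.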


Reference: unkin/artifactapi#79