docs: authentication & authorization system design (epic #79) #95
Part of #79
Why
The management API and proxy are fully open. Before writing security-sensitive code, this establishes the architecture for review.
What
`docs/auth.md` covers:
- `api_`-prefixed tokens, stored only as SHA-256.
- `(path_pattern, capability)` grants; resource paths like `remote/<remote>/<path>` and `admin/...`; capabilities `read`/`create`/`write`/`delete`; route → (resource, capability) mapping.
- `AUTH_ENFORCE=false` default; observe-only middleware; anonymous principal seeded with `*` so enabling enforcement still stays open until grants are tightened.
- `vault-plugin-secrets-artifactapi` engine modelled on `vault-plugin-secrets-litellm` (vault/sdk, OpenBao-compatible).
- `service_accounts` / `auth_tokens` / `acl_grants` tables.
Next
On approval I will implement phase 1 (data model + observe-only principal resolution), which changes no behaviour.
No code changes; docs only.
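The token, grant and observe-only model summarised in the PR body, as an added example. This is not the project's code and not taken from `docs/auth.md`; the route shapes, glob semantics for `path_pattern`, the principal name `anonymous` and every sample table row are assumptions made for the illustration.

```python
"""Added example of the token / grant model sketched in the PR description.
It is not the project's code: route shapes, glob matching for path_pattern,
the principal name "anonymous" and all sample rows are assumptions."""
import fnmatch
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

CAPABILITIES = ("read", "create", "write", "delete")
ANONYMOUS = "anonymous"  # assumed name for requests that present no token


def token_hash(token: str) -> str:
    """auth_tokens stores only this digest; the plaintext is never persisted."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


# Constructed stand-ins for the service_accounts / auth_tokens / acl_grants tables.
SERVICE_ACCOUNTS = {1: "ci-builder", 2: "admin-bot"}
AUTH_TOKENS = {  # sha256 hex -> service account id
    token_hash("api_ci_example_secret"): 1,
    token_hash("api_admin_example_secret"): 2,
}
ACL_GRANTS = [  # (principal, path_pattern, capability)
    ("ci-builder", "remote/upstream/*", "read"),
    ("ci-builder", "remote/upstream/builds/*", "create"),
    ("admin-bot", "remote/*", "read"),
    ("admin-bot", "admin/*", "write"),
]
# Seed the anonymous principal with "*" for every capability, so flipping
# AUTH_ENFORCE on changes nothing until these rows are tightened.
ACL_GRANTS += [(ANONYMOUS, "*", cap) for cap in CAPABILITIES]

# Assumed route table: (method, path regex, resource template, capability).
_ROUTES = [
    ("GET",    r"^/remote/(?P<remote>[^/]+)/(?P<path>.+)$", "remote/{remote}/{path}", "read"),
    ("POST",   r"^/remote/(?P<remote>[^/]+)/(?P<path>.+)$", "remote/{remote}/{path}", "create"),
    ("PUT",    r"^/remote/(?P<remote>[^/]+)/(?P<path>.+)$", "remote/{remote}/{path}", "write"),
    ("DELETE", r"^/remote/(?P<remote>[^/]+)/(?P<path>.+)$", "remote/{remote}/{path}", "delete"),
    ("GET",    r"^/admin/(?P<path>.+)$",                    "admin/{path}",           "read"),
    ("POST",   r"^/admin/(?P<path>.+)$",                    "admin/{path}",           "write"),
]


def map_route(method: str, path: str) -> Optional[tuple]:
    """Route -> (resource, capability); None for anything not in the table."""
    for verb, pattern, template, capability in _ROUTES:
        match = re.match(pattern, path) if verb == method else None
        if match:
            return template.format(**match.groupdict()), capability
    return None


def resolve_principal(authorization: Optional[str]) -> Optional[str]:
    """No Authorization header -> anonymous. A token that is presented but is
    unknown or not api_-prefixed resolves to None, never to anonymous."""
    if authorization is None:
        return ANONYMOUS
    scheme, _, token = authorization.partition(" ")
    token = token.strip()
    if scheme != "Bearer" or not token.startswith("api_"):
        return None
    account_id = AUTH_TOKENS.get(token_hash(token))
    return SERVICE_ACCOUNTS.get(account_id)


def is_granted(principal: str, resource: str, capability: str, grants=ACL_GRANTS) -> bool:
    """path_pattern is matched as a glob; '*' also crosses '/' (assumed)."""
    return any(p == principal and c == capability and fnmatch.fnmatchcase(resource, pattern)
               for p, pattern, c in grants)


@dataclass
class Decision:
    principal: Optional[str]
    resource: Optional[str]
    capability: Optional[str]
    granted: bool   # what the grants say
    allowed: bool   # what the middleware does: always True when observe-only


def authorize(method: str, path: str, authorization: Optional[str],
              enforce: bool = False, grants=ACL_GRANTS) -> Decision:
    """enforce=False mirrors the AUTH_ENFORCE=false default: compute (and log)
    the decision but never block. enforce=True denies unmapped routes, invalid
    tokens and (resource, capability) pairs with no matching grant."""
    principal = resolve_principal(authorization)
    mapped = map_route(method, path)
    resource = capability = None
    granted = False
    if principal is not None and mapped is not None:
        resource, capability = mapped
        granted = is_granted(principal, resource, capability, grants)
    return Decision(principal, resource, capability, granted, granted if enforce else True)


if __name__ == "__main__":
    ci = "Bearer api_ci_example_secret"
    for enforce in (False, True):
        d = authorize("DELETE", "/remote/upstream/libs/a.jar", ci, enforce)
        print(f"enforce={enforce} {d.principal} delete -> granted={d.granted} allowed={d.allowed}")
    # Tightening: drop the anonymous seed and anonymous writes start to be denied.
    tight = [g for g in ACL_GRANTS if g[0] != ANONYMOUS]
    print(authorize("DELETE", "/remote/upstream/libs/a.jar", None, True, tight).allowed)
```

Two points worth checking against the design when it lands: a token that is presented but does not match `auth_tokens` should fail rather than be demoted to the anonymous principal, otherwise a leaked or revoked token keeps whatever the `*` seed allows; and the `granted` field in observe-only mode is the signal to collect before tightening, since every request that logs `granted=False` today is one that will start failing once `AUTH_ENFORCE=true` and the anonymous rows are removed.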