mirror of
https://github.com/trustgraph-ai/trustgraph.git
synced 2026-04-25 00:16:23 +02:00
IAM secure bootstrap options
This commit is contained in:
Cyber MacGeddon
parent
832a030703
commit
8348b7728b
5 changed files with 266 additions and 27 deletions
|
|
@ -248,6 +248,46 @@ Passwords, API-key plaintext, and signing-key private material are
|
|||
never returned in any response other than the explicit one-time
|
||||
responses above (`reset-password`, `create-api-key`, `bootstrap`).
|
||||
|
||||
## Bootstrap modes
|
||||
|
||||
`iam-svc` requires a bootstrap mode to be chosen at startup. There is
|
||||
no default — an unset or invalid mode causes the service to refuse
|
||||
to start. The purpose is to force the operator to make an explicit
|
||||
security decision rather than rely on an implicit "safe" fallback.
|
||||
|
||||
| Mode | Startup behaviour | `bootstrap` operation | Suitability |
|
||||
|---|---|---|---|
|
||||
| `token` | On first start with empty tables, auto-seeds the `default` workspace, admin user, admin API key (using the operator-provided `--bootstrap-token`), and an initial signing key. No-op on subsequent starts. | Refused — returns `auth-failed` / `"auth failure"` regardless of caller. | Production, any public-exposure deployment. |
|
||||
| `bootstrap` | No startup seeding. Tables remain empty until the `bootstrap` operation is invoked over the pub/sub bus (typically via `tg-bootstrap-iam`). | Live while tables are empty. Generates and returns the admin API key once. Refused (`auth-failed`) once tables are populated. | Dev / compose up / CI. **Not safe under public exposure** — any caller reaching the gateway's `/api/v1/iam` forwarder before the operator can cause a token to be issued to them. Operators choosing this mode accept that risk. |
|
||||
|
||||
### Error masking
|
||||
|
||||
In both modes, any refused invocation of the `bootstrap` operation
|
||||
returns the same error (`auth-failed` / `"auth failure"`). A caller
|
||||
cannot distinguish:
|
||||
|
||||
- "service is in token mode"
|
||||
- "service is in bootstrap mode but already bootstrapped"
|
||||
- "operation forbidden"
|
||||
|
||||
This matches the general IAM error-policy stance (see `iam.md`) and
|
||||
prevents externally enumerating IAM's state.
|
||||
|
||||
### Bootstrap-token lifecycle
|
||||
|
||||
The bootstrap token — whether operator-supplied (`token` mode) or
|
||||
service-generated (`bootstrap` mode) — is a one-time credential. It
|
||||
is stored as admin's single API key, tagged `name="bootstrap"`. The
|
||||
operator's first admin action after bootstrap should be:
|
||||
|
||||
1. Create a durable admin user and API key (or issue a durable API
|
||||
key to the bootstrap admin).
|
||||
2. Revoke the bootstrap key via `revoke-api-key`.
|
||||
3. Remove the bootstrap token from any deployment configuration.
|
||||
|
||||
The `name="bootstrap"` marker makes bootstrap keys easy to detect in
|
||||
tooling (e.g. a `tg-list-api-keys` filter).
|
||||
|
||||
## HTTP forwarding (initial integration)
|
||||
|
||||
For the initial gateway integration — before the IAM service is
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue