feat: implement per-user token auth for Vault (#18)#36
feat: implement per-user token auth for Vault (#18)#36jh-lee-cryptolab merged 6 commits intomainfrom
Conversation
Replace single shared VAULT_TOKENS with per-user token system: - TokenStore with in-memory auth + async YAML persistence - Admin HTTP server on internal unix socket for token/role CRUD - runevault CLI (vault_admin_cli.py) for admin operations - Per-role top_k, rate limiting, scope enforcement - VAULT_TEAM_SECRET for shared DEK derivation (backward compat) - Specific gRPC error codes (UNAUTHENTICATED, RESOURCE_EXHAUSTED, etc.) - Per-user label in Prometheus metrics New files: token_store.py, admin_server.py, vault_admin_cli.py Tests: 38 passing (test_token_store.py, test_admin_server.py) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add per-user monitoring: resolve username before gRPC handlers so Prometheus user label reflects actual identity instead of "unknown" - Change CLI --expires-days to --expires with duration syntax (90d, 12w, 6m) to match issue spec - Add rate_limit format validation on role create/update to prevent deferred crashes during gRPC request handling - Remove misleading delete_role CLI warning (server already rejects deletion when tokens reference the role) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Rename vault_token → team_secret across all Terraform configs (AWS/GCP/OCI) - Replace VAULT_TOKENS env var with VAULT_TEAM_SECRET in startup scripts - Add config volume mount and generate vault-roles.yml/vault-tokens.yml so cloud instances boot in per-user mode instead of legacy single-token - Add runevault CLI alias and docker group setup for admin user Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jh-lee-cryptolab
force-pushed
the
issue-18-per-user-auth
branch
from
83e78b8 to
ab732bc
Compare
Unix socket bind failed with PermissionError in Docker due to /var/run ownership. Switch to a standard HTTP server on localhost:8081, which is not exposed in docker-compose and remains container-internal only. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…onfig files (#18) Remove hardcoded role seeding from cloud-init.yaml; TokenStore now auto-persists default roles/tokens YAML on first boot when files don't exist yet. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… member (#18) AWS cloud-init was missing vault-roles.yml/vault-tokens.yml generation. Also fix GCP/OCI startup scripts to use 'member' role instead of 'agent'. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jh-lee-cryptolab
requested review from
couragehong,
esifea,
heeyeon01 and
sunchuljung
jh-lee-cryptolab
removed request for
couragehong,
esifea,
heeyeon01 and
sunchuljung
|
Additional changes planned for metadata DEK architecture: Motivation: The current design derives a single shared DEK from
|
2 participants
Summary
runevaultCLI (issue, revoke, list)vault-tokens.yml,vault-roles.yml)VAULT_TOKENSenv var with deprecation warningVAULT_TOKENS→VAULT_TEAM_SECRET, add config volumes andrunevaultaliasDesign decisions
Metadata DEK: per-agent → single team key
Previously, metadata DEKs were issued per
agent_id. With per-user tokens, every user withdecrypt_metadatascope can decrypt metadata — so per-agent DEKs provide no meaningful isolation. If any single DEK is compromised, the attacker gains access to the same data that all other DEKs protect. Switched to a singleteam_secret-based metadata key to simplify key management without reducing effective security.Test plan
pytest tests/unit/test_token_store.py— token lifecycle, role CRUD, rate limiting, persistencepytest tests/unit/test_admin_server.py— admin HTTP API over unix socketpytest tests/unit/test_auth.py— token validation, scope enforcementrunevault token issue/list/revokesmoke testCloses #18