docs: add secret management documentation [skip-ci] #542
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Conflicts: # docs/decisions/20230518-data-isolation-for-multitenancy.md
|
Atala PRISM Code Coverage
Minimum allowed coverage is Generated by 🐒 cobertura-action against a3d7503 |
|
@yshyn-iohk , don't forget to update sidebar to include this correctly into the website. |
|
@antonbaliasnikov will do. |
patlo-iog
reviewed
Jun 6, 2023
patlo-iog
reviewed
Jun 6, 2023
|
|
||
| ### PRISM Agent Logical Isolation | ||
| Each instance of the PRISM agent needs to have access to the secrets but must be isolated from other agents at the same environment. | ||
| Vault namespaces are used to achieve this goal, so each agent has its own namespace and can access only its own secrets. |
There was a problem hiding this comment.
Doesn't the namespace require Vault Enterprise? 🤔
There was a problem hiding this comment.
namespaces look like its indeed Enterprise. Perhaps adding a policy limiting tenant-id/* for each agent?
There was a problem hiding this comment.
@womfoo is right. My bad, I will correct the documentation.
https://developer.hashicorp.com/vault/tutorials/enterprise/namespaces
Comment on lines
25
to
26
| - Wallet Account - application account used by the Wallet to authenticate itself to the Vault service | ||
| - Tenant Account - user account used by the user to authenticate mobile or WEB application to the PRISM Platform. |
There was a problem hiding this comment.
I think I need a bit more context
- is the wallet referring to a separate application than the agent? is it referring to edge wallets?
- for the mobile/web apps, are they consumers/clients of the agent? is the PRISM platform something different than the agent API?
There was a problem hiding this comment.
The Wallet refers to the logical entity inside the Agent.
Currently, the Prism Agent supports single-tenant mode only and instance-par-tenant logical and physical isolation.
In the multi-tenant mode, a single Agent can manage multiple tenants.
Each tenant must have a wallet with the assets.
So, the wallet in this documentation refers to the managed wallet. All secret materials and assets are stored in the cloud, and the cloud agent can access the wallet and all its assets. The edge wallet refers to the web, mobile, or desktop application. We don't support this now.
Currently, web/mobile applications are clients of the agent.
There was a problem hiding this comment.
I think, it makes sense to remove the term Tennant Account
The Wallet account is clear enough for SSI domain.
bvoiturier
reviewed
Jun 9, 2023
| There are following types of the secrets in the PRISM Platform: | ||
| - seed: a secret used to derive cryptographic keys | ||
| - private key: a secret used to sign data | ||
| - public key: a secret used to verify signatures |
There was a problem hiding this comment.
Is this the place where AnonCreds Link Secrets would be stored as well?
There was a problem hiding this comment.
and it's also a place where we can store the private part of the credential definintion
patlo-iog
force-pushed
the
ATL-4173-secret-management-documentation
branch
from
6db48ec
to
5945798
Compare
patlo-iog
force-pushed
the
ATL-4173-secret-management-documentation
branch
from
5945798
to
4bddef3
Compare
womfoo
reviewed
Jun 15, 2023
womfoo
reviewed
Jun 15, 2023
womfoo
reviewed
Jun 15, 2023
| In the single-tenant configuration, the PRISM Agent uses a single Vault namespace, a single Wallet and a single Vault account to authenticate itself to the Vault service. | ||
| In the multi-tenant configuration, the PRISM Agent manages multiple Wallets, each Wallet is associated with a single tenant. | ||
| Multi-tenant configuration is used to achieve logical data separation between tenants, so each Wallet can access only its own secrets. | ||
| The Wallet is identified by the tenant ID and represented by the account in the Vault service. |
There was a problem hiding this comment.
Might be out-of-scope for this change, but where is the source of truth for tenants? Will this be somewhere in a env var/config file/database table etc?
There was a problem hiding this comment.
I will remove the User and Tenant accounts and leave the Wallet account only.
The Wallet account will be configured in the Vault dynamically
patlo-iog
approved these changes
Jun 16, 2023
| The keys material of the DID peer can be stored by the following path: | ||
|
|
||
| ```mermaid | ||
| <tenant-id>/dids/peer/<did-ref>/keys/<key-purpose> value=<base64-encoded-value> <metadata> |
There was a problem hiding this comment.
Ah, the dids/peer is slightly different from the merged PR. I guess we'll have to align this during multi-tenancy
patlo-iog
changed the title
yshyn-iohk
changed the title
yshyn-iohk
added a commit
that referenced
this pull request
Aug 18, 2023
…repo subject to the Developer Certificate of Origin (DCO), Version 1.1. 81a2ad9 docs: removed secret-storage from the Tutorials section. (#559) [skip-ci] 130abbd docs: fix secret storage documentation page (#556) 4f413a3 docs: add secret management documentation [skip-ci] (#542) 885870d Fix ATL-4830 verification policies update (#549) f6d1fd4 docs: compose the ADR for DID-linked resources. ATL-3186 [skip-ci] (#518) dc54af8 docs: ADR for data isolation for multi-tenancy (#531) 357273d docs: ADR for HD key derivation in the PRISM v2 (#529) 64b0a2a fix(prism-agent): Alight the error responses according to RFC7807. ATL-3962 (#480) 7fa2e1a fix(prism-agent) Align VerificationPolicy OAS ATL-3909 (#473) 8d42fb1 fix: update mercury to 0.21.0 979b609 chore: update mercury dependency to 0.21.0 (#458) d3a8d15 feat(prism-agent) update schema logic - agent part. ATL-3164 (#452) 6e22bfc feat(pollux): update credential schema logic (#450) ATL-3164 68b8e4a docs: credential schema introduction, creation, update, and delete. ATL-3548 (#443) 91902ce feat(prism-agent): Add OAS specification to the schema registry endpoint. ATL-3164 (#438) 32f9e83 feat(prism-agent): CredentialSchema DAL, model, service and repositor… (#425) 79352f0 feat(pollux): CredentialSchema DAL, model, service and repository #2 (#424) 6e941da docs(pollux): add credential-schema.md to docusaurus (#407) ffa5f7e feat(pollux): CredentialSchema service, repository and sql (#416) c96f804 doc(pollux): verification policy documentation (#384) 1e47ba1 doc(pollux): add schema registry documentation. ATL-1334 (#296) 142ff55 feat(prism-agent): integrate VerificationPolicy DAL into the agent, update OAS and implement REST API for verification policies (#369) b290a18 feat(pollux): implement the DAL for CRUD on the verifiable policy entity. ATL-2478 (#368) edaab33 docs: ADR Quill library for sql statement generation (#318) 3d0c642 feat(prism-agent): implement DAL for the credential schema. ATL-1334 e0831e8 feat(pollux): fix the lookup count in the credential schema DAL (#315) f43320f feat(pollux): add dal for the credential schema ATL-1342 (#298) 6903afa fix(prism-agent): switch datetime format to offsetdatetime. ATL-2723 (#243) e13a1bd fix(connect): bump mercury version to 1.10.1 and touch README.md ee27755 fix(pollux): upgrade mercury lib to 1.10.1 cdd4772 fix(castor): README.md is added to increase the version of the castor library 5ffb0cc fix(mercury): simple commit to increase the version of mercury library 403eb38 feat(prism-agent): verification policies pagination. ATL-1334 (#205) 726e2d9 feat(prism-agent): implement pagination with navigation for schema-registry (#195) 4528c57 feat(pollux): alight the OAS for schema registry (#189) 16d5fdb feat(pollux): cleanup the code of IssueCredentialApi 79170f8 feat(pollux): cleanup the OAS from Issue Credentials and other unused tags d75b36b feat(pollux): schema registry lookup and verification policies REST API ATL-1334 (#168) b3cf828 feat(apollo): add schema registry to the agent using Tapir library. ATL-1334 (#94) 8d8bf56 doc(adr): use Tapir library as a DLS for OAS (#51) 496337b ATL-1334 feat(pollux): add sandbox project to play with Tapir and schema-registry (#62) 95667ba doc(pollux): add JWT encoding and Present Proof endpoints (#37) 234bc06 [ATL-1388] doc(pollux): add Revocation Registry API, remove v1 from the path, apply changes after review (#14) e47242c [ATL-1001] doc: add examples of OpenAPI specification of well-known competitors (#23) 22e37cf doc(pollux): add Pollux open-api specification (schema and issue-credentials) (#8) Signed-off-by: Yurii Shynbuiev <yurii.shynbuiev@iohk.io>
antonbaliasnikov
pushed a commit
that referenced
this pull request
Aug 21, 2023
…repo subject to the Developer Certificate of Origin (DCO), Version 1.1. 81a2ad9 docs: removed secret-storage from the Tutorials section. (#559) [skip-ci] 130abbd docs: fix secret storage documentation page (#556) 4f413a3 docs: add secret management documentation [skip-ci] (#542) 885870d Fix ATL-4830 verification policies update (#549) f6d1fd4 docs: compose the ADR for DID-linked resources. ATL-3186 [skip-ci] (#518) dc54af8 docs: ADR for data isolation for multi-tenancy (#531) 357273d docs: ADR for HD key derivation in the PRISM v2 (#529) 64b0a2a fix(prism-agent): Alight the error responses according to RFC7807. ATL-3962 (#480) 7fa2e1a fix(prism-agent) Align VerificationPolicy OAS ATL-3909 (#473) 8d42fb1 fix: update mercury to 0.21.0 979b609 chore: update mercury dependency to 0.21.0 (#458) d3a8d15 feat(prism-agent) update schema logic - agent part. ATL-3164 (#452) 6e22bfc feat(pollux): update credential schema logic (#450) ATL-3164 68b8e4a docs: credential schema introduction, creation, update, and delete. ATL-3548 (#443) 91902ce feat(prism-agent): Add OAS specification to the schema registry endpoint. ATL-3164 (#438) 32f9e83 feat(prism-agent): CredentialSchema DAL, model, service and repositor… (#425) 79352f0 feat(pollux): CredentialSchema DAL, model, service and repository #2 (#424) 6e941da docs(pollux): add credential-schema.md to docusaurus (#407) ffa5f7e feat(pollux): CredentialSchema service, repository and sql (#416) c96f804 doc(pollux): verification policy documentation (#384) 1e47ba1 doc(pollux): add schema registry documentation. ATL-1334 (#296) 142ff55 feat(prism-agent): integrate VerificationPolicy DAL into the agent, update OAS and implement REST API for verification policies (#369) b290a18 feat(pollux): implement the DAL for CRUD on the verifiable policy entity. ATL-2478 (#368) edaab33 docs: ADR Quill library for sql statement generation (#318) 3d0c642 feat(prism-agent): implement DAL for the credential schema. ATL-1334 e0831e8 feat(pollux): fix the lookup count in the credential schema DAL (#315) f43320f feat(pollux): add dal for the credential schema ATL-1342 (#298) 6903afa fix(prism-agent): switch datetime format to offsetdatetime. ATL-2723 (#243) e13a1bd fix(connect): bump mercury version to 1.10.1 and touch README.md ee27755 fix(pollux): upgrade mercury lib to 1.10.1 cdd4772 fix(castor): README.md is added to increase the version of the castor library 5ffb0cc fix(mercury): simple commit to increase the version of mercury library 403eb38 feat(prism-agent): verification policies pagination. ATL-1334 (#205) 726e2d9 feat(prism-agent): implement pagination with navigation for schema-registry (#195) 4528c57 feat(pollux): alight the OAS for schema registry (#189) 16d5fdb feat(pollux): cleanup the code of IssueCredentialApi 79170f8 feat(pollux): cleanup the OAS from Issue Credentials and other unused tags d75b36b feat(pollux): schema registry lookup and verification policies REST API ATL-1334 (#168) b3cf828 feat(apollo): add schema registry to the agent using Tapir library. ATL-1334 (#94) 8d8bf56 doc(adr): use Tapir library as a DLS for OAS (#51) 496337b ATL-1334 feat(pollux): add sandbox project to play with Tapir and schema-registry (#62) 95667ba doc(pollux): add JWT encoding and Present Proof endpoints (#37) 234bc06 [ATL-1388] doc(pollux): add Revocation Registry API, remove v1 from the path, apply changes after review (#14) e47242c [ATL-1001] doc: add examples of OpenAPI specification of well-known competitors (#23) 22e37cf doc(pollux): add Pollux open-api specification (schema and issue-credentials) (#8) Signed-off-by: Yurii Shynbuiev <yurii.shynbuiev@iohk.io>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
Documentation for secret management using Vault service
The following aspects are covered (clickable):
Fixes ATL-4173 and ATL-4876
Checklist
My PR contains...
My changes...
Documentation
Tests