feat(credential): Implement ADR 0019 phases 1-2 #897
Merged
Load Test Results: Goose attack report (plan overview; request, response-time, status-code, transaction, scenario and error metrics). The report body was not captured on this page.
| Benchmark run | |
|---|---|
| Branch | claude/adr-0019-keystone-compat-nfzp1z |
| Testbed | ubuntu-latest |

🚨 1 Alert

| Benchmark | Measure | Result | Δ vs. baseline | Baseline | Upper boundary (limit used) |
|---|---|---|---|---|---|
| Command_Serde/unpack/delete_index | Latency (ns) | 197.29 ns | +22.46% | 161.10 ns | 196.39 ns (100.46%) 🚨 alert |

All benchmark results (latency, nanoseconds):

| Benchmark | Result (ns) | Δ vs. baseline | Baseline (ns) | Upper boundary (ns) | Limit used |
|---|---|---|---|---|---|
| Command_Serde/apply/remove | 164,060.00 | -41.49% | 280,376.14 | 1,684,691.51 | 9.74% |
| Command_Serde/apply/set | 151,990.00 | -34.22% | 231,071.44 | 981,751.11 | 15.48% |
| Command_Serde/pack/delete | 120.56 | -0.05% | 120.62 | 140.74 | 85.66% |
| Command_Serde/pack/delete_index | 112.57 | +2.28% | 110.06 | 128.38 | 87.69% |
| Command_Serde/pack/set | 193.38 | -0.03% | 193.43 | 229.05 | 84.43% |
| Command_Serde/pack/set_index | 113.09 | +2.93% | 109.88 | 127.74 | 88.53% |
| Command_Serde/unpack/delete | 233.63 | +20.94% | 193.17 | 233.80 | 99.93% |
| Command_Serde/unpack/delete_index | 197.29 | +22.46% | 161.10 | 196.39 | 100.46% 🚨 alert |
| Command_Serde/unpack/set | 273.45 | +4.48% | 261.73 | 321.83 | 84.97% |
| Command_Serde/unpack/set_index | 164.85 | +3.27% | 159.63 | 193.77 | 85.07% |
| Payload_encryption/pack/remove_cmd | 116.94 | -1.08% | 118.22 | 150.87 | 77.51% |
| Payload_encryption/pack/set_cmd | 231.57 | +12.41% | 206.01 | 270.08 | 85.74% |
| Payload_encryption/unpack/remove_cmd | 208.96 | +1.83% | 205.20 | 246.33 | 84.83% |
| Payload_encryption/unpack/set_cmd | 290.45 | +5.92% | 274.22 | 337.48 | 86.06% |
| Raft_1Node_Latency/prefix/1node | 2,435,900.00 | -14.14% | 2,837,166.72 | 5,737,702.11 | 42.45% |
| Raft_1Node_Latency/read/1node | 42,822.00 | +471.56% | 7,492.15 | 44,235.97 | 96.80% |
| Raft_1Node_Latency/remove/1node | 411,910.00 | -24.12% | 542,833.12 | 2,292,366.03 | 17.97% |
| Raft_1Node_Latency/write/1node | 415,250.00 | -26.12% | 562,057.81 | 2,124,856.65 | 19.54% |
| build_snapshot/default | 111,710.00 | +6.66% | 104,730.22 | 161,605.99 | 69.12% |
| fernet token/project | 1,419.20 | +2.11% | 1,389.84 | 1,610.77 | 88.11% |
| get_data_keyspace | 0.31 | -0.31% | 0.32 | 0.37 | 85.63% |
| get_db | 0.32 | +1.05% | 0.32 | 0.37 | 86.91% |
| get_fernet_token_timestamp/project | 143.66 | -1.31% | 145.56 | 179.35 | 80.10% |
| get_keyspace | 4.43 | -6.16% | 4.72 | 8.75 | 50.66% |
Foundational credentials provider (EC2/TOTP/custom blob storage):
core traits plus SQL/Fernet backend. Phases 3-9 (HTTP API routes,
OS-EC2 legacy endpoints, /v3/ec2tokens signing, TOTP auth-pipeline
integration, cascading-delete wiring, keystone-manage CLI, OPA
policies) not included.

core-types/core:
- New `credential` module: Credential/CredentialCreate/CredentialUpdate/CredentialListParameters DTOs, CredentialProviderError.
- CredentialBackend/CredentialApi traits + CredentialService: EC2 id = SHA-256(blob.access) computed pre-backend-call for audit events, UUID id otherwise, 400 on missing user_id under system scope, access/trust_id/app_cred_id/access_token_id in blob immutable on update (CVE-2020-12691).
- Wired into ServiceState/PluginManager; new EventPayload::Credential variant for audit dispatch.

credential-driver-sql (new crate):
- SeaORM entity for `credential` table. Per ADR 0019 the table is owned exclusively by Python Keystone's alembic migrations, so SqlDriver::setup() is a deliberate no-op unlike every other SQL driver here. test_support creates the table for this crate's tests only.
- fernet.rs: setup/load/rotate per corrected ADR 0019 rotation — staged key `0` promoted by rename to `old_primary + 1`, outgoing primary kept for decryption, fresh key staged, files beyond MAX_ACTIVE_KEYS (3, hardcoded) pruned oldest-first. key_hash = SHA-1 over raw base64url key-file bytes (not decoded key), matching keystone/credential/providers/fernet/core.py. Null Key detection refuses to load unless insecure_allow_null_key set.
- CRUD backend (create/get/list/update/delete, delete-for-user/-project, EC2 access-key lookup via SHA-256 hash); reads `[credential]` config fresh per call via ServiceState.config_manager, matching identity-driver-sql.

Config: new `[credential]` section (driver, key_repository default /etc/keystone/credential-keys/, insecure_allow_null_key).

Assisted-By: Claude Sonnet 5 <noreply@anthropic.com>
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
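The rules the commit message above describes, modelled as an added example that is not code from this PR, from the Rust crate, or from Python Keystone: the key-repository rotation (staged key `0` renamed to `old_primary + 1`, a fresh key staged, files beyond MAX_ACTIVE_KEYS pruned oldest-first), `key_hash` as SHA-1 over the raw base64url key-file bytes, Null Key refusal unless `insecure_allow_null_key` is set, the EC2 id as SHA-256 of `blob.access`, and the immutable blob fields on update. Python is used because the commit requires these hashes to match keystone/credential/providers/fernet/core.py; only the standard library is needed. The helper names, the temporary directory standing in for `key_repository`, the constructed access key `AKIAEXAMPLE`, and treating a blob update as a whole-blob replacement are assumptions of this example.

```python
import base64
import hashlib
import os
import tempfile
import uuid

MAX_ACTIVE_KEYS = 3  # from the commit: staged 0 + primary + one outgoing primary
NULL_KEY = base64.urlsafe_b64encode(b"\x00" * 32)  # Keystone's Null Key: 43 'A's + '='
IMMUTABLE_BLOB_FIELDS = ("access", "trust_id", "app_cred_id", "access_token_id")


def write_key(repo, n, data=None):
    """Store key file n; a Fernet key is 32 random bytes, base64url-encoded."""
    with open(os.path.join(repo, str(n)), "wb") as f:
        f.write(data or base64.urlsafe_b64encode(os.urandom(32)))


def key_files(repo):
    """Numeric file name -> path; non-numeric entries are ignored."""
    out = {}
    for name in os.listdir(repo):
        path = os.path.join(repo, name)
        if os.path.isfile(path) and name.isdigit():
            out[int(name)] = path
    return out


def rotate(repo):
    """Promote staged key 0 to old_primary + 1 by rename, stage a fresh 0, then
    prune the lowest-numbered secondaries until MAX_ACTIVE_KEYS files remain.
    The outgoing primary survives one rotation so data it encrypted still decrypts."""
    files = key_files(repo)
    if 0 not in files:
        raise RuntimeError("no staged key 0 in repository")
    new_primary = max((k for k in files if k != 0), default=0) + 1
    os.rename(files[0], os.path.join(repo, str(new_primary)))
    write_key(repo, 0)
    files = key_files(repo)
    secondaries = sorted(k for k in files if k not in (0, new_primary))
    while len(files) > MAX_ACTIVE_KEYS:
        os.remove(files.pop(secondaries.pop(0)))  # oldest first
    return new_primary


def load_keys(repo, insecure_allow_null_key=False):
    """Keys ordered primary first, older keys descending, staged key last; an empty
    repository or a Null Key is refused unless insecure_allow_null_key is set."""
    files = key_files(repo)
    if not files:
        if not insecure_allow_null_key:
            raise RuntimeError("empty key repository; Null Key not allowed")
        return [NULL_KEY]
    order = sorted((k for k in files if k != 0), reverse=True) + ([0] if 0 in files else [])
    keys = []
    for k in order:
        with open(files[k], "rb") as f:
            keys.append(f.read().strip())
    if NULL_KEY in keys and not insecure_allow_null_key:
        raise RuntimeError("Null Key found in repository; refusing to load")
    return keys


def primary_key_hash(keys):
    """key_hash = SHA-1 over the raw base64url key-file bytes, not the decoded key."""
    return hashlib.sha1(keys[0]).hexdigest()


def credential_id(cred_type, blob_access=None):
    """EC2: id = SHA-256 hex of blob.access (also the lookup key); otherwise a UUID."""
    if cred_type == "ec2":
        if not blob_access:
            raise ValueError("ec2 credential blob requires 'access'")
        return hashlib.sha256(blob_access.encode("utf-8")).hexdigest()
    return uuid.uuid4().hex


def update_blob(old_blob, new_blob):
    """Whole-blob replacement on update; the scope-binding fields may not change."""
    for k in IMMUTABLE_BLOB_FIELDS:
        if new_blob.get(k) != old_blob.get(k):
            raise ValueError(f"blob.{k} is immutable on update")
    return dict(new_blob)


def demo():
    repo = tempfile.mkdtemp(prefix="credential-keys-")  # stands in for key_repository
    write_key(repo, 0)
    write_key(repo, 1)
    before = primary_key_hash(load_keys(repo))
    for _ in range(3):
        rotate(repo)  # {0,1} -> {0,1,2} -> {0,2,3} -> {0,3,4}
    return {"files": sorted(key_files(repo)),
            "key_hash_changed": before != primary_key_hash(load_keys(repo)),
            "ec2_id": credential_id("ec2", "AKIAEXAMPLE")}  # constructed access key


def null_key_refused():
    """A repository holding only the Null Key loads only with the insecure flag."""
    repo = tempfile.mkdtemp(prefix="credential-keys-null-")
    write_key(repo, 0, NULL_KEY)
    try:
        load_keys(repo)
        return False
    except RuntimeError:
        return load_keys(repo, insecure_allow_null_key=True) == [NULL_KEY]
```

In this model MAX_ACTIVE_KEYS counts the staged key, so after the third rotation the repository holds `0`, `3` and `4`: key `4` encrypts, key `3` (the outgoing primary) still decrypts, and key `2` has been pruned. The temporary directories are left in place so the files can be inspected after a run.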
544900c to e5ead2a