)]}'
{
  "commit": "32d73486f4ea778cd3ea58e2d579e862cf67fb9c",
  "tree": "78e3444e0b55df55f512415dbfd34977cdca2350",
  "parents": [
    "6c4199afe4dc4d446679b862f528e840e60925df"
  ],
  "author": {
    "name": "Serge Bazanski",
    "email": "serge@nexantic.com",
    "time": "Mon Feb 01 23:49:17 2021 +0100"
  },
  "committer": {
    "name": "Serge Bazanski",
    "email": "serge@nexantic.com",
    "time": "Mon Feb 01 23:49:17 2021 +0100"
  },
  "message": "metropolis: introduce AAA.Escrow RPC\n\nThis is a combined proto change and design document RFC.\n\nThis implements a generic \u0027Escrow\u0027 method, used to allow external\nentities to log into a Metropolis cluster. This flow\u0027s subject vaguely\ncorresponds to \u0027Entity\u0027 objects from the Lifecycle DD, but this will be\nmore precisely defined in a subsequent change which introduces the\nactual entities objects, the way they\u0027re identified, and the way they\u0027re\nstored in the cluster.\n\nIn addition, this formalizes the part of the LDD in which entities are\nable to perform hardware attestation on nodes. The hardware attestation\npart is not fully implemented, but is placed within the bounds of the\nEscrow streaming RPC. Entities might also be able to perform this\nhardware attestation in a separate RPC call (having already requested a\nshort-lived certificate permitting access to RPC), but this is not yet\nsure.\n\nThis design is, in a way, a modernized version of GSSAPI. It assumes it\nruns over a confidential channel (TLS), and that it only ever returns\nx509 certificates emitted for the requesting client. It is also designed\nto handle flows that we expect to use within Metropolis.\n\nThis design has some known limitations:\n\n1) Limited decision-making ability by the server to decide which proofs\n   are needed - ie., the server cannot change its mind what other proofs\n   are needed as the client presents some. Currently the server can\n   decide the proofs only based on the parameters given by the client,\n   and the initial context of the connection, ie. its originating\n   address and the presented TLS certificate.\n2) Limited expressibility of required proofs to the client, currently\n   all listed must be fulfilled.\n\nThis, however, can be extended as the protocol evolves, and can continue\nto support simple clients that handle only this protocol. Especially 2)\nmight be limiting us from preventing things like accepting emergency\ncertificates without necessarily needing an OIDC login, even though OIDC\nlogins are required for other kinds of certificates. We are explicitly\ntrying to keep things simple for now, and just not write ourselves into\na corner here.\n\nFinally, this API should cover all scenarios expressed within T865 -\nminus the entity storage part within the cluster.\n\nTest Plan: Proto change and review process.\n\nX-Origin-Diff: phab/D698\nGitOrigin-RevId: 92892b5522a4d41d572fd4c10f24d26f72919aeb\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "993d3dcaef2b3f287f8a97da8f2543beab6a90b5",
      "old_mode": 33188,
      "old_path": "metropolis/proto/api/BUILD.bazel",
      "new_id": "e7b4cc733fec2a21a7b6145eba982cf4370642ad",
      "new_mode": 33188,
      "new_path": "metropolis/proto/api/BUILD.bazel"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "e469d0db986316f527baa95d798820ff9c915c68",
      "new_mode": 33188,
      "new_path": "metropolis/proto/api/aaa.proto"
    },
    {
      "type": "modify",
      "old_id": "cc43918e7b4076ed22219154b8581adf9c18f2bc",
      "old_mode": 33188,
      "old_path": "metropolis/proto/common/common.proto",
      "new_id": "4a570a86c0e789fd7261ffd36cc0be36d73c8c5f",
      "new_mode": 33188,
      "new_path": "metropolis/proto/common/common.proto"
    }
  ]
}
