Restrict usage of private keys for signature
#395 (closed) left out ACL for usage of private keys managed by signing workers. But we need to implement this. We need to be able to control "who/what can execute a signing task with a particular key".
It seems likely that we will want to control this at the workspace level, i.e. a specific key can only be used by work requests which are part of a pre-determined set of workspaces.
Keys that would be generated by the GenerateKey task would, by default, only be usable in the workspace where they have been generated.
For keys that have been created externally, the management command used to import/register the key needs to grow a parameter to specify the workspaces that are allowed to use the key.
For all registered keys, we need management commands to tweak the set of allowed workspaces and possibly also some ways for workspace admin users to change those (i.e. without resorting to debusine admin level management command).
Open questions / design considerations:
- Maybe design the data structure in an extensible way so that it's possible to add further restrictions? At some point, we might want to be able to restrict usage to a specific group of users inside a workspace.
- In the signing database, do we record the workspace by ID or name (`scope:workspace`)? The ID is stable, a workspace can be renamed. => likely by ID. But the command line interface would use the name, obviously.
(This is not strictly part of %STF M4: workflow for security team but I'm putting it there to make sure it gets scheduled sooner rather than later)