Introduction to the Security Kernel
The Security Kernel (SK) microservice provides role-based authorization and secrets management for Tapis. Authentication is based on JSON Web Tokens (JWTs) managed by the Authentication subsystem.
SK uses a PostgreSQL database to store its authorization data and the open source version of HashiCorp Vault as its secrets backend. In the sections that follow, we discuss SK’s authorization and secrets model, interfaces and capabilities. The actual SK REST APIs can be found here.
SK uses HashiCorp Vault as its backend database for storing and managing secrets. There is no direct access to Vault for users or services: all access comes through SK. SK allows secrets to be created, read, versioned, deleted and destroyed by reflecting in its API the capabilities of Vault's version 2 Key/Value secrets engine.
SK overlays Vault’s native capabilities with its own typed secrets model. The basic idea is that SK requires users to provide a secretType and secretName on most of its calls. Using this information, SK calculates the virtual paths (i.e., locations) in Vault being referenced. Users do not need to understand Vault’s naming scheme and SK has complete control of where secrets reside inside of Vault. The following table lists the secret types supported by SK.
- Password used by services to acquire their JWTs
- JWT Signing Key: Tenant-specific JWT signing key used by the Tokens service
- Credentials used by services to access their databases
- Credentials for accessing Tapis systems
Only the User secret type can be used by Tapis users; the rest are reserved for Tapis services only. Currently, SK allows only a single secret to be referenced by each secretType/secretName combination. Otherwise, the full capabilities of the underlying Vault secrets engine are reflected in the SK secrets API.
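The following is an added illustration of the typed-secrets overlay described above; it is not SK or Tapis code. It models how a secretType/secretName pair is mapped to a virtual path, how the User-only restriction for Tapis users is enforced, and how the KV v2 operations (write a new version, read a version, soft delete, undelete, destroy) behave behind that mapping. The path templates, the type identifiers SERVICE_PWD, DB_CREDENTIAL and SYSTEM, the in-memory store and the tenant/caller parameters are assumptions constructed for the example; only the type descriptions, the names User and JWT Signing Key, and the KV v2 operations come from the text.

```python
"""Toy model of SK's typed secrets on top of a Vault KV v2 style store.

Added example, not SK's implementation. Path templates, the identifiers
SERVICE_PWD / DB_CREDENTIAL / SYSTEM and the store are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class SecretType(Enum):
    # value = ASSUMED virtual-path template; SK's real naming scheme is internal
    SERVICE_PWD = "tapis/{tenant}/service/{name}/password"    # hypothetical name
    JWT_SIGNING_KEY = "tapis/{tenant}/tokens/{name}/signing-key"
    DB_CREDENTIAL = "tapis/{tenant}/service/{name}/dbcreds"   # hypothetical name
    SYSTEM = "tapis/{tenant}/system/{name}/credentials"       # hypothetical name
    USER = "tapis/{tenant}/user/{caller}/{name}"              # the only user type


@dataclass
class Version:
    data: Optional[dict]      # cleared to None once destroyed
    deleted: bool = False     # soft delete: hidden but recoverable


class KvV2Store:
    """In-memory stand-in for Vault KV v2 (constructed for the example)."""

    def __init__(self) -> None:
        self._paths: dict[str, list[Version]] = {}

    def _version(self, path: str, version: Optional[int]) -> Optional[Version]:
        versions = self._paths.get(path, [])
        if not versions:
            return None
        return versions[-1] if version is None else versions[version - 1]

    def write(self, path: str, data: dict) -> int:
        versions = self._paths.setdefault(path, [])
        versions.append(Version(dict(data)))
        return len(versions)                          # 1-based version number

    def read(self, path: str, version: Optional[int] = None) -> Optional[dict]:
        v = self._version(path, version)
        # deleted or destroyed versions read as absent, like KV v2
        if v is None or v.deleted or v.data is None:
            return None
        return dict(v.data)

    def delete(self, path: str, version: int) -> None:
        self._version(path, version).deleted = True

    def undelete(self, path: str, version: int) -> None:
        self._version(path, version).deleted = False

    def destroy(self, path: str, version: int) -> None:
        self._version(path, version).data = None      # irreversible


class SecurityKernel:
    """SK-style overlay: callers name a type and a name, never a Vault path."""

    def __init__(self, store: KvV2Store) -> None:
        self._store = store

    @staticmethod
    def virtual_path(tenant: str, caller: str, stype: SecretType, name: str) -> str:
        # One path per secretType/secretName, so one secret per combination
        return stype.value.format(tenant=tenant, caller=caller, name=name)

    @staticmethod
    def _check_caller(is_service: bool, stype: SecretType) -> None:
        # Only the User type is open to Tapis users; all others are service-only
        if not is_service and stype is not SecretType.USER:
            raise PermissionError(f"{stype.name} is reserved for Tapis services")

    def write_secret(self, tenant, caller, is_service, stype, name, data) -> int:
        self._check_caller(is_service, stype)
        return self._store.write(self.virtual_path(tenant, caller, stype, name), data)

    def read_secret(self, tenant, caller, is_service, stype, name, version=None):
        self._check_caller(is_service, stype)
        return self._store.read(self.virtual_path(tenant, caller, stype, name), version)

    def delete_secret(self, tenant, caller, is_service, stype, name, version) -> None:
        self._check_caller(is_service, stype)
        self._store.delete(self.virtual_path(tenant, caller, stype, name), version)

    def undelete_secret(self, tenant, caller, is_service, stype, name, version) -> None:
        self._check_caller(is_service, stype)
        self._store.undelete(self.virtual_path(tenant, caller, stype, name), version)

    def destroy_secret(self, tenant, caller, is_service, stype, name, version) -> None:
        self._check_caller(is_service, stype)
        self._store.destroy(self.virtual_path(tenant, caller, stype, name), version)


if __name__ == "__main__":
    sk = SecurityKernel(KvV2Store())
    args = ("dev", "alice", False, SecretType.USER, "sshkey")   # constructed sample
    sk.write_secret(*args, {"key": "v1-material"})
    sk.write_secret(*args, {"key": "v2-material"})
    print(sk.read_secret(*args), sk.virtual_path("dev", "alice", SecretType.USER, "sshkey"))
```

The point to notice is the difference between delete and destroy: a soft-deleted version reads as absent but can be undeleted, while a destroyed version is gone even after undelete. The same separation is what SK exposes by reflecting the KV v2 operations, so a client that needs certain erasure must call destroy rather than delete.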