RFCs
The following is a list of Requests for Comments (RFCs, a form of design documentation) agreed upon by the community and the OpenBao Technical Steering Committee.
Accepted
- Authenticated rekey, to make the rekey root and rekey recovery keys endpoints authenticated and additionally authorized by a token and its policy.
- Declarative Self-Initialization, to allow operators
to define initial mounts, auth, policies, and audit logs from a static
configuration applied once on early startup, preventing the need to call
manual
sys/initexcept with manual unseal mechanisms.
Landed
- Paginated lists, for adding pagination to the user-facing API and storage backends. This landed in PR #170.
mlockremoval, to remove themlocksyscall from OpenBao. This landed in PR #363.- Discontinue enforcing signed commits, for allowing users to contribute without GPG/SSH signing their commits.
- Transactional storage, for supporting safer
storage semantics in
physical.Backendandlogical.Storagefor use by Core and plugins. This landed in several parts concluding in PR #292. - SCAN operation, for supporting recursive lists as a native operation and as an ACL capability. This landed in PR #763.
- ACME TLS Listeners, for supporting just-in-time certificate acquisition for TLS-enabled listeners via the ACME protocol. This landed in PR #857.
- Safely limit pagination via ACL policies,
adding a new ACL policy parameter,
pagination_limit, to restrict the size of list and scan operation requests. This landed in PR #802. - Split the mount table using transactional storage, removes mount table limits, allowing potentially hundreds of thousands of mounts on a single scaled-up server. This landed in 622.
- SSH CA Multi-issuer, adds support for multiple issuers on SSH secret engine mounts. Landed in 880.
- Using CEL Roles For JWT/OIDC Auth, adds support for CEL roles in JWT Auth Landed in 769
- Using CEL Roles For PKI cert issuance/sign policies, adds support for CEL roles in PKI Landed in 794
- Filtering list and scan results to only results visible by the client token. This landed in PR #1389.
- Static Auto-Unseal, introducing a new
auto-unseal mechanism,
static, which loads keys from the environment, filesystem, or directly in the configuration file. Landed in PR #1425. - Support inline authentication for non-leased operations, to discuss how to incorporate authentication sent via the main operation, without returning or storing the resulting token, for operations that do not create leases. Landed in PR #1433.
Strategic
- Best Practices for Integrating CEL in Auth, Secrets, and Elsewhere, to discuss how Google's Common Expression Language should be integrated into OpenBao.