RFCs

The following is a list of Requests for Comments (RFCs, a form of design documentation) agreed upon by the community and the OpenBao Technical Steering Committee.

Accepted

• Authenticated rekey, to make the rekey root and rekey recovery keys endpoints authenticated and additionally authorized by a token and its policy.
• Declarative Self-Initialization, to allow operators to define initial mounts, auth, policies, and audit logs from a static configuration applied once on early startup, preventing the need to call manual sys/init except with manual unseal mechanisms.
• External Key Configuration for KMS and HSM Access, to add support for secure key material storage and interaction from secrets engines like PKI, Transit, and SSH.
• Web UI Modernization, for rewriting OpenBao’s web UI from EmberJS to React to create a modern, secure, and extensible interface.

Landed

• Paginated lists, for adding pagination to the user-facing API and storage backends. This landed in PR #170.
• mlock removal, to remove the mlock syscall from OpenBao. This landed in PR #363.
• Discontinue enforcing signed commits, for allowing users to contribute without GPG/SSH signing their commits.
• Transactional storage, for supporting safer storage semantics in physical.Backend and logical.Storage for use by Core and plugins. This landed in several parts concluding in PR #292.
• SCAN operation, for supporting recursive lists as a native operation and as an ACL capability. This landed in PR #763.
• ACME TLS Listeners, for supporting just-in-time certificate acquisition for TLS-enabled listeners via the ACME protocol. This landed in PR #857.
• Safely limit pagination via ACL policies, adding a new ACL policy parameter, pagination_limit, to restrict the size of list and scan operation requests. This landed in PR #802.
• Split the mount table using transactional storage, removes mount table limits, allowing potentially hundreds of thousands of mounts on a single scaled-up server. This landed in 622.
• SSH CA Multi-issuer, adds support for multiple issuers on SSH secret engine mounts. Landed in 880.
• Using CEL Roles For JWT/OIDC Auth, adds support for CEL roles in JWT Auth Landed in 769
• Using CEL Roles For PKI cert issuance/sign policies, adds support for CEL roles in PKI Landed in 794
• Filtering list and scan results to only results visible by the client token. This landed in PR #1389.
• Static Auto-Unseal, introducing a new auto-unseal mechanism, static, which loads keys from the environment, filesystem, or directly in the configuration file. Landed in PR #1425.
• Support inline authentication for non-leased operations, to discuss how to incorporate authentication sent via the main operation, without returning or storing the resulting token, for operations that do not create leases. Landed in PR #1433.

Strategic

• Best Practices for Integrating CEL in Auth, Secrets, and Elsewhere, to discuss how Google's Common Expression Language should be integrated into OpenBao.