Operator Management Service — Security Model
Status: populated
Owner: Platform Engineering + Security
Last updated: 2026-04-18
Companion: 13 Security · ADR-0001 Kong
1. Authentication
Admin API (via Kong)
- Kong `jwt` plugin validates admin JWTs (Firebase / auth-service JWKS).
- Required claim: `scope` contains `ops:admin`.
- Service re-validates `X-Admin-Id` presence; rejects if absent.
Internal API (mTLS)
- No Kong route.
- Mutual TLS enforced at Kubernetes service mesh (Istio/Linkerd) or via custom NestJS middleware verifying peer certificate against cluster CA.
- Callers: smpp-connector (credentials), routing-engine (operator list).
2. Authorization
| Scope | Action |
|---|---|
| `ops:admin` | All admin CRUD (create/update/delete operators, rules, TPS) |
| `ops:read` | GET-only admin endpoints (read-only operator list) |
| Internal mTLS identity | Credentials endpoint + internal operator list |
No tenant isolation layer: operator config is platform-level, not per-tenant. All admin actions are audit-logged.
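The admin-API checks from sections 1 and 2, as an added example (not the service's own code): a pure decision function that assumes Kong has already verified the JWT signature and only evaluates the claims and the `X-Admin-Id` header. Scope matching is by exact token, so a look-alike scope such as `ops:administrator` never satisfies `ops:admin`.

```typescript
// Added example, not the Operator Management Service's own code.
// Assumes the JWT signature and expiry were already checked by the Kong jwt plugin.
type Claims = { sub?: string; scope?: string | string[] };

type Decision =
  | { allow: true; actor: string }          // actor feeds createdBy / updatedBy
  | { allow: false; reason: string };

// Normalise the scope claim: OAuth-style space-delimited string or an array.
// Returns a Set so membership is an exact token match, never a substring match.
function scopeSet(scope: string | string[] | undefined): Set<string> {
  const tokens = Array.isArray(scope) ? scope : (scope ?? "").split(/\s+/);
  return new Set(tokens.filter((t) => t.length > 0));
}

function authorizeAdminRequest(
  method: string,
  claims: Claims,
  headers: Record<string, string | undefined>,
): Decision {
  // Re-validate X-Admin-Id presence in the service, independently of Kong.
  const adminId = headers["x-admin-id"]?.trim();
  if (!adminId) return { allow: false, reason: "missing X-Admin-Id header" };

  // sub is required because audit columns are populated from it.
  if (!claims.sub) return { allow: false, reason: "JWT has no sub claim" };

  const scopes = scopeSet(claims.scope);
  const isRead = method.toUpperCase() === "GET";

  // ops:admin covers every admin endpoint; ops:read covers GET only.
  if (scopes.has("ops:admin")) return { allow: true, actor: claims.sub };
  if (isRead && scopes.has("ops:read")) return { allow: true, actor: claims.sub };

  return {
    allow: false,
    reason: isRead ? "requires ops:read or ops:admin" : "write requires ops:admin",
  };
}
```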
3. Credential Security (Vault)
- SMPP passwords written to Vault path `secret/ops/operators/{operatorId}/credentials`.
- Service authenticates to Vault via Kubernetes Service Account JWT (Vault Kubernetes auth method).
- Vault policy `ops-service-policy` permits only this service's SA to read/write under `secret/ops/operators/*`.
- Password is never logged, never included in event payloads, never returned in admin API responses (write-only from admin perspective).
- Vault token rotated automatically by Vault Agent sidecar (TTL 1h, renewal at 50%).
4. Encryption
| Class | Mechanism |
|---|---|
| In-flight (admin) | TLS 1.2+ via Kong + Cloudflare |
| In-flight (internal) | mTLS (service mesh) |
| At rest (PG) | Transparent disk encryption (AWS EBS / GCP PD) |
| Secrets | Vault — never in env files or Kubernetes Secrets for passwords |
5. Audit
- All admin write operations (create, update, delete) emit `audit.admin.v1` event (owned by audit service).
- Health state transitions logged to `ops.operator_health_log` (tamper-evident append-only pattern).
- Admin actions include `createdBy`/`updatedBy` columns populated from JWT `sub` claim.
6. Threat Model
| Threat | Control |
|---|---|
| Admin JWT compromise | Short-lived JWT (15 min); scope ops:admin restricted to ops team IdP group |
| SMPP password exfiltration via API | Password never in PG or API responses; Vault-only; audit on read |
| Rogue service calling internal credentials endpoint | mTLS + Kubernetes NetworkPolicy restricts to allowed namespaces |
| Malicious routing rule injection | Admin scope required; all changes NATS-broadcast for out-of-band monitoring |
| Vault path traversal | Service SA policy is path-scoped; no wildcard on secret/ root |
| Soft-delete bypass (re-activating deleted operator) | PATCH endpoint refuses activation of deleted_at IS NOT NULL rows (requires new CREATE) |
| Log injection via operator name field | Name sanitized (alphanumeric + limited punctuation) at VO construction |
7. Network Policy
```yaml
# Kubernetes NetworkPolicy (conceptual)
ingress:
- from: kong-namespace (admin API)
- from: smpp-connector-namespace (internal credentials)
- from: routing-engine-namespace (internal operator list)
egress:
- to: vault-namespace (port 8200)
- to: postgresql (port 5432)
- to: redis (port 6379)
- to: nats (port 4222)
```