[RBAC PR 2 follow-up] Verify break-glass readiness#2340
Open
philipfweiss wants to merge 1 commit into
Open
Conversation
✅ Deploy Preview for thriving-cassata-78ae72 canceled.
|
Fail startup when restrictive RBAC lacks its configured admins, seed the local recovery account, and emit distinct bounded bypass audit events.
philipfweiss
force-pushed
the
rbac-breakglass-readiness
branch
from
July 18, 2026 00:45
0fb2a07 to
42dac97
Compare
philipfweiss
marked this pull request as ready for review
July 18, 2026 01:16
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Tracking: #2234 (step 2 follow-up in the RBAC enablement sequence).
Restrictive RBAC depends on an admin recovery path, but the server can start while the configured user has
is_admin=false. That can lock every operator out, while bypass use is difficult to identify in ordinary authorization logs.Why this was missed initially: #2232 manually promoted
djbefore testing the bypass, so it proved recovery only after a valid admin already existed. It did not exercise cold startup with a missing or invalid admin, or check for a machine-distinct audit event.This PR makes the recovery path an activation prerequisite:
RBAC_REQUIRE_ADMIN=true, requires every configuredRBAC_ADMIN_USERSentry to exist as a human user withis_admin=true.djas an admin, updates existing local rows idempotently, and waits fordb-seedbefore starting the server.datajunction.audit.rbacwithevent=rbac_admin_bypass, actor fields, request count, andreason=admin_bypass.Permissive deployments remain unchanged when admin readiness is disabled. Restrictive deployments fail before serving requests when the configured admin set is missing or invalid. Admin promotion remains an operations and seed concern; this adds no public promotion API.
Verification:
db-seedbefore the server, the seededdjrow was an admin, and startup verified the configured admin.