centra
a7ec7e2158
- Created T026-practical-test task.yaml for MVP smoke testing - Added k8shost-server to flake.nix (packages, apps, overlays) - Staged all workspace directories for nix flake build - Updated flake.nix shellHook to include k8shost Resolves: T026.S1 blocker (R8 - nix submodule visibility)
1.5 KiB
1.5 KiB
IAM/Aegis Feature Gap Analysis
Date: 2025-12-08 Implementation Status: 84% (38/45 features)
Summary
Strongest implementation. Core RBAC/ABAC working. Gaps mainly in operational features.
Gap Analysis
| Feature | Spec Section | Priority | Complexity | Notes |
|---|---|---|---|---|
| Metrics/Monitoring | 12.4 | P0 | Small (1-2 days) | No Prometheus metrics. |
| Health Endpoints | 12.4 | P0 | Small (1 day) | No /health or /ready. Critical for K8s. |
| Group Management | 3.1 | P1 | Medium (3-5 days) | Groups defined but no membership logic. |
| Group Expansion in Authz | 6.1 | P1 | Medium (3-5 days) | Need to expand group memberships during authorization. |
| Audit Integration | 11.4 | P1 | Small (2 days) | Events defined but not integrated into gRPC services. |
| OIDC Principal Mapping | 11.1 | P1 | Medium (3 days) | JWT verification works but no end-to-end flow. |
| Pagination Support | 5.2 | P2 | Small (1-2 days) | List ops return empty next_page_token. |
| Authorization Tracking | 5.1 | P2 | Small (1 day) | matched_binding/role always empty (TODO in code). |
Working Features
- Authorization Service (RBAC + ABAC)
- All ABAC condition types
- Token Service (issue, validate, revoke, refresh)
- Admin Service (Principal/Role/Binding CRUD)
- Policy Evaluator with caching
- Multiple storage backends (Memory, Chainfire, FlareDB)
- JWT/OIDC verification
- mTLS support
- 7 builtin roles
Effort Estimate
P0 fixes: 2-3 days P1 fixes: 1.5-2 weeks Total: ~2-3 weeks focused development