Technical Overview
GatePlane builds on Vault/OpenBao to provide conditional Just-In-Time (JIT) access management without reinventing authentication, authorization, monitoring, or the integrations Vault/OpenBao already has with a wide range of popular software.
GatePlane currently consists of the Vault/OpenBao plugins below:
Plugins can be mounted under any Vault/OpenBao path (e.g. auth/some-path/access), exactly like any other Vault/OpenBao plugin (e.g. userpass, jwt), and access to their endpoints can be controlled via standard Vault/OpenBao policies (see the respective policy documentation for Vault and OpenBao).
These plugins allow Vault/OpenBao Entities the following flows:
- Create Access Requests (update auth/some-path/access/request)
- List Access Requests (list auth/some-path/access/request)
- Approve Access Requests (update auth/some-path/access/approve)
- Claim Access Requests (update auth/some-path/access/claim)
- Revoke Access Requests ⏳
For all plugins, the flows are identical and the API is thoroughly documented under the HTTP API section.
Access Control on Plugin Flows
As plugins are mounted at Vault/OpenBao paths, the built-in Vault/OpenBao policy system can be used to allow (or restrict) access for specific Entities to specific plugin flows. Hence, it is possible to write a policy that can only create access requests (e.g. path "<plugin-path>/request" { capabilities = ["read", "update"] }) and cannot approve any, and vice versa (e.g. path "<plugin-path>/approve" { capabilities = ["update"] }).
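The following script is an added example, not code from the GatePlane project: it generates a requester policy and an approver policy for a plugin mounted at a given path (covering both the mount/flow description above and the requester-versus-approver separation just described), checks that no single policy can both create and approve requests, and can optionally load the policies with the vault CLI. It assumes the plugin is mounted at auth/some-path/access (overridable via GATEPLANE_MOUNT), that the vault CLI is installed and authenticated when the "apply" argument is used, and that Vault/OpenBao evaluates list operations against the path with a trailing slash; the policy names gateplane-requester and gateplane-approver are placeholders.

```shell
#!/bin/sh
# Added example, not part of the GatePlane project: build separate
# Vault/OpenBao policies for requesters and approvers of a GatePlane plugin,
# check them for separation of duties, and optionally apply them.
# Assumptions: the plugin is mounted at $MOUNT (default auth/some-path/access),
# the vault CLI is installed and authenticated when "apply" is used, and
# list operations are ACL-checked against the path with a trailing slash.

MOUNT="${GATEPLANE_MOUNT:-auth/some-path/access}"

# Policy for entities that may create and list access requests only.
requester_policy() {
  printf 'path "%s/request" {\n  capabilities = ["read", "update"]\n}\n' "$1"
  printf 'path "%s/request/" {\n  capabilities = ["list"]\n}\n' "$1"
}

# Policy for approvers: list requests and approve them, but never create or claim.
approver_policy() {
  printf 'path "%s/request/" {\n  capabilities = ["list"]\n}\n' "$1"
  printf 'path "%s/approve" {\n  capabilities = ["update"]\n}\n' "$1"
}

# policy_grants HCL PATH CAPABILITY -> exit 0 if the policy grants CAPABILITY on PATH.
# Minimal parser for the flat 'path "..." { capabilities = [...] }' shape used
# here; it does not understand globs, "+" segments or nested attributes.
policy_grants() {
  printf '%s\n' "$1" | awk -v p="$2" -v c="$3" '
    /^path "/ { match($0, /"[^"]*"/); cur = substr($0, RSTART + 1, RLENGTH - 2) }
    /capabilities/ && cur == p && index($0, "\"" c "\"") { found = 1 }
    END { exit found ? 0 : 1 }'
}

# separation_ok HCL MOUNT -> exit 0 unless one policy can both create and approve requests.
separation_ok() {
  if policy_grants "$1" "$2/request" update && policy_grants "$1" "$2/approve" update; then
    return 1
  fi
  return 0
}

# Load both policies into Vault/OpenBao (policy names are placeholders) and
# show what the caller's own token may do on each plugin endpoint.
apply_policies() {
  requester_policy "$MOUNT" | vault policy write gateplane-requester -
  approver_policy "$MOUNT" | vault policy write gateplane-approver -
  vault token capabilities "$MOUNT/request"
  vault token capabilities "$MOUNT/approve"
}

case "${1:-}" in
  apply) apply_policies ;;
  *)
    printf '# gateplane-requester\n'; requester_policy "$MOUNT"
    printf '# gateplane-approver\n'; approver_policy "$MOUNT"
    ;;
esac
```

Run without arguments to print the two policies; run with `apply` against an authenticated vault CLI to load them. The `separation_ok` check is the one worth wiring into review of any combined policy set: a policy that can both create and approve the same request defeats the point of the approval step.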