stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
86f29d580c6f4d902e6ae04c8f9b43abfa7514a5
git.stella-ops.org/docs/modules/excititor/operations/provider-credentials.md
master 86f29d580c feat(excititor): continuation — orchestrator test coverage + doc reconciliation 
Follow-up to commit 7efa424fe (EXCITITOR-CFG-01/02/03). Captures the
continuation edits that landed alongside/after the initial commit:

- VexIngestOrchestrator.cs: additional effective-settings resolver
  hardening (+63 lines).
- DefaultVexProviderRunner.cs: worker-path settings merge refinement.
- VexIngestOrchestratorTests.cs (new): focused test coverage for the
  effective-settings + blocked-readiness path.
- DefaultVexProviderRunnerTests.cs: corresponding worker-path coverage.
- TASKS.md entries updated in both test projects.

Docs reconciliation:
- provider-credentials.md (new): operator credential-entry dossier
  mirroring the Concelier source-credentials.md pattern.
- provider-control-plane.md: cross-link updates.
- ops/connector-setup-guide.md: authoritative-inventory pointers updated
  to reference the new credential dossiers; microsoft-entra API-permission
  steps generalized to "your MSRC onboarding flow" (MSRC Security Updates
  API availability varies by tenant).
- SPRINT_20260422_007 execution log appended.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-23 07:32:58 +03:00

6.4 KiB
Raw Blame History

Excititor Provider Credential Entry

Last updated: 2026-04-22

1. Purpose

Excititor now supports operator-supplied provider settings through the product surfaces operators already use:

  • Web UI provider management
  • stella vex providers configure ... in the CLI

Host configuration and environment variables remain compatibility fallbacks, but the primary operator path for supported credential-sensitive Excititor providers is persisted provider configuration owned by Stella Ops itself.

2. Operator entry paths

Web UI

Use:

  • Ops -> Integrations -> Advisory & VEX Sources -> VEX Providers

Then:

  1. Open the provider card.
  2. Open Provider Configuration.
  3. Enter or update the provider fields.
  4. Save the configuration.

Sensitive values never round-trip back to the browser. A stored secret is shown only as retained state. Leaving a password field blank keeps the retained secret. Explicitly checking the clear control removes the stored secret.

CLI

Inspect current persisted provider configuration:

stella vex providers configure excititor:cisco --server https://excititor.example.internal
stella vex providers configure excititor:suse-rancher --server https://excititor.example.internal
stella vex providers configure excititor:msrc --server https://excititor.example.internal

Update a provider:

stella vex providers configure excititor:cisco \
  --server https://excititor.example.internal \
  --set metadataUri=https://mirror.example.internal/cisco/provider-metadata.json \
  --set apiToken=...

stella vex providers configure excititor:suse-rancher \
  --server https://excititor.example.internal \
  --set discoveryUri=https://mirror.example.internal/rancher/vexhub.json \
  --set tokenEndpoint=https://auth.example.internal/oauth2/token \
  --set clientId=... \
  --set clientSecret=...

stella vex providers configure excititor:msrc \
  --server https://excititor.example.internal \
  --set tenantId=... \
  --set clientId=... \
  --set clientSecret=...

Clear stored fields:

stella vex providers configure excititor:msrc \
  --server https://excititor.example.internal \
  --clear clientSecret

Notes:

  • --set accepts key=value.
  • The current CLI path places literal values on the command line. If shell-history exposure is unacceptable for a secret, prefer the Web UI path or use an operator-approved secure shell/history procedure.

3. Blocked providers

If an operator enables a provider that still lacks required credentials or has an invalid persisted configuration, Excititor preserves the enable intent but reports the provider as blocked.

  • enabled=true means the operator wants the provider scheduled once it becomes usable.
  • readiness=blocked means the provider is intentionally on hold because required configuration is still missing or invalid.
  • Manual provider runs and batch ingest flows return a blocked result instead of pretending the provider is runnable.
  • Scheduled worker runs skip blocked providers and record the configuration reason instead of treating missing credentials as transient retry failures.

Current blocked codes:

  • PROVIDER_CONFIG_REQUIRED
  • PROVIDER_CONFIG_INVALID

4. Credential acquisition matrix

Provider Where to sign in or look What to create or capture Can the config be skipped? Entitlement / paywall notes
excititor:cisco Public Cisco CSAF metadata by default. Optional authenticated path depends on your Cisco API / mirror arrangement. Usually nothing for the default public path. Optionally capture metadataUri override and apiToken if your Cisco path requires bearer auth. Yes, for the default public Cisco CSAF metadata path. Configure it only when overriding the metadata URI or when your Cisco endpoint requires a token. No StellaOps-side paywall for the public path. Any token requirement depends on your Cisco-side arrangement, mirror, or entitlement.
excititor:suse-rancher Your Rancher Hub / SUSE-auth deployment, plus the corresponding identity provider or token service. discoveryUri, and when auth is required: tokenEndpoint, clientId, clientSecret, optional audience. Sometimes. Anonymous discovery is allowed only if the hub is intentionally exposed that way. Otherwise the authenticated fields are required together. No StellaOps-side paywall. Access depends on your Rancher Hub deployment and the identity provider that fronts it.
excititor:msrc https://entra.microsoft.com -> App registrations tenantId, clientId, clientSecret; optionally scope override if you are not using the default MSRC API scope. Not for the online MSRC client-credential path. No separate documented MSRC paywall, but you need a Microsoft Entra tenant plus permission to register the app and grant the required consent.
excititor:oci-openvex Registry, identity provider, cosign/PKI authority, and any offline artifact staging path used by your deployment. Not yet supported through the persisted UI/CLI scalar config path. No. This remains blocked pending the artifact-backed OCI configuration design. Depends on your registry, cosign, and offline bundle environment.

5. What operators should actually look for

Cisco CSAF

  • No login is needed for the default public Cisco CSAF metadata path.
  • Only collect metadataUri when pointing Excititor at an approved internal mirror.
  • Only collect apiToken when your Cisco-side path or mirror explicitly requires a bearer token.

SUSE Rancher VEX Hub

  • Rancher hub discovery document URI
  • OAuth or OIDC token endpoint when the hub requires authentication
  • Client ID and client secret for the hub reader application
  • Optional audience value when your token service requires it

Microsoft MSRC

  • Microsoft Entra Directory (tenant) ID
  • Microsoft Entra Application (client) ID
  • A newly created Client secret value
  • Confirm the app consent and scope expected by your MSRC onboarding process before storing the values in Stella Ops

OCI OpenVEX

  • No persisted UI/CLI credential path exists yet for the binary material used by OCI OpenVEX.
  • Keep using host-config compatibility mode until the artifact-backed configuration design lands.

6. References