Blastwall treats privileged automation like dispatched work. AAP sends the work order, IdM keeps the records that say who may go where, eigenstate.ipa reads those records into inventory facts, and SELinux is the boundary at the job site.
The important move is to make privileged automation prove it is in the right shape before it reaches the host. The automation identity has to be recognized centrally, allowed to arrive, mapped into the right SELinux user, granted scoped sudo, selected by AAP, and then confined when it becomes root.
Why IdM Matters
IdM can look like a login database if you only see usernames and hostnames. Blastwall uses it as a records system for privileged automation: who the automation identity is, which hosts are in scope, what login path is allowed, which SELinux badge the session receives, what sudo may delegate, and which verified coverage marker AAP can read before launch.
That record chain matters because SELinux enforcement happens on the managed host, but the decision to send automation there happens earlier. I want AAP to see enough central state to avoid launching a sensitive workflow at a host that is missing the expected identity, access, mapping, or coverage.
Dispatch Analogy
I use one analogy throughout: dispatched work to a controlled job site. The job terms make the control chain easier to follow; each row ends with the actual Blastwall dependency.
| Analogy | IdM/AAP Object | Blastwall Consequence |
|---|---|---|
| Dispatcher | AAP workflow | Launches only after the inventory and preflight say the target is suitable. |
| Work order | AAP job template | Carries the operator-visible task, credentials, inventory source, and recorded output. |
| Records office | IdM | Holds the identity, access, sudo, SELinux map, host group, and marker records. |
| Query desk | eigenstate.ipa | Turns IdM records into inventory facts AAP can act on. |
| Dispatch checklist | Preflight | Fails closed before runtime proof when the target is missing required state. |
| Job site | Managed host | Receives the mapped login session and performs local enforcement. |
| Site boundary | SELinux policy | Denies exploit surfaces for the confined automation subject. |
| Inspection tag | Host marker | Lets AAP prefer hosts with verified policy coverage, without replacing live enforcement. |
That keeps the parts in their natural lanes. AAP does not become an IdM parser. IdM does not author SELinux policy. SELinux does not know about Controller workflow intent. Each system contributes the control it is already good at.
The IdM Records
The IdM model is deliberately ordinary. Blastwall does not need an exotic identity shape; it needs a consistent relationship between the automation identity, the managed host, and the SELinux user map.
| Record | Plain Meaning | What It Decides |
|---|---|---|
| Automation group | A named set of automation identities. | Which identities belong to the Blastwall automation population. |
| Managed-host group | A named set of eligible hosts. | Which hosts are candidates for that automation population. |
| HBAC rule | The central "may enter" rule. | Whether the identity is allowed to log in to the host through the expected service, such as SSH. |
| SELinux user map | The badge handed to the login session. | Which SELinux user the login receives. In this PoC, that is blastwall_u:s0. |
| Sudo rule | The delegated privilege record. | Which root actions are delegated after login, while the SELinux role and type remain constrained. |
| Host marker | An inspection tag written after verification. | Which verified policy version and deny scopes AAP can prefer before running a job. |
Real Object Map
The analogy is only a warmup. This table maps the job-site language back to the current lab object names.
| Job-Site Term | Blastwall Object | Where It Appears |
|---|---|---|
| Automation crew | svc-ansible-runner | Kerberos principal, IdM user, Ansible proof, AAP runtime credential. |
| Dispatcher | Blastwall runtime verification | AAP workflow template. |
| Records office | IdM / FreeIPA | HBAC, sudo, SELinux user map, groups, host markers. |
| Query desk | eigenstate.ipa | AAP inventory source and Ansible read-side gate. |
| Job site | mirror-registry.workshop.lan | Selected current host in the recorded proof. |
| Inspection tag | Host marker | IdM-visible verified coverage fact consumed by inventory sync. |
Concrete Walkthrough
In the lab, think of svc-ansible-runner as the automation crew and mirror-registry.workshop.lan as the job site. A valid Blastwall run needs the following chain to line up:
- The automation identity is a member of the Blastwall automation group.
- The managed host is a member of the Blastwall managed-host group.
- The HBAC rule says that identity may enter that host through SSH.
- The SELinux user map says the login receives
blastwall_u:s0. - The sudo rule allows the delegated root work the workflow needs.
- The verified host marker says the expected Blastwall policy coverage is present.
- AAP preflight selects the host only when the records agree.
After login, the session can still become UID 0 through sudo, but it remains in blastwall_u:blastwall_r:blastwall_t:s0. That is the point of the model: central records shape the arrival, and host-local SELinux policy limits what the privileged automation subject can do after it arrives.
AAP Selection
The workflow should know whether a host is suitable before it starts the runtime proof. That suitability is not a single patched/unpatched bit. It is the combination of identity membership, host membership, HBAC, SELinux mapping, sudo policy, and optional coverage markers.
AAP asks which hosts are current
-> eigenstate.ipa reads IdM state
-> IdM returns identity, access, sudo, SELinux map, and marker state
-> AAP selects suitable hosts
-> SELinux enforces the mapped sessionThe host marker is only a claim AAP can read after verification writes it. It is useful for target selection, but it does not replace live HBAC, sudo, SELinux mapping, or runtime denial checks.
Runtime Boundary
After AAP selects the host, the local system still makes the decisive enforcement decision. SSSD and pam_selinux apply the IdM SELinux user map at login. Sudo can reach UID 0, but the session remains inside blastwall_u:blastwall_r:blastwall_t:s0.
AAP, IdM, and eigenstate.ipa do not perform the kernel denial. They make the arrival conditions explicit. The host-local SELinux boundary denies the exploit surfaces for that confined automation subject.
Failure Modes
Each failure points to a specific missing or weak record.
| Missing Or Weak State | Operator Symptom | Where To Look |
|---|---|---|
| Automation group membership | The identity is not part of the Blastwall automation population. | IdM group membership and credential smoke output. |
| Hostgroup membership | The host is visible but not eligible for the workflow. | IdM hostgroup and eigenstate.ipa inventory facts. |
| HBAC rule | SSH access fails or preflight refuses the target. | blastwall-ssh and SSSD login behavior. |
| SELinux user map | The login does not receive blastwall_u:s0. | blastwall-root-local-map, SSSD, and id -Z. |
| Sudo rule | Root delegation fails, or the delegated command set is broader than intended. | blastwall-root-local-sudo and self-protection proof. |
| Host marker | AAP sees stale coverage or rejects the host before verification. | Inventory sync, preflight selected/stale host output, and local verification job. |
Where To See It
AAP Demo shows the Controller side: inventory sync, preflight, launch, node status, and job stdout. Ansible Demo shows the bootstrap side: IdM object creation, policy rollout, direct probe output, audit evidence, and self-protection.