docs/explanation/security: modified snapd security documentation to be SEC30 V1.3 compliant#193
Conversation
docs/explanation/security/api-authentication-and-authorization.md
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Pull request overview
This PR extends the Sphinx/MyST security documentation by adding new pages/sections covering snapd API authentication/authorization and snapd decommissioning, and by expanding existing security policy documentation (including cryptography provenance and security maintenance lifecycle details). The PR description references a follow-up to PR #179, but this review is limited to the diffs included here.
Changes:
- Add new “API authentication and authorization” and “Decommissioning” explanation pages and link them from the security index.
- Expand
security-policies.mdwith cryptography provenance notes and a new “Security maintenance” section; fix a few formatting issues in refresh awareness text. - Add a dedicated anchor in
data-locations.mdfor “Persisted data on Ubuntu Core” and update cross-references to point to it.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 11 comments.
Show a summary per file
| File | Description |
|---|---|
| docs/reference/administration/data-locations.md | Adds an anchor label for the Ubuntu Core persisted data section to support more specific cross-references. |
| docs/explanation/security/snap-confinement.md | Adjusts the Classic confinement link (currently in a way that likely breaks the reference). |
| docs/explanation/security/security-policies.md | Adds cryptography provenance + security maintenance content; updates cross-references and refresh awareness formatting. |
| docs/explanation/security/index.md | Adds nav links/toctree entries for the new security pages (currently with a toctree filename mismatch). |
| docs/explanation/security/decomissioning.md | Introduces decommissioning guidance (currently has label whitespace + typos + structure issues, and filename spelling mismatch). |
| docs/explanation/security/api-authentication-and-authorization.md | Introduces API auth/authz overview content, including auth data location and authorization mechanisms. |
docs/explanation/security/api-authentication-and-authorization.md
Outdated
Show resolved
Hide resolved
bboozzoo
left a comment
bboozzoo
left a comment
There was a problem hiding this comment.
LGTM, assuming comments from copilot are addressed
docs/explanation/security/api-authentication-and-authorization.md
Outdated
Show resolved
Hide resolved
ernestl
force-pushed
the
ernestl/ssdlc-security-policy-update-2
branch
from
ca47c6e to
db51ce4
Compare
ernestl
changed the title
ernestl
changed the title
pedronis
left a comment
pedronis
left a comment
There was a problem hiding this comment.
one comment, need to do a pass still on api-auth-authz
pedronis
left a comment
pedronis
left a comment
There was a problem hiding this comment.
comment, let me know how you want to proceed on this, picking different examples, pointing to other docs?
docs/explanation/security/api-authentication-and-authorization.md
Outdated
Show resolved
Hide resolved
| For details of which authorization mechanism applies to each API, refer to the [snapd API documentation]. | ||
|
|
||
| [snapd API documentation]: https://snapcraft.io/docs/reference/development/snapd-rest-api/ | ||
|
|
There was a problem hiding this comment.
This is actually very good. We'll start covering diagrams (architecture) and more detailed explanation in 26.10/27.04, so this is definitely going to be useful.
pedronis
left a comment
pedronis
left a comment
There was a problem hiding this comment.
I'm not against the diagrams but the 2nd one needs a tweak
|
I did fairly heavy modification to authentication and authorization to try and have it more accurate. |
|
Authentication: 
|
|
Authorization: Note - zooming is enabled in grahams official version of mermaid support, and scale and style can be tweaked in the future. 
|
docs/explanation/security/api-authentication-and-authorization.md
Outdated
Show resolved
Hide resolved
docs/explanation/security/api-authentication-and-authorization.md
Outdated
Show resolved
Hide resolved
docs/explanation/security/api-authentication-and-authorization.md
Outdated
Show resolved
Hide resolved
pedronis
left a comment
pedronis
left a comment
There was a problem hiding this comment.
generally +1, please get Maciej to re-review if there are major changes
…e SEC0030 V1.3 compliant #docs/explanation/security: review corrections docs/explanation/security: remove diagrams docs/explanation/security: improved authentication table
ernestl
force-pushed
the
ernestl/ssdlc-security-policy-update-2
branch
from
f0f6692 to
76c30ae
Compare
|
Maciek did complete another pass. |
Follow up of WIP #179 that was accidentally merged early.
Please also look at provide feedback on #179.
Spec: SEC30
Jira: https://warthogs.atlassian.net/browse/SNAPDENG-35755