MÓDULO GATEWAY.Art
Operator entry proxy — LDAP+SAML+passkey + RBAC + audit + OBP acceptor.
Function
The single entry point for operators reaching the bench dashboard. Provides:
- Auth (LDAP / SAML / passkey)
- RBAC role mapping (operator → tier — Free / Pro / Team+ / Enterprise)
- Audit log of every operator action
- OBP reverse-tunnel acceptor (per ADR 0022)
Identity
| Element | Value |
|---|---|
| Plane | MGMT-light (cloud-portable) |
| Internal code | gateway-proxy |
| K8s namespace | gateway-art |
| OOBI slot | .250 |
| Operator-side iface | dual-NIC: eth0 (operator/Internet) + vxlan0 (OOBI) |
RBAC roles
| Role | Tier | Can... |
|---|---|---|
| viewer | Free | read-only telemetry, no test runs |
| operator | Pro | run tests, basic config |
| team-lead | Team+ | KALI/DoYour, OBP authorization, vault writes |
| admin | Enterprise | DDPB unlock, mode change, audit log access |
| auditor | any | audit log read-only, even production-blocked features |
Tier → role mapping enforced at GATEWAY (not at individual MÓDULO).
Operator controls
- /admin/gateway — auth provider config (LDAP/SAML/passkey)
- /admin/audit — audit log search + export
- /admin/obp/authorize — initiate OBP reverse-tunnel session
Key telemetry
- gateway_auth_attempts_total{provider, status}
- gateway_active_sessions_total{role}
- gateway_audit_records_total
- gateway_obp_sessions_active
Notes
GATEWAY is the only MÓDULO that talks to the operator-side network. All other MÓDULOs reach the operator through GATEWAY's reverse proxy, so audit and RBAC are enforced uniformly.
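
An added example, not GATEWAY's own code: a deny-by-default check that caps the claimed role by the account tier, gates the operator routes listed above, and writes an audit record for every decision, allowed or denied. Assumptions: a tier permits its own role and the ones below it, `/admin/gateway` is admin-only, and the function, field and reason names are hypothetical.

```python
import json
import time

# Tier -> highest role, from the RBAC roles table; auditor is valid on any tier.
TIER_ROLE = {"Free": "viewer", "Pro": "operator",
             "Team+": "team-lead", "Enterprise": "admin"}
# Assumption: a tier permits its own role and every role below it.
LADDER = ["viewer", "operator", "team-lead", "admin"]

# Route -> roles allowed. team-lead and auditor entries follow the table;
# admin on the OBP route comes from the ladder assumption above.
ROUTE_ROLES = {
    "/admin/obp/authorize": {"team-lead", "admin"},
    "/admin/audit": {"admin", "auditor"},
    "/admin/gateway": {"admin"},  # assumption: the page names no role here
}

AUDIT_LOG = []  # hypothetical in-memory stand-in for the audit sink


def authorize(operator, tier, role, route, now=None):
    """Deny by default and record the decision, allowed or not."""
    ceiling = TIER_ROLE.get(tier)
    if ceiling is None:
        role_ok = False                      # unknown tier
    elif role == "auditor":
        role_ok = True                       # auditor: any tier
    else:
        role_ok = (role in LADDER
                   and LADDER.index(role) <= LADDER.index(ceiling))
    allowed = role_ok and role in ROUTE_ROLES.get(route, set())
    if allowed:
        reason = "ok"
    elif not role_ok:
        reason = "role_not_allowed_for_tier"
    else:
        reason = "route_not_permitted"
    AUDIT_LOG.append(json.dumps({
        "ts": time.time() if now is None else now,
        "operator": operator, "tier": tier, "role": role, "route": route,
        "decision": "allow" if allowed else "deny", "reason": reason,
    }, sort_keys=True))
    return allowed


if __name__ == "__main__":
    # Constructed requests: a Pro account claiming team-lead is refused.
    print(authorize("alice", "Team+", "team-lead", "/admin/obp/authorize"))
    print(authorize("bob", "Pro", "team-lead", "/admin/obp/authorize"))
    print("\n".join(AUDIT_LOG))
```

Denied requests are logged with the same fields as allowed ones, so a role claim above the account tier shows up in the audit trail rather than disappearing as a silent rejection.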
Related
- ADR 0022 — OBP acceptor
- OBP primer
- Patent claim family — claims #1..#12 (DOM/OOBI/GATEWAY/RELAY)