fix(policy): Mention manager field (#155)

c-r33d · web-flow · commit 45e97764d598 · 2025-11-03T21:12:46.000-05:00
1.) Add an important note, describing that the `name` field for key
managers is no longer used. Users should instead use the `manager`
field.
2.) Pin links directly to a sha to avoid shift
diff --git a/docs/components/policy/keymanagement/base_key.md b/docs/components/policy/keymanagement/base_key.md
@@ -13,7 +13,7 @@ A base key, or default key, is a key that will be used when no grants or key map
 You must have admin permission to use any key operations.
 :::
 
-When using the [kas-registry proto](https://github.com/opentdf/platform/blob/main/service/policy/kasregistry/key_access_server_registry.proto#L659-L662) and an active connection to the platform you can use the above base key rpcs to set and retrieve the base key.
+When using the [kas-registry proto](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/service/policy/kasregistry/key_access_server_registry.proto#L692-L696) and an active connection to the platform you can use the above base key rpcs to set and retrieve the base key.
 
 [otdfctl base key](https://github.com/opentdf/otdfctl/tree/main/docs/man/policy/kas-registry/key/base) provides documentation on how to set / get base keys with the OpenTDF CLI.
 
@@ -28,4 +28,4 @@ When using the [kas-registry proto](https://github.com/opentdf/platform/blob/mai
 
 :::note
 In upcoming versions of the SDK, post v0.5.0, the SDK will prefer to error when no base key is set; instead of falling back.
-:::
+:::
diff --git a/docs/components/policy/keymanagement/index.md b/docs/components/policy/keymanagement/index.md
@@ -47,7 +47,7 @@ The primary difference is that the **Key Manager** needs to reach out to the KMS
 
 ## What is different with the new key architecture?
 
-1. Previously, when starting the platform users would be expected to populate the [startup yaml file](https://github.com/opentdf/platform/blob/main/opentdf-dev.yaml#L150-L158) with asymmetric keys that would be used by KAS for and decryption. Now keys, or their reference, should be stored/registered with the platform via the [kas-registry](https://github.com/opentdf/platform/blob/main/service/policy/kasregistry/key_access_server_registry.proto#L644-L656).
+1. Previously, when starting the platform users would be expected to populate the [startup yaml file](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/opentdf-dev.yaml#L160-L171) with asymmetric keys that would be used by KAS for and decryption. Now keys, or their reference, should be stored/registered with the platform via the [kas-registry key endpoints](https://github.com/opentdf/platform/blob/main/service/policy/kasregistry/key_access_server_registry.proto#L678-L699).
 2. Endpoints for easier management of keys through the kas-registry.
    1. Create/Read/Update
    2. Key Rotation
diff --git a/docs/components/policy/keymanagement/key_managers.md b/docs/components/policy/keymanagement/key_managers.md
@@ -13,11 +13,17 @@ A key manager is essentially a client that is used for either performing cryptog
 
 ## How do I register a key manager?
 
-If you have written your own key manager, you can register it with KAS by providing its factory method with a [server option](https://github.com/opentdf/platform/blob/main/service/pkg/server/options.go#L131) (.so), during server startup. By providing a way to instantiate an object of your key manager type we will then use it when necessary. You will also need to configure KAS to use the new key manager. This is done through provider configuration file (.cfg).
+If you have written your own key manager, you can register it with KAS by providing its factory method with a [server option](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/service/pkg/server/options.go#L141-L164) (.so), during server startup. By providing a way to instantiate an object of your key manager type we will then use it when necessary. You will also need to configure KAS to use the new key manager. This is done through provider configuration file (.cfg).
+
+:::important
+As of [Service v0.10.0](https://github.com/opentdf/platform/releases/tag/service%2Fv0.10.0) the use of the `name` field is not used for mapping a key to an implementation of that manager. Instead,
+the new [manager](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/service/policy/keymanagement/key_management.proto#L22) field is used for this purpose. The `name` should
+now be treated as a friendly name.
+:::
 
 ### Provider configurations
 
-Provider configurations are a way of entangling a key to a specific manager. The [key management proto](https://github.com/opentdf/platform/blob/main/service/policy/keymanagement/key_management.proto#L76) provides specifics on what RPCs are available as well as what is expected within each call. One of the most important parts of the provider configuration is the **name** field. The **name** field is what KAS will look for when trying to instantiate a specific manager. If no manager with that name is found, KAS will attempt to use the default manager.
+Provider configurations are a way of entangling a key to a specific manager. The [key management proto](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/service/policy/keymanagement/key_management.proto) provides specifics on what RPCs are available as well as what is expected within each call. One of the most important parts of the provider configuration is the **manager** field. The **manager** field is what KAS will look for when trying to instantiate a specific manager. If no manager with that name is found, KAS will attempt to use the default manager.
 
 The basic flow is as follows:
 :::note
@@ -33,13 +39,13 @@ sequenceDiagram
     KAS->>+Platform: Retrieve key (key id=r1)
     Platform->>+KAS: Returns key
     KAS->>+KAS: Get name of provider config from key
-    KAS->>+KAS: Instantiate key manager from provider name
+    KAS->>+KAS: Instantiate key manager from provider's manager field
     KAS->>+Key Manager: Decrypt data encryption key
     Key Manager->>+KAS: Return decrypted key
     KAS->>+SDK: Return rewrapped data encryption key
 ```
 
-When registering your provider configuration and your key manager the name must match. For example, the [basic manager name](https://github.com/opentdf/platform/blob/main/service/internal/security/basic_manager.go#L23) is **opentdf.io/basic**. For example, if you create a manager with name **opentdf.io/aws**, you would need to create a provider configuration with the same name and tie it to a key when creating the key. In addition, when registering the manager you need to pass in the same name as what the provider configuration expects.
+When creating your provider configuration and registering your key manager the [name](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/service/trust/key_manager.go#L50) given in the manager factory, must match the [manager](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/service/policy/keymanagement/key_management.proto#L22) field given to the provider configuration. For example, if you register a manager with name **opentdf.io/aws** you would need to create a provider configuration with **opentdf.io/aws** as the `manager` field and tie it to a key when creating the key.
 
 :::important
 If private keys are meant to be stored within the platform database,
@@ -55,6 +61,6 @@ You cannot delete provider configurations that are tied to keys.
 
 ## Helpful links
 
-- [key manager interface](https://github.com/opentdf/platform/blob/main/service/trust/key_manager.go#L33).
-- [NamedKeyManagerFactory](https://github.com/opentdf/platform/blob/main/service/trust/key_manager.go#L62)
-- [KeyManagerFactory](https://github.com/opentdf/platform/blob/main/service/trust/delegating_key_service.go#L21)
+- [key manager interface](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/service/trust/key_manager.go#L19).
+- [NamedKeyManagerFactory](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/service/trust/key_manager.go#L49-L58)
+- [KeyManagerFactory](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/service/trust/delegating_key_service.go#L39-L44)
diff --git a/docs/components/policy/keymanagement/key_mappings.md b/docs/components/policy/keymanagement/key_mappings.md
@@ -32,39 +32,39 @@ attribute definitions, you can also create mappings for namespaces
 and attribute values.
 :::
 
-1. First you will need to [create a key access server](https://github.com/opentdf/platform/blob/main/service/policy/kasregistry/key_access_server_registry.proto#L630)
+1. First you will need to [create a key access server](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/service/policy/kasregistry/key_access_server_registry.proto#L59)
 
 OpenTDF CLI
 
 ```bash
 otdfctl policy kas-registry create --uri http://example.com/kas --name example-kas
 ```
 
-2. Next, you will need to [create a key](https://github.com/opentdf/platform/blob/main/service/policy/kasregistry/key_access_server_registry.proto#L644)
+2. Next, you will need to [create a key](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/service/policy/kasregistry/key_access_server_registry.proto#L379)
 
 OpenTDF CLI
 
 ```bash
 otdfctl key create --key-id "rsa-key-1" --algorithm "rsa:2048" --mode "local" --kas "891cfe85-b381-4f85-9699-5f7dbfe2a9ab" --wrapping-key-id "virtru-stored-key" --wrapping-key "a8c4824daafcfa38ed0d13002e92b08720e6c4fcee67d52e954c1a6e045907d1"
 ```
 
-3. [create a namespace](https://github.com/opentdf/platform/blob/main/service/policy/namespaces/namespaces.proto#L180)
+3. [create a namespace](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/service/policy/namespaces/namespaces.proto#L95)
 
 OpenTDF CLI
 
 ```bash
 otdfctl policy attributes namespaces create --name opentdf.io
 ```
 
-4. [create an attribute](https://github.com/opentdf/platform/blob/main/service/policy/attributes/attributes.proto#L415)
+4. [create an attribute](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/service/policy/attributes/attributes.proto#L116)
 
 OpenTDF CLI
 
 ```bash
 otdfctl policy attributes create --namespace 3d25d33e-2469-4990-a9ed-fdd13ce74436 --name myattribute --rule ANY_OF
 ```
 
-5. [assign a key to an attribute](https://github.com/opentdf/platform/blob/main/service/policy/attributes/attributes.proto#L457)
+5. [assign a key to an attribute](https://github.com/opentdf/platform/blob/5221cf41079fc43a3966e17c6f3e0d3cf8a16730/service/policy/attributes/attributes.proto#L356)
 
 OpenTDF CLI
 
