Jump to: navigation, search

Difference between revisions of "Barbican/Policy"

Line 25: Line 25:
 
| DELETE ||  ||  || x ||  ||  ||  ||  || key_manager:delete_secrets
 
| DELETE ||  ||  || x ||  ||  ||  ||  || key_manager:delete_secrets
 
|-
 
|-
| rowspan="4" | /v1/secrets/{secret-id}/acl || GET
+
| rowspan="4" | /v1/secrets/{secret-id}/acl || GET || x || x || x ||  ||  ||  ||  || key_manager:get_acl
 
|-
 
|-
| PATCH
+
| PATCH ||  || x || x ||  ||  ||  ||  || key_manager:manage_acl
 
|-
 
|-
| PUT
+
| PUT ||  || x || x ||  ||  ||  ||  || key_manager:manage_acl
 
|-
 
|-
| DELETE
+
| DELETE ||  || x || x ||  ||  ||  ||  || key_manager:manage_acl
 
|-
 
|-
| rowspan="3" | /v1/secrets/{secret-id}/metadata || GET
+
| rowspan="3" | /v1/secrets/{secret-id}/metadata || GET || x || x || x ||  ||  ||  ||  || key_manager:get_secret_meta
 
|-
 
|-
| PUT
+
| PUT ||  || x || x ||  ||  ||  ||  || key_manager:store_secrets
 
|-
 
|-
| POST
+
| POST ||  || x || x ||  ||  ||  ||  || key_manager:store_secrets
 
|-
 
|-
 
| rowspan="3" | /v1/secrets/{secret-id}/metadata/{meta-key} || GET
 
| rowspan="3" | /v1/secrets/{secret-id}/metadata/{meta-key} || GET
Line 108: Line 108:
 
|-
 
|-
 
|}
 
|}
 +
 +
* key_manager:manage_acl
 +
** (dmendiza) Is this too broad?
 +
** (dmendiza) Should we have separate ''key_manager:(secret|order)_manage_acl''?
 +
** (dmendiza) Should '''member''' be allowed to manage ACL?  Would private secrets break if we don't?  Are private secrets really private it we do?
 +
** (dmendiza) Is there a way to reference the User by ID to introduce the concept of a secret owner into this policy?
 +
* key_manager:store_secret
 +
** (dmendiza) Is it ok to use this for adding metadata to a secret?  I think it is.

Revision as of 00:38, 14 June 2018

Project-scope System-scope
Route Method reader member admin reader member admin no auth Tag
/ GET x x x x x x x key_manager:get_home
/v1 GET x x x x x x key_manager:get_v1
/v1/secrets GET x x x key_manager:list_secrets
POST x x key_manager:store_secrets
/v1/secrets/{secret-id} GET Accept:application/json x x x key_manager:get_secret_meta
DEPRECATED

GET Accept:{secret-mime}

x x key_manager:decrypt_secrets
PUT x x key_manager:store_secrets
DELETE x key_manager:delete_secrets
/v1/secrets/{secret-id}/acl GET x x x key_manager:get_acl
PATCH x x key_manager:manage_acl
PUT x x key_manager:manage_acl
DELETE x x key_manager:manage_acl
/v1/secrets/{secret-id}/metadata GET x x x key_manager:get_secret_meta
PUT x x key_manager:store_secrets
POST x x key_manager:store_secrets
/v1/secrets/{secret-id}/metadata/{meta-key} GET
PUT
DELETE
/v1/secrets/{secret-id}/payload GET
/v1/transport_keys GET
POST
/v1/transport_keys/{key-id} GET
DELETE
/v1/containers GET
POST
/v1/containers/{container-id} GET
DELETE
/v1/containers/{container-id}/acl GET
PATCH
PUT
DELETE
/v1/containers/{container-id}/consumers GET
/v1/containers/{container-id}/secrets POST
DELETE
/v1/secret-stores GET
/v1/secret-stores/{ss-id} GET
/v1/secret-stores/{ss-id}/preferred POST
DELETE
/v1/quotas GET
/v1/project-quotas GET
/v1/project-quotas/{project-id} GET
PUT
DELETE
DEPRECATED - To be removed in P
/v1/orders GET
PUT
POST
/v1/orders/{order-id} GET
DELETE
  • key_manager:manage_acl
    • (dmendiza) Is this too broad?
    • (dmendiza) Should we have separate key_manager:(secret|order)_manage_acl?
    • (dmendiza) Should member be allowed to manage ACL? Would private secrets break if we don't? Are private secrets really private it we do?
    • (dmendiza) Is there a way to reference the User by ID to introduce the concept of a secret owner into this policy?
  • key_manager:store_secret
    • (dmendiza) Is it ok to use this for adding metadata to a secret? I think it is.
Retrieved from "https://wiki.openstack.org/w/index.php?title=Barbican/Policy&oldid=161927"