Difference between revisions of "Barbican/Policy"
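--- a/Barbican/Policy
+++ b/Barbican/Policy
@@ -5,114 +5,114 @@
 ! colspan="3" | System-scope
 |-
-! Route !! Method !! reader !! member !! admin !! reader !! member !! admin || no auth || Tag || RBAC Name
+! Route !! Method !! reader !! member !! admin !! reader !! member !! admin || no auth || Tag || RBAC Name || Notes
 |-
-| / || GET || x || x || x || x || x || x || x || key_manager:get_home || TBD
+| / || GET || x || x || x || x || x || x || x || key_manager:get_home || TBD ||
 |-
-| /v1 || GET || x || x || x || x || x || x || || key_manager:get_v1 || TBD
+| /v1 || GET || x || x || x || x || x || x || || key_manager:get_v1 || TBD ||
 |-
-| rowspan="2" | /v1/secrets || GET || x || x || x || || || || || key_manager:list_secrets || TBD
+| rowspan="2" | /v1/secrets || GET || x || x || x || || || || || key_manager:list_secrets || TBD ||
 |-
-| POST || || x || x || || || || || key_manager:store_secrets || TBD
+| POST || || x || x || || || || || key_manager:store_secrets || TBD ||
 |-
-| rowspan="4" | /v1/secrets/{secret-id} || GET Accept:application/json || x || x || x || || || || || key_manager:get_secret_meta || TBD
+| rowspan="4" | /v1/secrets/{secret-id} || GET Accept:application/json || x || x || x || || || || || key_manager:get_secret_meta || TBD ||
 |-
 | '''DEPRECATED'''
 GET Accept:{secret-mime}
-| || x || x || || || || || key_manager:decrypt_secrets || TBD
+| || x || x || || || || || key_manager:decrypt_secrets || TBD ||
 |-
-| PUT || || x || x || || || || || key_manager:store_secrets || TBD
+| PUT || || x || x || || || || || key_manager:store_secrets || TBD ||
 |-
-| DELETE || || || x || || || || || key_manager:delete_secrets || TBD
+| DELETE || || || x || || || || || key_manager:delete_secrets || TBD ||
 |-
-| rowspan="4" | /v1/secrets/{secret-id}/acl || GET || x || x || x || || || || || key_manager:get_acl || secret_acls:get
+| rowspan="4" | /v1/secrets/{secret-id}/acl || GET || x || x || x || || || || || key_manager:get_acl || secret_acls:get ||
 |-
-| PATCH || || x || x || || || || || key_manager:manage_acl || secret_acls:put_patch
+| PATCH || || x || x || || || || || key_manager:manage_acl || secret_acls:put_patch ||
 |-
-| PUT || || x || x || || || || || key_manager:manage_acl || secret_acls:put_patch
+| PUT || || x || x || || || || || key_manager:manage_acl || secret_acls:put_patch ||
 |-
-| DELETE || || x || x || || || || || key_manager:manage_acl || secret_acls:delete
+| DELETE || || x || x || || || || || key_manager:manage_acl || secret_acls:delete ||
 |-
-| rowspan="3" | /v1/secrets/{secret-id}/metadata || GET || x || x || x || || || || || key_manager:get_secret_meta || TBD
+| rowspan="3" | /v1/secrets/{secret-id}/metadata || GET || x || x || x || || || || || key_manager:get_secret_meta || TBD ||
 |-
-| PUT || || x || x || || || || || key_manager:store_secrets || TBD
+| PUT || || x || x || || || || || key_manager:store_secrets || TBD ||
 |-
-| POST || || x || x || || || || || key_manager:store_secrets || TBD
+| POST || || x || x || || || || || key_manager:store_secrets || TBD ||
 |-
-| rowspan="3" | /v1/secrets/{secret-id}/metadata/{meta-key} || GET || x || x || x || || || || || key_manager:get_secret_meta || TBD
+| rowspan="3" | /v1/secrets/{secret-id}/metadata/{meta-key} || GET || x || x || x || || || || || key_manager:get_secret_meta || TBD ||
 |-
-| PUT || || x || x || || || || || key_manager:store_secrets || TBD
+| PUT || || x || x || || || || || key_manager:store_secrets || TBD ||
 |-
-| DELETE || || x || x || || || || || key_manager:delete_secret_meta || TBD
+| DELETE || || x || x || || || || || key_manager:delete_secret_meta || TBD ||
 |-
-| /v1/secrets/{secret-id}/payload || GET || || x || x || || || || || key_manager:decrypt_secrets || TBD
+| /v1/secrets/{secret-id}/payload || GET || || x || x || || || || || key_manager:decrypt_secrets || TBD ||
 |-
-| rowspan="2" | /v1/transport_keys || GET || x || x || x || x || x || x || || key_manager:list_transport_keys || TBD
+| rowspan="2" | /v1/transport_keys || GET || x || x || x || x || x || x || || key_manager:list_transport_keys || TBD ||
 |-
-| POST || || || || || || x || || key_manager:add_transport_keys || TBD
+| POST || || || || || || x || || key_manager:add_transport_keys || TBD ||
 |-
-| rowspan="2" | /v1/transport_keys/{key-id} || GET || x || x || x || x || x || x || || key_manager:get_transport_keys || TBD
+| rowspan="2" | /v1/transport_keys/{key-id} || GET || x || x || x || x || x || x || || key_manager:get_transport_keys || TBD ||
 |-
-| DELETE || || || || || || x || || key_manager:delete_transport_keys || TBD
+| DELETE || || || || || || x || || key_manager:delete_transport_keys || TBD ||
 |-
-| rowspan="2" | /v1/containers || GET || x || x || x || || || || || key_manager:list_containers || TBD
+| rowspan="2" | /v1/containers || GET || x || x || x || || || || || key_manager:list_containers || TBD ||
 |-
-| POST || || x || x || || || || || key_manager:create_containers || TBD
+| POST || || x || x || || || || || key_manager:create_containers || TBD ||
 |-
-| rowspan="2" | /v1/containers/{container-id} || GET || || x || x || || || || || key_manager:get_containers || TBD
+| rowspan="2" | /v1/containers/{container-id} || GET || || x || x || || || || || key_manager:get_containers || TBD ||
 |-
-| DELETE || || || x || || || || || key_manager:delete_containers || TBD
+| DELETE || || || x || || || || || key_manager:delete_containers || TBD ||
 |-
-| rowspan="4" | /v1/containers/{container-id}/acl || GET || x || x || x || || || || || key_manager:get_acl || container_acls:get
+| rowspan="4" | /v1/containers/{container-id}/acl || GET || x || x || x || || || || || key_manager:get_acl || container_acls:get ||
 |-
-| PATCH || || x || x || || || || || key_manager:manage_acl || container_acls:put_patch
+| PATCH || || x || x || || || || || key_manager:manage_acl || container_acls:put_patch ||
 |-
-| PUT || || x || x || || || || || key_manager:manage_acl || container_acls:put_patch
+| PUT || || x || x || || || || || key_manager:manage_acl || container_acls:put_patch ||
 |-
-| DELETE || || x || x || || || || || key_manager:manage_acl || container_acls:delete
+| DELETE || || x || x || || || || || key_manager:manage_acl || container_acls:delete || Should this be on the 'consumeR' controller rather than the 'consumerS' controller?
 |-
-| /v1/containers/{container-id}/consumers/{consumer-id} || GET || || || || || || || || key_manager:list_container_consumer || consumer:get
+| /v1/containers/{container-id}/consumers/{consumer-id} || GET || || || || || || || || key_manager:list_container_consumer || consumer:get ||
 |-
-| rowspan="3" | /v1/containers/{container-id}/consumers || GET || x || x || x || || || || || key_manager:list_container_consumers || consumers:get
+| rowspan="3" | /v1/containers/{container-id}/consumers || GET || x || x || x || || || || || key_manager:list_container_consumers || consumers:get ||
 |-
-| POST || || || || || || || || key_manager:list_container_consumers || consumers:post
+| POST || || || || || || || || key_manager:list_container_consumers || consumers:post ||
 |-
-| DELETE || || || || || || || || key_manager:list_container_consumers || consumers:delete
+| DELETE || || || || || || || || key_manager:list_container_consumers || consumers:delete ||
 |-
-| rowspan="2" | /v1/containers/{container-id}/secrets || POST || || x || x || || || || || key_manager:create_containers || TBD
+| rowspan="2" | /v1/containers/{container-id}/secrets || POST || || x || x || || || || || key_manager:create_containers || TBD ||
 |-
-| DELETE || || || x || || || || || key_manager:delete_containers || TBD
+| DELETE || || || x || || || || || key_manager:delete_containers || TBD ||
 |-
-| /v1/secret-stores || GET || x || x || x || x || x || x || || key_manager:list_backends || TBD
+| /v1/secret-stores || GET || x || x || x || x || x || x || || key_manager:list_backends || TBD ||
 |-
-| /v1/secret-stores/global-default || GET || x || x || x || x || x || x || || key_manager:list_backends || TBD
+| /v1/secret-stores/global-default || GET || x || x || x || x || x || x || || key_manager:list_backends || TBD ||
 |-
-| /v1/secret-stores/preferred || GET || x || x || x || || || || || key_manager:get_preferred_backend || TBD
+| /v1/secret-stores/preferred || GET || x || x || x || || || || || key_manager:get_preferred_backend || TBD ||
 |-
-| /v1/secret-stores/{ss-id} || GET || x || x || x || x || x || x || || key_manager:list_backends || TBD
+| /v1/secret-stores/{ss-id} || GET || x || x || x || x || x || x || || key_manager:list_backends || TBD ||
 |-
-| rowspan="2" | /v1/secret-stores/{ss-id}/preferred || POST || || || x || || || || || key_manager:manage_preferred_backend || TBD
+| rowspan="2" | /v1/secret-stores/{ss-id}/preferred || POST || || || x || || || || || key_manager:manage_preferred_backend || TBD ||
 |-
-| DELETE || || || x || || || || || key_manager:manage_preferred_backend || TBD
+| DELETE || || || x || || || || || key_manager:manage_preferred_backend || TBD ||
 |-
-| /v1/quotas || GET || x || x || x || || || || || key_manager:list_quotas || TBD
+| /v1/quotas || GET || x || x || x || || || || || key_manager:list_quotas || TBD ||
 |-
-| /v1/project-quotas || GET || || || || x || x || x || || key_manager:get_system_quotas || TBD
+| /v1/project-quotas || GET || || || || x || x || x || || key_manager:get_system_quotas || TBD ||
 |-
-| rowspan="3" | /v1/project-quotas/{project-id} || GET || || || || x || x || x || || key_manager:get_system_quotas || TBD
+| rowspan="3" | /v1/project-quotas/{project-id} || GET || || || || x || x || x || || key_manager:get_system_quotas || TBD ||
 |-
 |-
-| PUT || || || || || x || x || || key_manager:set_system_quotas || TBD
+| PUT || || || || || x || x || || key_manager:set_system_quotas || TBD ||
 |-
-| DELETE || || || || || x || x || || key_manager:set_system_quotas || TBD
+| DELETE || || || || || x || x || || key_manager:set_system_quotas || TBD ||
 |-
-| rowspan="3" | /v1/orders || GET || x || x || x || || || || || key_manager:list_orders || TBD
+| rowspan="3" | /v1/orders || GET || x || x || x || || || || || key_manager:list_orders || TBD ||
 |-
-| PUT || || x || x || || || || || key_manager:submit_orders || TBD
+| PUT || || x || x || || || || || key_manager:submit_orders || TBD ||
 |-
-| POST || || x || x || || || || || key_manager:submit_orders || TBD
+| POST || || x || x || || || || || key_manager:submit_orders || TBD ||
 |-
-| rowspan="2" | /v1/orders/{order-id} || GET || x || x || x || || || || || key_manager:get_orders || TBD
+| rowspan="2" | /v1/orders/{order-id} || GET || x || x || x || || || || || key_manager:get_orders || TBD ||
 |-
-| DELETE || || || x || || || || || key_manager:delete_orders || TBD
+| DELETE || || || x || || || || || key_manager:delete_orders || TBD ||
 |-
 |}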
Revision as of 14:36, 15 June 2018
Project-scope | System-scope | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Route | Method | reader | member | admin | reader | member | admin | no auth | Tag | RBAC Name | Notes |
/ | GET | x | x | x | x | x | x | x | key_manager:get_home | TBD | |
/v1 | GET | x | x | x | x | x | x | key_manager:get_v1 | TBD | ||
/v1/secrets | GET | x | x | x | key_manager:list_secrets | TBD | |||||
POST | x | x | key_manager:store_secrets | TBD | |||||||
/v1/secrets/{secret-id} | GET Accept:application/json | x | x | x | key_manager:get_secret_meta | TBD | |||||
DEPRECATED
GET Accept:{secret-mime} |
x | x | key_manager:decrypt_secrets | TBD | |||||||
PUT | x | x | key_manager:store_secrets | TBD | |||||||
DELETE | x | key_manager:delete_secrets | TBD | ||||||||
/v1/secrets/{secret-id}/acl | GET | x | x | x | key_manager:get_acl | secret_acls:get | |||||
PATCH | x | x | key_manager:manage_acl | secret_acls:put_patch | |||||||
PUT | x | x | key_manager:manage_acl | secret_acls:put_patch | |||||||
DELETE | x | x | key_manager:manage_acl | secret_acls:delete | |||||||
/v1/secrets/{secret-id}/metadata | GET | x | x | x | key_manager:get_secret_meta | TBD | |||||
PUT | x | x | key_manager:store_secrets | TBD | |||||||
POST | x | x | key_manager:store_secrets | TBD | |||||||
/v1/secrets/{secret-id}/metadata/{meta-key} | GET | x | x | x | key_manager:get_secret_meta | TBD | |||||
PUT | x | x | key_manager:store_secrets | TBD | |||||||
DELETE | x | x | key_manager:delete_secret_meta | TBD | |||||||
/v1/secrets/{secret-id}/payload | GET | x | x | key_manager:decrypt_secrets | TBD | ||||||
/v1/transport_keys | GET | x | x | x | x | x | x | key_manager:list_transport_keys | TBD | ||
POST | x | key_manager:add_transport_keys | TBD | ||||||||
/v1/transport_keys/{key-id} | GET | x | x | x | x | x | x | key_manager:get_transport_keys | TBD | ||
DELETE | x | key_manager:delete_transport_keys | TBD | ||||||||
/v1/containers | GET | x | x | x | key_manager:list_containers | TBD | |||||
POST | x | x | key_manager:create_containers | TBD | |||||||
/v1/containers/{container-id} | GET | x | x | key_manager:get_containers | TBD | ||||||
DELETE | x | key_manager:delete_containers | TBD | ||||||||
/v1/containers/{container-id}/acl | GET | x | x | x | key_manager:get_acl | container_acls:get | |||||
PATCH | x | x | key_manager:manage_acl | container_acls:put_patch | |||||||
PUT | x | x | key_manager:manage_acl | container_acls:put_patch | |||||||
DELETE | x | x | key_manager:manage_acl | container_acls:delete | Should this be on the 'consumeR' controller rather than the 'consumerS' controller? | ||||||
/v1/containers/{container-id}/consumers/{consumer-id} | GET | key_manager:list_container_consumer | consumer:get | ||||||||
/v1/containers/{container-id}/consumers | GET | x | x | x | key_manager:list_container_consumers | consumers:get | |||||
POST | key_manager:list_container_consumers | consumers:post | |||||||||
DELETE | key_manager:list_container_consumers | consumers:delete | |||||||||
/v1/containers/{container-id}/secrets | POST | x | x | key_manager:create_containers | TBD | ||||||
DELETE | x | key_manager:delete_containers | TBD | ||||||||
/v1/secret-stores | GET | x | x | x | x | x | x | key_manager:list_backends | TBD | ||
/v1/secret-stores/global-default | GET | x | x | x | x | x | x | key_manager:list_backends | TBD | ||
/v1/secret-stores/preferred | GET | x | x | x | key_manager:get_preferred_backend | TBD | |||||
/v1/secret-stores/{ss-id} | GET | x | x | x | x | x | x | key_manager:list_backends | TBD | ||
/v1/secret-stores/{ss-id}/preferred | POST | x | key_manager:manage_preferred_backend | TBD | |||||||
DELETE | x | key_manager:manage_preferred_backend | TBD | ||||||||
/v1/quotas | GET | x | x | x | key_manager:list_quotas | TBD | |||||
/v1/project-quotas | GET | x | x | x | key_manager:get_system_quotas | TBD | |||||
/v1/project-quotas/{project-id} | GET | x | x | x | key_manager:get_system_quotas | TBD | |||||
PUT | x | x | key_manager:set_system_quotas | TBD | |||||||
DELETE | x | x | key_manager:set_system_quotas | TBD | |||||||
/v1/orders | GET | x | x | x | key_manager:list_orders | TBD | |||||
PUT | x | x | key_manager:submit_orders | TBD | |||||||
POST | x | x | key_manager:submit_orders | TBD | |||||||
/v1/orders/{order-id} | GET | x | x | x | key_manager:get_orders | TBD | |||||
DELETE | x | key_manager:delete_orders | TBD |
- key_manager:manage_acl
- (dmendiza) Is this too broad?
- (dmendiza) Should we have separate key_manager:(secret|order)_manage_acl?
- (dmendiza) Should member be allowed to manage ACL? Would private secrets break if we don't? Are private secrets really private if we do?
- (dmendiza) Is there a way to reference the User by ID to introduce the concept of a secret owner into this policy?
- key_manager:store_secrets
- (dmendiza) Is it ok to use this for adding metadata to a secret? I think it is.
- key_manager:delete_secret_meta
- (dmendiza) Is it ok for a member to delete secret meta?