Jump to: navigation, search

Difference between revisions of "Barbican/Policy"

Line 11: Line 11:
 
| /v1 || GET || x || x || x || x || x || x ||  || key_manager:get_v1 || TBD ||
 
| /v1 || GET || x || x || x || x || x || x ||  || key_manager:get_v1 || TBD ||
 
|-
 
|-
| rowspan="2" | /v1/secrets || GET || x || x || x ||  ||  ||  ||  || key_manager:list_secrets || TBD ||
+
| rowspan="2" | /v1/secrets || GET || x || x || x ||  ||  ||  ||  || key_manager:list_secrets || secrets:get ||
 
|-
 
|-
| POST ||  || x || x ||  ||  ||  ||  || key_manager:store_secrets || TBD ||
+
| POST ||  || x || x ||  ||  ||  ||  || key_manager:store_secrets || secrets:post ||
 
|-
 
|-
| rowspan="3" | '''DEPRECATED'''
+
| rowspan="3" | /v1/secrets/{secret-id} || GET ||  || x || x ||  ||  ||  ||  || key_manager:get_secret_meta || secret:get || Marked as deprecated. Is this slotted to be removed?
GET Accept:{secret-mime}  
 
|  || x || x ||  ||  ||  ||  || key_manager:get_secret_meta || secret:get || Marked as deprecated. Is this slotted to be removed?
 
 
|-
 
|-
 
| PUT ||  || x || x ||  ||  ||  ||  || key_manager:store_secrets || secret:put ||
 
| PUT ||  || x || x ||  ||  ||  ||  || key_manager:store_secrets || secret:put ||
 
|-
 
|-
| DELETE ||  ||  || x ||  ||  ||  ||  || key_manager:delete_secrets || TBD ||
+
| DELETE ||  ||  || x ||  ||  ||  ||  || key_manager:delete_secrets || secret:delete ||
 
|-
 
|-
 
| rowspan="4" | /v1/secrets/{secret-id}/acl || GET || x || x || x ||  ||  ||  ||  || key_manager:get_acl || secret_acls:get ||
 
| rowspan="4" | /v1/secrets/{secret-id}/acl || GET || x || x || x ||  ||  ||  ||  || key_manager:get_acl || secret_acls:get ||
Line 43: Line 41:
 
| DELETE ||  || x || x ||  ||  ||  ||  || key_manager:delete_secret_meta || TBD ||
 
| DELETE ||  || x || x ||  ||  ||  ||  || key_manager:delete_secret_meta || TBD ||
 
|-
 
|-
| /v1/secrets/{secret-id}/payload || GET ||  || x || x ||  ||  ||  ||  || key_manager:decrypt_secrets || TBD ||
+
| /v1/secrets/{secret-id}/payload || GET ||  || x || x ||  ||  ||  ||  || key_manager:decrypt_secrets || secret:decrypt ||
 
|-
 
|-
 
| rowspan="2" | /v1/transport_keys || GET || x || x || x || x || x || x ||  || key_manager:list_transport_keys || transport_keys:get ||
 
| rowspan="2" | /v1/transport_keys || GET || x || x || x || x || x || x ||  || key_manager:list_transport_keys || transport_keys:get ||

Revision as of 20:04, 19 June 2018

Project-scope System-scope
Route Method reader member admin reader member admin no auth Tag RBAC Name Notes
/ GET x x x x x x x key_manager:get_home TBD
/v1 GET x x x x x x key_manager:get_v1 TBD
/v1/secrets GET x x x key_manager:list_secrets secrets:get
POST x x key_manager:store_secrets secrets:post
/v1/secrets/{secret-id} GET x x key_manager:get_secret_meta secret:get Marked as deprecated. Is this slotted to be removed?
PUT x x key_manager:store_secrets secret:put
DELETE x key_manager:delete_secrets secret:delete
/v1/secrets/{secret-id}/acl GET x x x key_manager:get_acl secret_acls:get
PATCH x x key_manager:manage_acl secret_acls:put_patch
PUT x x key_manager:manage_acl secret_acls:put_patch
DELETE x x key_manager:manage_acl secret_acls:delete
/v1/secrets/{secret-id}/metadata GET x x x key_manager:get_secret_meta TBD
PUT x x key_manager:store_secrets TBD
POST x x key_manager:store_secrets TBD
/v1/secrets/{secret-id}/metadata/{meta-key} GET x x x key_manager:get_secret_meta TBD
PUT x x key_manager:store_secrets TBD
DELETE x x key_manager:delete_secret_meta TBD
/v1/secrets/{secret-id}/payload GET x x key_manager:decrypt_secrets secret:decrypt
/v1/transport_keys GET x x x x x x key_manager:list_transport_keys transport_keys:get
POST x key_manager:add_transport_keys transport_keys:post
/v1/transport_keys/{key-id} GET x x x x x x key_manager:get_transport_keys transport_key:get
DELETE x key_manager:delete_transport_keys transport_key:delete
/v1/containers GET x x x key_manager:list_containers containers:get
POST x x key_manager:create_containers containers:post
/v1/containers/{container-id} GET x x key_manager:get_containers container:get
DELETE x key_manager:delete_containers container:delete
/v1/containers/{container-id}/acl GET x x x key_manager:get_acl container_acls:get
PATCH x x key_manager:manage_acl container_acls:put_patch
PUT x x key_manager:manage_acl container_acls:put_patch
DELETE x x key_manager:manage_acl container_acls:delete Should this be on the 'consumeR' controller rather than the 'consumerS' controller?
/v1/containers/{container-id}/consumers/{consumer-id} GET key_manager:list_container_consumer consumer:get
/v1/containers/{container-id}/consumers GET x x x key_manager:list_container_consumers consumers:get
POST key_manager:list_container_consumers consumers:post
DELETE key_manager:list_container_consumers consumers:delete
/v1/containers/{container-id}/secrets POST x x key_manager:create_containers container_secret:post
DELETE x key_manager:delete_containers container_secret:delete
/v1/secret-stores GET x x x x x x key_manager:list_backends TBD
/v1/secret-stores/global-default GET x x x x x x key_manager:list_backends TBD
/v1/secret-stores/preferred GET x x x key_manager:get_preferred_backend TBD
/v1/secret-stores/{ss-id} GET x x x x x x key_manager:list_backends TBD
/v1/secret-stores/{ss-id}/preferred POST x key_manager:manage_preferred_backend TBD
DELETE x key_manager:manage_preferred_backend TBD
/v1/quotas GET x x x key_manager:list_quotas quotas:get
/v1/project-quotas GET x x x key_manager:get_system_quotas project_quotas:get
/v1/project-quotas/{project-id} GET x x x key_manager:get_system_quotas project_quotas:get
PUT x x key_manager:set_system_quotas project_quotas:put
DELETE x x key_manager:set_system_quotas project_quotas:delete
/v1/orders GET x x x key_manager:list_orders orders:get
PUT x x key_manager:submit_orders orders:put This call is missing from the API reference: https://docs.openstack.org/barbican/latest/api/reference/orders.html. Perhaps it needs to be removed: https://storyboard.openstack.org/#!/story/2002579
POST x x key_manager:submit_orders orders:post
/v1/orders/{order-id} GET x x x key_manager:get_orders order:get
DELETE x key_manager:delete_orders order:delete
  • key_manager:manage_acl
    • (dmendiza) Is this too broad?
    • (dmendiza) Should we have separate key_manager:(secret|order)_manage_acl?
    • (dmendiza) Should member be allowed to manage ACL? Would private secrets break if we don't? Are private secrets really private it we do?
    • (dmendiza) Is there a way to reference the User by ID to introduce the concept of a secret owner into this policy?
  • key_manager:store_secrets
    • (dmendiza) Is it ok to use this for adding metadata to a secret? I think it is.
  • key_manager:delete_secret_meta
    • (dmendiza) Is it ok for a member to delete secret meta?