Difference between revisions of "Barbican/Policy"
< Barbican
Line 18: | Line 18: | ||
|- | |- | ||
| rowspan="3" | /v1/secrets/{secret-id} || GET || || x || x || || || || || key_manager:get_secret_meta || secret:get || Marked as deprecated. Is this slotted to be removed? | | rowspan="3" | /v1/secrets/{secret-id} || GET || || x || x || || || || || key_manager:get_secret_meta || secret:get || Marked as deprecated. Is this slotted to be removed? | ||
+ | (dmend) An earlier version of this table made the distinction between different Accept headers. There are two code paths for this route depending on the Accept header. One of those code paths is deprecated, the other is not. | ||
|- | |- | ||
| PUT || || x || x || || || || || key_manager:store_secrets || secret:put || | | PUT || || x || x || || || || || key_manager:store_secrets || secret:put || |
Revision as of 22:12, 19 June 2018
Project-scope | System-scope | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Route | Method | reader | member | admin | reader | member | admin | no auth | Tag | RBAC Name | Notes |
/ | GET | x | x | x | x | x | x | x | |
TBD | Can't find any rbac policy enforcement in the versions controller. Where is policy for this route?
(dmend) There is none. This route is wide open for anyone to use. |
/v1 | GET | x | x | x | x | x | x | |
TBD | Can't find any rbac policy enforcement in the versions controller. Where is policy for this route?
(dmend) There isn't one for this either. This route basically just serves system metadata to anyone who is authenticated regardless of role. | |
/v1/secrets | GET | x | x | x | key_manager:list_secrets | secrets:get | |||||
POST | x | x | key_manager:store_secrets | secrets:post | |||||||
/v1/secrets/{secret-id} | GET | x | x | key_manager:get_secret_meta | secret:get | Marked as deprecated. Is this slotted to be removed?
(dmend) An earlier version of this table made the distinction between different Accept headers. There are two code paths for this route depending on the Accept header. One of those code paths is deprecated, the other is not. | |||||
PUT | x | x | key_manager:store_secrets | secret:put | |||||||
DELETE | x | key_manager:delete_secrets | secret:delete | ||||||||
/v1/secrets/{secret-id}/acl | GET | x | x | x | key_manager:get_acl | secret_acls:get | |||||
PATCH | x | x | key_manager:manage_acl | secret_acls:put_patch | |||||||
PUT | x | x | key_manager:manage_acl | secret_acls:put_patch | |||||||
DELETE | x | x | key_manager:manage_acl | secret_acls:delete | |||||||
/v1/secrets/{secret-id}/metadata | GET | x | x | x | key_manager:get_secret_meta | secret_meta:get | Note: rule is used twice, consider breaking apart | ||||
PUT | x | x | key_manager:store_secrets | secret_meta:put | Note: rule is used twice, consider breaking apart | ||||||
POST | x | x | key_manager:store_secrets | secret_meta:post | |||||||
/v1/secrets/{secret-id}/metadata/{meta-key} | GET | x | x | x | key_manager:get_secret_meta | secret_meta:get | Note: rule is used twice, consider breaking apart | ||||
PUT | x | x | key_manager:store_secrets | secret_meta:put | Note: rule is used twice, consider breaking apart | ||||||
DELETE | x | x | key_manager:delete_secret_meta | secret_meta:delete | |||||||
/v1/secrets/{secret-id}/payload | GET | x | x | key_manager:decrypt_secrets | secret:decrypt | ||||||
/v1/transport_keys | GET | x | x | x | x | x | x | key_manager:list_transport_keys | transport_keys:get | ||
POST | x | key_manager:add_transport_keys | transport_keys:post | ||||||||
/v1/transport_keys/{key-id} | GET | x | x | x | x | x | x | key_manager:get_transport_keys | transport_key:get | ||
DELETE | x | key_manager:delete_transport_keys | transport_key:delete | ||||||||
/v1/containers | GET | x | x | x | key_manager:list_containers | containers:get | |||||
POST | x | x | key_manager:create_containers | containers:post | |||||||
/v1/containers/{container-id} | GET | x | x | key_manager:get_containers | container:get | ||||||
DELETE | x | key_manager:delete_containers | container:delete | ||||||||
/v1/containers/{container-id}/acl | GET | x | x | x | key_manager:get_acl | container_acls:get | |||||
PATCH | x | x | key_manager:manage_acl | container_acls:put_patch | |||||||
PUT | x | x | key_manager:manage_acl | container_acls:put_patch | |||||||
DELETE | x | x | key_manager:manage_acl | container_acls:delete | Should this be on the 'consumeR' controller rather than the 'consumerS' controller? | ||||||
/v1/containers/{container-id}/consumers/{consumer-id} | GET | key_manager:list_container_consumer | consumer:get | ||||||||
/v1/containers/{container-id}/consumers | GET | x | x | x | key_manager:list_container_consumers | consumers:get | |||||
POST | key_manager:list_container_consumers | consumers:post | |||||||||
DELETE | key_manager:list_container_consumers | consumers:delete | |||||||||
/v1/containers/{container-id}/secrets | POST | x | x | key_manager:create_containers | container_secret:post | ||||||
DELETE | x | key_manager:delete_containers | container_secret:delete | ||||||||
/v1/secret-stores | GET | x | x | x | x | x | x | key_manager:list_backends | secretstores:get | ||
/v1/secret-stores/global-default | GET | x | x | x | x | x | x | key_manager:list_backends | secretstores:get_global_default | ||
/v1/secret-stores/preferred | GET | x | x | x | key_manager:get_preferred_backend | secretstores:get_preferred | |||||
/v1/secret-stores/{ss-id} | GET | x | x | x | x | x | x | key_manager:list_backends | secretstore:get | ||
/v1/secret-stores/{ss-id}/preferred | POST | x | key_manager:manage_preferred_backend | secretstores_preferred:post | |||||||
DELETE | x | key_manager:manage_preferred_backend | secretstores_preferred:delete | ||||||||
/v1/quotas | GET | x | x | x | key_manager:list_quotas | quotas:get | |||||
/v1/project-quotas | GET | x | x | x | key_manager:get_system_quotas | project_quotas:get | |||||
/v1/project-quotas/{project-id} | GET | x | x | x | key_manager:get_system_quotas | project_quotas:get | |||||
PUT | x | x | key_manager:set_system_quotas | project_quotas:put | |||||||
DELETE | x | x | key_manager:set_system_quotas | project_quotas:delete | |||||||
/v1/orders | GET | x | x | x | key_manager:list_orders | orders:get | |||||
PUT | x | x | key_manager:submit_orders | orders:put | This call is missing from the API reference: https://docs.openstack.org/barbican/latest/api/reference/orders.html. Perhaps it needs to be removed: https://storyboard.openstack.org/#!/story/2002579 | ||||||
POST | x | x | key_manager:submit_orders | orders:post | |||||||
/v1/orders/{order-id} | GET | x | x | x | key_manager:get_orders | order:get | |||||
DELETE | x | key_manager:delete_orders | order:delete |
- key_manager:manage_acl
- (dmendiza) Is this too broad?
- (dmendiza) Should we have separate key_manager:(secret|order)_manage_acl?
- (dmendiza) Should member be allowed to manage ACL? Would private secrets break if we don't? Are private secrets really private it we do?
- (dmendiza) Is there a way to reference the User by ID to introduce the concept of a secret owner into this policy?
- key_manager:store_secrets
- (dmendiza) Is it ok to use this for adding metadata to a secret? I think it is.
- key_manager:delete_secret_meta
- (dmendiza) Is it ok for a member to delete secret meta?