Difference between revisions of "Barbican/Policy"
(Adding notes from discussion and collating them to the bottom of the wiki.)
Revision as of 16:33, 27 June 2018
| Route | Method | reader (project) | member (project) | admin (project) | reader (system) | member (system) | admin (system) | no auth | Tag | RBAC Name | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|
| / | GET | | | | | | | x | ~~key_manager:get_home~~ (none) | N/A | No restrictions on this route |
| /v1 | GET | | | | | | | x | ~~key_manager:get_v1~~ (none) | N/A | No restrictions on this route |
| /v1/secrets | GET | x | | | | | | | key_manager:list_secrets | secrets:get | |
| /v1/secrets | POST | | x | | | | | | key_manager:store_secrets | secrets:post | |
| /v1/secrets/{secret-id} | GET | x | | | | | | | key_manager:get_secret_meta | secret:get | |
| /v1/secrets/{secret-id} | PUT | | x | | | | | | key_manager:store_secrets | secret:put | |
| /v1/secrets/{secret-id} | DELETE | | | x | | | | | key_manager:delete_secrets | secret:delete | |
| /v1/secrets/{secret-id}/acl | GET | x | | | | | | | key_manager:get_acl | secret_acls:get | |
| /v1/secrets/{secret-id}/acl | PATCH | | x | | | | | | key_manager:manage_acl | secret_acls:put_patch | |
| /v1/secrets/{secret-id}/acl | PUT | | x | | | | | | key_manager:manage_acl | secret_acls:put_patch | |
| /v1/secrets/{secret-id}/acl | DELETE | | x | | | | | | key_manager:manage_acl | secret_acls:delete | |
| /v1/secrets/{secret-id}/metadata | GET | x | | | | | | | key_manager:get_secret_meta | secret_meta:get | |
| /v1/secrets/{secret-id}/metadata | PUT | | x | | | | | | key_manager:store_secrets | secret_meta:put | |
| /v1/secrets/{secret-id}/metadata | POST | | x | | | | | | key_manager:store_secrets | secret_meta:post | |
| /v1/secrets/{secret-id}/metadata/{meta-key} | GET | x | | | | | | | key_manager:get_secret_meta | secret_meta:get | |
| /v1/secrets/{secret-id}/metadata/{meta-key} | PUT | | x | | | | | | key_manager:store_secrets | secret_meta:put | |
| /v1/secrets/{secret-id}/metadata/{meta-key} | DELETE | | x | | | | | | key_manager:delete_secret_meta | secret_meta:delete | |
| /v1/secrets/{secret-id}/payload | GET | | x | | | | | | key_manager:decrypt_secrets | secret:decrypt | |
| /v1/transport_keys | GET | x | | | x | | | | key_manager:list_transport_keys | transport_keys:get | |
| /v1/transport_keys | POST | | | | | | x | | key_manager:add_transport_keys | transport_keys:post | |
| /v1/transport_keys/{key-id} | GET | x | | | x | | | | key_manager:get_transport_keys | transport_key:get | |
| /v1/transport_keys/{key-id} | DELETE | | | | | | x | | key_manager:delete_transport_keys | transport_key:delete | |
| /v1/containers | GET | x | | | | | | | key_manager:list_containers | containers:get | |
| /v1/containers | POST | | x | | | | | | key_manager:create_containers | containers:post | |
| /v1/containers/{container-id} | GET | x | | | | | | | key_manager:get_containers | container:get | |
| /v1/containers/{container-id} | DELETE | | | x | | | | | key_manager:delete_containers | container:delete | |
| /v1/containers/{container-id}/acl | GET | x | | | | | | | key_manager:get_acl | container_acls:get | |
| /v1/containers/{container-id}/acl | PATCH | | x | | | | | | key_manager:manage_acl | container_acls:put_patch | |
| /v1/containers/{container-id}/acl | PUT | | x | | | | | | key_manager:manage_acl | container_acls:put_patch | |
| /v1/containers/{container-id}/acl | DELETE | | x | | | | | | key_manager:manage_acl | container_acls:delete | |
| /v1/containers/{container-id}/consumers/{consumer-id} | GET | x | | | x | | | | key_manager:list_container_consumer | consumer:get | |
| /v1/containers/{container-id}/consumers/{consumer-id} | DELETE | | x | | | x | | | key_manager:list_container_consumers | consumers:delete | |
| /v1/containers/{container-id}/consumers | GET | x | | | x | | | | key_manager:list_container_consumers | consumers:get | |
| /v1/containers/{container-id}/consumers | POST | | x | | | x | | | key_manager:list_container_consumers | consumers:post | |
| /v1/containers/{container-id}/secrets | POST | | x | | | | | | key_manager:create_containers | container_secret:post | |
| /v1/containers/{container-id}/secrets | DELETE | | | x | | | | | key_manager:delete_containers | container_secret:delete | |
| /v1/secret-stores | GET | x | | | x | | | | key_manager:list_backends | secretstores:get | |
| /v1/secret-stores/global-default | GET | x | | | x | | | | key_manager:list_backends | secretstores:get_global_default | |
| /v1/secret-stores/preferred | GET | x | | | | | | | key_manager:get_preferred_backend | secretstores:get_preferred | |
| /v1/secret-stores/{ss-id} | GET | x | | | x | | | | key_manager:list_backends | secretstore:get | |
| /v1/secret-stores/{ss-id}/preferred | POST | | | x | | | | | key_manager:manage_preferred_backend | secretstores_preferred:post | |
| /v1/secret-stores/{ss-id}/preferred | DELETE | | | x | | | | | key_manager:manage_preferred_backend | secretstores_preferred:delete | |
| /v1/quotas | GET | x | | | | | | | key_manager:list_quotas | quotas:get | |
| /v1/project-quotas | GET | | | | x | | | | key_manager:get_system_quotas | project_quotas:get | |
| /v1/project-quotas/{project-id} | GET | | | | x | | | | key_manager:get_system_quotas | project_quotas:get | |
| /v1/project-quotas/{project-id} | PUT | | | | | x | | | key_manager:set_system_quotas | project_quotas:put | |
| /v1/project-quotas/{project-id} | DELETE | | | | | x | | | key_manager:set_system_quotas | project_quotas:delete | |
| /v1/orders | GET | x | | | | | | | key_manager:list_orders | orders:get | |
| /v1/orders | PUT | | x | | | | | | key_manager:submit_orders | orders:put | |
| /v1/orders | POST | | x | | | | | | key_manager:submit_orders | orders:post | |
| /v1/orders/{order-id} | GET | x | | | | | | | key_manager:get_orders | order:get | |
| /v1/orders/{order-id} | DELETE | | | x | | | | | key_manager:delete_orders | order:delete | |
Questions (tied to tags):

- key_manager:manage_acl
  - (dmendiza) Is this too broad?
  - (dmendiza) Should we have separate key_manager:(secret|order)_manage_acl?
  - (dmendiza) Should member be allowed to manage ACL? Would private secrets break if we don't? Are private secrets really private if we do?
  - (dmendiza) Is there a way to reference the User by ID to introduce the concept of a secret owner into this policy?
- key_manager:store_secrets
  - (dmendiza) Is it ok to use this for adding metadata to a secret? I think it is.
- key_manager:delete_secret_meta
  - (dmendiza) Is it ok for a member to delete secret meta?
- key_manager:get_secret_meta
  - (hrybacki): we use the same rule for both /v1/secrets/{secret-id}/metadata and /v1/secrets/{secret-id}/metadata/{meta-key}. Should we break these into separate rules so we can properly use the DocumentedRuleDefault description field?
- key_manager:store_secrets
  - (hrybacki): Same as above, only for PUT rather than GET
- key_manager:get_secret_meta
  - (hrybacki): The deprecated code path for this route (one way of decrypting secrets) should be removed. Can we create a user story for this?
- key_manager:list_container_consumers
  - (hrybacki) Can we rename this policy `consumerS:delete -> consumeR:delete`?
  - (hrybacki) I chose member role for this but should it be admin level?
- key_manager:submit_orders
  - The PUT request lives in policy but was missing from the [API reference docs](https://docs.openstack.org/barbican/latest/api/reference/orders.html). I've created [a story to remove this](https://storyboard.openstack.org/#!/story/2002579).
- key_manager:list_transport_keys
  - (hrybacki): Does this need any auth at all?
- routes: /v1/secrets/{secret-id}/acl and /v1/containers/{container-id}/acl
  - (hrybacki) need to verify existing rules with the new member (secret non-private read and container non-private read). Check with Ade