
Difference between revisions of "Barbican/Policy"

(Adding notes from discussion and collating them to the bottom of the wiki.)
(One intermediate revision by the same user not shown)
Line 7: Line 7:
 
! Route !! Method !! reader !! member !! admin !! reader !! member !! admin || no auth || Tag || RBAC Name || Notes
 
! Route !! Method !! reader !! member !! admin !! reader !! member !! admin || no auth || Tag || RBAC Name || Notes
 
|-
 
|-
| /    || GET || x || x || x || x || x || x || x || <s>key_manager:get_home</s> (none) || N/A || No restrictions on this route
+
| /    || GET || || || || || || || x || <s>key_manager:get_home</s> (none) || N/A || No restrictions on this route
(dmend) There is none.  This route is wide open for anyone to use.
 
 
|-
 
|-
| /v1 || GET || x || x || x || x || x || x || x || <s>key_manager:get_v1</s> (none) || N/A || No restrictions on this route
+
| /v1 || GET || || || || || || || x || <s>key_manager:get_v1</s> (none) || N/A || No restrictions on this route
 
|-
 
|-
| rowspan="2" | /v1/secrets || GET || x || x || x ||  ||  ||  ||  || key_manager:list_secrets || secrets:get ||
+
| rowspan="2" | /v1/secrets || GET || x || || ||  ||  ||  ||  || key_manager:list_secrets || secrets:get ||
 
|-
 
|-
| POST ||  || x || x ||  ||  ||  ||  || key_manager:store_secrets || secrets:post ||
+
| POST ||  || x || ||  ||  ||  ||  || key_manager:store_secrets || secrets:post ||
 
|-
 
|-
| rowspan="3" | /v1/secrets/{secret-id} || GET || || x || x ||  ||  ||  ||  || key_manager:get_secret_meta || secret:get || Marked as deprecated. Is this slotted to be removed?
+
| rowspan="3" | /v1/secrets/{secret-id} || GET || x || || ||  ||  ||  ||  || key_manager:get_secret_meta || secret:get ||  
(dmend) An earlier version of this table made the distinction between different Accept headers.  There are two code paths for this route depending on the Accept header.  One of those code paths is deprecated, the other is not.
 
 
|-
 
|-
| PUT ||  || x || x ||  ||  ||  ||  || key_manager:store_secrets || secret:put ||
+
| PUT ||  || x || ||  ||  ||  ||  || key_manager:store_secrets || secret:put ||
 
|-
 
|-
 
| DELETE ||  ||  || x ||  ||  ||  ||  || key_manager:delete_secrets || secret:delete ||
 
| DELETE ||  ||  || x ||  ||  ||  ||  || key_manager:delete_secrets || secret:delete ||
 
|-
 
|-
| rowspan="4" | /v1/secrets/{secret-id}/acl || GET || x || x || x ||  ||  ||  ||  || key_manager:get_acl || secret_acls:get ||
+
| rowspan="4" | /v1/secrets/{secret-id}/acl || GET || x || || ||  ||  ||  ||  || key_manager:get_acl || secret_acls:get ||
 
|-
 
|-
| PATCH ||  || x || x ||  ||  ||  ||  || key_manager:manage_acl || secret_acls:put_patch ||
+
| PATCH ||  || x || ||  ||  ||  ||  || key_manager:manage_acl || secret_acls:put_patch ||
 
|-
 
|-
| PUT ||  || x || x ||  ||  ||  ||  || key_manager:manage_acl || secret_acls:put_patch ||
+
| PUT ||  || x || ||  ||  ||  ||  || key_manager:manage_acl || secret_acls:put_patch ||
 
|-
 
|-
| DELETE  ||  || x || x ||  ||  ||  ||  || key_manager:manage_acl || secret_acls:delete ||
+
| DELETE  ||  || x || ||  ||  ||  ||  || key_manager:manage_acl || secret_acls:delete ||
 
|-
 
|-
| rowspan="3" | /v1/secrets/{secret-id}/metadata || GET || x || x || x ||  ||  ||  ||  || key_manager:get_secret_meta || secret_meta:get || Note: rule is used twice, consider breaking apart
+
| rowspan="3" | /v1/secrets/{secret-id}/metadata || GET || x || || ||  ||  ||  ||  || key_manager:get_secret_meta || secret_meta:get ||  
 
|-
 
|-
| PUT ||  || x || x ||  ||  ||  ||  || key_manager:store_secrets || secret_meta:put || Note: rule is used twice, consider breaking apart
+
| PUT ||  || x || ||  ||  ||  ||  || key_manager:store_secrets || secret_meta:put ||  
 
|-
 
|-
| POST ||  || x || x ||  ||  ||  ||  || key_manager:store_secrets || secret_meta:post ||
+
| POST ||  || x || ||  ||  ||  ||  || key_manager:store_secrets || secret_meta:post ||
 
|-
 
|-
| rowspan="3" | /v1/secrets/{secret-id}/metadata/{meta-key} || GET || x || x || x ||  ||  ||  ||  || key_manager:get_secret_meta || secret_meta:get || Note: rule is used twice, consider breaking apart
+
| rowspan="3" | /v1/secrets/{secret-id}/metadata/{meta-key} || GET || x || || ||  ||  ||  ||  || key_manager:get_secret_meta || secret_meta:get ||
 
|-
 
|-
| PUT ||  || x || x ||  ||  ||  ||  || key_manager:store_secrets || secret_meta:put || Note: rule is used twice, consider breaking apart
+
| PUT ||  || x || ||  ||  ||  ||  || key_manager:store_secrets || secret_meta:put ||
 
|-
 
|-
| DELETE ||  || x || x ||  ||  ||  ||  || key_manager:delete_secret_meta || secret_meta:delete ||
+
| DELETE ||  || x || ||  ||  ||  ||  || key_manager:delete_secret_meta || secret_meta:delete ||
 
|-
 
|-
| /v1/secrets/{secret-id}/payload || GET ||  || x || x ||  ||  ||  ||  || key_manager:decrypt_secrets || secret:decrypt ||
+
| /v1/secrets/{secret-id}/payload || GET ||  || x || ||  ||  ||  ||  || key_manager:decrypt_secrets || secret:decrypt ||
 
|-
 
|-
| rowspan="2" | /v1/transport_keys || GET || x || x || x || x || x || x ||  || key_manager:list_transport_keys || transport_keys:get ||
+
| rowspan="2" | /v1/transport_keys || GET || x || || || x || || ||  || key_manager:list_transport_keys || transport_keys:get ||
 
|-
 
|-
 
| POST ||  ||  ||  ||  ||  || x ||  || key_manager:add_transport_keys || transport_keys:post ||
 
| POST ||  ||  ||  ||  ||  || x ||  || key_manager:add_transport_keys || transport_keys:post ||
 
|-
 
|-
| rowspan="2" | /v1/transport_keys/{key-id} || GET || x || x || x || x || x || x ||  || key_manager:get_transport_keys || transport_key:get ||
+
| rowspan="2" | /v1/transport_keys/{key-id} || GET || x || || || x || ||  ||  || key_manager:get_transport_keys || transport_key:get ||
 
|-
 
|-
 
| DELETE ||  ||  ||  ||  ||  || x ||  || key_manager:delete_transport_keys || transport_key:delete ||
 
| DELETE ||  ||  ||  ||  ||  || x ||  || key_manager:delete_transport_keys || transport_key:delete ||
 
|-
 
|-
| rowspan="2" | /v1/containers || GET || x || x || x ||  ||  ||  ||  || key_manager:list_containers || containers:get ||
+
| rowspan="2" | /v1/containers || GET || x || || ||  ||  ||  ||  || key_manager:list_containers || containers:get ||
 
|-
 
|-
| POST ||  || x || x ||  ||  ||  ||  || key_manager:create_containers || containers:post ||
+
| POST ||  || x || ||  ||  ||  ||  || key_manager:create_containers || containers:post ||
 
|-
 
|-
| rowspan="2" | /v1/containers/{container-id} || GET || || x || x ||  ||  ||  ||  || key_manager:get_containers || container:get ||
+
| rowspan="2" | /v1/containers/{container-id} || GET || x || || ||  ||  ||  ||  || key_manager:get_containers || container:get ||
 
|-
 
|-
 
| DELETE ||  ||  || x ||  ||  ||  ||  || key_manager:delete_containers || container:delete ||
 
| DELETE ||  ||  || x ||  ||  ||  ||  || key_manager:delete_containers || container:delete ||
 
|-
 
|-
| rowspan="4" | /v1/containers/{container-id}/acl || GET || x || x || x ||  ||  ||  ||  || key_manager:get_acl || container_acls:get ||
+
| rowspan="4" | /v1/containers/{container-id}/acl || GET || x || || ||  ||  ||  ||  || key_manager:get_acl || container_acls:get ||
 
|-
 
|-
| PATCH ||  || x || x ||  ||  ||  ||  || key_manager:manage_acl || container_acls:put_patch ||
+
| PATCH ||  || x || ||  ||  ||  ||  || key_manager:manage_acl || container_acls:put_patch ||
 
|-
 
|-
| PUT ||  || x || x ||  ||  ||  ||  || key_manager:manage_acl || container_acls:put_patch ||
+
| PUT ||  || x || ||  ||  ||  ||  || key_manager:manage_acl || container_acls:put_patch ||
 
|-
 
|-
| DELETE ||  || x || x ||  ||  ||  ||  || key_manager:manage_acl || container_acls:delete || Should this be on the 'consumeR' controller rather than the 'consumerS' controller?
+
| DELETE ||  || x || ||  ||  ||  ||  || key_manager:manage_acl || container_acls:delete ||
 
|-
 
|-
| /v1/containers/{container-id}/consumers/{consumer-id} || GET || ||  ||  || ||  ||  ||  || key_manager:list_container_consumer || consumer:get ||
+
| rowspan="2" | /v1/containers/{container-id}/consumers/{consumer-id} || GET || x ||  ||  || x ||  ||  ||  || key_manager:list_container_consumer || consumer:get ||
 
|-
 
|-
| rowspan="3" | /v1/containers/{container-id}/consumers || GET || x || x || x ||  || ||  ||  || key_manager:list_container_consumers || consumers:get ||
+
| DELETE || || x || ||  || x ||  ||  || key_manager:list_container_consumers || consumers:delete ||  
 
|-
 
|-
| POST || ||  ||  || ||  ||  ||  || key_manager:list_container_consumers || consumers:post ||
+
| rowspan="2" | /v1/containers/{container-id}/consumers || GET || x ||  ||  || x ||  ||  ||  || key_manager:list_container_consumers || consumers:get ||
 
|-
 
|-
| DELETE ||  || ||  ||  || ||  ||  || key_manager:list_container_consumers || consumers:delete ||
+
| POST ||  || x ||  ||  || x ||  ||  || key_manager:list_container_consumers || consumers:post ||
 
|-
 
|-
| rowspan="2" | /v1/containers/{container-id}/secrets || POST ||  || x || x ||  ||  ||  ||  || key_manager:create_containers || container_secret:post ||
+
| rowspan="2" | /v1/containers/{container-id}/secrets || POST ||  || x || ||  ||  ||  ||  || key_manager:create_containers || container_secret:post ||
 
|-
 
|-
 
| DELETE  ||  ||  || x ||  ||  ||  ||  || key_manager:delete_containers || container_secret:delete ||
 
| DELETE  ||  ||  || x ||  ||  ||  ||  || key_manager:delete_containers || container_secret:delete ||
 
|-
 
|-
| /v1/secret-stores || GET || x || x || x || x || x || x ||  || key_manager:list_backends || secretstores:get ||
+
| /v1/secret-stores || GET || x || || || x || || ||  || key_manager:list_backends || secretstores:get ||
 
|-
 
|-
| /v1/secret-stores/global-default || GET || x || x || x || x || x || x ||  || key_manager:list_backends || secretstores:get_global_default ||
+
| /v1/secret-stores/global-default || GET || x || || || x || || ||  || key_manager:list_backends || secretstores:get_global_default ||
 
|-
 
|-
| /v1/secret-stores/preferred || GET || x || x || x ||  ||  ||  ||  || key_manager:get_preferred_backend || secretstores:get_preferred ||
+
| /v1/secret-stores/preferred || GET || x || || ||  ||  ||  ||  || key_manager:get_preferred_backend || secretstores:get_preferred ||
 
|-
 
|-
| /v1/secret-stores/{ss-id} || GET || x || x || x || x || x || x ||  || key_manager:list_backends || secretstore:get ||
+
| /v1/secret-stores/{ss-id} || GET || x || || || x || || ||  || key_manager:list_backends || secretstore:get ||
 
|-
 
|-
 
| rowspan="2" | /v1/secret-stores/{ss-id}/preferred || POST ||  ||  || x ||  ||  ||  ||  || key_manager:manage_preferred_backend || secretstores_preferred:post ||
 
| rowspan="2" | /v1/secret-stores/{ss-id}/preferred || POST ||  ||  || x ||  ||  ||  ||  || key_manager:manage_preferred_backend || secretstores_preferred:post ||
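Review bot: The consumers rows reuse one rule for three verbs. In the new lines `| DELETE || || x || ||  || x ||  ||  || key_manager:list_container_consumers || consumers:delete ||`, `... /v1/containers/{container-id}/consumers || GET || x ||  ||  || x || ... || key_manager:list_container_consumers || consumers:get ||` and `| POST ||  || x ||  ||  || x ||  ||  || key_manager:list_container_consumers || consumers:post ||` a rule named for listing also gates creating and deleting consumers; since this revision already separates reader (GET) from member (POST/DELETE), the Tag should separate too (for example key_manager:create_container_consumer and key_manager:delete_container_consumer) so each DocumentedRuleDefault describes one action. While there, check the route line for the delete: the previous revision listed the DELETE with RBAC name consumers:delete under /v1/containers/{container-id}/consumers (rowspan="3"), whereas the new lines move it under /v1/containers/{container-id}/consumers/{consumer-id} (rowspan="2") and keep the plural RBAC name, which is the consumerS/consumeR question the Notes column of the container_acls DELETE row raised and this revision removes. Two other Notes-column remarks also disappear from the table with no pointer left behind: the Accept-header comment on GET /v1/secrets/{secret-id} (two code paths, one deprecated) and the "rule is used twice, consider breaking apart" remarks on key_manager:get_secret_meta and key_manager:store_secrets; if they are being moved rather than resolved, leave a short reference in the Notes column so the table still flags the shared rules.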
Line 93: Line 91:
 
| DELETE ||  ||  || x ||  ||  ||  ||  || key_manager:manage_preferred_backend || secretstores_preferred:delete ||
 
| DELETE ||  ||  || x ||  ||  ||  ||  || key_manager:manage_preferred_backend || secretstores_preferred:delete ||
 
|-
 
|-
| /v1/quotas || GET  || x || x || x ||  ||  ||  ||  || key_manager:list_quotas || quotas:get ||
+
| /v1/quotas || GET  || x || || ||  ||  ||  ||  || key_manager:list_quotas || quotas:get ||
 
|-
 
|-
| /v1/project-quotas || GET ||  ||  ||  || x || x || x ||  || key_manager:get_system_quotas || project_quotas:get ||
+
| /v1/project-quotas || GET ||  ||  ||  || x || || ||  || key_manager:get_system_quotas || project_quotas:get ||
 
|-
 
|-
| rowspan="3" | /v1/project-quotas/{project-id} || GET  ||  ||  ||  || x || x || x ||  || key_manager:get_system_quotas || project_quotas:get ||
+
| rowspan="3" | /v1/project-quotas/{project-id} || GET  ||  ||  ||  || x || || ||  || key_manager:get_system_quotas || project_quotas:get ||
 
|-
 
|-
 
|-
 
|-
| PUT ||  ||  ||  ||  || x || x ||  || key_manager:set_system_quotas || project_quotas:put ||
+
| PUT ||  ||  ||  ||  || x || ||  || key_manager:set_system_quotas || project_quotas:put ||
 
|-
 
|-
| DELETE ||  ||  ||  ||  || x || x ||  || key_manager:set_system_quotas || project_quotas:delete ||
+
| DELETE ||  ||  ||  ||  || x || ||  || key_manager:set_system_quotas || project_quotas:delete ||
 
|-
 
|-
| rowspan="3" | /v1/orders || GET || x || x || x ||  ||  ||  ||  || key_manager:list_orders || orders:get ||
+
| rowspan="3" | /v1/orders || GET || x || || ||  ||  ||  ||  || key_manager:list_orders || orders:get ||
 
|-
 
|-
| PUT ||  || x || x ||  ||  ||  ||  || key_manager:submit_orders || orders:put || This call is missing from the API reference: https://docs.openstack.org/barbican/latest/api/reference/orders.html. Perhaps it needs to be removed: https://storyboard.openstack.org/#!/story/2002579
+
| PUT ||  || x || ||  ||  ||  ||  || key_manager:submit_orders || orders:put ||  
 
|-
 
|-
| POST ||  || x || x ||  ||  ||  ||  || key_manager:submit_orders || orders:post ||
+
| POST ||  || x || ||  ||  ||  ||  || key_manager:submit_orders || orders:post ||
 
|-
 
|-
| rowspan="2"  | /v1/orders/{order-id} || GET || x || x || x ||  ||  ||  ||  || key_manager:get_orders || order:get ||
+
| rowspan="2"  | /v1/orders/{order-id} || GET || x || || ||  ||  ||  ||  || key_manager:get_orders || order:get ||
 
|-
 
|-
 
| DELETE ||  ||  || x ||  ||  ||  ||  || key_manager:delete_orders || order:delete ||
 
| DELETE ||  ||  || x ||  ||  ||  ||  || key_manager:delete_orders || order:delete ||
 
|-
 
|-
 
|}
 
|}
 +
 +
Questions (tied to tags):
  
 
* key_manager:manage_acl  
 
* key_manager:manage_acl  
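Review bot: The quota rows on /v1/project-quotas/{project-id} now grant system-scope member only, with the admin x removed, for key_manager:set_system_quotas (`| PUT ||  ||  ||  ||  || x || ||  || key_manager:set_system_quotas || project_quotas:put ||` and the matching DELETE line); changing another project's quota is an operator action, so either move the x to the system-scope admin column or add the member-versus-admin question for this tag to the Questions list so the choice is recorded. The orders PUT row drops its Notes text (the call is missing from the API reference, story 2002579) from the table at the same time; if that note moves elsewhere rather than being resolved, keep a short pointer in the Notes column so the row does not read as a documented, supported call.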
Line 125: Line 125:
 
* key_manager:delete_secret_meta
 
* key_manager:delete_secret_meta
 
** (dmendiza) Is it ok for a member to delete secret meta?
 
** (dmendiza) Is it ok for a member to delete secret meta?
 +
* key_manager:get_secret_meta
 +
** (hrybacki): we use the same rule for both /v1/secrets/{secret-id}/metadata and /v1/secrets/{secret-id}/metadata/{meta-key}. Should we break these into separate rules so we can properly use the DocumentedRuleDefault description field?
 +
* key_manager:store_secrets
 +
** (hrybacki): Same as above only for PUT rather than GET
 +
* key_manager:get_secret_meta
 +
** (hrybacki): The deprecated code path for this route (one way of decrypting secrets) should be removed. Can we create a user story for this?
 +
* key_manager:list_container_consumers
 +
** (hrybacki) Can we rename this policy `consumerS:delete -> consumeR:delete` ?
 +
** (hrybacki) I chose member role for this but should it be admin level?
 +
* key_manager:submit_orders
 +
** The PUT request lives in policy but was missing from the [API reference docs](https://docs.openstack.org/barbican/latest/api/reference/orders.html). I've created [a story to remove this](https://storyboard.openstack.org/#!/story/2002579).
 +
* key_manager:list_transport_keys
 +
** (hrybacki): Does this need any auth at all?
 +
* routes: /v1/secrets/{secret-id}/acl and /v1/containers/{container-id}/acl
 +
** (hrybacki) need to verify existing rules with the new member (secret non-private read and container non-private read). Check with Ade
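Review bot: The added list has `* key_manager:get_secret_meta` twice, with the metadata-rule question under the first and the deprecated-code-path question under the second; fold them into one entry and keep the `* key_manager:store_secrets` follow-up directly after it, since its "Same as above" only makes sense in that position. The submit_orders item uses Markdown link syntax, `[API reference docs](https://docs.openstack.org/barbican/latest/api/reference/orders.html)`, which MediaWiki does not treat as a link (the bracketed text is shown literally); use the wiki form `[https://docs.openstack.org/barbican/latest/api/reference/orders.html API reference docs]` and likewise for the story link so both are clickable. The transport-key question ("Does this need any auth at all?") would be easier to answer if it stated what the table currently grants: reader in both scopes with the no-auth column empty, so a "no" changes the table rows as well as the rule.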

Revision as of 16:33, 27 June 2018

{| class="wikitable"
|-
! colspan="2" | !! colspan="3" | Project-scope !! colspan="3" | System-scope !! colspan="4" |
|-
! Route !! Method !! reader !! member !! admin !! reader !! member !! admin !! no auth !! Tag !! RBAC Name !! Notes
|-
| / || GET || || || || || || || x || <s>key_manager:get_home</s> (none) || N/A || No restrictions on this route
|-
| /v1 || GET || || || || || || || x || <s>key_manager:get_v1</s> (none) || N/A || No restrictions on this route
|-
| rowspan="2" | /v1/secrets || GET || x || || || || || || || key_manager:list_secrets || secrets:get ||
|-
| POST || || x || || || || || || key_manager:store_secrets || secrets:post ||
|-
| rowspan="3" | /v1/secrets/{secret-id} || GET || x || || || || || || || key_manager:get_secret_meta || secret:get ||
|-
| PUT || || x || || || || || || key_manager:store_secrets || secret:put ||
|-
| DELETE || || || x || || || || || key_manager:delete_secrets || secret:delete ||
|-
| rowspan="4" | /v1/secrets/{secret-id}/acl || GET || x || || || || || || || key_manager:get_acl || secret_acls:get ||
|-
| PATCH || || x || || || || || || key_manager:manage_acl || secret_acls:put_patch ||
|-
| PUT || || x || || || || || || key_manager:manage_acl || secret_acls:put_patch ||
|-
| DELETE || || x || || || || || || key_manager:manage_acl || secret_acls:delete ||
|-
| rowspan="3" | /v1/secrets/{secret-id}/metadata || GET || x || || || || || || || key_manager:get_secret_meta || secret_meta:get ||
|-
| PUT || || x || || || || || || key_manager:store_secrets || secret_meta:put ||
|-
| POST || || x || || || || || || key_manager:store_secrets || secret_meta:post ||
|-
| rowspan="3" | /v1/secrets/{secret-id}/metadata/{meta-key} || GET || x || || || || || || || key_manager:get_secret_meta || secret_meta:get ||
|-
| PUT || || x || || || || || || key_manager:store_secrets || secret_meta:put ||
|-
| DELETE || || x || || || || || || key_manager:delete_secret_meta || secret_meta:delete ||
|-
| /v1/secrets/{secret-id}/payload || GET || || x || || || || || || key_manager:decrypt_secrets || secret:decrypt ||
|-
| rowspan="2" | /v1/transport_keys || GET || x || || || x || || || || key_manager:list_transport_keys || transport_keys:get ||
|-
| POST || || || || || || x || || key_manager:add_transport_keys || transport_keys:post ||
|-
| rowspan="2" | /v1/transport_keys/{key-id} || GET || x || || || x || || || || key_manager:get_transport_keys || transport_key:get ||
|-
| DELETE || || || || || || x || || key_manager:delete_transport_keys || transport_key:delete ||
|-
| rowspan="2" | /v1/containers || GET || x || || || || || || || key_manager:list_containers || containers:get ||
|-
| POST || || x || || || || || || key_manager:create_containers || containers:post ||
|-
| rowspan="2" | /v1/containers/{container-id} || GET || x || || || || || || || key_manager:get_containers || container:get ||
|-
| DELETE || || || x || || || || || key_manager:delete_containers || container:delete ||
|-
| rowspan="4" | /v1/containers/{container-id}/acl || GET || x || || || || || || || key_manager:get_acl || container_acls:get ||
|-
| PATCH || || x || || || || || || key_manager:manage_acl || container_acls:put_patch ||
|-
| PUT || || x || || || || || || key_manager:manage_acl || container_acls:put_patch ||
|-
| DELETE || || x || || || || || || key_manager:manage_acl || container_acls:delete ||
|-
| rowspan="2" | /v1/containers/{container-id}/consumers/{consumer-id} || GET || x || || || x || || || || key_manager:list_container_consumer || consumer:get ||
|-
| DELETE || || x || || || x || || || key_manager:list_container_consumers || consumers:delete ||
|-
| rowspan="2" | /v1/containers/{container-id}/consumers || GET || x || || || x || || || || key_manager:list_container_consumers || consumers:get ||
|-
| POST || || x || || || x || || || key_manager:list_container_consumers || consumers:post ||
|-
| rowspan="2" | /v1/containers/{container-id}/secrets || POST || || x || || || || || || key_manager:create_containers || container_secret:post ||
|-
| DELETE || || || x || || || || || key_manager:delete_containers || container_secret:delete ||
|-
| /v1/secret-stores || GET || x || || || x || || || || key_manager:list_backends || secretstores:get ||
|-
| /v1/secret-stores/global-default || GET || x || || || x || || || || key_manager:list_backends || secretstores:get_global_default ||
|-
| /v1/secret-stores/preferred || GET || x || || || || || || || key_manager:get_preferred_backend || secretstores:get_preferred ||
|-
| /v1/secret-stores/{ss-id} || GET || x || || || x || || || || key_manager:list_backends || secretstore:get ||
|-
| rowspan="2" | /v1/secret-stores/{ss-id}/preferred || POST || || || x || || || || || key_manager:manage_preferred_backend || secretstores_preferred:post ||
|-
| DELETE || || || x || || || || || key_manager:manage_preferred_backend || secretstores_preferred:delete ||
|-
| /v1/quotas || GET || x || || || || || || || key_manager:list_quotas || quotas:get ||
|-
| /v1/project-quotas || GET || || || || x || || || || key_manager:get_system_quotas || project_quotas:get ||
|-
| rowspan="3" | /v1/project-quotas/{project-id} || GET || || || || x || || || || key_manager:get_system_quotas || project_quotas:get ||
|-
| PUT || || || || || x || || || key_manager:set_system_quotas || project_quotas:put ||
|-
| DELETE || || || || || x || || || key_manager:set_system_quotas || project_quotas:delete ||
|-
| rowspan="3" | /v1/orders || GET || x || || || || || || || key_manager:list_orders || orders:get ||
|-
| PUT || || x || || || || || || key_manager:submit_orders || orders:put ||
|-
| POST || || x || || || || || || key_manager:submit_orders || orders:post ||
|-
| rowspan="2" | /v1/orders/{order-id} || GET || x || || || || || || || key_manager:get_orders || order:get ||
|-
| DELETE || || || x || || || || || key_manager:delete_orders || order:delete ||
|}
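To see how a row of this matrix becomes an enforceable rule, here is an added example (not Barbican's policy file or code) that transcribes a few rows as oslo.policy-style check strings and evaluates them offline with a minimal stand-in for the oslo.policy enforcer; the role expansion (admin implies member implies reader) is an assumption about the Keystone default roles, not something the table states.

```python
"""Evaluate a few rows of the Barbican policy matrix offline.

Added example, not Barbican's policy.yaml or code. The rule strings use
oslo.policy syntax ("role:X", "project_id:%(project_id)s", "system_scope:all",
"@" for always-allow); the evaluator below is a small stand-in for the real
oslo.policy Enforcer and supports only that subset.
"""

# Assumption (not stated on the page): Keystone's default role implications,
# admin implies member, member implies reader. Keystone expands these into the
# token's role list, which is what the enforcer sees; we expand them here.
IMPLIED = {"admin": {"admin", "member", "reader"},
           "member": {"member", "reader"},
           "reader": {"reader"}}

# RBAC name -> check string, transcribed from the table: an "x" under a
# project-scope role becomes "role:<r> and project_id:%(project_id)s", an "x"
# under a system-scope role becomes "role:<r> and system_scope:all".
POLICY = {
    "home:get":            "@",                                          # / GET: no auth
    "secrets:get":         "role:reader and project_id:%(project_id)s",  # key_manager:list_secrets
    "secrets:post":        "role:member and project_id:%(project_id)s",  # key_manager:store_secrets
    "secret:delete":       "role:admin and project_id:%(project_id)s",   # key_manager:delete_secrets
    "transport_keys:post": "role:admin and system_scope:all",            # key_manager:add_transport_keys
    "project_quotas:put":  "role:member and system_scope:all",           # key_manager:set_system_quotas
}


def _check(term, creds, target):
    """Evaluate one oslo.policy-style term against credentials and target."""
    if term == "@":
        return True
    kind, _, value = term.partition(":")
    if kind == "role":
        return any(value in IMPLIED.get(r, {r}) for r in creds.get("roles", ()))
    if kind == "project_id":
        try:
            wanted = value % target   # "%(project_id)s" is filled from the target
        except KeyError:
            return False              # no target project, so nothing to match
        return creds.get("project_id") == wanted
    if kind == "system_scope":
        return creds.get("system_scope") == value
    raise ValueError("unsupported check: " + term)


def enforce(rbac_name, creds, target=None):
    """Return True if creds satisfy the rule registered for rbac_name."""
    rule = POLICY[rbac_name]
    return all(_check(t.strip(), creds, target or {}) for t in rule.split(" and "))


# Constructed tokens: a project-scoped reader and admin, and a system-scoped member.
PROJECT_READER = {"roles": ["reader"], "project_id": "p1"}
PROJECT_ADMIN = {"roles": ["admin"], "project_id": "p1"}
SYSTEM_MEMBER = {"roles": ["member"], "system_scope": "all"}

if __name__ == "__main__":
    for who, creds in [("project reader", PROJECT_READER), ("project admin", PROJECT_ADMIN),
                       ("system member", SYSTEM_MEMBER)]:
        for rbac in POLICY:
            print(who, rbac, enforce(rbac, creds, {"project_id": "p1"}))
```

The system-scoped member passes project_quotas:put but fails secrets:get on any project, which is the separation the two column groups in the table express.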

Questions (tied to tags):

  • key_manager:manage_acl
    • (dmendiza) Is this too broad?
    • (dmendiza) Should we have separate key_manager:(secret|order)_manage_acl?
    • (dmendiza) Should member be allowed to manage ACL? Would private secrets break if we don't? Are private secrets really private if we do?
    • (dmendiza) Is there a way to reference the User by ID to introduce the concept of a secret owner into this policy?
  • key_manager:store_secrets
    • (dmendiza) Is it ok to use this for adding metadata to a secret? I think it is.
  • key_manager:delete_secret_meta
    • (dmendiza) Is it ok for a member to delete secret meta?
  • key_manager:get_secret_meta
    • (hrybacki): We use the same rule for both /v1/secrets/{secret-id}/metadata and /v1/secrets/{secret-id}/metadata/{meta-key}. Should we break these into separate rules so we can properly use the DocumentedRuleDefault description field?
  • key_manager:store_secrets
    • (hrybacki): Same as above, only for PUT rather than GET.
  • key_manager:get_secret_meta
    • (hrybacki): The deprecated code path for this route (one way of decrypting secrets) should be removed. Can we create a user story for this?
  • key_manager:list_container_consumers
    • (hrybacki) Can we rename this policy `consumerS:delete -> consumeR:delete`?
    • (hrybacki) I chose member role for this but should it be admin level?
  • key_manager:submit_orders
    • The PUT request lives in policy but was missing from the API reference docs (https://docs.openstack.org/barbican/latest/api/reference/orders.html). I've created a story to remove this (https://storyboard.openstack.org/#!/story/2002579).
  • key_manager:list_transport_keys
    • (hrybacki): Does this need any auth at all?
  • routes: /v1/secrets/{secret-id}/acl and /v1/containers/{container-id}/acl
    • (hrybacki) Need to verify existing rules with the new member (secret non-private read and container non-private read). Check with Ade.