Barbican/Policy
Project-scope | System-scope | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Route | Method | reader | member | admin | reader | member | admin | no auth | Tag | RBAC Name | Notes |
/ | GET | x | x | x | x | x | x | x | |
TBD | Can't find any rbac policy enforcement in the versions controller. Where is policy for this route?
(dmend) There is none. This route is wide open for anyone to use. |
/v1 | GET | x | x | x | x | x | x | |
TBD | Can't find any rbac policy enforcement in the versions controller. Where is policy for this route?
(dmend) There isn't one for this either. This route basically just serves system metadata to anyone who is authenticated regardless of role. | |
/v1/secrets | GET | x | x | x | key_manager:list_secrets | secrets:get | |||||
POST | x | x | key_manager:store_secrets | secrets:post | |||||||
/v1/secrets/{secret-id} | GET | x | x | key_manager:get_secret_meta | secret:get | Marked as deprecated. Is this slotted to be removed? | |||||
PUT | x | x | key_manager:store_secrets | secret:put | |||||||
DELETE | x | key_manager:delete_secrets | secret:delete | ||||||||
/v1/secrets/{secret-id}/acl | GET | x | x | x | key_manager:get_acl | secret_acls:get | |||||
PATCH | x | x | key_manager:manage_acl | secret_acls:put_patch | |||||||
PUT | x | x | key_manager:manage_acl | secret_acls:put_patch | |||||||
DELETE | x | x | key_manager:manage_acl | secret_acls:delete | |||||||
/v1/secrets/{secret-id}/metadata | GET | x | x | x | key_manager:get_secret_meta | secret_meta:get | Note: rule is used twice, consider breaking apart | ||||
PUT | x | x | key_manager:store_secrets | secret_meta:put | Note: rule is used twice, consider breaking apart | ||||||
POST | x | x | key_manager:store_secrets | secret_meta:post | |||||||
/v1/secrets/{secret-id}/metadata/{meta-key} | GET | x | x | x | key_manager:get_secret_meta | secret_meta:get | Note: rule is used twice, consider breaking apart | ||||
PUT | x | x | key_manager:store_secrets | secret_meta:put | Note: rule is used twice, consider breaking apart | ||||||
DELETE | x | x | key_manager:delete_secret_meta | secret_meta:delete | |||||||
/v1/secrets/{secret-id}/payload | GET | x | x | key_manager:decrypt_secrets | secret:decrypt | ||||||
/v1/transport_keys | GET | x | x | x | x | x | x | key_manager:list_transport_keys | transport_keys:get | ||
POST | x | key_manager:add_transport_keys | transport_keys:post | ||||||||
/v1/transport_keys/{key-id} | GET | x | x | x | x | x | x | key_manager:get_transport_keys | transport_key:get | ||
DELETE | x | key_manager:delete_transport_keys | transport_key:delete | ||||||||
/v1/containers | GET | x | x | x | key_manager:list_containers | containers:get | |||||
POST | x | x | key_manager:create_containers | containers:post | |||||||
/v1/containers/{container-id} | GET | x | x | key_manager:get_containers | container:get | ||||||
DELETE | x | key_manager:delete_containers | container:delete | ||||||||
/v1/containers/{container-id}/acl | GET | x | x | x | key_manager:get_acl | container_acls:get | |||||
PATCH | x | x | key_manager:manage_acl | container_acls:put_patch | |||||||
PUT | x | x | key_manager:manage_acl | container_acls:put_patch | |||||||
DELETE | x | x | key_manager:manage_acl | container_acls:delete | Should this be on the 'consumeR' controller rather than the 'consumerS' controller? | ||||||
/v1/containers/{container-id}/consumers/{consumer-id} | GET | key_manager:list_container_consumer | consumer:get | ||||||||
/v1/containers/{container-id}/consumers | GET | x | x | x | key_manager:list_container_consumers | consumers:get | |||||
POST | key_manager:list_container_consumers | consumers:post | |||||||||
DELETE | key_manager:list_container_consumers | consumers:delete | |||||||||
/v1/containers/{container-id}/secrets | POST | x | x | key_manager:create_containers | container_secret:post | ||||||
DELETE | x | key_manager:delete_containers | container_secret:delete | ||||||||
/v1/secret-stores | GET | x | x | x | x | x | x | key_manager:list_backends | secretstores:get | ||
/v1/secret-stores/global-default | GET | x | x | x | x | x | x | key_manager:list_backends | secretstores:get_global_default | ||
/v1/secret-stores/preferred | GET | x | x | x | key_manager:get_preferred_backend | secretstores:get_preferred | |||||
/v1/secret-stores/{ss-id} | GET | x | x | x | x | x | x | key_manager:list_backends | secretstore:get | ||
/v1/secret-stores/{ss-id}/preferred | POST | x | key_manager:manage_preferred_backend | secretstores_preferred:post | |||||||
DELETE | x | key_manager:manage_preferred_backend | secretstores_preferred:delete | ||||||||
/v1/quotas | GET | x | x | x | key_manager:list_quotas | quotas:get | |||||
/v1/project-quotas | GET | x | x | x | key_manager:get_system_quotas | project_quotas:get | |||||
/v1/project-quotas/{project-id} | GET | x | x | x | key_manager:get_system_quotas | project_quotas:get | |||||
PUT | x | x | key_manager:set_system_quotas | project_quotas:put | |||||||
DELETE | x | x | key_manager:set_system_quotas | project_quotas:delete | |||||||
/v1/orders | GET | x | x | x | key_manager:list_orders | orders:get | |||||
PUT | x | x | key_manager:submit_orders | orders:put | This call is missing from the API reference: https://docs.openstack.org/barbican/latest/api/reference/orders.html. Perhaps it needs to be removed: https://storyboard.openstack.org/#!/story/2002579 | ||||||
POST | x | x | key_manager:submit_orders | orders:post | |||||||
/v1/orders/{order-id} | GET | x | x | x | key_manager:get_orders | order:get | |||||
DELETE | x | key_manager:delete_orders | order:delete |
- key_manager:manage_acl
- (dmendiza) Is this too broad?
- (dmendiza) Should we have separate key_manager:(secret|order)_manage_acl?
- (dmendiza) Should member be allowed to manage ACL? Would private secrets break if we don't? Are private secrets really private it we do?
- (dmendiza) Is there a way to reference the User by ID to introduce the concept of a secret owner into this policy?
- key_manager:store_secrets
- (dmendiza) Is it ok to use this for adding metadata to a secret? I think it is.
- key_manager:delete_secret_meta
- (dmendiza) Is it ok for a member to delete secret meta?