Barbican/Policy
Project-scope | System-scope | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Route | Method | reader | member | admin | reader | member | admin | no auth | Tag | RBAC Name | Notes |
/ | GET | x | x | x | x | x | x | x | |
N/A | No restrictions on this route
(dmend) There is none. This route is wide open for anyone to use. |
/v1 | GET | x | x | x | x | x | x | x | |
N/A | No restrictions on this route |
/v1/secrets | GET | x | x | x | key_manager:list_secrets | secrets:get | |||||
POST | x | x | key_manager:store_secrets | secrets:post | |||||||
/v1/secrets/{secret-id} | GET | x | x | key_manager:get_secret_meta | secret:get | Marked as deprecated. Is this slotted to be removed?
(dmend) An earlier version of this table made the distinction between different Accept headers. There are two code paths for this route depending on the Accept header. One of those code paths is deprecated, the other is not. | |||||
PUT | x | x | key_manager:store_secrets | secret:put | |||||||
DELETE | x | key_manager:delete_secrets | secret:delete | ||||||||
/v1/secrets/{secret-id}/acl | GET | x | x | x | key_manager:get_acl | secret_acls:get | |||||
PATCH | x | x | key_manager:manage_acl | secret_acls:put_patch | |||||||
PUT | x | x | key_manager:manage_acl | secret_acls:put_patch | |||||||
DELETE | x | x | key_manager:manage_acl | secret_acls:delete | |||||||
/v1/secrets/{secret-id}/metadata | GET | x | x | x | key_manager:get_secret_meta | secret_meta:get | Note: rule is used twice, consider breaking apart | ||||
PUT | x | x | key_manager:store_secrets | secret_meta:put | Note: rule is used twice, consider breaking apart | ||||||
POST | x | x | key_manager:store_secrets | secret_meta:post | |||||||
/v1/secrets/{secret-id}/metadata/{meta-key} | GET | x | x | x | key_manager:get_secret_meta | secret_meta:get | Note: rule is used twice, consider breaking apart | ||||
PUT | x | x | key_manager:store_secrets | secret_meta:put | Note: rule is used twice, consider breaking apart | ||||||
DELETE | x | x | key_manager:delete_secret_meta | secret_meta:delete | |||||||
/v1/secrets/{secret-id}/payload | GET | x | x | key_manager:decrypt_secrets | secret:decrypt | ||||||
/v1/transport_keys | GET | x | x | x | x | x | x | key_manager:list_transport_keys | transport_keys:get | ||
POST | x | key_manager:add_transport_keys | transport_keys:post | ||||||||
/v1/transport_keys/{key-id} | GET | x | x | x | x | x | x | key_manager:get_transport_keys | transport_key:get | ||
DELETE | x | key_manager:delete_transport_keys | transport_key:delete | ||||||||
/v1/containers | GET | x | x | x | key_manager:list_containers | containers:get | |||||
POST | x | x | key_manager:create_containers | containers:post | |||||||
/v1/containers/{container-id} | GET | x | x | key_manager:get_containers | container:get | ||||||
DELETE | x | key_manager:delete_containers | container:delete | ||||||||
/v1/containers/{container-id}/acl | GET | x | x | x | key_manager:get_acl | container_acls:get | |||||
PATCH | x | x | key_manager:manage_acl | container_acls:put_patch | |||||||
PUT | x | x | key_manager:manage_acl | container_acls:put_patch | |||||||
DELETE | x | x | key_manager:manage_acl | container_acls:delete | Should this be on the 'consumeR' controller rather than the 'consumerS' controller? | ||||||
/v1/containers/{container-id}/consumers/{consumer-id} | GET | key_manager:list_container_consumer | consumer:get | ||||||||
/v1/containers/{container-id}/consumers | GET | x | x | x | key_manager:list_container_consumers | consumers:get | |||||
POST | key_manager:list_container_consumers | consumers:post | |||||||||
DELETE | key_manager:list_container_consumers | consumers:delete | |||||||||
/v1/containers/{container-id}/secrets | POST | x | x | key_manager:create_containers | container_secret:post | ||||||
DELETE | x | key_manager:delete_containers | container_secret:delete | ||||||||
/v1/secret-stores | GET | x | x | x | x | x | x | key_manager:list_backends | secretstores:get | ||
/v1/secret-stores/global-default | GET | x | x | x | x | x | x | key_manager:list_backends | secretstores:get_global_default | ||
/v1/secret-stores/preferred | GET | x | x | x | key_manager:get_preferred_backend | secretstores:get_preferred | |||||
/v1/secret-stores/{ss-id} | GET | x | x | x | x | x | x | key_manager:list_backends | secretstore:get | ||
/v1/secret-stores/{ss-id}/preferred | POST | x | key_manager:manage_preferred_backend | secretstores_preferred:post | |||||||
DELETE | x | key_manager:manage_preferred_backend | secretstores_preferred:delete | ||||||||
/v1/quotas | GET | x | x | x | key_manager:list_quotas | quotas:get | |||||
/v1/project-quotas | GET | x | x | x | key_manager:get_system_quotas | project_quotas:get | |||||
/v1/project-quotas/{project-id} | GET | x | x | x | key_manager:get_system_quotas | project_quotas:get | |||||
PUT | x | x | key_manager:set_system_quotas | project_quotas:put | |||||||
DELETE | x | x | key_manager:set_system_quotas | project_quotas:delete | |||||||
/v1/orders | GET | x | x | x | key_manager:list_orders | orders:get | |||||
PUT | x | x | key_manager:submit_orders | orders:put | This call is missing from the API reference: https://docs.openstack.org/barbican/latest/api/reference/orders.html. Perhaps it needs to be removed: https://storyboard.openstack.org/#!/story/2002579 | ||||||
POST | x | x | key_manager:submit_orders | orders:post | |||||||
/v1/orders/{order-id} | GET | x | x | x | key_manager:get_orders | order:get | |||||
DELETE | x | key_manager:delete_orders | order:delete |
- key_manager:manage_acl
- (dmendiza) Is this too broad?
- (dmendiza) Should we have separate key_manager:(secret|order)_manage_acl?
- (dmendiza) Should member be allowed to manage ACL? Would private secrets break if we don't? Are private secrets really private it we do?
- (dmendiza) Is there a way to reference the User by ID to introduce the concept of a secret owner into this policy?
- key_manager:store_secrets
- (dmendiza) Is it ok to use this for adding metadata to a secret? I think it is.
- key_manager:delete_secret_meta
- (dmendiza) Is it ok for a member to delete secret meta?