Barbican/Policy

		Project-scope			System-scope
Route	Method	reader	member	admin	reader	member	admin	no auth	Tag
/	GET	x	x	x	x	x	x	x	key_manager:get_home
/v1	GET	x	x	x	x	x	x		key_manager:get_v1
/v1/secrets	GET	x	x	x					key_manager:list_secrets
/v1/secrets	POST		x	x					key_manager:store_secrets
/v1/secrets/{secret-id}	GET Accept:application/json	x	x	x					key_manager:get_secret_meta
	DEPRECATED GET Accept:{secret-mime}		x	x					key_manager:decrypt_secrets
	PUT		x	x					key_manager:store_secrets
	DELETE			x					key_manager:delete_secrets
/v1/secrets/{secret-id}/acl	GET	x	x	x					key_manager:get_acl
	PATCH		x	x					key_manager:manage_acl
	PUT		x	x					key_manager:manage_acl
	DELETE		x	x					key_manager:manage_acl
/v1/secrets/{secret-id}/metadata	GET	x	x	x					key_manager:get_secret_meta
	PUT		x	x					key_manager:store_secrets
	POST		x	x					key_manager:store_secrets
/v1/secrets/{secret-id}/metadata/{meta-key}	GET
	PUT
	DELETE
/v1/secrets/{secret-id}/payload	GET
/v1/transport_keys	GET
/v1/transport_keys	POST
/v1/transport_keys/{key-id}	GET
/v1/transport_keys/{key-id}	DELETE
/v1/containers	GET
/v1/containers	POST
/v1/containers/{container-id}	GET
/v1/containers/{container-id}	DELETE
/v1/containers/{container-id}/acl	GET
	PATCH
	PUT
	DELETE
/v1/containers/{container-id}/consumers	GET
/v1/containers/{container-id}/secrets	POST
/v1/containers/{container-id}/secrets	DELETE
/v1/secret-stores	GET
/v1/secret-stores/{ss-id}	GET
/v1/secret-stores/{ss-id}/preferred	POST
/v1/secret-stores/{ss-id}/preferred	DELETE
/v1/quotas	GET
/v1/project-quotas	GET
/v1/project-quotas/{project-id}	GET
	PUT
	DELETE
DEPRECATED - To be removed in P
/v1/orders	GET
	PUT
	POST
/v1/orders/{order-id}	GET
/v1/orders/{order-id}	DELETE

key_manager:manage_acl
- (dmendiza) Is this too broad?
- (dmendiza) Should we have separate key_manager:(secret|order)_manage_acl?
- (dmendiza) Should member be allowed to manage ACL? Would private secrets break if we don't? Are private secrets really private it we do?
- (dmendiza) Is there a way to reference the User by ID to introduce the concept of a secret owner into this policy?
key_manager:store_secret
- (dmendiza) Is it ok to use this for adding metadata to a secret? I think it is.