Jump to: navigation, search

Barbican/Policy

< Barbican
Revision as of 22:09, 19 June 2018 by Dmend (talk | contribs)
Project-scope System-scope
Route Method reader member admin reader member admin no auth Tag RBAC Name Notes
/ GET x x x x x x x key_manager:get_home (none) TBD Can't find any rbac policy enforcement in the versions controller. Where is policy for this route?

(dmend) There is none. This route is wide open for anyone to use.

/v1 GET x x x x x x key_manager:get_v1 (none) TBD Can't find any rbac policy enforcement in the versions controller. Where is policy for this route?
/v1/secrets GET x x x key_manager:list_secrets secrets:get
POST x x key_manager:store_secrets secrets:post
/v1/secrets/{secret-id} GET x x key_manager:get_secret_meta secret:get Marked as deprecated. Is this slotted to be removed?
PUT x x key_manager:store_secrets secret:put
DELETE x key_manager:delete_secrets secret:delete
/v1/secrets/{secret-id}/acl GET x x x key_manager:get_acl secret_acls:get
PATCH x x key_manager:manage_acl secret_acls:put_patch
PUT x x key_manager:manage_acl secret_acls:put_patch
DELETE x x key_manager:manage_acl secret_acls:delete
/v1/secrets/{secret-id}/metadata GET x x x key_manager:get_secret_meta secret_meta:get Note: rule is used twice, consider breaking apart
PUT x x key_manager:store_secrets secret_meta:put Note: rule is used twice, consider breaking apart
POST x x key_manager:store_secrets secret_meta:post
/v1/secrets/{secret-id}/metadata/{meta-key} GET x x x key_manager:get_secret_meta secret_meta:get Note: rule is used twice, consider breaking apart
PUT x x key_manager:store_secrets secret_meta:put Note: rule is used twice, consider breaking apart
DELETE x x key_manager:delete_secret_meta secret_meta:delete
/v1/secrets/{secret-id}/payload GET x x key_manager:decrypt_secrets secret:decrypt
/v1/transport_keys GET x x x x x x key_manager:list_transport_keys transport_keys:get
POST x key_manager:add_transport_keys transport_keys:post
/v1/transport_keys/{key-id} GET x x x x x x key_manager:get_transport_keys transport_key:get
DELETE x key_manager:delete_transport_keys transport_key:delete
/v1/containers GET x x x key_manager:list_containers containers:get
POST x x key_manager:create_containers containers:post
/v1/containers/{container-id} GET x x key_manager:get_containers container:get
DELETE x key_manager:delete_containers container:delete
/v1/containers/{container-id}/acl GET x x x key_manager:get_acl container_acls:get
PATCH x x key_manager:manage_acl container_acls:put_patch
PUT x x key_manager:manage_acl container_acls:put_patch
DELETE x x key_manager:manage_acl container_acls:delete Should this be on the 'consumeR' controller rather than the 'consumerS' controller?
/v1/containers/{container-id}/consumers/{consumer-id} GET key_manager:list_container_consumer consumer:get
/v1/containers/{container-id}/consumers GET x x x key_manager:list_container_consumers consumers:get
POST key_manager:list_container_consumers consumers:post
DELETE key_manager:list_container_consumers consumers:delete
/v1/containers/{container-id}/secrets POST x x key_manager:create_containers container_secret:post
DELETE x key_manager:delete_containers container_secret:delete
/v1/secret-stores GET x x x x x x key_manager:list_backends secretstores:get
/v1/secret-stores/global-default GET x x x x x x key_manager:list_backends secretstores:get_global_default
/v1/secret-stores/preferred GET x x x key_manager:get_preferred_backend secretstores:get_preferred
/v1/secret-stores/{ss-id} GET x x x x x x key_manager:list_backends secretstore:get
/v1/secret-stores/{ss-id}/preferred POST x key_manager:manage_preferred_backend secretstores_preferred:post
DELETE x key_manager:manage_preferred_backend secretstores_preferred:delete
/v1/quotas GET x x x key_manager:list_quotas quotas:get
/v1/project-quotas GET x x x key_manager:get_system_quotas project_quotas:get
/v1/project-quotas/{project-id} GET x x x key_manager:get_system_quotas project_quotas:get
PUT x x key_manager:set_system_quotas project_quotas:put
DELETE x x key_manager:set_system_quotas project_quotas:delete
/v1/orders GET x x x key_manager:list_orders orders:get
PUT x x key_manager:submit_orders orders:put This call is missing from the API reference: https://docs.openstack.org/barbican/latest/api/reference/orders.html. Perhaps it needs to be removed: https://storyboard.openstack.org/#!/story/2002579
POST x x key_manager:submit_orders orders:post
/v1/orders/{order-id} GET x x x key_manager:get_orders order:get
DELETE x key_manager:delete_orders order:delete
  • key_manager:manage_acl
    • (dmendiza) Is this too broad?
    • (dmendiza) Should we have separate key_manager:(secret|order)_manage_acl?
    • (dmendiza) Should member be allowed to manage ACL? Would private secrets break if we don't? Are private secrets really private it we do?
    • (dmendiza) Is there a way to reference the User by ID to introduce the concept of a secret owner into this policy?
  • key_manager:store_secrets
    • (dmendiza) Is it ok to use this for adding metadata to a secret? I think it is.
  • key_manager:delete_secret_meta
    • (dmendiza) Is it ok for a member to delete secret meta?