Difference between revisions of "Barbican/Policy"
< Barbican
(Updating fields post audit meeting.) |
|||
| Line 7: | Line 7: | ||
! Route !! Method !! reader !! member !! admin !! reader !! member !! admin || no auth || Tag || RBAC Name || Notes | ! Route !! Method !! reader !! member !! admin !! reader !! member !! admin || no auth || Tag || RBAC Name || Notes | ||
|- | |- | ||
| − | | / || GET || | + | | / || GET || || || || || || || x || <s>key_manager:get_home</s> (none) || N/A || No restrictions on this route |
| − | |||
|- | |- | ||
| − | | /v1 || GET || | + | | /v1 || GET || || || || || || || x || <s>key_manager:get_v1</s> (none) || N/A || No restrictions on this route |
|- | |- | ||
| − | | rowspan="2" | /v1/secrets || GET || x || | + | | rowspan="2" | /v1/secrets || GET || x || || || || || || || key_manager:list_secrets || secrets:get || |
|- | |- | ||
| − | | POST || || x || | + | | POST || || x || || || || || || key_manager:store_secrets || secrets:post || |
|- | |- | ||
| − | | rowspan="3" | /v1/secrets/{secret-id} || GET || | + | | rowspan="3" | /v1/secrets/{secret-id} || GET || x || || || || || || || key_manager:get_secret_meta || secret:get || Marked as deprecated. Is this slotted to be removed? |
| − | (dmend) An earlier version of this table made the distinction between different Accept headers. There are two code paths for this route depending on the Accept header. One of those code paths is deprecated, the other is not. | + | (dmend) An earlier version of this table made the distinction between different Accept headers. There are two code paths for this route depending on the Accept header. One of those code paths is deprecated, the other is not. (hrybacki) Lets create a user story for deleting the unused/deprecated route. |
|- | |- | ||
| − | | PUT || || x || | + | | PUT || || x || || || || || || key_manager:store_secrets || secret:put || |
|- | |- | ||
| DELETE || || || x || || || || || key_manager:delete_secrets || secret:delete || | | DELETE || || || x || || || || || key_manager:delete_secrets || secret:delete || | ||
|- | |- | ||
| − | | rowspan="4" | /v1/secrets/{secret-id}/acl || GET || x || | + | | rowspan="4" | /v1/secrets/{secret-id}/acl || GET || x || || || || || || || key_manager:get_acl || secret_acls:get || |
|- | |- | ||
| − | | PATCH || || x || | + | | PATCH || || x || || || || || || key_manager:manage_acl || secret_acls:put_patch || |
|- | |- | ||
| − | | PUT || || x || | + | | PUT || || x || || || || || || key_manager:manage_acl || secret_acls:put_patch || |
|- | |- | ||
| − | | DELETE || || x || | + | | DELETE || || x || || || || || || key_manager:manage_acl || secret_acls:delete || |
|- | |- | ||
| − | | rowspan="3" | /v1/secrets/{secret-id}/metadata || GET || x || | + | | rowspan="3" | /v1/secrets/{secret-id}/metadata || GET || x || || || || || || || key_manager:get_secret_meta || secret_meta:get || Note: rule is used twice, consider breaking apart |
|- | |- | ||
| − | | PUT || || x || | + | | PUT || || x || || || || || || key_manager:store_secrets || secret_meta:put || Note: rule is used twice, consider breaking apart |
|- | |- | ||
| − | | POST || || x || | + | | POST || || x || || || || || || key_manager:store_secrets || secret_meta:post || |
|- | |- | ||
| − | | rowspan="3" | /v1/secrets/{secret-id}/metadata/{meta-key} || GET || x || | + | | rowspan="3" | /v1/secrets/{secret-id}/metadata/{meta-key} || GET || x || || || || || || || key_manager:get_secret_meta || secret_meta:get || Note: rule is used twice, consider breaking apart |
|- | |- | ||
| − | | PUT || || x || | + | | PUT || || x || || || || || || key_manager:store_secrets || secret_meta:put || Note: rule is used twice, consider breaking apart |
|- | |- | ||
| − | | DELETE || || x || | + | | DELETE || || x || || || || || || key_manager:delete_secret_meta || secret_meta:delete || |
|- | |- | ||
| − | | /v1/secrets/{secret-id}/payload || GET || || x || | + | | /v1/secrets/{secret-id}/payload || GET || || x || || || || || || key_manager:decrypt_secrets || secret:decrypt || |
|- | |- | ||
| − | | rowspan="2" | /v1/transport_keys || GET || x || | + | | rowspan="2" | /v1/transport_keys || GET || x || || || x || || || || key_manager:list_transport_keys || transport_keys:get || |
|- | |- | ||
| POST || || || || || || x || || key_manager:add_transport_keys || transport_keys:post || | | POST || || || || || || x || || key_manager:add_transport_keys || transport_keys:post || | ||
|- | |- | ||
| − | | rowspan="2" | /v1/transport_keys/{key-id} || GET || x || | + | | rowspan="2" | /v1/transport_keys/{key-id} || GET || x || || || x || || || || key_manager:get_transport_keys || transport_key:get || |
|- | |- | ||
| DELETE || || || || || || x || || key_manager:delete_transport_keys || transport_key:delete || | | DELETE || || || || || || x || || key_manager:delete_transport_keys || transport_key:delete || | ||
|- | |- | ||
| − | | rowspan="2" | /v1/containers || GET || x || | + | | rowspan="2" | /v1/containers || GET || x || || || || || || || key_manager:list_containers || containers:get || |
|- | |- | ||
| − | | POST || || x || | + | | POST || || x || || || || || || key_manager:create_containers || containers:post || |
|- | |- | ||
| − | | rowspan="2" | /v1/containers/{container-id} || GET || | + | | rowspan="2" | /v1/containers/{container-id} || GET || x || || || || || || || key_manager:get_containers || container:get || |
|- | |- | ||
| DELETE || || || x || || || || || key_manager:delete_containers || container:delete || | | DELETE || || || x || || || || || key_manager:delete_containers || container:delete || | ||
|- | |- | ||
| − | | rowspan="4" | /v1/containers/{container-id}/acl || GET || x || | + | | rowspan="4" | /v1/containers/{container-id}/acl || GET || x || || || || || || || key_manager:get_acl || container_acls:get || |
|- | |- | ||
| − | | PATCH || || x || | + | | PATCH || || x || || || || || || key_manager:manage_acl || container_acls:put_patch || |
|- | |- | ||
| − | | PUT || || x || | + | | PUT || || x || || || || || || key_manager:manage_acl || container_acls:put_patch || |
|- | |- | ||
| − | | DELETE || || x || | + | | DELETE || || x || || || || || || key_manager:manage_acl || container_acls:delete || |
|- | |- | ||
| − | | | + | | rowspan="2" | /v1/containers/{container-id}/consumers/{consumer-id} || GET || x || || || x || || || || key_manager:list_container_consumer || consumer:get || |
|- | |- | ||
| − | | | + | | DELETE || || x || || || x || || || key_manager:list_container_consumers || consumers:delete || Should we rename this policy as consumeR:delete rather than consumerS:delete? |
|- | |- | ||
| − | | | + | | rowspan="2" | /v1/containers/{container-id}/consumers || GET || x || || || x || || || || key_manager:list_container_consumers || consumers:get || |
|- | |- | ||
| − | | | + | | POST || || x || || || x || || || key_manager:list_container_consumers || consumers:post || |
|- | |- | ||
| − | | rowspan="2" | /v1/containers/{container-id}/secrets || POST || || x || | + | | rowspan="2" | /v1/containers/{container-id}/secrets || POST || || x || || || || || || key_manager:create_containers || container_secret:post || |
|- | |- | ||
| DELETE || || || x || || || || || key_manager:delete_containers || container_secret:delete || | | DELETE || || || x || || || || || key_manager:delete_containers || container_secret:delete || | ||
|- | |- | ||
| − | | /v1/secret-stores || GET || x || | + | | /v1/secret-stores || GET || x || || || x || || || || key_manager:list_backends || secretstores:get || |
|- | |- | ||
| − | | /v1/secret-stores/global-default || GET || x || | + | | /v1/secret-stores/global-default || GET || x || || || x || || || || key_manager:list_backends || secretstores:get_global_default || |
|- | |- | ||
| − | | /v1/secret-stores/preferred || GET || x || | + | | /v1/secret-stores/preferred || GET || x || || || || || || || key_manager:get_preferred_backend || secretstores:get_preferred || |
|- | |- | ||
| − | | /v1/secret-stores/{ss-id} || GET || x || | + | | /v1/secret-stores/{ss-id} || GET || x || || || x || || || || key_manager:list_backends || secretstore:get || |
|- | |- | ||
| rowspan="2" | /v1/secret-stores/{ss-id}/preferred || POST || || || x || || || || || key_manager:manage_preferred_backend || secretstores_preferred:post || | | rowspan="2" | /v1/secret-stores/{ss-id}/preferred || POST || || || x || || || || || key_manager:manage_preferred_backend || secretstores_preferred:post || | ||
| Line 93: | Line 92: | ||
| DELETE || || || x || || || || || key_manager:manage_preferred_backend || secretstores_preferred:delete || | | DELETE || || || x || || || || || key_manager:manage_preferred_backend || secretstores_preferred:delete || | ||
|- | |- | ||
| − | | /v1/quotas || GET || x || | + | | /v1/quotas || GET || x || || || || || || || key_manager:list_quotas || quotas:get || |
|- | |- | ||
| − | | /v1/project-quotas || GET || || || || x || | + | | /v1/project-quotas || GET || || || || x || || || || key_manager:get_system_quotas || project_quotas:get || |
|- | |- | ||
| − | | rowspan="3" | /v1/project-quotas/{project-id} || GET || || || || x || | + | | rowspan="3" | /v1/project-quotas/{project-id} || GET || || || || x || || || || key_manager:get_system_quotas || project_quotas:get || |
|- | |- | ||
|- | |- | ||
| − | | PUT || || || || || x || | + | | PUT || || || || || x || || || key_manager:set_system_quotas || project_quotas:put || |
|- | |- | ||
| − | | DELETE || || || || || x || | + | | DELETE || || || || || x || || || key_manager:set_system_quotas || project_quotas:delete || |
|- | |- | ||
| − | | rowspan="3" | /v1/orders || GET || x || | + | | rowspan="3" | /v1/orders || GET || x || || || || || || || key_manager:list_orders || orders:get || |
|- | |- | ||
| − | | PUT || || x || | + | | PUT || || x || || || || || || key_manager:submit_orders || orders:put || This call is missing from the API reference: https://docs.openstack.org/barbican/latest/api/reference/orders.html. Perhaps it needs to be removed: https://storyboard.openstack.org/#!/story/2002579 |
|- | |- | ||
| − | | POST || || x || | + | | POST || || x || || || || || || key_manager:submit_orders || orders:post || |
|- | |- | ||
| − | | rowspan="2" | /v1/orders/{order-id} || GET || x || | + | | rowspan="2" | /v1/orders/{order-id} || GET || x || || || || || || || key_manager:get_orders || order:get || |
|- | |- | ||
| DELETE || || || x || || || || || key_manager:delete_orders || order:delete || | | DELETE || || || x || || || || || key_manager:delete_orders || order:delete || | ||
Revision as of 15:54, 27 June 2018
| Project-scope | System-scope | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Route | Method | reader | member | admin | reader | member | admin | no auth | Tag | RBAC Name | Notes |
| / | GET | x | |
N/A | No restrictions on this route | ||||||
| /v1 | GET | x | |
N/A | No restrictions on this route | ||||||
| /v1/secrets | GET | x | key_manager:list_secrets | secrets:get | |||||||
| POST | x | key_manager:store_secrets | secrets:post | ||||||||
| /v1/secrets/{secret-id} | GET | x | key_manager:get_secret_meta | secret:get | Marked as deprecated. Is this slotted to be removed?
(dmend) An earlier version of this table made the distinction between different Accept headers. There are two code paths for this route depending on the Accept header. One of those code paths is deprecated, the other is not. (hrybacki) Lets create a user story for deleting the unused/deprecated route. | ||||||
| PUT | x | key_manager:store_secrets | secret:put | ||||||||
| DELETE | x | key_manager:delete_secrets | secret:delete | ||||||||
| /v1/secrets/{secret-id}/acl | GET | x | key_manager:get_acl | secret_acls:get | |||||||
| PATCH | x | key_manager:manage_acl | secret_acls:put_patch | ||||||||
| PUT | x | key_manager:manage_acl | secret_acls:put_patch | ||||||||
| DELETE | x | key_manager:manage_acl | secret_acls:delete | ||||||||
| /v1/secrets/{secret-id}/metadata | GET | x | key_manager:get_secret_meta | secret_meta:get | Note: rule is used twice, consider breaking apart | ||||||
| PUT | x | key_manager:store_secrets | secret_meta:put | Note: rule is used twice, consider breaking apart | |||||||
| POST | x | key_manager:store_secrets | secret_meta:post | ||||||||
| /v1/secrets/{secret-id}/metadata/{meta-key} | GET | x | key_manager:get_secret_meta | secret_meta:get | Note: rule is used twice, consider breaking apart | ||||||
| PUT | x | key_manager:store_secrets | secret_meta:put | Note: rule is used twice, consider breaking apart | |||||||
| DELETE | x | key_manager:delete_secret_meta | secret_meta:delete | ||||||||
| /v1/secrets/{secret-id}/payload | GET | x | key_manager:decrypt_secrets | secret:decrypt | |||||||
| /v1/transport_keys | GET | x | x | key_manager:list_transport_keys | transport_keys:get | ||||||
| POST | x | key_manager:add_transport_keys | transport_keys:post | ||||||||
| /v1/transport_keys/{key-id} | GET | x | x | key_manager:get_transport_keys | transport_key:get | ||||||
| DELETE | x | key_manager:delete_transport_keys | transport_key:delete | ||||||||
| /v1/containers | GET | x | key_manager:list_containers | containers:get | |||||||
| POST | x | key_manager:create_containers | containers:post | ||||||||
| /v1/containers/{container-id} | GET | x | key_manager:get_containers | container:get | |||||||
| DELETE | x | key_manager:delete_containers | container:delete | ||||||||
| /v1/containers/{container-id}/acl | GET | x | key_manager:get_acl | container_acls:get | |||||||
| PATCH | x | key_manager:manage_acl | container_acls:put_patch | ||||||||
| PUT | x | key_manager:manage_acl | container_acls:put_patch | ||||||||
| DELETE | x | key_manager:manage_acl | container_acls:delete | ||||||||
| /v1/containers/{container-id}/consumers/{consumer-id} | GET | x | x | key_manager:list_container_consumer | consumer:get | ||||||
| DELETE | x | x | key_manager:list_container_consumers | consumers:delete | Should we rename this policy as consumeR:delete rather than consumerS:delete? | ||||||
| /v1/containers/{container-id}/consumers | GET | x | x | key_manager:list_container_consumers | consumers:get | ||||||
| POST | x | x | key_manager:list_container_consumers | consumers:post | |||||||
| /v1/containers/{container-id}/secrets | POST | x | key_manager:create_containers | container_secret:post | |||||||
| DELETE | x | key_manager:delete_containers | container_secret:delete | ||||||||
| /v1/secret-stores | GET | x | x | key_manager:list_backends | secretstores:get | ||||||
| /v1/secret-stores/global-default | GET | x | x | key_manager:list_backends | secretstores:get_global_default | ||||||
| /v1/secret-stores/preferred | GET | x | key_manager:get_preferred_backend | secretstores:get_preferred | |||||||
| /v1/secret-stores/{ss-id} | GET | x | x | key_manager:list_backends | secretstore:get | ||||||
| /v1/secret-stores/{ss-id}/preferred | POST | x | key_manager:manage_preferred_backend | secretstores_preferred:post | |||||||
| DELETE | x | key_manager:manage_preferred_backend | secretstores_preferred:delete | ||||||||
| /v1/quotas | GET | x | key_manager:list_quotas | quotas:get | |||||||
| /v1/project-quotas | GET | x | key_manager:get_system_quotas | project_quotas:get | |||||||
| /v1/project-quotas/{project-id} | GET | x | key_manager:get_system_quotas | project_quotas:get | |||||||
| PUT | x | key_manager:set_system_quotas | project_quotas:put | ||||||||
| DELETE | x | key_manager:set_system_quotas | project_quotas:delete | ||||||||
| /v1/orders | GET | x | key_manager:list_orders | orders:get | |||||||
| PUT | x | key_manager:submit_orders | orders:put | This call is missing from the API reference: https://docs.openstack.org/barbican/latest/api/reference/orders.html. Perhaps it needs to be removed: https://storyboard.openstack.org/#!/story/2002579 | |||||||
| POST | x | key_manager:submit_orders | orders:post | ||||||||
| /v1/orders/{order-id} | GET | x | key_manager:get_orders | order:get | |||||||
| DELETE | x | key_manager:delete_orders | order:delete | ||||||||
- key_manager:manage_acl
- (dmendiza) Is this too broad?
- (dmendiza) Should we have separate key_manager:(secret|order)_manage_acl?
- (dmendiza) Should member be allowed to manage ACL? Would private secrets break if we don't? Are private secrets really private it we do?
- (dmendiza) Is there a way to reference the User by ID to introduce the concept of a secret owner into this policy?
- key_manager:store_secrets
- (dmendiza) Is it ok to use this for adding metadata to a secret? I think it is.
- key_manager:delete_secret_meta
- (dmendiza) Is it ok for a member to delete secret meta?
