Policy configuration

Policy configuration

Warning

JSON formatted policy file is deprecated since Barbican 12.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

Configuration

The following is an overview of all available policies in Barbican. For a sample configuration file.

barbican

system_reader
Default:

role:reader and system_scope:all

(no description provided)

system_admin
Default:

role:admin and system_scope:all

(no description provided)

secret_project_match
Default:

project_id:%(target.secret.project_id)s

(no description provided)

secret_project_reader
Default:

role:reader and rule:secret_project_match

(no description provided)

secret_project_member
Default:

role:member and rule:secret_project_match

(no description provided)

secret_project_admin
Default:

role:admin and rule:secret_project_match

(no description provided)

secret_owner
Default:

user_id:%(target.secret.creator_id)s

(no description provided)

secret_is_not_private
Default:

True:%(target.secret.read_project_access)s

(no description provided)

secret_acl_read
Default:

'read':%(target.secret.read)s

(no description provided)

container_project_match
Default:

project_id:%(target.container.project_id)s

(no description provided)

container_project_member
Default:

role:member and rule:container_project_match

(no description provided)

container_project_admin
Default:

role:admin and rule:container_project_match

(no description provided)

container_owner
Default:

user_id:%(target.container.creator_id)s

(no description provided)

container_is_not_private
Default:

True:%(target.container.read_project_access)s

(no description provided)

container_acl_read
Default:

'read':%(target.container.read)s

(no description provided)

order_project_match
Default:

project_id:%(target.order.project_id)s

(no description provided)

order_project_member
Default:

role:member and rule:order_project_match

(no description provided)

audit
Default:

role:audit

(no description provided)

observer
Default:

role:observer

(no description provided)

creator
Default:

role:creator

(no description provided)

admin
Default:

role:admin

(no description provided)

service_admin
Default:

role:key-manager:service-admin

(no description provided)

all_users
Default:

rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin

(no description provided)

all_but_audit
Default:

rule:admin or rule:observer or rule:creator

(no description provided)

admin_or_creator
Default:

rule:admin or rule:creator

(no description provided)

secret_creator_user
Default:

user_id:%(target.secret.creator_id)s

(no description provided)

secret_private_read
Default:

'False':%(target.secret.read_project_access)s

(no description provided)

secret_non_private_read
Default:

rule:all_users and rule:secret_project_match and not rule:secret_private_read

(no description provided)

secret_decrypt_non_private_read
Default:

rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read

(no description provided)

secret_project_creator
Default:

rule:creator and rule:secret_project_match and rule:secret_creator_user

(no description provided)

secret_project_creator_role
Default:

rule:creator and rule:secret_project_match

(no description provided)

container_private_read
Default:

'False':%(target.container.read_project_access)s

(no description provided)

container_creator_user
Default:

user_id:%(target.container.creator_id)s

(no description provided)

container_non_private_read
Default:

rule:all_users and rule:container_project_match and not rule:container_private_read

(no description provided)

container_project_creator
Default:

rule:creator and rule:container_project_match and rule:container_creator_user

(no description provided)

container_project_creator_role
Default:

rule:creator and rule:container_project_match

(no description provided)

secret_acls:get
Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:
  • GET /v1/secrets/{secret-id}/acl

Scope Types:
  • project

Retrieve the ACL settings for a given secret.If no ACL is defined for that secret, then Default ACL is returned.

secret_acls:delete
Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:
  • DELETE /v1/secrets/{secret-id}/acl

Scope Types:
  • project

Delete the ACL settings for a given secret.

secret_acls:put_patch
Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:
  • PUT /v1/secrets/{secret-id}/acl

  • PATCH /v1/secrets/{secret-id}/acl

Scope Types:
  • project

Create new, replaces, or updates existing ACL for a given secret.

container_acls:get
Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))

Operations:
  • GET /v1/containers/{container-id}/acl

Scope Types:
  • project

Retrieve the ACL settings for a given container.

container_acls:delete
Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))

Operations:
  • DELETE /v1/containers/{container-id}/acl

Scope Types:
  • project

Delete ACL for a given container. No content is returned in the case of successful deletion.

container_acls:put_patch
Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))

Operations:
  • PUT /v1/containers/{container-id}/acl

  • PATCH /v1/containers/{container-id}/acl

Scope Types:
  • project

Create new or replaces existing ACL for a given container.

consumer:get
Default:

True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)

Operations:
  • GET /v1/containers/{container-id}/consumers/{consumer-id}

Scope Types:
  • project

  • system

DEPRECATED: show information for a specific consumer

container_consumers:get
Default:

True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)

Operations:
  • GET /v1/containers/{container-id}/consumers

Scope Types:
  • project

  • system

List a containers consumers.

container_consumers:post
Default:

True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)

Operations:
  • POST /v1/containers/{container-id}/consumers

Scope Types:
  • project

  • system

Creates a consumer.

container_consumers:delete
Default:

True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)

Operations:
  • DELETE /v1/containers/{container-id}/consumers

Scope Types:
  • project

  • system

Deletes a consumer.

secret_consumers:get
Default:

True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)

Operations:
  • GET /v1/secrets/{secret-id}/consumers

Scope Types:
  • project

  • system

List consumers for a secret.

secret_consumers:post
Default:

True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)

Operations:
  • POST /v1/secrets/{secrets-id}/consumers

Scope Types:
  • project

  • system

Creates a consumer.

secret_consumers:delete
Default:

True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)

Operations:
  • DELETE /v1/secrets/{secrets-id}/consumers

Scope Types:
  • project

  • system

Deletes a consumer.

containers:post
Default:

True:%(enforce_new_defaults)s and role:member

Operations:
  • POST /v1/containers

Scope Types:
  • project

Creates a container.

containers:get
Default:

True:%(enforce_new_defaults)s and role:member

Operations:
  • GET /v1/containers

Scope Types:
  • project

Lists a projects containers.

container:get
Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)

Operations:
  • GET /v1/containers/{container-id}

Scope Types:
  • project

Retrieves a single container.

container:delete
Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))

Operations:
  • DELETE /v1/containers/{uuid}

Scope Types:
  • project

Deletes a container.

container_secret:post
Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))

Operations:
  • POST /v1/containers/{container-id}/secrets

Scope Types:
  • project

Add a secret to an existing container.

container_secret:delete
Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))

Operations:
  • DELETE /v1/containers/{container-id}/secrets/{secret-id}

Scope Types:
  • project

Remove a secret from a container.

orders:get
Default:

True:%(enforce_new_defaults)s and role:member

Operations:
  • GET /v1/orders

Scope Types:
  • project

Gets list of all orders associated with a project.

orders:post
Default:

True:%(enforce_new_defaults)s and role:member

Operations:
  • POST /v1/orders

Scope Types:
  • project

Creates an order.

orders:put
Default:

True:%(enforce_new_defaults)s and role:member

Operations:
  • PUT /v1/orders

Scope Types:
  • project

Unsupported method for the orders API.

order:get
Default:

True:%(enforce_new_defaults)s and rule:order_project_member

Operations:
  • GET /v1/orders/{order-id}

Scope Types:
  • project

Retrieves an orders metadata.

order:delete
Default:

True:%(enforce_new_defaults)s and rule:order_project_member

Operations:
  • DELETE /v1/orders/{order-id}

Scope Types:
  • project

Deletes an order.

quotas:get
Default:

True:%(enforce_new_defaults)s and role:reader

Operations:
  • GET /v1/quotas

Scope Types:
  • project

List quotas for the project the user belongs to.

project_quotas:get
Default:

True:%(enforce_new_defaults)s and rule:system_reader

Operations:
  • GET /v1/project-quotas

  • GET /v1/project-quotas/{uuid}

Scope Types:
  • system

List quotas for the specified project.

project_quotas:put
Default:

True:%(enforce_new_defaults)s and rule:system_admin

Operations:
  • PUT /v1/project-quotas/{uuid}

Scope Types:
  • system

Create or update the configured project quotas for the project with the specified UUID.

project_quotas:delete
Default:

True:%(enforce_new_defaults)s and rule:system_admin

Operations:
  • DELETE /v1/quotas}

Scope Types:
  • system

Delete the project quotas configuration for the project with the requested UUID.

secret_meta:get
Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)

Operations:
  • GET /v1/secrets/{secret-id}/metadata

  • GET /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types:
  • project

metadata/: Lists a secrets user-defined metadata. || metadata/{key}: Retrieves a secrets user-added metadata.

secret_meta:post
Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:
  • POST /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types:
  • project

Adds a new key/value pair to the secrets user-defined metadata.

secret_meta:put
Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:
  • PUT /v1/secrets/{secret-id}/metadata

  • PUT /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types:
  • project

metadata/: Sets the user-defined metadata for a secret || metadata/{key}: Updates an existing key/value pair in the secrets user-defined metadata.

secret_meta:delete
Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:
  • DELETE /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types:
  • project

Delete secret user-defined metadata by key.

secret:decrypt
Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)

Operations:
  • GET /v1/secrets/{uuid}/payload

Scope Types:
  • project

Retrieve a secrets payload.

secret:get
Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)

Operations:
  • GET /v1/secrets/{secret-id}

Scope Types:
  • project

Retrieves a secrets metadata.

secret:put
Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:
  • PUT /v1/secrets/{secret-id}

Scope Types:
  • project

Add the payload to an existing metadata-only secret.

secret:delete
Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:
  • DELETE /v1/secrets/{secret-id}

Scope Types:
  • project

Delete a secret by uuid.

secrets:post
Default:

True:%(enforce_new_defaults)s and role:member

Operations:
  • POST /v1/secrets

Scope Types:
  • project

Creates a Secret entity.

secrets:get
Default:

True:%(enforce_new_defaults)s and role:member

Operations:
  • GET /v1/secrets

Scope Types:
  • project

Lists a projects secrets.

secretstores:get
Default:

True:%(enforce_new_defaults)s and role:reader

Operations:
  • GET /v1/secret-stores

Scope Types:
  • project

  • system

Get list of available secret store backends.

secretstores:get_global_default
Default:

True:%(enforce_new_defaults)s and role:reader

Operations:
  • GET /v1/secret-stores/global-default

Scope Types:
  • project

  • system

Get a reference to the secret store that is used as default secret store backend for the deployment.

secretstores:get_preferred
Default:

True:%(enforce_new_defaults)s and role:reader

Operations:
  • GET /v1/secret-stores/preferred

Scope Types:
  • project

  • system

Get a reference to the preferred secret store if assigned previously.

secretstore_preferred:post
Default:

True:%(enforce_new_defaults)s and role:admin

Operations:
  • POST /v1/secret-stores/{ss-id}/preferred

Scope Types:
  • project

Set a secret store backend to be preferred store backend for their project.

secretstore_preferred:delete
Default:

True:%(enforce_new_defaults)s and role:admin

Operations:
  • DELETE /v1/secret-stores/{ss-id}/preferred

Scope Types:
  • project

Remove preferred secret store backend setting for their project.

secretstore:get
Default:

True:%(enforce_new_defaults)s and role:reader

Operations:
  • GET /v1/secret-stores/{ss-id}

Scope Types:
  • project

  • system

Get details of secret store by its ID.

transport_key:get
Default:

True:%(enforce_new_defaults)s and role:reader

Operations:
  • GET /v1/transport_keys/{key-id}}

Scope Types:
  • project

  • system

Get a specific transport key.

transport_key:delete
Default:

True:%(enforce_new_defaults)s and rule:system_admin

Operations:
  • DELETE /v1/transport_keys/{key-id}

Scope Types:
  • system

Delete a specific transport key.

transport_keys:get
Default:

True:%(enforce_new_defaults)s and role:reader

Operations:
  • GET /v1/transport_keys

Scope Types:
  • project

  • system

Get a list of all transport keys.

transport_keys:post
Default:

True:%(enforce_new_defaults)s and rule:system_admin

Operations:
  • POST /v1/transport_keys

Scope Types:
  • system

Create a new transport key.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.