Warning
JSON formatted policy file is deprecated since Barbican 12.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
The following is an overview of all available policies in Barbican. For a sample configuration file.
system_reader
role:reader and system_scope:all
(no description provided)
system_admin
role:admin and system_scope:all
(no description provided)
secret_project_match
project_id:%(target.secret.project_id)s
(no description provided)
secret_project_reader
role:reader and rule:secret_project_match
(no description provided)
secret_project_member
role:member and rule:secret_project_match
(no description provided)
secret_project_admin
role:admin and rule:secret_project_match
(no description provided)
secret_owner
user_id:%(target.secret.creator_id)s
(no description provided)
secret_is_not_private
True:%(target.secret.read_project_access)s
(no description provided)
secret_acl_read
'read':%(target.secret.read)s
(no description provided)
container_project_match
project_id:%(target.container.project_id)s
(no description provided)
container_project_member
role:member and rule:container_project_match
(no description provided)
container_project_admin
role:admin and rule:container_project_match
(no description provided)
container_owner
user_id:%(target.container.creator_id)s
(no description provided)
container_is_not_private
True:%(target.container.read_project_access)s
(no description provided)
container_acl_read
'read':%(target.container.read)s
(no description provided)
order_project_match
project_id:%(target.order.project_id)s
(no description provided)
order_project_member
role:member and rule:order_project_match
(no description provided)
audit
role:audit
(no description provided)
observer
role:observer
(no description provided)
creator
role:creator
(no description provided)
admin
role:admin
(no description provided)
service_admin
role:key-manager:service-admin
(no description provided)
all_users
rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
(no description provided)
all_but_audit
rule:admin or rule:observer or rule:creator
(no description provided)
admin_or_creator
rule:admin or rule:creator
(no description provided)
secret_creator_user
user_id:%(target.secret.creator_id)s
(no description provided)
secret_private_read
'False':%(target.secret.read_project_access)s
(no description provided)
secret_non_private_read
rule:all_users and rule:secret_project_match and not rule:secret_private_read
(no description provided)
secret_decrypt_non_private_read
rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read
(no description provided)
secret_project_creator
rule:creator and rule:secret_project_match and rule:secret_creator_user
(no description provided)
secret_project_creator_role
rule:creator and rule:secret_project_match
(no description provided)
container_private_read
'False':%(target.container.read_project_access)s
(no description provided)
container_creator_user
user_id:%(target.container.creator_id)s
(no description provided)
container_non_private_read
rule:all_users and rule:container_project_match and not rule:container_private_read
(no description provided)
container_project_creator
rule:creator and rule:container_project_match and rule:container_creator_user
(no description provided)
container_project_creator_role
rule:creator and rule:container_project_match
(no description provided)
secret_acls:get
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
GET /v1/secrets/{secret-id}/acl
project
Retrieve the ACL settings for a given secret.If no ACL is defined for that secret, then Default ACL is returned.
secret_acls:delete
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
DELETE /v1/secrets/{secret-id}/acl
project
Delete the ACL settings for a given secret.
secret_acls:put_patch
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
PUT /v1/secrets/{secret-id}/acl
PATCH /v1/secrets/{secret-id}/acl
project
Create new, replaces, or updates existing ACL for a given secret.
container_acls:get
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
GET /v1/containers/{container-id}/acl
project
Retrieve the ACL settings for a given container.
container_acls:delete
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
DELETE /v1/containers/{container-id}/acl
project
Delete ACL for a given container. No content is returned in the case of successful deletion.
container_acls:put_patch
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
PUT /v1/containers/{container-id}/acl
PATCH /v1/containers/{container-id}/acl
project
Create new or replaces existing ACL for a given container.
consumer:get
True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
GET /v1/containers/{container-id}/consumers/{consumer-id}
project
system
DEPRECATED: show information for a specific consumer
container_consumers:get
True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
GET /v1/containers/{container-id}/consumers
project
system
List a containers consumers.
container_consumers:post
True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
POST /v1/containers/{container-id}/consumers
project
system
Creates a consumer.
container_consumers:delete
True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
DELETE /v1/containers/{container-id}/consumers
project
system
Deletes a consumer.
secret_consumers:get
True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
GET /v1/secrets/{secret-id}/consumers
project
system
List consumers for a secret.
secret_consumers:post
True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
POST /v1/secrets/{secrets-id}/consumers
project
system
Creates a consumer.
secret_consumers:delete
True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
DELETE /v1/secrets/{secrets-id}/consumers
project
system
Deletes a consumer.
containers:post
True:%(enforce_new_defaults)s and role:member
POST /v1/containers
project
Creates a container.
containers:get
True:%(enforce_new_defaults)s and role:member
GET /v1/containers
project
Lists a projects containers.
container:get
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
GET /v1/containers/{container-id}
project
Retrieves a single container.
container:delete
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
DELETE /v1/containers/{uuid}
project
Deletes a container.
container_secret:post
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
POST /v1/containers/{container-id}/secrets
project
Add a secret to an existing container.
container_secret:delete
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
DELETE /v1/containers/{container-id}/secrets/{secret-id}
project
Remove a secret from a container.
orders:get
True:%(enforce_new_defaults)s and role:member
GET /v1/orders
project
Gets list of all orders associated with a project.
orders:post
True:%(enforce_new_defaults)s and role:member
POST /v1/orders
project
Creates an order.
orders:put
True:%(enforce_new_defaults)s and role:member
PUT /v1/orders
project
Unsupported method for the orders API.
order:get
True:%(enforce_new_defaults)s and rule:order_project_member
GET /v1/orders/{order-id}
project
Retrieves an orders metadata.
order:delete
True:%(enforce_new_defaults)s and rule:order_project_member
DELETE /v1/orders/{order-id}
project
Deletes an order.
quotas:get
True:%(enforce_new_defaults)s and role:reader
GET /v1/quotas
project
List quotas for the project the user belongs to.
project_quotas:get
True:%(enforce_new_defaults)s and rule:system_reader
GET /v1/project-quotas
GET /v1/project-quotas/{uuid}
system
List quotas for the specified project.
project_quotas:put
True:%(enforce_new_defaults)s and rule:system_admin
PUT /v1/project-quotas/{uuid}
system
Create or update the configured project quotas for the project with the specified UUID.
project_quotas:delete
True:%(enforce_new_defaults)s and rule:system_admin
DELETE /v1/quotas}
system
Delete the project quotas configuration for the project with the requested UUID.
secret_meta:get
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
GET /v1/secrets/{secret-id}/metadata
GET /v1/secrets/{secret-id}/metadata/{meta-key}
project
metadata/: Lists a secrets user-defined metadata. || metadata/{key}: Retrieves a secrets user-added metadata.
secret_meta:post
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
POST /v1/secrets/{secret-id}/metadata/{meta-key}
project
Adds a new key/value pair to the secrets user-defined metadata.
secret_meta:put
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
PUT /v1/secrets/{secret-id}/metadata
PUT /v1/secrets/{secret-id}/metadata/{meta-key}
project
metadata/: Sets the user-defined metadata for a secret || metadata/{key}: Updates an existing key/value pair in the secrets user-defined metadata.
secret_meta:delete
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
DELETE /v1/secrets/{secret-id}/metadata/{meta-key}
project
Delete secret user-defined metadata by key.
secret:decrypt
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
GET /v1/secrets/{uuid}/payload
project
Retrieve a secrets payload.
secret:get
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
GET /v1/secrets/{secret-id}
project
Retrieves a secrets metadata.
secret:put
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
PUT /v1/secrets/{secret-id}
project
Add the payload to an existing metadata-only secret.
secret:delete
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
DELETE /v1/secrets/{secret-id}
project
Delete a secret by uuid.
secrets:post
True:%(enforce_new_defaults)s and role:member
POST /v1/secrets
project
Creates a Secret entity.
secrets:get
True:%(enforce_new_defaults)s and role:member
GET /v1/secrets
project
Lists a projects secrets.
secretstores:get
True:%(enforce_new_defaults)s and role:reader
GET /v1/secret-stores
project
system
Get list of available secret store backends.
secretstores:get_global_default
True:%(enforce_new_defaults)s and role:reader
GET /v1/secret-stores/global-default
project
system
Get a reference to the secret store that is used as default secret store backend for the deployment.
secretstores:get_preferred
True:%(enforce_new_defaults)s and role:reader
GET /v1/secret-stores/preferred
project
system
Get a reference to the preferred secret store if assigned previously.
secretstore_preferred:post
True:%(enforce_new_defaults)s and role:admin
POST /v1/secret-stores/{ss-id}/preferred
project
Set a secret store backend to be preferred store backend for their project.
secretstore_preferred:delete
True:%(enforce_new_defaults)s and role:admin
DELETE /v1/secret-stores/{ss-id}/preferred
project
Remove preferred secret store backend setting for their project.
secretstore:get
True:%(enforce_new_defaults)s and role:reader
GET /v1/secret-stores/{ss-id}
project
system
Get details of secret store by its ID.
transport_key:get
True:%(enforce_new_defaults)s and role:reader
GET /v1/transport_keys/{key-id}}
project
system
Get a specific transport key.
transport_key:delete
True:%(enforce_new_defaults)s and rule:system_admin
DELETE /v1/transport_keys/{key-id}
system
Delete a specific transport key.
transport_keys:get
True:%(enforce_new_defaults)s and role:reader
GET /v1/transport_keys
project
system
Get a list of all transport keys.
transport_keys:post
True:%(enforce_new_defaults)s and rule:system_admin
POST /v1/transport_keys
system
Create a new transport key.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.