Barbican Sample Policy

Barbican Sample Policy

The following is a sample Barbican policy file that has been auto-generated from default policy values in code. If you’re using the default policies, then the maintenance of this file is not necessary, and it should not be copied into a deployment. Doing so will result in duplicate policy definitions. It is here to help explain which policy operations protect specific Barbican APIs, but it is not suggested to copy and paste into a deployment unless you’re planning on providing a different policy for an operation that is not the default.

The sample policy file can also be viewed in file form.

#
#"admin": "role:admin"

#
#"observer": "role:observer"

#
#"creator": "role:creator"

#
#"audit": "role:audit"

#
#"service_admin": "role:key-manager:service-admin"

#
#"admin_or_user_does_not_work": "project_id:%(project_id)s"

#
#"admin_or_user": "rule:admin or project_id:%(project_id)s"

#
#"admin_or_creator": "rule:admin or rule:creator"

#
#"all_but_audit": "rule:admin or rule:observer or rule:creator"

#
#"all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"

#
#"secret_project_match": "project:%(target.secret.project_id)s"

#
#"secret_acl_read": "'read':%(target.secret.read)s"

#
#"secret_private_read": "'False':%(target.secret.read_project_access)s"

#
#"secret_creator_user": "user:%(target.secret.creator_id)s"

#
#"container_project_match": "project:%(target.container.project_id)s"

#
#"container_acl_read": "'read':%(target.container.read)s"

#
#"container_private_read": "'False':%(target.container.read_project_access)s"

#
#"container_creator_user": "user:%(target.container.creator_id)s"

#
#"secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read"

#
#"secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"

#
#"container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read"

#
#"secret_project_admin": "rule:admin and rule:secret_project_match"

#
#"secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user"

#
#"container_project_admin": "rule:admin and rule:container_project_match"

#
#"container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user"

#
#"secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator"

#
#"secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator"

#
#"secret_acls:get": "rule:all_but_audit and rule:secret_project_match"

#
#"container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator"

#
#"container_acls:delete": "rule:container_project_admin or rule:container_project_creator"

#
#"container_acls:get": "rule:all_but_audit and rule:container_project_match"

#
#"certificate_authorities:get_limited": "rule:all_users"

#
#"certificate_authorities:get_all": "rule:admin"

#
#"certificate_authorities:post": "rule:admin"

#
#"certificate_authorities:get_preferred_ca": "rule:all_users"

#
#"certificate_authorities:get_global_preferred_ca": "rule:service_admin"

#
#"certificate_authorities:unset_global_preferred": "rule:service_admin"

#
#"certificate_authority:delete": "rule:admin"

#
#"certificate_authority:get": "rule:all_users"

#
#"certificate_authority:get_cacert": "rule:all_users"

#
#"certificate_authority:get_ca_cert_chain": "rule:all_users"

#
#"certificate_authority:get_projects": "rule:service_admin"

#
#"certificate_authority:add_to_project": "rule:admin"

#
#"certificate_authority:remove_from_project": "rule:admin"

#
#"certificate_authority:set_preferred": "rule:admin"

#
#"certificate_authority:set_global_preferred": "rule:service_admin"

#
#"consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"

#
#"consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"

#
#"consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"

#
#"consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"

#
#"containers:post": "rule:admin_or_creator"

#
#"containers:get": "rule:all_but_audit"

#
#"container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"

#
#"container:delete": "rule:container_project_admin or rule:container_project_creator"

#
#"container_secret:post": "rule:admin"

#
#"container_secret:delete": "rule:admin"

#
#"orders:post": "rule:admin_or_creator"

#
#"orders:get": "rule:all_but_audit"

#
#"order:get": "rule:all_users"

#
#"order:put": "rule:admin_or_creator"

#
#"order:delete": "rule:admin"

#
#"quotas:get": "rule:all_users"

#
#"project_quotas:get": "rule:service_admin"

#
#"project_quotas:put": "rule:service_admin"

#
#"project_quotas:delete": "rule:service_admin"

#
#"secret_meta:get": "rule:all_but_audit"

#
#"secret_meta:post": "rule:admin_or_creator"

#
#"secret_meta:put": "rule:admin_or_creator"

#
#"secret_meta:delete": "rule:admin_or_creator"

#
#"secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read"

#
#"secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read"

#
#"secret:put": "rule:admin_or_creator and rule:secret_project_match"

#
#"secret:delete": "rule:secret_project_admin or rule:secret_project_creator"

#
#"secrets:post": "rule:admin_or_creator"

#
#"secrets:get": "rule:all_but_audit"

#
#"secretstores:get": "rule:admin"

#
#"secretstores:get_global_default": "rule:admin"

#
#"secretstores:get_preferred": "rule:admin"

#
#"secretstore_preferred:post": "rule:admin"

#
#"secretstore_preferred:delete": "rule:admin"

#
#"secretstore:get": "rule:admin"

#
#"transport_key:get": "rule:all_users"

#
#"transport_key:delete": "rule:admin"

#
#"transport_keys:get": "rule:all_users"

#
#"transport_keys:post": "rule:admin"

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.