Policy configuration¶
Warning
JSON formatted policy file is deprecated since Barbican 12.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
Configuration¶
The following is an overview of all available policies in Barbican. For a sample configuration file.
barbican¶
secret_project_match
- Default
project_id:%(target.secret.project_id)s
(no description provided)
secret_project_reader
- Default
role:reader and rule:secret_project_match
(no description provided)
secret_project_member
- Default
role:member and rule:secret_project_match
(no description provided)
secret_project_admin
- Default
role:admin and rule:secret_project_match
(no description provided)
secret_owner
- Default
user_id:%(target.secret.creator_id)s
(no description provided)
secret_is_not_private
- Default
True:%(target.secret.read_project_access)s
(no description provided)
secret_acl_read
- Default
'read':%(target.secret.read)s
(no description provided)
container_project_match
- Default
project_id:%(target.container.project_id)s
(no description provided)
container_project_member
- Default
role:member and rule:container_project_match
(no description provided)
container_project_admin
- Default
role:admin and rule:container_project_match
(no description provided)
container_owner
- Default
user_id:%(target.container.creator_id)s
(no description provided)
container_is_not_private
- Default
True:%(target.container.read_project_access)s
(no description provided)
container_acl_read
- Default
'read':%(target.container.read)s
(no description provided)
order_project_match
- Default
project_id:%(target.order.project_id)s
(no description provided)
order_project_member
- Default
role:member and rule:order_project_match
(no description provided)
audit
- Default
role:audit
(no description provided)
observer
- Default
role:observer
(no description provided)
creator
- Default
role:creator
(no description provided)
admin
- Default
role:admin
(no description provided)
service_admin
- Default
role:key-manager:service-admin
(no description provided)
all_users
- Default
rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
(no description provided)
all_but_audit
- Default
rule:admin or rule:observer or rule:creator
(no description provided)
admin_or_creator
- Default
rule:admin or rule:creator
(no description provided)
secret_creator_user
- Default
user_id:%(target.secret.creator_id)s
(no description provided)
secret_private_read
- Default
'False':%(target.secret.read_project_access)s
(no description provided)
secret_non_private_read
- Default
rule:all_users and rule:secret_project_match and not rule:secret_private_read
(no description provided)
secret_decrypt_non_private_read
- Default
rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read
(no description provided)
secret_project_creator
- Default
rule:creator and rule:secret_project_match and rule:secret_creator_user
(no description provided)
secret_project_creator_role
- Default
rule:creator and rule:secret_project_match
(no description provided)
container_private_read
- Default
'False':%(target.container.read_project_access)s
(no description provided)
container_creator_user
- Default
user_id:%(target.container.creator_id)s
(no description provided)
container_non_private_read
- Default
rule:all_users and rule:container_project_match and not rule:container_private_read
(no description provided)
container_project_creator
- Default
rule:creator and rule:container_project_match and rule:container_creator_user
(no description provided)
container_project_creator_role
- Default
rule:creator and rule:container_project_match
(no description provided)
secret_acls:get
- Default
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
- Operations
GET
/v1/secrets/{secret-id}/acl
- Scope Types
project
Retrieve the ACL settings for a given secret.If no ACL is defined for that secret, then Default ACL is returned.
secret_acls:delete
- Default
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
- Operations
DELETE
/v1/secrets/{secret-id}/acl
- Scope Types
project
Delete the ACL settings for a given secret.
secret_acls:put_patch
- Default
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
- Operations
PUT
/v1/secrets/{secret-id}/acl
PATCH
/v1/secrets/{secret-id}/acl
- Scope Types
project
Create new, replaces, or updates existing ACL for a given secret.
container_acls:get
- Default
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
- Operations
GET
/v1/containers/{container-id}/acl
- Scope Types
project
Retrieve the ACL settings for a given container.
container_acls:delete
- Default
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
- Operations
DELETE
/v1/containers/{container-id}/acl
- Scope Types
project
Delete ACL for a given container. No content is returned in the case of successful deletion.
container_acls:put_patch
- Default
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
- Operations
PUT
/v1/containers/{container-id}/acl
PATCH
/v1/containers/{container-id}/acl
- Scope Types
project
Create new or replaces existing ACL for a given container.
consumer:get
- Default
True:%(enforce_new_defaults)s and (role:admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
- Operations
GET
/v1/containers/{container-id}/consumers/{consumer-id}
- Scope Types
project
DEPRECATED: show information for a specific consumer
container_consumers:get
- Default
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
- Operations
GET
/v1/containers/{container-id}/consumers
- Scope Types
project
List a containers consumers.
container_consumers:post
- Default
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
- Operations
POST
/v1/containers/{container-id}/consumers
- Scope Types
project
Creates a consumer.
container_consumers:delete
- Default
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
- Operations
DELETE
/v1/containers/{container-id}/consumers
- Scope Types
project
Deletes a consumer.
secret_consumers:get
- Default
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
- Operations
GET
/v1/secrets/{secret-id}/consumers
- Scope Types
project
List consumers for a secret.
secret_consumers:post
- Default
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
- Operations
POST
/v1/secrets/{secrets-id}/consumers
- Scope Types
project
Creates a consumer.
secret_consumers:delete
- Default
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
- Operations
DELETE
/v1/secrets/{secrets-id}/consumers
- Scope Types
project
Deletes a consumer.
containers:post
- Default
True:%(enforce_new_defaults)s and role:member
- Operations
POST
/v1/containers
- Scope Types
project
Creates a container.
containers:get
- Default
True:%(enforce_new_defaults)s and role:member
- Operations
GET
/v1/containers
- Scope Types
project
Lists a projects containers.
container:get
- Default
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
- Operations
GET
/v1/containers/{container-id}
- Scope Types
project
Retrieves a single container.
container:delete
- Default
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
- Operations
DELETE
/v1/containers/{uuid}
- Scope Types
project
Deletes a container.
container_secret:post
- Default
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
- Operations
POST
/v1/containers/{container-id}/secrets
- Scope Types
project
Add a secret to an existing container.
container_secret:delete
- Default
True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
- Operations
DELETE
/v1/containers/{container-id}/secrets/{secret-id}
- Scope Types
project
Remove a secret from a container.
orders:get
- Default
True:%(enforce_new_defaults)s and role:member
- Operations
GET
/v1/orders
- Scope Types
project
Gets list of all orders associated with a project.
orders:post
- Default
True:%(enforce_new_defaults)s and role:member
- Operations
POST
/v1/orders
- Scope Types
project
Creates an order.
orders:put
- Default
True:%(enforce_new_defaults)s and role:member
- Operations
PUT
/v1/orders
- Scope Types
project
Unsupported method for the orders API.
order:get
- Default
True:%(enforce_new_defaults)s and rule:order_project_member
- Operations
GET
/v1/orders/{order-id}
- Scope Types
project
Retrieves an orders metadata.
order:delete
- Default
True:%(enforce_new_defaults)s and rule:order_project_member
- Operations
DELETE
/v1/orders/{order-id}
- Scope Types
project
Deletes an order.
quotas:get
- Default
True:%(enforce_new_defaults)s and role:reader
- Operations
GET
/v1/quotas
- Scope Types
project
List quotas for the project the user belongs to.
project_quotas:get
- Default
True:%(enforce_new_defaults)s and role:admin
- Operations
GET
/v1/project-quotas
GET
/v1/project-quotas/{uuid}
- Scope Types
project
List quotas for the specified project.
project_quotas:put
- Default
True:%(enforce_new_defaults)s and role:admin
- Operations
PUT
/v1/project-quotas/{uuid}
- Scope Types
project
Create or update the configured project quotas for the project with the specified UUID.
project_quotas:delete
- Default
True:%(enforce_new_defaults)s and role:admin
- Operations
DELETE
/v1/quotas}
- Scope Types
project
Delete the project quotas configuration for the project with the requested UUID.
secret_meta:get
- Default
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
- Operations
GET
/v1/secrets/{secret-id}/metadata
GET
/v1/secrets/{secret-id}/metadata/{meta-key}
- Scope Types
project
metadata/: Lists a secrets user-defined metadata. || metadata/{key}: Retrieves a secrets user-added metadata.
secret_meta:post
- Default
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
- Operations
POST
/v1/secrets/{secret-id}/metadata/{meta-key}
- Scope Types
project
Adds a new key/value pair to the secrets user-defined metadata.
secret_meta:put
- Default
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
- Operations
PUT
/v1/secrets/{secret-id}/metadata
PUT
/v1/secrets/{secret-id}/metadata/{meta-key}
- Scope Types
project
metadata/: Sets the user-defined metadata for a secret || metadata/{key}: Updates an existing key/value pair in the secrets user-defined metadata.
secret_meta:delete
- Default
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
- Operations
DELETE
/v1/secrets/{secret-id}/metadata/{meta-key}
- Scope Types
project
Delete secret user-defined metadata by key.
secret:decrypt
- Default
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
- Operations
GET
/v1/secrets/{uuid}/payload
- Scope Types
project
Retrieve a secrets payload.
secret:get
- Default
True:%(enforce_new_defaults)s and (role:admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
- Operations
GET
/v1/secrets/{secret-id}
- Scope Types
project
Retrieves a secrets metadata.
secret:put
- Default
True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
- Operations
PUT
/v1/secrets/{secret-id}
- Scope Types
project
Add the payload to an existing metadata-only secret.
secret:delete
- Default
True:%(enforce_new_defaults)s and (role:admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
- Operations
DELETE
/v1/secrets/{secret-id}
- Scope Types
project
Delete a secret by uuid.
secrets:post
- Default
True:%(enforce_new_defaults)s and role:member
- Operations
POST
/v1/secrets
- Scope Types
project
Creates a Secret entity.
secrets:get
- Default
True:%(enforce_new_defaults)s and role:member
- Operations
GET
/v1/secrets
- Scope Types
project
Lists a projects secrets.
secretstores:get
- Default
True:%(enforce_new_defaults)s and role:reader
- Operations
GET
/v1/secret-stores
- Scope Types
project
Get list of available secret store backends.
secretstores:get_global_default
- Default
True:%(enforce_new_defaults)s and role:reader
- Operations
GET
/v1/secret-stores/global-default
- Scope Types
project
Get a reference to the secret store that is used as default secret store backend for the deployment.
secretstores:get_preferred
- Default
True:%(enforce_new_defaults)s and role:reader
- Operations
GET
/v1/secret-stores/preferred
- Scope Types
project
Get a reference to the preferred secret store if assigned previously.
secretstore_preferred:post
- Default
True:%(enforce_new_defaults)s and role:admin
- Operations
POST
/v1/secret-stores/{ss-id}/preferred
- Scope Types
project
Set a secret store backend to be preferred store backend for their project.
secretstore_preferred:delete
- Default
True:%(enforce_new_defaults)s and role:admin
- Operations
DELETE
/v1/secret-stores/{ss-id}/preferred
- Scope Types
project
Remove preferred secret store backend setting for their project.
secretstore:get
- Default
True:%(enforce_new_defaults)s and role:reader
- Operations
GET
/v1/secret-stores/{ss-id}
- Scope Types
project
Get details of secret store by its ID.
transport_key:get
- Default
True:%(enforce_new_defaults)s and role:reader
- Operations
GET
/v1/transport_keys/{key-id}}
- Scope Types
project
Get a specific transport key.
transport_key:delete
- Default
True:%(enforce_new_defaults)s and role:admin
- Operations
DELETE
/v1/transport_keys/{key-id}
- Scope Types
project
Delete a specific transport key.
transport_keys:get
- Default
True:%(enforce_new_defaults)s and role:reader
- Operations
GET
/v1/transport_keys
- Scope Types
project
Get a list of all transport keys.
transport_keys:post
- Default
True:%(enforce_new_defaults)s and role:admin
- Operations
POST
/v1/transport_keys
- Scope Types
project
Create a new transport key.