Policy configuration

Configuration

The following is an overview of all available policies in Barbican. For a sample configuration file.
barbican

admin
    Default: role:admin
    (no description provided)
observer
    Default: role:observer
    (no description provided)
creator
    Default: role:creator
    (no description provided)
audit
    Default: role:audit
    (no description provided)
service_admin
    Default: role:key-manager:service-admin
    (no description provided)
admin_or_creator
    Default: rule:admin or rule:creator
    (no description provided)
all_but_audit
    Default: rule:admin or rule:observer or rule:creator
    (no description provided)
all_users
    Default: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
    (no description provided)
secret_project_match
    Default: project_id:%(target.secret.project_id)s
    (no description provided)
secret_acl_read
    Default: 'read':%(target.secret.read)s
    (no description provided)
secret_private_read
    Default: 'False':%(target.secret.read_project_access)s
    (no description provided)
secret_creator_user
    Default: user_id:%(target.secret.creator_id)s
    (no description provided)
container_project_match
    Default: project_id:%(target.container.project_id)s
    (no description provided)
container_acl_read
    Default: 'read':%(target.container.read)s
    (no description provided)
container_private_read
    Default: 'False':%(target.container.read_project_access)s
    (no description provided)
container_creator_user
    Default: user_id:%(target.container.creator_id)s
    (no description provided)
secret_non_private_read
    Default: rule:all_users and rule:secret_project_match and not rule:secret_private_read
    (no description provided)
secret_decrypt_non_private_read
    Default: rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read
    (no description provided)
container_non_private_read
    Default: rule:all_users and rule:container_project_match and not rule:container_private_read
    (no description provided)
secret_project_admin
    Default: rule:admin and rule:secret_project_match
    (no description provided)
secret_project_creator
    Default: rule:creator and rule:secret_project_match and rule:secret_creator_user
    (no description provided)
secret_project_creator_role
    Default: rule:creator and rule:secret_project_match
    (no description provided)
container_project_admin
    Default: rule:admin and rule:container_project_match
    (no description provided)
container_project_creator
    Default: rule:creator and rule:container_project_match and rule:container_creator_user
    (no description provided)
container_project_creator_role
    Default: rule:creator and rule:container_project_match
    (no description provided)
secret_acls:get
    Default: rule:all_but_audit and rule:secret_project_match
    Operations:
        GET /v1/secrets/{secret-id}/acl
    Scope Types: (none)
    Retrieve the ACL settings for a given secret. If no ACL is defined for that secret, the default ACL is returned.
secret_acls:delete
    Default: rule:secret_project_admin or rule:secret_project_creator
    Operations:
        DELETE /v1/secrets/{secret-id}/acl
    Scope Types: (none)
    Delete the ACL settings for a given secret.
secret_acls:put_patch
    Default: rule:secret_project_admin or rule:secret_project_creator
    Operations:
        PUT /v1/secrets/{secret-id}/acl
        PATCH /v1/secrets/{secret-id}/acl
    Scope Types: (none)
    Create a new ACL, or replace or update the existing ACL, for a given secret.
container_acls:get
    Default: rule:all_but_audit and rule:container_project_match
    Operations:
        GET /v1/containers/{container-id}/acl
    Scope Types: (none)
    Retrieve the ACL settings for a given container.
container_acls:delete
    Default: rule:container_project_admin or rule:container_project_creator
    Operations:
        DELETE /v1/containers/{container-id}/acl
    Scope Types: (none)
    Delete the ACL for a given container. No content is returned on successful deletion.
container_acls:put_patch
    Default: rule:container_project_admin or rule:container_project_creator
    Operations:
        PUT /v1/containers/{container-id}/acl
        PATCH /v1/containers/{container-id}/acl
    Scope Types: (none)
    Create a new ACL or replace the existing ACL for a given container.
consumer:get
    Default: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
    Operations:
        GET /v1/containers/{container-id}/consumers/{consumer-id}
    Scope Types: (none)
    Retrieve a specific consumer of a given container.
consumers:get
    Default: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
    Operations:
        GET /v1/containers/{container-id}/consumers
    Scope Types: (none)
    List a container's consumers.
consumers:post
    Default: rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
    Operations:
        POST /v1/containers/{container-id}/consumers
    Scope Types: (none)
    Create a consumer.
consumers:delete
    Default: rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
    Operations:
        DELETE /v1/containers/{container-id}/consumers/{consumer-id}
    Scope Types: (none)
    Delete a consumer.
containers:post
    Default: rule:admin_or_creator
    Operations:
        POST /v1/containers
    Scope Types: (none)
    Create a container.
containers:get
    Default: rule:all_but_audit
    Operations:
        GET /v1/containers
    Scope Types: (none)
    List a project's containers.
container:get
    Default: rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
    Operations:
        GET /v1/containers/{container-id}
    Scope Types: (none)
    Retrieve a single container.
container:delete
    Default: rule:container_project_admin or rule:container_project_creator
    Operations:
        DELETE /v1/containers/{container-id}
    Scope Types: (none)
    Delete a container.
container_secret:post
    Default: rule:container_project_admin or rule:container_project_creator or (rule:container_project_creator_role and rule:container_non_private_read)
    Operations:
        POST /v1/containers/{container-id}/secrets
    Scope Types: (none)
    Add a secret to an existing container. Note that "and" binds tighter than "or" in the policy language, so the third alternative only admits a creator-role user who is not the container's creator when the container is not private.
container_secret:delete
    Default: rule:container_project_admin or rule:container_project_creator or (rule:container_project_creator_role and rule:container_non_private_read)
    Operations:
        DELETE /v1/containers/{container-id}/secrets/{secret-id}
    Scope Types: (none)
    Remove a secret from a container.
orders:get
    Default: rule:all_but_audit
    Operations:
        GET /v1/orders
    Scope Types: (none)
    List all orders associated with a project.
orders:post
    Default: rule:admin_or_creator
    Operations:
        POST /v1/orders
    Scope Types: (none)
    Create an order.
orders:put
    Default: rule:admin_or_creator
    Operations:
        PUT /v1/orders
    Scope Types: (none)
    Unsupported method for the orders API.
order:get
    Default: rule:all_users
    Operations:
        GET /v1/orders/{order-id}
    Scope Types: (none)
    Retrieve an order's metadata.
order:delete
    Default: rule:admin
    Operations:
        DELETE /v1/orders/{order-id}
    Scope Types: (none)
    Delete an order.
quotas:get
    Default: rule:all_users
    Operations:
        GET /v1/quotas
    Scope Types: (none)
    List quotas for the project the user belongs to.
project_quotas:get
    Default: rule:service_admin
    Operations:
        GET /v1/project-quotas
        GET /v1/project-quotas/{uuid}
    Scope Types: (none)
    List quotas for the specified project.
project_quotas:put
    Default: rule:service_admin
    Operations:
        PUT /v1/project-quotas/{uuid}
    Scope Types: (none)
    Create or update the configured project quotas for the project with the specified UUID.
project_quotas:delete
    Default: rule:service_admin
    Operations:
        DELETE /v1/project-quotas/{uuid}
    Scope Types: (none)
    Delete the project quotas configuration for the project with the requested UUID.
secret_meta:get
    Default: rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read
    Operations:
        GET /v1/secrets/{secret-id}/metadata
        GET /v1/secrets/{secret-id}/metadata/{meta-key}
    Scope Types: (none)
    metadata/: list a secret's user-defined metadata. metadata/{key}: retrieve one entry of a secret's user-defined metadata.
secret_meta:post
    Default: rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read)
    Operations:
        POST /v1/secrets/{secret-id}/metadata/{meta-key}
    Scope Types: (none)
    Add a new key/value pair to the secret's user-defined metadata.
secret_meta:put
    Default: rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read)
    Operations:
        PUT /v1/secrets/{secret-id}/metadata
        PUT /v1/secrets/{secret-id}/metadata/{meta-key}
    Scope Types: (none)
    metadata/: set the user-defined metadata for a secret. metadata/{key}: update an existing key/value pair in the secret's user-defined metadata.
secret_meta:delete
    Default: rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read)
    Operations:
        DELETE /v1/secrets/{secret-id}/metadata/{meta-key}
    Scope Types: (none)
    Delete one entry of a secret's user-defined metadata by key.
secret:decrypt
    Default: rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read
    Operations:
        GET /v1/secrets/{secret-id}/payload
    Scope Types: (none)
    Retrieve a secret's payload. Unlike secret:get, the project-wide path goes through rule:all_but_audit, so the audit role can read a secret's metadata but never its payload.
secret:get
    Default: rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read
    Operations:
        GET /v1/secrets/{secret-id}
    Scope Types: (none)
    Retrieve a secret's metadata.
secret:put
    Default: rule:admin_or_creator and rule:secret_project_match
    Operations:
        PUT /v1/secrets/{secret-id}
    Scope Types: (none)
    Add the payload to an existing metadata-only secret.
secret:delete
    Default: rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and not rule:secret_private_read)
    Operations:
        DELETE /v1/secrets/{secret-id}
    Scope Types: (none)
    Delete a secret by UUID.
secrets:post
    Default: rule:admin_or_creator
    Operations:
        POST /v1/secrets
    Scope Types: (none)
    Create a secret entity.
secrets:get
    Default: rule:all_but_audit
    Operations:
        GET /v1/secrets
    Scope Types: (none)
    List a project's secrets.
secretstores:get
    Default: rule:admin
    Operations:
        GET /v1/secret-stores
    Scope Types: (none)
    Get the list of available secret store backends.
secretstores:get_global_default
    Default: rule:admin
    Operations:
        GET /v1/secret-stores/global-default
    Scope Types: (none)
    Get a reference to the secret store that is used as the default secret store backend for the deployment.
secretstores:get_preferred
    Default: rule:admin
    Operations:
        GET /v1/secret-stores/preferred
    Scope Types: (none)
    Get a reference to the preferred secret store, if one was assigned previously.
secretstore_preferred:post
    Default: rule:admin
    Operations:
        POST /v1/secret-stores/{ss-id}/preferred
    Scope Types: (none)
    Set a secret store backend as the preferred store backend for the caller's project.
secretstore_preferred:delete
    Default: rule:admin
    Operations:
        DELETE /v1/secret-stores/{ss-id}/preferred
    Scope Types: (none)
    Remove the preferred secret store backend setting for the caller's project.
secretstore:get
    Default: rule:admin
    Operations:
        GET /v1/secret-stores/{ss-id}
    Scope Types: (none)
    Get details of a secret store by its ID.
transport_key:get
    Default: rule:all_users
    Operations:
        GET /v1/transport_keys/{key-id}
    Scope Types: (none)
    Get a specific transport key.
transport_key:delete
    Default: rule:admin
    Operations:
        DELETE /v1/transport_keys/{key-id}
    Scope Types: (none)
    Delete a specific transport key.
transport_keys:get
    Default: rule:all_users
    Operations:
        GET /v1/transport_keys
    Scope Types: (none)
    Get a list of all transport keys.
transport_keys:post
    Default: rule:admin
    Operations:
        POST /v1/transport_keys
    Scope Types: (none)
    Create a new transport key.
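The composite rules above are easiest to understand by evaluating them. The following Python is an added example, not Barbican's or oslo.policy's code: it parses the secret-related defaults listed on this page with a small oslo.policy-style evaluator and decides secret:get, secret:decrypt and secret:delete for constructed callers. It assumes the caller's credentials are a dict with roles, project_id and user_id (as a Keystone token provides), that the target is flattened to dotted keys in the shape the rule strings index (target.secret.read is the literal string "read" when the caller is on the secret's read ACL, target.secret.read_project_access is the ACL's project_access flag, and neither key exists when the secret has no ACL), that a generic check whose target key is missing fails closed, and that "and" binds tighter than "or". The helper names (parse, evaluate, secret_target, allowed) are this example's own.

```python
import re

# Defaults copied from the reference above (the secret-related subset).
POLICY = {
    "admin": "role:admin",
    "observer": "role:observer",
    "creator": "role:creator",
    "audit": "role:audit",
    "service_admin": "role:key-manager:service-admin",
    "all_but_audit": "rule:admin or rule:observer or rule:creator",
    "all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin",
    "secret_project_match": "project_id:%(target.secret.project_id)s",
    "secret_acl_read": "'read':%(target.secret.read)s",
    "secret_private_read": "'False':%(target.secret.read_project_access)s",
    "secret_creator_user": "user_id:%(target.secret.creator_id)s",
    "secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read",
    "secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
    "secret_project_admin": "rule:admin and rule:secret_project_match",
    "secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user",
    "secret_project_creator_role": "rule:creator and rule:secret_project_match",
    "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
    "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
    "secret:delete": "rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and not rule:secret_private_read)",
}

# Tokens: parentheses, keywords, or a kind:match check; a %(key)s match keeps its own parentheses.
TOKEN_RE = re.compile(r"\(|\)|\b(?:and|or|not)\b|"
                      r"(?:'[^']*'|[A-Za-z_][\w.]*):(?:%\([^)]*\)s|[^\s()]*)")


def parse(text):
    """Recursive descent; 'and' binds tighter than 'or', as in oslo.policy."""
    toks = TOKEN_RE.findall(text)

    def p_or():
        node = p_and()
        while toks[:1] == ["or"]:
            toks.pop(0)
            node = ("or", node, p_and())
        return node

    def p_and():
        node = p_not()
        while toks[:1] == ["and"]:
            toks.pop(0)
            node = ("and", node, p_not())
        return node

    def p_not():
        tok = toks.pop(0)
        if tok == "not":
            return ("not", p_not())
        if tok == "(":
            node = p_or()
            if toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses in: " + text)
            return node
        kind, _, match = tok.partition(":")
        return ("check", kind, match)

    node = p_or()
    if toks:
        raise ValueError("trailing tokens in: " + text)
    return node


RULES = {name: parse(text) for name, text in POLICY.items()}


def evaluate(node, creds, target):
    """creds: token values (roles, project_id, user_id); target: flat dict keyed target.secret.<field>."""
    op = node[0]
    if op == "or":
        return evaluate(node[1], creds, target) or evaluate(node[2], creds, target)
    if op == "and":
        return evaluate(node[1], creds, target) and evaluate(node[2], creds, target)
    if op == "not":
        return not evaluate(node[1], creds, target)
    kind, match = node[1], node[2]
    if kind == "rule":
        return evaluate(RULES[match], creds, target)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:                        # generic check: expand %(key)s from the target;
        match = match % target  # a missing key fails closed
    except KeyError:
        return False
    left = kind.strip("'") if kind.startswith("'") else creds.get(kind)
    return left is not None and match == str(left)


def secret_target(project_id, creator_id, acl=None, caller=None):
    """Flattened target for one secret. Assumption (mine): with an ACL, 'read' is the
    literal 'read' when the caller is on the read ACL and 'read_project_access' is the
    ACL's project_access flag; with no ACL neither key exists."""
    t = {"target.secret.project_id": project_id, "target.secret.creator_id": creator_id}
    if acl is not None:
        t["target.secret.read_project_access"] = acl["project_access"]
        if caller in acl["users"]:
            t["target.secret.read"] = "read"
    return t


def allowed(action, creds, target):
    return evaluate(RULES[action], creds, target)
```

With constructed callers, `allowed("secret:get", auditor, secret_target("p1", "c"))` is true for an audit-role user in project p1 while `allowed("secret:decrypt", ...)` for the same user is false; marking the secret private (an ACL with project_access False) makes secret:get false for a same-project observer who is not on the ACL, but true for the creator and for a user from another project who is listed on the read ACL. The parenthesised third alternative of secret:delete (and, by the same precedence, of container_secret:post and container_secret:delete) lets a second creator-role user in the project delete a non-private secret but not a private one.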