Policy configuration¶

Warning

JSON formatted policy file is deprecated since Barbican 12.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

Configuration¶

The following is an overview of all available policies in Barbican. For a sample configuration file.

barbican¶

secret_project_match

Default:: project_id:%(target.secret.project_id)s

(no description provided)

secret_project_reader

Default:: role:reader and rule:secret_project_match

(no description provided)

secret_project_member

Default:: role:member and rule:secret_project_match

(no description provided)

secret_project_admin

Default:: role:admin and rule:secret_project_match

(no description provided)

secret_owner

Default:: user_id:%(target.secret.creator_id)s

(no description provided)

secret_is_not_private

Default:: True:%(target.secret.read_project_access)s

(no description provided)

secret_acl_read

Default:: 'read':%(target.secret.read)s

(no description provided)

container_project_match

Default:: project_id:%(target.container.project_id)s

(no description provided)

container_project_member

Default:: role:member and rule:container_project_match

(no description provided)

container_project_admin

Default:: role:admin and rule:container_project_match

(no description provided)

container_owner

Default:: user_id:%(target.container.creator_id)s

(no description provided)

container_is_not_private

Default:: True:%(target.container.read_project_access)s

(no description provided)

container_acl_read

Default:: 'read':%(target.container.read)s

(no description provided)

order_project_match

Default:: project_id:%(target.order.project_id)s

(no description provided)

order_project_member

Default:: role:member and rule:order_project_match

(no description provided)

audit

Default:: role:audit

(no description provided)

observer

Default:: role:observer

(no description provided)

creator

Default:: role:creator

(no description provided)

admin

Default:: role:admin

(no description provided)

service_admin

Default:: role:key-manager:service-admin

(no description provided)

all_users

Default:: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin

(no description provided)

all_but_audit

Default:: rule:admin or rule:observer or rule:creator

(no description provided)

admin_or_creator

Default:: rule:admin or rule:creator

(no description provided)

secret_creator_user

Default:: user_id:%(target.secret.creator_id)s

(no description provided)

secret_private_read

Default:: 'False':%(target.secret.read_project_access)s

(no description provided)

secret_non_private_read

Default:: rule:all_users and rule:secret_project_match and not rule:secret_private_read

(no description provided)

secret_decrypt_non_private_read

Default:: rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read

(no description provided)

secret_project_creator

Default:: rule:creator and rule:secret_project_match and rule:secret_creator_user

(no description provided)

secret_project_creator_role

Default:: rule:creator and rule:secret_project_match

(no description provided)

container_private_read

Default:: 'False':%(target.container.read_project_access)s

(no description provided)

container_creator_user

Default:: user_id:%(target.container.creator_id)s

(no description provided)

container_non_private_read

Default:: rule:all_users and rule:container_project_match and not rule:container_private_read

(no description provided)

container_project_creator

Default:: rule:creator and rule:container_project_match and rule:container_creator_user

(no description provided)

container_project_creator_role

Default:: rule:creator and rule:container_project_match

(no description provided)

secret_acls:get

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

GET /v1/secrets/{secret-id}/acl

Scope Types:

project

Retrieve the ACL settings for a given secret.If no ACL is defined for that secret, then Default ACL is returned.

secret_acls:delete

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

DELETE /v1/secrets/{secret-id}/acl

Scope Types:

project

Delete the ACL settings for a given secret.

secret_acls:put_patch

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

PUT /v1/secrets/{secret-id}/acl
PATCH /v1/secrets/{secret-id}/acl

Scope Types:

project

Create new, replaces, or updates existing ACL for a given secret.

container_acls:get

Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))

Operations:

GET /v1/containers/{container-id}/acl

Scope Types:

project

Retrieve the ACL settings for a given container.

container_acls:delete

Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))

Operations:

DELETE /v1/containers/{container-id}/acl

Scope Types:

project

Delete ACL for a given container. No content is returned in the case of successful deletion.

container_acls:put_patch

Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))

Operations:

PUT /v1/containers/{container-id}/acl
PATCH /v1/containers/{container-id}/acl

Scope Types:

project

Create new or replaces existing ACL for a given container.

consumer:get

Default:

True:%(enforce_new_defaults)s and (role:admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)

Operations:

GET /v1/containers/{container-id}/consumers/{consumer-id}

Scope Types:

project

DEPRECATED: show information for a specific consumer

container_consumers:get

Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)

Operations:

GET /v1/containers/{container-id}/consumers

Scope Types:

project

List a containers consumers.

container_consumers:post

Default:

Operations:

POST /v1/containers/{container-id}/consumers

Scope Types:

project

Creates a consumer.

container_consumers:delete

Default:

Operations:

DELETE /v1/containers/{container-id}/consumers

Scope Types:

project

Deletes a consumer.

secret_consumers:get

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)

Operations:

GET /v1/secrets/{secret-id}/consumers

Scope Types:

project

List consumers for a secret.

secret_consumers:post

Default:

Operations:

POST /v1/secrets/{secrets-id}/consumers

Scope Types:

project

Creates a consumer.

secret_consumers:delete

Default:

Operations:

DELETE /v1/secrets/{secrets-id}/consumers

Scope Types:

project

Deletes a consumer.

containers:post

Default:

True:%(enforce_new_defaults)s and role:member

Operations:

POST /v1/containers

Scope Types:

project

Creates a container.

containers:get

Default:

True:%(enforce_new_defaults)s and role:member

Operations:

GET /v1/containers

Scope Types:

project

Lists a projects containers.

container:get

Default:

Operations:

GET /v1/containers/{container-id}

Scope Types:

project

Retrieves a single container.

container:delete

Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))

Operations:

DELETE /v1/containers/{uuid}

Scope Types:

project

Deletes a container.

container_secret:post

Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))

Operations:

POST /v1/containers/{container-id}/secrets

Scope Types:

project

Add a secret to an existing container.

container_secret:delete

Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))

Operations:

DELETE /v1/containers/{container-id}/secrets/{secret-id}

Scope Types:

project

Remove a secret from a container.

orders:get

Default:

True:%(enforce_new_defaults)s and role:member

Operations:

GET /v1/orders

Scope Types:

project

Gets list of all orders associated with a project.

orders:post

Default:

True:%(enforce_new_defaults)s and role:member

Operations:

POST /v1/orders

Scope Types:

project

Creates an order.

orders:put

Default:

True:%(enforce_new_defaults)s and role:member

Operations:

PUT /v1/orders

Scope Types:

project

Unsupported method for the orders API.

order:get

Default:

True:%(enforce_new_defaults)s and rule:order_project_member

Operations:

GET /v1/orders/{order-id}

Scope Types:

project

Retrieves an orders metadata.

order:delete

Default:

True:%(enforce_new_defaults)s and rule:order_project_member

Operations:

DELETE /v1/orders/{order-id}

Scope Types:

project

Deletes an order.

quotas:get

Default:

True:%(enforce_new_defaults)s and role:reader

Operations:

GET /v1/quotas

Scope Types:

project

List quotas for the project the user belongs to.

project_quotas:get

Default:

True:%(enforce_new_defaults)s and role:admin

Operations:

GET /v1/project-quotas
GET /v1/project-quotas/{uuid}

Scope Types:

project

List quotas for the specified project.

project_quotas:put

Default:

True:%(enforce_new_defaults)s and role:admin

Operations:

PUT /v1/project-quotas/{uuid}

Scope Types:

project

Create or update the configured project quotas for the project with the specified UUID.

project_quotas:delete

Default:

True:%(enforce_new_defaults)s and role:admin

Operations:

DELETE /v1/quotas}

Scope Types:

project

Delete the project quotas configuration for the project with the requested UUID.

secret_meta:get

Default:

Operations:

GET /v1/secrets/{secret-id}/metadata
GET /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types:

project

metadata/: Lists a secrets user-defined metadata. || metadata/{key}: Retrieves a secrets user-added metadata.

secret_meta:post

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

POST /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types:

project

Adds a new key/value pair to the secrets user-defined metadata.

secret_meta:put

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

PUT /v1/secrets/{secret-id}/metadata
PUT /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types:

project

metadata/: Sets the user-defined metadata for a secret || metadata/{key}: Updates an existing key/value pair in the secrets user-defined metadata.

secret_meta:delete

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

DELETE /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types:

project

Delete secret user-defined metadata by key.

secret:decrypt

Default:

Operations:

GET /v1/secrets/{uuid}/payload

Scope Types:

project

Retrieve a secrets payload.

secret:get

Default:

True:%(enforce_new_defaults)s and (role:admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)

Operations:

GET /v1/secrets/{secret-id}

Scope Types:

project

Retrieves a secrets metadata.

secret:put

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

PUT /v1/secrets/{secret-id}

Scope Types:

project

Add the payload to an existing metadata-only secret.

secret:delete

Default:

True:%(enforce_new_defaults)s and (role:admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

DELETE /v1/secrets/{secret-id}

Scope Types:

project

Delete a secret by uuid.

secrets:post

Default:

True:%(enforce_new_defaults)s and role:member

Operations:

POST /v1/secrets

Scope Types:

project

Creates a Secret entity.

secrets:get

Default:

True:%(enforce_new_defaults)s and role:member

Operations:

GET /v1/secrets

Scope Types:

project

Lists a projects secrets.

secretstores:get

Default:

True:%(enforce_new_defaults)s and role:reader

Operations:

GET /v1/secret-stores

Scope Types:

project

Get list of available secret store backends.

secretstores:get_global_default

Default:

True:%(enforce_new_defaults)s and role:reader

Operations:

GET /v1/secret-stores/global-default

Scope Types:

project

Get a reference to the secret store that is used as default secret store backend for the deployment.

secretstores:get_preferred

Default:

True:%(enforce_new_defaults)s and role:reader

Operations:

GET /v1/secret-stores/preferred

Scope Types:

project

Get a reference to the preferred secret store if assigned previously.

secretstore_preferred:post

Default:

True:%(enforce_new_defaults)s and role:admin

Operations:

POST /v1/secret-stores/{ss-id}/preferred

Scope Types:

project

Set a secret store backend to be preferred store backend for their project.

secretstore_preferred:delete

Default:

True:%(enforce_new_defaults)s and role:admin

Operations:

DELETE /v1/secret-stores/{ss-id}/preferred

Scope Types:

project

Remove preferred secret store backend setting for their project.

secretstore:get

Default:

True:%(enforce_new_defaults)s and role:reader

Operations:

GET /v1/secret-stores/{ss-id}

Scope Types:

project

Get details of secret store by its ID.

transport_key:get

Default:

True:%(enforce_new_defaults)s and role:reader

Operations:

GET /v1/transport_keys/{key-id}}

Scope Types:

project

Get a specific transport key.

transport_key:delete

Default:

True:%(enforce_new_defaults)s and role:admin

Operations:

DELETE /v1/transport_keys/{key-id}

Scope Types:

project

Delete a specific transport key.

transport_keys:get

Default:

True:%(enforce_new_defaults)s and role:reader

Operations:

GET /v1/transport_keys

Scope Types:

project

Get a list of all transport keys.

transport_keys:post

Default:

True:%(enforce_new_defaults)s and role:admin

Operations:

POST /v1/transport_keys

Scope Types:

project

Create a new transport key.

Policy configuration

Policy configuration¶

Configuration¶

barbican¶

Barbican 17.0.1.dev4

Page Contents