Policy configuration¶

Warning

JSON formatted policy file is deprecated since Barbican 12.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

Configuration¶

Note

The auto-generated configuration reference may show the default values of enforce_new_defaults and enforce_scope as True (the oslo.policy library default). However, Barbican overrides both to False at runtime. To opt in to the new secure RBAC defaults, explicitly set both options to True in the [oslo_policy] section of barbican.conf.

The following is an overview of all available policies in Barbican. For a sample configuration file.

barbican¶

secret_project_match

Default:: project_id:%(target.secret.project_id)s

(no description provided)

secret_project_reader

Default:: role:reader and rule:secret_project_match

(no description provided)

secret_project_member

Default:: role:member and rule:secret_project_match

(no description provided)

secret_project_admin

Default:: role:admin and rule:secret_project_match

(no description provided)

secret_owner

Default:: user_id:%(target.secret.creator_id)s

(no description provided)

secret_is_not_private

Default:: True:%(target.secret.read_project_access)s

(no description provided)

secret_acl_read

Default:: 'read':%(target.secret.read)s

(no description provided)

container_project_match

Default:: project_id:%(target.container.project_id)s

(no description provided)

container_project_member

Default:: role:member and rule:container_project_match

(no description provided)

container_project_admin

Default:: role:admin and rule:container_project_match

(no description provided)

container_owner

Default:: user_id:%(target.container.creator_id)s

(no description provided)

container_is_not_private

Default:: True:%(target.container.read_project_access)s

(no description provided)

container_acl_read

Default:: 'read':%(target.container.read)s

(no description provided)

order_project_match

Default:: project_id:%(target.order.project_id)s

(no description provided)

order_project_member

Default:: role:member and rule:order_project_match

(no description provided)

audit

Default:: role:audit

(no description provided)

observer

Default:: role:observer

(no description provided)

creator

Default:: role:creator

(no description provided)

admin

Default:: role:admin

(no description provided)

service_admin

Default:: role:key-manager:service-admin

(no description provided)

all_users

Default:: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin

(no description provided)

all_but_audit

Default:: rule:admin or rule:observer or rule:creator

(no description provided)

admin_or_creator

Default:: rule:admin or rule:creator

(no description provided)

secret_creator_user

Default:: user_id:%(target.secret.creator_id)s

(no description provided)

secret_private_read

Default:: 'False':%(target.secret.read_project_access)s

(no description provided)

secret_non_private_read

Default:: rule:all_users and rule:secret_project_match and not rule:secret_private_read

(no description provided)

secret_decrypt_non_private_read

Default:: rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read

(no description provided)

secret_project_creator

Default:: rule:creator and rule:secret_project_match and rule:secret_creator_user

(no description provided)

secret_project_creator_role

Default:: rule:creator and rule:secret_project_match

(no description provided)

container_private_read

Default:: 'False':%(target.container.read_project_access)s

(no description provided)

container_creator_user

Default:: user_id:%(target.container.creator_id)s

(no description provided)

container_non_private_read

Default:: rule:all_users and rule:container_project_match and not rule:container_private_read

(no description provided)

container_project_creator

Default:: rule:creator and rule:container_project_match and rule:container_creator_user

(no description provided)

container_project_creator_role

Default:: rule:creator and rule:container_project_match

(no description provided)

secret_acls:get

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

GET /v1/secrets/{secret-id}/acl

Scope Types:

project

Retrieve the ACL settings for a given secret.If no ACL is defined for that secret, then Default ACL is returned.

secret_acls:delete

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

DELETE /v1/secrets/{secret-id}/acl

Scope Types:

project

Delete the ACL settings for a given secret.

secret_acls:put_patch

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

PUT /v1/secrets/{secret-id}/acl
PATCH /v1/secrets/{secret-id}/acl

Scope Types:

project

Create new, replaces, or updates existing ACL for a given secret.

container_acls:get

Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))

Operations:

GET /v1/containers/{container-id}/acl

Scope Types:

project

Retrieve the ACL settings for a given container.

container_acls:delete

Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))

Operations:

DELETE /v1/containers/{container-id}/acl

Scope Types:

project

Delete ACL for a given container. No content is returned in the case of successful deletion.

container_acls:put_patch

Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))

Operations:

PUT /v1/containers/{container-id}/acl
PATCH /v1/containers/{container-id}/acl

Scope Types:

project

Create new or replaces existing ACL for a given container.

consumer:get

Default:

True:%(enforce_new_defaults)s and (role:admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)

Operations:

GET /v1/containers/{container-id}/consumers/{consumer-id}

Scope Types:

project

DEPRECATED: show information for a specific consumer

container_consumers:get

Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)

Operations:

GET /v1/containers/{container-id}/consumers

Scope Types:

project

List a containers consumers.

container_consumers:post

Default:

Operations:

POST /v1/containers/{container-id}/consumers

Scope Types:

project

Creates a consumer.

container_consumers:delete

Default:

Operations:

DELETE /v1/containers/{container-id}/consumers

Scope Types:

project

Deletes a consumer.

secret_consumers:get

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)

Operations:

GET /v1/secrets/{secret-id}/consumers

Scope Types:

project

List consumers for a secret.

secret_consumers:post

Default:

Operations:

POST /v1/secrets/{secrets-id}/consumers

Scope Types:

project

Creates a consumer.

secret_consumers:delete

Default:

Operations:

DELETE /v1/secrets/{secrets-id}/consumers

Scope Types:

project

Deletes a consumer.

containers:post

Default:

True:%(enforce_new_defaults)s and role:member

Operations:

POST /v1/containers

Scope Types:

project

Creates a container.

containers:get

Default:

True:%(enforce_new_defaults)s and role:member

Operations:

GET /v1/containers

Scope Types:

project

Lists a projects containers.

container:get

Default:

Operations:

GET /v1/containers/{container-id}

Scope Types:

project

Retrieves a single container.

container:delete

Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))

Operations:

DELETE /v1/containers/{uuid}

Scope Types:

project

Deletes a container.

container_secret:post

Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))

Operations:

POST /v1/containers/{container-id}/secrets

Scope Types:

project

Add a secret to an existing container.

container_secret:delete

Default:

True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))

Operations:

DELETE /v1/containers/{container-id}/secrets/{secret-id}

Scope Types:

project

Remove a secret from a container.

orders:get

Default:

True:%(enforce_new_defaults)s and role:member

Operations:

GET /v1/orders

Scope Types:

project

Gets list of all orders associated with a project.

orders:post

Default:

True:%(enforce_new_defaults)s and role:member

Operations:

POST /v1/orders

Scope Types:

project

Creates an order.

orders:put

Default:

True:%(enforce_new_defaults)s and role:member

Operations:

PUT /v1/orders

Scope Types:

project

Unsupported method for the orders API.

order:get

Default:

True:%(enforce_new_defaults)s and rule:order_project_member

Operations:

GET /v1/orders/{order-id}

Scope Types:

project

Retrieves an orders metadata.

order:delete

Default:

True:%(enforce_new_defaults)s and rule:order_project_member

Operations:

DELETE /v1/orders/{order-id}

Scope Types:

project

Deletes an order.

quotas:get

Default:

True:%(enforce_new_defaults)s and role:reader

Operations:

GET /v1/quotas

Scope Types:

project

List quotas for the project the user belongs to.

project_quotas:get

Default:

True:%(enforce_new_defaults)s and role:admin

Operations:

GET /v1/project-quotas
GET /v1/project-quotas/{uuid}

Scope Types:

project

List quotas for the specified project.

project_quotas:put

Default:

True:%(enforce_new_defaults)s and role:admin

Operations:

PUT /v1/project-quotas/{uuid}

Scope Types:

project

Create or update the configured project quotas for the project with the specified UUID.

project_quotas:delete

Default:

True:%(enforce_new_defaults)s and role:admin

Operations:

DELETE /v1/quotas}

Scope Types:

project

Delete the project quotas configuration for the project with the requested UUID.

secret_meta:get

Default:

Operations:

GET /v1/secrets/{secret-id}/metadata
GET /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types:

project

metadata/: Lists a secrets user-defined metadata. || metadata/{key}: Retrieves a secrets user-added metadata.

secret_meta:post

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

POST /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types:

project

Adds a new key/value pair to the secrets user-defined metadata.

secret_meta:put

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

PUT /v1/secrets/{secret-id}/metadata
PUT /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types:

project

metadata/: Sets the user-defined metadata for a secret || metadata/{key}: Updates an existing key/value pair in the secrets user-defined metadata.

secret_meta:delete

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

DELETE /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types:

project

Delete secret user-defined metadata by key.

secret:decrypt

Default:

Operations:

GET /v1/secrets/{uuid}/payload

Scope Types:

project

Retrieve a secrets payload.

secret:get

Default:

True:%(enforce_new_defaults)s and (role:admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)

Operations:

GET /v1/secrets/{secret-id}

Scope Types:

project

Retrieves a secrets metadata.

secret:put

Default:

True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

PUT /v1/secrets/{secret-id}

Scope Types:

project

Add the payload to an existing metadata-only secret.

secret:delete

Default:

True:%(enforce_new_defaults)s and (role:admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))

Operations:

DELETE /v1/secrets/{secret-id}

Scope Types:

project

Delete a secret by uuid.

secrets:post

Default:

True:%(enforce_new_defaults)s and role:member

Operations:

POST /v1/secrets

Scope Types:

project

Creates a Secret entity.

secrets:get

Default:

True:%(enforce_new_defaults)s and role:member

Operations:

GET /v1/secrets

Scope Types:

project

Lists a projects secrets.

secretstores:get

Default:

True:%(enforce_new_defaults)s and role:reader

Operations:

GET /v1/secret-stores

Scope Types:

project

Get list of available secret store backends.

secretstores:get_global_default

Default:

True:%(enforce_new_defaults)s and role:reader

Operations:

GET /v1/secret-stores/global-default

Scope Types:

project

Get a reference to the secret store that is used as default secret store backend for the deployment.

secretstores:get_preferred

Default:

True:%(enforce_new_defaults)s and role:reader

Operations:

GET /v1/secret-stores/preferred

Scope Types:

project

Get a reference to the preferred secret store if assigned previously.

secretstore_preferred:post

Default:

True:%(enforce_new_defaults)s and role:admin

Operations:

POST /v1/secret-stores/{ss-id}/preferred

Scope Types:

project

Set a secret store backend to be preferred store backend for their project.

secretstore_preferred:delete

Default:

True:%(enforce_new_defaults)s and role:admin

Operations:

DELETE /v1/secret-stores/{ss-id}/preferred

Scope Types:

project

Remove preferred secret store backend setting for their project.

secretstore:get

Default:

True:%(enforce_new_defaults)s and role:reader

Operations:

GET /v1/secret-stores/{ss-id}

Scope Types:

project

Get details of secret store by its ID.

transport_key:get

Default:

True:%(enforce_new_defaults)s and role:reader

Operations:

GET /v1/transport_keys/{key-id}}

Scope Types:

project

Get a specific transport key.

transport_key:delete

Default:

True:%(enforce_new_defaults)s and role:admin

Operations:

DELETE /v1/transport_keys/{key-id}

Scope Types:

project

Delete a specific transport key.

transport_keys:get

Default:

True:%(enforce_new_defaults)s and role:reader

Operations:

GET /v1/transport_keys

Scope Types:

project

Get a list of all transport keys.

transport_keys:post

Default:

True:%(enforce_new_defaults)s and role:admin

Operations:

POST /v1/transport_keys

Scope Types:

project

Create a new transport key.

Policy configuration

Policy configuration¶

Configuration¶

barbican¶

Barbican 22.1.0.dev22

Page Contents