Like many other services, the Key Manager service supports the protection of its APIs by enforcing policy rules defined in a policy file. The Key Manager service stores a reference to a policy JSON file in its configuration file, /etc/barbican/barbican.conf. Typically this file is named policy.json and it is stored in /etc/barbican/policy.json.
Each Key Manager API call has a line in the policy file that dictates which level of access applies:
    API_NAME: RULE_STATEMENT or MATCH_STATEMENT
where RULE_STATEMENT can be another RULE_STATEMENT or a MATCH_STATEMENT:
    RULE_STATEMENT: RULE_STATEMENT or MATCH_STATEMENT
MATCH_STATEMENT is a set of identifiers that must match between the token provided by the caller of the API and the parameters or target entities of the API in question. For example:
    "secrets:post": "role:admin or role:creator"
indicates that to create a new secret via a POST request, you must have either the admin or creator role in your token.
Warning
The Key Manager service scopes the ownership of a secret at the project level. This means that many calls in the API will perform an additional check to ensure that the project_id of the token matches the project_id stored as the secret owner.
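To make the rule grammar above and the project-scoped ownership check concrete, here is a small evaluator for this policy format. It is an added example, not Barbican's own policy engine or oslo.policy; the policy, token and secret it uses are constructed, and rule names such as secret_owner are illustrative rather than taken from the shipped policy.json.

```python
"""Minimal evaluator for the policy.json rule grammar described above (added example,
not Barbican's or oslo.policy's code). Sample policy, token and target are constructed."""
import re

# Constructed policy: rule names and roles are illustrative, not the shipped file.
SAMPLE_POLICY = {
    "admin": "role:admin",
    "creator": "role:creator",
    "secret_owner": "project_id:%(target.secret.project_id)s",
    "secrets:post": "rule:admin or rule:creator",
    "secret:get": "rule:secret_owner and rule:admin or rule:secret_owner and rule:creator",
}

def _match(stmt, token, target):
    """One MATCH_STATEMENT: role:NAME, or KEY:VALUE compared against the token,
    where VALUE may reference the target entity as %(target.path)s."""
    key, _, value = stmt.partition(":")
    def lookup(m):  # resolve a dotted path such as target.secret.project_id
        node = {"target": target}
        for part in m.group(1).split("."):
            node = node[part]
        return str(node)
    value = re.sub(r"%\(([\w.]+)\)s", lookup, value)
    if key == "role":
        return value in token.get("roles", [])
    return str(token.get(key)) == value

def enforce(policy, api_name, token, target, _depth=0):
    """True if the token may call API_NAME on target; unknown rules fail closed."""
    if _depth > 32:  # a RULE_STATEMENT that refers back to itself would loop
        raise ValueError("policy rule recursion too deep")
    statement = policy.get(api_name)
    if statement is None:
        return False
    # 'or' separates alternatives; 'and' binds tighter within each alternative
    for alternative in statement.split(" or "):
        ok = True
        for leaf in alternative.split(" and "):
            leaf = leaf.strip()
            if leaf.startswith("rule:"):
                ok = enforce(policy, leaf[5:], token, target, _depth + 1)
            else:
                ok = _match(leaf, token, target)
            if not ok:
                break
        if ok:
            return True
    return False
```

A creator token from project proj-a passes secrets:post and secret:get on a secret owned by proj-a, while the same roles on a token from another project fail secret:get because the project_id match in secret_owner is false.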
The policy engine in OpenStack is very flexible and allows for customized policies that make sense for your particular cloud. The Key Manager service comes with a sample policy.json file which can be used as the starting point for a customized policy. The sample policy defines 5 distinct roles:
There are some limitations that result from scoping ownership of a secret at the project level. For example, there is no easy way for a user to upload a secret for which only they have access. There is also no easy way to grant a user access to only a single secret.
To address these limitations the Key Manager service includes an Access Control List (ACL) API. For full details see the ACL API User Guide.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.