Policy configuration

Policy configuration

Configuration

The following is an overview of all available policies in Barbican. For a sample configuration file.

barbican

admin
Default:role:admin

(no description provided)

observer
Default:role:observer

(no description provided)

creator
Default:role:creator

(no description provided)

audit
Default:role:audit

(no description provided)

service_admin
Default:role:key-manager:service-admin

(no description provided)

admin_or_creator
Default:rule:admin or rule:creator

(no description provided)

all_but_audit
Default:rule:admin or rule:observer or rule:creator

(no description provided)

all_users
Default:rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin

(no description provided)

secret_project_match
Default:project:%(target.secret.project_id)s

(no description provided)

secret_acl_read
Default:'read':%(target.secret.read)s

(no description provided)

secret_private_read
Default:'False':%(target.secret.read_project_access)s

(no description provided)

secret_creator_user
Default:user:%(target.secret.creator_id)s

(no description provided)

container_project_match
Default:project:%(target.container.project_id)s

(no description provided)

container_acl_read
Default:'read':%(target.container.read)s

(no description provided)

container_private_read
Default:'False':%(target.container.read_project_access)s

(no description provided)

container_creator_user
Default:user:%(target.container.creator_id)s

(no description provided)

secret_non_private_read
Default:rule:all_users and rule:secret_project_match and not rule:secret_private_read

(no description provided)

secret_decrypt_non_private_read
Default:rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read

(no description provided)

container_non_private_read
Default:rule:all_users and rule:container_project_match and not rule:container_private_read

(no description provided)

secret_project_admin
Default:rule:admin and rule:secret_project_match

(no description provided)

secret_project_creator
Default:rule:creator and rule:secret_project_match and rule:secret_creator_user

(no description provided)

container_project_admin
Default:rule:admin and rule:container_project_match

(no description provided)

container_project_creator
Default:rule:creator and rule:container_project_match and rule:container_creator_user

(no description provided)

secret_acls:put_patch
Default:rule:secret_project_admin or rule:secret_project_creator

(no description provided)

secret_acls:delete
Default:rule:secret_project_admin or rule:secret_project_creator

(no description provided)

secret_acls:get
Default:rule:all_but_audit and rule:secret_project_match

(no description provided)

container_acls:put_patch
Default:rule:container_project_admin or rule:container_project_creator

(no description provided)

container_acls:delete
Default:rule:container_project_admin or rule:container_project_creator

(no description provided)

container_acls:get
Default:rule:all_but_audit and rule:container_project_match

(no description provided)

consumer:get
Default:rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read

(no description provided)

consumers:get
Default:rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read

(no description provided)

consumers:post
Default:rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read

(no description provided)

consumers:delete
Default:rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read

(no description provided)

containers:post
Default:rule:admin_or_creator

(no description provided)

containers:get
Default:rule:all_but_audit

(no description provided)

container:get
Default:rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read

(no description provided)

container:delete
Default:rule:container_project_admin or rule:container_project_creator

(no description provided)

container_secret:post
Default:rule:admin

(no description provided)

container_secret:delete
Default:rule:admin

(no description provided)

orders:post
Default:rule:admin_or_creator

(no description provided)

orders:get
Default:rule:all_but_audit

(no description provided)

orders:put
Default:rule:admin_or_creator

(no description provided)

order:get
Default:rule:all_users

(no description provided)

order:delete
Default:rule:admin

(no description provided)

quotas:get
Default:rule:all_users

(no description provided)

project_quotas:get
Default:rule:service_admin

(no description provided)

project_quotas:put
Default:rule:service_admin

(no description provided)

project_quotas:delete
Default:rule:service_admin

(no description provided)

secret_meta:get
Default:rule:all_but_audit

(no description provided)

secret_meta:post
Default:rule:admin_or_creator

(no description provided)

secret_meta:put
Default:rule:admin_or_creator

(no description provided)

secret_meta:delete
Default:rule:admin_or_creator

(no description provided)

secret:decrypt
Default:rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read

(no description provided)

secret:get
Default:rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read

(no description provided)

secret:put
Default:rule:admin_or_creator and rule:secret_project_match

(no description provided)

secret:delete
Default:rule:secret_project_admin or rule:secret_project_creator

(no description provided)

secrets:post
Default:rule:admin_or_creator

(no description provided)

secrets:get
Default:rule:all_but_audit

(no description provided)

secretstores:get
Default:rule:admin

(no description provided)

secretstores:get_global_default
Default:rule:admin

(no description provided)

secretstores:get_preferred
Default:rule:admin

(no description provided)

secretstore_preferred:post
Default:rule:admin

(no description provided)

secretstore_preferred:delete
Default:rule:admin

(no description provided)

secretstore:get
Default:rule:admin

(no description provided)

transport_key:get
Default:rule:all_users

(no description provided)

transport_key:delete
Default:rule:admin

(no description provided)

transport_keys:get
Default:rule:all_users

(no description provided)

transport_keys:post
Default:rule:admin

(no description provided)

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.