From 2cb3d4154443f055b41ec352c575fb49ceedd177 Mon Sep 17 00:00:00 2001
From: Phil Sphicas
Date: Thu, 16 Jan 2020 14:54:35 -0800
Subject: [PATCH] barbican: fix values overrides for stein and ocata
When the default release was switched from ocata to stein, some of the policies were duplicated. This moves the ocata overrides back to where they belong, and adds overrides for pike, queens, and rocky.
Change-Id: I342d69e721b2692987951055e41ed5e153a91d6c
---
barbican/values.yaml | 4 ----
barbican/values_overrides/ocata.yaml | 6 ++++++
barbican/values_overrides/pike.yaml | 6 ++++++
barbican/values_overrides/queens.yaml | 6 ++++++
barbican/values_overrides/rocky.yaml | 6 ++++++
5 files changed, 24 insertions(+), 4 deletions(-)
create mode 100644 barbican/values_overrides/ocata.yaml
create mode 100644 barbican/values_overrides/pike.yaml
create mode 100644 barbican/values_overrides/queens.yaml
create mode 100644 barbican/values_overrides/rocky.yaml
diff --git a/barbican/values.yaml b/barbican/values.yaml
index e12f89b6ce..aef40919a5 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -322,14 +322,10 @@ conf: admin_or_creator: rule:admin or rule:creator all_but_audit: rule:admin or rule:observer or rule:creator all_users: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin - secret_project_match: project:%(target.secret.project_id)s secret_acl_read: "'read':%(target.secret.read)s" secret_private_read: "'False':%(target.secret.read_project_access)s" - secret_creator_user: user:%(target.secret.creator_id)s - container_project_match: project:%(target.container.project_id)s container_acl_read: "'read':%(target.container.read)s" container_private_read: "'False':%(target.container.read_project_access)s" - container_creator_user: user:%(target.container.creator_id)s secret_non_private_read: rule:all_users and rule:secret_project_match and not rule:secret_private_read secret_decrypt_non_private_read: rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read
diff --git a/barbican/values_overrides/ocata.yaml b/barbican/values_overrides/ocata.yaml
new file mode 100644
index 0000000000..5687ec9ef9
--- /dev/null
+++ b/barbican/values_overrides/ocata.yaml
@@ -0,0 +1,6 @@
+conf:
+ policy:
+ secret_project_match: project:%(target.secret.project_id)s
+ secret_creator_user: user:%(target.secret.creator_id)s
+ container_project_match: project:%(target.container.project_id)s
+ container_creator_user: user:%(target.container.creator_id)s
diff --git a/barbican/values_overrides/pike.yaml b/barbican/values_overrides/pike.yaml
new file mode 100644
index 0000000000..5687ec9ef9
--- /dev/null
+++ b/barbican/values_overrides/pike.yaml
@@ -0,0 +1,6 @@
+conf:
+ policy:
+ secret_project_match: project:%(target.secret.project_id)s
+ secret_creator_user: user:%(target.secret.creator_id)s
+ container_project_match: project:%(target.container.project_id)s
+ container_creator_user: user:%(target.container.creator_id)s
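Review bot: The new override files (ocata.yaml and pike.yaml above, and the identical queens.yaml and rocky.yaml that follow) carry no comment saying why these releases need their own `secret_project_match`, `secret_creator_user`, `container_project_match` and `container_creator_user`, even though these are the project and creator checks that rules such as `secret_non_private_read` in values.yaml build on. I would add a header to each file, for example `# Project/creator match rules for releases before stein; must be layered on values.yaml when deploying this release.`, so an operator can see the file is required rather than optional. If a pre-stein deployment omits its override it gets whatever definition values.yaml keeps outside this hunk, and whether that denies or permits access depends on the credential attributes the older release exposes, which is not visible here, so a per-release check of the rendered policy in CI would be worth having. All four files share one blob (`5687ec9ef9`), so a later correction to one can silently miss the others.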
diff --git a/barbican/values_overrides/queens.yaml b/barbican/values_overrides/queens.yaml
new file mode 100644
index 0000000000..5687ec9ef9
--- /dev/null
+++ b/barbican/values_overrides/queens.yaml
@@ -0,0 +1,6 @@
+conf:
+ policy:
+ secret_project_match: project:%(target.secret.project_id)s
+ secret_creator_user: user:%(target.secret.creator_id)s
+ container_project_match: project:%(target.container.project_id)s
+ container_creator_user: user:%(target.container.creator_id)s
diff --git a/barbican/values_overrides/rocky.yaml b/barbican/values_overrides/rocky.yaml
new file mode 100644
index 0000000000..5687ec9ef9
--- /dev/null
+++ b/barbican/values_overrides/rocky.yaml
@@ -0,0 +1,6 @@
+conf:
+ policy:
+ secret_project_match: project:%(target.secret.project_id)s
+ secret_creator_user: user:%(target.secret.creator_id)s
+ container_project_match: project:%(target.container.project_id)s
+ container_creator_user: user:%(target.container.creator_id)s