Removed the policy from values in favor of policy in code
As services have the default policy in code, the policy in values files is removed. Change-Id: Icc07e3915a3b07beb02e8c0845d8d6e18adfcfea
This commit is contained in:
xuxant02@gmail.com
parent
58e19cdb65
commit
420dac178e
@ -14,7 +14,7 @@ apiVersion: v1
|
|||||||
appVersion: v1.0.0
|
appVersion: v1.0.0
|
||||||
description: OpenStack-Helm Barbican
|
description: OpenStack-Helm Barbican
|
||||||
name: barbican
|
name: barbican
|
||||||
version: 0.2.8
|
version: 0.2.9
|
||||||
home: https://docs.openstack.org/barbican/latest/
|
home: https://docs.openstack.org/barbican/latest/
|
||||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
|
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
|
||||||
sources:
|
sources:
|
||||||
|
|||||||
@ -323,102 +323,7 @@ conf:
|
|||||||
oslo_config_project: barbican
|
oslo_config_project: barbican
|
||||||
filter:http_proxy_to_wsgi:
|
filter:http_proxy_to_wsgi:
|
||||||
paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
|
paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
|
||||||
policy:
|
policy: {}
|
||||||
admin: role:admin
|
|
||||||
observer: role:observer
|
|
||||||
creator: role:creator
|
|
||||||
audit: role:audit
|
|
||||||
service_admin: role:key-manager:service-admin
|
|
||||||
admin_or_user_does_not_work: project_id:%(project_id)s
|
|
||||||
admin_or_user: rule:admin or project_id:%(project_id)s
|
|
||||||
admin_or_creator: rule:admin or rule:creator
|
|
||||||
all_but_audit: rule:admin or rule:observer or rule:creator
|
|
||||||
all_users: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
|
|
||||||
secret_acl_read: "'read':%(target.secret.read)s"
|
|
||||||
secret_private_read: "'False':%(target.secret.read_project_access)s"
|
|
||||||
container_acl_read: "'read':%(target.container.read)s"
|
|
||||||
container_private_read: "'False':%(target.container.read_project_access)s"
|
|
||||||
secret_non_private_read: rule:all_users and rule:secret_project_match and not rule:secret_private_read
|
|
||||||
secret_decrypt_non_private_read: rule:all_but_audit and rule:secret_project_match
|
|
||||||
and not rule:secret_private_read
|
|
||||||
container_non_private_read: rule:all_users and rule:container_project_match and not
|
|
||||||
rule:container_private_read
|
|
||||||
secret_project_admin: rule:admin and rule:secret_project_match
|
|
||||||
secret_project_creator: rule:creator and rule:secret_project_match and rule:secret_creator_user
|
|
||||||
container_project_admin: rule:admin and rule:container_project_match
|
|
||||||
container_project_creator: rule:creator and rule:container_project_match and rule:container_creator_user
|
|
||||||
version:get: "@"
|
|
||||||
secret:decrypt: rule:secret_decrypt_non_private_read or rule:secret_project_creator
|
|
||||||
or rule:secret_project_admin or rule:secret_acl_read
|
|
||||||
secret:get: rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin
|
|
||||||
or rule:secret_acl_read
|
|
||||||
secret:put: rule:admin_or_creator and rule:secret_project_match
|
|
||||||
secret:delete: rule:secret_project_admin or rule:secret_project_creator
|
|
||||||
secrets:post: rule:admin_or_creator
|
|
||||||
secrets:get: rule:all_but_audit
|
|
||||||
orders:post: rule:admin_or_creator
|
|
||||||
orders:get: rule:all_but_audit
|
|
||||||
order:get: rule:all_users
|
|
||||||
order:put: rule:admin_or_creator
|
|
||||||
order:delete: rule:admin
|
|
||||||
consumer:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
|
|
||||||
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
|
|
||||||
consumers:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
|
|
||||||
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
|
|
||||||
consumers:post: rule:admin or rule:container_non_private_read or rule:container_project_creator
|
|
||||||
or rule:container_project_admin or rule:container_acl_read
|
|
||||||
consumers:delete: rule:admin or rule:container_non_private_read or rule:container_project_creator
|
|
||||||
or rule:container_project_admin or rule:container_acl_read
|
|
||||||
containers:post: rule:admin_or_creator
|
|
||||||
containers:get: rule:all_but_audit
|
|
||||||
container:get: rule:container_non_private_read or rule:container_project_creator or
|
|
||||||
rule:container_project_admin or rule:container_acl_read
|
|
||||||
container:delete: rule:container_project_admin or rule:container_project_creator
|
|
||||||
container_secret:post: rule:admin
|
|
||||||
container_secret:delete: rule:admin
|
|
||||||
transport_key:get: rule:all_users
|
|
||||||
transport_key:delete: rule:admin
|
|
||||||
transport_keys:get: rule:all_users
|
|
||||||
transport_keys:post: rule:admin
|
|
||||||
certificate_authorities:get_limited: rule:all_users
|
|
||||||
certificate_authorities:get_all: rule:admin
|
|
||||||
certificate_authorities:post: rule:admin
|
|
||||||
certificate_authorities:get_preferred_ca: rule:all_users
|
|
||||||
certificate_authorities:get_global_preferred_ca: rule:service_admin
|
|
||||||
certificate_authorities:unset_global_preferred: rule:service_admin
|
|
||||||
certificate_authority:delete: rule:admin
|
|
||||||
certificate_authority:get: rule:all_users
|
|
||||||
certificate_authority:get_cacert: rule:all_users
|
|
||||||
certificate_authority:get_ca_cert_chain: rule:all_users
|
|
||||||
certificate_authority:get_projects: rule:service_admin
|
|
||||||
certificate_authority:add_to_project: rule:admin
|
|
||||||
certificate_authority:remove_from_project: rule:admin
|
|
||||||
certificate_authority:set_preferred: rule:admin
|
|
||||||
certificate_authority:set_global_preferred: rule:service_admin
|
|
||||||
secret_acls:put_patch: rule:secret_project_admin or rule:secret_project_creator
|
|
||||||
secret_acls:delete: rule:secret_project_admin or rule:secret_project_creator
|
|
||||||
secret_acls:get: rule:all_but_audit and rule:secret_project_match
|
|
||||||
container_acls:put_patch: rule:container_project_admin or rule:container_project_creator
|
|
||||||
container_acls:delete: rule:container_project_admin or rule:container_project_creator
|
|
||||||
container_acls:get: rule:all_but_audit and rule:container_project_match
|
|
||||||
quotas:get: rule:all_users
|
|
||||||
project_quotas:get: rule:service_admin
|
|
||||||
project_quotas:put: rule:service_admin
|
|
||||||
project_quotas:delete: rule:service_admin
|
|
||||||
secret_meta:get: rule:all_but_audit
|
|
||||||
secret_meta:post: rule:admin_or_creator
|
|
||||||
secret_meta:put: rule:admin_or_creator
|
|
||||||
secret_meta:delete: rule:admin_or_creator
|
|
||||||
secretstores:get: rule:admin
|
|
||||||
secretstores:get_global_default: rule:admin
|
|
||||||
secretstores:get_preferred: rule:admin
|
|
||||||
secretstore_preferred:post: rule:admin
|
|
||||||
secretstore_preferred:delete: rule:admin
|
|
||||||
secretstore:get: rule:admin
|
|
||||||
secret_project_match: project_id:%(target.secret.project_id)s
|
|
||||||
secret_creator_user: user_id:%(target.secret.creator_id)s
|
|
||||||
container_project_match: project_id:%(target.container.project_id)s
|
|
||||||
container_creator_user: user_id:%(target.container.creator_id)s
|
|
||||||
audit_map:
|
audit_map:
|
||||||
DEFAULT:
|
DEFAULT:
|
||||||
# default target endpoint type
|
# default target endpoint type
|
||||||
|
|||||||
@ -12,4 +12,5 @@ barbican:
|
|||||||
- 0.2.6 Allow Barbican to talk to Mariadb over TLS
|
- 0.2.6 Allow Barbican to talk to Mariadb over TLS
|
||||||
- 0.2.7 Fix db connection key name
|
- 0.2.7 Fix db connection key name
|
||||||
- 0.2.8 Update htk requirements repo
|
- 0.2.8 Update htk requirements repo
|
||||||
|
- 0.2.9 Removed default policy in favor in code policy
|
||||||
...
|
...
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user