Barbican Sample Policy

The following is a sample Barbican policy file that has been auto-generated from the default policy values in code. If you are using the default policies, maintaining this file is unnecessary, and it should not be copied into a deployment: doing so results in duplicate policy definitions. It is included here to explain which policy operations protect which Barbican APIs; copy it into a deployment only if you plan to override the default policy for a specific operation.

The sample policy file can also be viewed in file form.

"admin": "role:admin"
"observer": "role:observer"
"creator": "role:creator"
"audit": "role:audit"
"service_admin": "role:key-manager:service-admin"
"admin_or_creator": "rule:admin or rule:creator"
"all_but_audit": "rule:admin or rule:observer or rule:creator"
"all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"
"secret_project_match": "project_id:%(target.secret.project_id)s"
"secret_acl_read": "'read':%(target.secret.read)s"
"secret_private_read": "'False':%(target.secret.read_project_access)s"
"secret_creator_user": "user_id:%(target.secret.creator_id)s"
"container_project_match": "project_id:%(target.container.project_id)s"
"container_acl_read": "'read':%(target.container.read)s"
"container_private_read": "'False':%(target.container.read_project_access)s"
"container_creator_user": "user_id:%(target.container.creator_id)s"
"secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read"
"secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"
"container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read"
"secret_project_admin": "rule:admin and rule:secret_project_match"
"secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user"
"secret_project_creator_role": "rule:creator and rule:secret_project_match"
"container_project_admin": "rule:admin and rule:container_project_match"
"container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user"
"container_project_creator_role": "rule:creator and rule:container_project_match"
"secret_acls:get": "(rule:all_but_audit and rule:secret_project_match) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
"secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
"secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
"container_acls:get": "(rule:all_but_audit and rule:container_project_match) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
"container_acls:delete": "rule:container_project_admin or rule:container_project_creator or (rule:container_project_creator_role and rule:container_non_private_read) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
"container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator or (rule:container_project_creator_role and rule:container_non_private_read) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
"consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
"container_consumers:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read  or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
"container_consumers:post": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read  or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
"container_consumers:delete": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read  or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
"secret_consumers:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read  or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"
"secret_consumers:post": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read  or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"
"secret_consumers:delete": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read  or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"
"containers:post": "rule:admin_or_creator or role:member"
"containers:get": "rule:all_but_audit or role:member"
"container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
"container:delete": "rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
"container_secret:post": "rule:container_project_admin or rule:container_project_creator or rule:container_project_creator_role and rule:container_non_private_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
"container_secret:delete": "rule:container_project_admin or rule:container_project_creator or rule:container_project_creator_role and rule:container_non_private_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
"orders:get": "rule:all_but_audit or role:member"
"orders:post": "rule:admin_or_creator or role:member"
"orders:put": "rule:admin_or_creator or role:member"
"order:get": "rule:all_users and project_id:%(target.order.project_id)s or role:member and project_id:%(target.order.project_id)s"
"order:delete": "rule:admin and project_id:%(target.order.project_id)s or role:member and project_id:%(target.order.project_id)s"
"quotas:get": "rule:all_users or role:reader"
"project_quotas:get": "rule:service_admin or role:reader and system_scope:all"
"project_quotas:put": "rule:service_admin or role:admin and system_scope:all"
"project_quotas:delete": "rule:service_admin or role:admin and system_scope:all"
"secret_meta:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
"secret_meta:post": "rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
"secret_meta:put": "rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
"secret_meta:delete": "rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
"secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
"secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
"secret:put": "rule:admin_or_creator and rule:secret_project_match or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
"secret:delete": "rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and not rule:secret_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
"secrets:post": "rule:admin_or_creator or role:member"
"secrets:get": "rule:all_but_audit or role:member"
"secretstores:get": "rule:all_users or role:reader"
"secretstores:get_global_default": "rule:all_users or role:reader"
"secretstores:get_preferred": "rule:all_users or role:reader"
"secretstore_preferred:post": "rule:admin"
"secretstore_preferred:delete": "rule:admin"
"secretstore:get": "rule:all_users or role:reader"
"transport_key:get": "rule:all_users or role:reader"
"transport_key:delete": "role:admin and system_scope:all"
"transport_keys:get": "rule:all_users or role:reader"
"transport_keys:post": "role:admin and system_scope:all"