Policy configuration¶
Configuration¶
The following is an overview of all available policies in Barbican. For a sample configuration file.
barbican¶
adminDefault: role:admin(no description provided)
observerDefault: role:observer(no description provided)
creatorDefault: role:creator(no description provided)
auditDefault: role:audit(no description provided)
service_adminDefault: role:key-manager:service-admin(no description provided)
admin_or_creatorDefault: rule:admin or rule:creator(no description provided)
all_but_auditDefault: rule:admin or rule:observer or rule:creator(no description provided)
all_usersDefault: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin(no description provided)
secret_project_matchDefault: project:%(target.secret.project_id)s(no description provided)
secret_acl_readDefault: 'read':%(target.secret.read)s(no description provided)
secret_private_readDefault: 'False':%(target.secret.read_project_access)s(no description provided)
secret_creator_userDefault: user:%(target.secret.creator_id)s(no description provided)
container_project_matchDefault: project:%(target.container.project_id)s(no description provided)
container_acl_readDefault: 'read':%(target.container.read)s(no description provided)
container_private_readDefault: 'False':%(target.container.read_project_access)s(no description provided)
container_creator_userDefault: user:%(target.container.creator_id)s(no description provided)
secret_non_private_readDefault: rule:all_users and rule:secret_project_match and not rule:secret_private_read(no description provided)
secret_decrypt_non_private_readDefault: rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read(no description provided)
container_non_private_readDefault: rule:all_users and rule:container_project_match and not rule:container_private_read(no description provided)
secret_project_adminDefault: rule:admin and rule:secret_project_match(no description provided)
secret_project_creatorDefault: rule:creator and rule:secret_project_match and rule:secret_creator_user(no description provided)
container_project_adminDefault: rule:admin and rule:container_project_match(no description provided)
container_project_creatorDefault: rule:creator and rule:container_project_match and rule:container_creator_user(no description provided)
secret_acls:put_patchDefault: rule:secret_project_admin or rule:secret_project_creator(no description provided)
secret_acls:deleteDefault: rule:secret_project_admin or rule:secret_project_creator(no description provided)
secret_acls:getDefault: rule:all_but_audit and rule:secret_project_match(no description provided)
container_acls:put_patchDefault: rule:container_project_admin or rule:container_project_creator(no description provided)
container_acls:deleteDefault: rule:container_project_admin or rule:container_project_creator(no description provided)
container_acls:getDefault: rule:all_but_audit and rule:container_project_match(no description provided)
consumer:getDefault: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read(no description provided)
consumers:getDefault: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read(no description provided)
consumers:postDefault: rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read(no description provided)
consumers:deleteDefault: rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read(no description provided)
containers:postDefault: rule:admin_or_creator(no description provided)
containers:getDefault: rule:all_but_audit(no description provided)
container:getDefault: rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read(no description provided)
container:deleteDefault: rule:container_project_admin or rule:container_project_creator(no description provided)
container_secret:postDefault: rule:admin(no description provided)
container_secret:deleteDefault: rule:admin(no description provided)
orders:postDefault: rule:admin_or_creator(no description provided)
orders:getDefault: rule:all_but_audit(no description provided)
orders:putDefault: rule:admin_or_creator(no description provided)
order:getDefault: rule:all_users(no description provided)
order:deleteDefault: rule:admin(no description provided)
quotas:getDefault: rule:all_users(no description provided)
project_quotas:getDefault: rule:service_admin(no description provided)
project_quotas:putDefault: rule:service_admin(no description provided)
project_quotas:deleteDefault: rule:service_admin(no description provided)
secret_meta:getDefault: rule:all_but_audit(no description provided)
secret_meta:postDefault: rule:admin_or_creator(no description provided)
secret_meta:putDefault: rule:admin_or_creator(no description provided)
secret_meta:deleteDefault: rule:admin_or_creator(no description provided)
secret:decryptDefault: rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read(no description provided)
secret:getDefault: rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read(no description provided)
secret:putDefault: rule:admin_or_creator and rule:secret_project_match(no description provided)
secret:deleteDefault: rule:secret_project_admin or rule:secret_project_creator(no description provided)
secrets:postDefault: rule:admin_or_creator(no description provided)
secrets:getDefault: rule:all_but_audit(no description provided)
secretstores:getDefault: rule:admin(no description provided)
secretstores:get_global_defaultDefault: rule:admin(no description provided)
secretstores:get_preferredDefault: rule:admin(no description provided)
secretstore_preferred:postDefault: rule:admin(no description provided)
secretstore_preferred:deleteDefault: rule:admin(no description provided)
secretstore:getDefault: rule:admin(no description provided)
transport_key:getDefault: rule:all_users(no description provided)
transport_key:deleteDefault: rule:admin(no description provided)
transport_keys:getDefault: rule:all_users(no description provided)
transport_keys:postDefault: rule:admin(no description provided)
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.