Policy configuration

Configuration

The following is an overview of all available policies in Barbican. For a sample configuration file.

barbican

admin
Default

role:admin

(no description provided)

observer
Default

role:observer

(no description provided)

creator
Default

role:creator

(no description provided)

audit
Default

role:audit

(no description provided)

service_admin
Default

role:key-manager:service-admin

(no description provided)

admin_or_creator
Default

rule:admin or rule:creator

(no description provided)

all_but_audit
Default

rule:admin or rule:observer or rule:creator

(no description provided)

all_users
Default

rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin

(no description provided)

secret_project_match
Default

project_id:%(target.secret.project_id)s

(no description provided)

secret_acl_read
Default

'read':%(target.secret.read)s

(no description provided)

secret_private_read
Default

'False':%(target.secret.read_project_access)s

(no description provided)

secret_creator_user
Default

user_id:%(target.secret.creator_id)s

(no description provided)

container_project_match
Default

project_id:%(target.container.project_id)s

(no description provided)

container_acl_read
Default

'read':%(target.container.read)s

(no description provided)

container_private_read
Default

'False':%(target.container.read_project_access)s

(no description provided)

container_creator_user
Default

user_id:%(target.container.creator_id)s

(no description provided)

secret_non_private_read
Default

rule:all_users and rule:secret_project_match and not rule:secret_private_read

(no description provided)

secret_decrypt_non_private_read
Default

rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read

(no description provided)

container_non_private_read
Default

rule:all_users and rule:container_project_match and not rule:container_private_read

(no description provided)

secret_project_admin
Default

rule:admin and rule:secret_project_match

(no description provided)

secret_project_creator
Default

rule:creator and rule:secret_project_match and rule:secret_creator_user

(no description provided)

secret_project_creator_role
Default

rule:creator and rule:secret_project_match

(no description provided)

container_project_admin
Default

rule:admin and rule:container_project_match

(no description provided)

container_project_creator
Default

rule:creator and rule:container_project_match and rule:container_creator_user

(no description provided)

container_project_creator_role
Default

rule:creator and rule:container_project_match

(no description provided)

secret_acls:get
Default

rule:all_but_audit and rule:secret_project_match

Operations
  • GET /v1/secrets/{secret-id}/acl

Scope Types

Retrieve the ACL settings for a given secret. If no ACL is defined for that secret, the default ACL is returned.

secret_acls:delete
Default

rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read)

Operations
  • DELETE /v1/secrets/{secret-id}/acl

Scope Types

Delete the ACL settings for a given secret.

secret_acls:put_patch
Default

rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read)

Operations
  • PUT /v1/secrets/{secret-id}/acl

  • PATCH /v1/secrets/{secret-id}/acl

Scope Types

Creates a new ACL for a given secret, or replaces or updates the existing one.

container_acls:get
Default

rule:all_but_audit and rule:container_project_match

Operations
  • GET /v1/containers/{container-id}/acl

Scope Types

Retrieve the ACL settings for a given container.

container_acls:delete
Default

rule:container_project_admin or rule:container_project_creator or (rule:container_project_creator_role and rule:container_non_private_read)

Operations
  • DELETE /v1/containers/{container-id}/acl

Scope Types

Delete ACL for a given container. No content is returned in the case of successful deletion.

container_acls:put_patch
Default

rule:container_project_admin or rule:container_project_creator or (rule:container_project_creator_role and rule:container_non_private_read)

Operations
  • PUT /v1/containers/{container-id}/acl

  • PATCH /v1/containers/{container-id}/acl

Scope Types

Creates a new ACL for a given container, or replaces the existing one.

consumer:get
Default

rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read

Operations
  • GET /v1/containers/{container-id}/consumers/{consumer-id}

Scope Types

List a specific consumer for a given container.

consumers:get
Default

rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read

Operations
  • GET /v1/containers/{container-id}/consumers

Scope Types

List a container's consumers.

consumers:post
Default

rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read

Operations
  • POST /v1/containers/{container-id}/consumers

Scope Types

Creates a consumer.

consumers:delete
Default

rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read

Operations
  • DELETE /v1/containers/{container-id}/consumers/{consumer-id}

Scope Types

Deletes a consumer.

containers:post
Default

rule:admin_or_creator

Operations
  • POST /v1/containers

Scope Types

Creates a container.

containers:get
Default

rule:all_but_audit

Operations
  • GET /v1/containers

Scope Types

Lists a project's containers.

container:get
Default

rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read

Operations
  • GET /v1/containers/{container-id}

Scope Types

Retrieves a single container.

container:delete
Default

rule:container_project_admin or rule:container_project_creator

Operations
  • DELETE /v1/containers/{uuid}

Scope Types

Deletes a container.

container_secret:post
Default

rule:container_project_admin or rule:container_project_creator or rule:container_project_creator_role and rule:container_non_private_read

Operations
  • POST /v1/containers/{container-id}/secrets

Scope Types

Add a secret to an existing container.

container_secret:delete
Default

rule:container_project_admin or rule:container_project_creator or rule:container_project_creator_role and rule:container_non_private_read

Operations
  • DELETE /v1/containers/{container-id}/secrets/{secret-id}

Scope Types

Remove a secret from a container.

orders:get
Default

rule:all_but_audit

Operations
  • GET /v1/orders

Scope Types

Gets a list of all orders associated with a project.

orders:post
Default

rule:admin_or_creator

Operations
  • POST /v1/orders

Scope Types

Creates an order.

orders:put
Default

rule:admin_or_creator

Operations
  • PUT /v1/orders

Scope Types

Unsupported method for the orders API.

order:get
Default

rule:all_users and project_id:%(target.order.project_id)s

Operations
  • GET /v1/orders/{order-id}

Scope Types

Retrieves an order's metadata.

order:delete
Default

rule:admin and project_id:%(target.order.project_id)s

Operations
  • DELETE /v1/orders/{order-id}

Scope Types

Deletes an order.

quotas:get
Default

rule:all_users

Operations
  • GET /v1/quotas

Scope Types

List quotas for the project the user belongs to.

project_quotas:get
Default

rule:service_admin

Operations
  • GET /v1/project-quotas

  • GET /v1/project-quotas/{uuid}

Scope Types

List quotas for the specified project.

project_quotas:put
Default

rule:service_admin

Operations
  • PUT /v1/project-quotas/{uuid}

Scope Types

Create or update the configured project quotas for the project with the specified UUID.

project_quotas:delete
Default

rule:service_admin

Operations
  • DELETE /v1/project-quotas/{uuid}

Scope Types

Delete the project quotas configuration for the project with the requested UUID.

secret_meta:get
Default

rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read

Operations
  • GET /v1/secrets/{secret-id}/metadata

  • GET /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types

metadata/: Lists a secret's user-defined metadata.
metadata/{key}: Retrieves a secret's user-added metadata.

secret_meta:post
Default

rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read)

Operations
  • POST /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types

Adds a new key/value pair to the secret's user-defined metadata.

secret_meta:put
Default

rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read)

Operations
  • PUT /v1/secrets/{secret-id}/metadata

  • PUT /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types

metadata/: Sets the user-defined metadata for a secret.
metadata/{key}: Updates an existing key/value pair in the secret's user-defined metadata.

secret_meta:delete
Default

rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read)

Operations
  • DELETE /v1/secrets/{secret-id}/metadata/{meta-key}

Scope Types

Delete a secret's user-defined metadata entry by key.

secret:decrypt
Default

rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read

Operations
  • GET /v1/secrets/{uuid}/payload

Scope Types

Retrieve a secret's payload.
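The defaults above are composed from one another, and which caller ends up allowed to decrypt is not obvious from reading them. The following is an added example, not Barbican's or oslo.policy's own code: a small evaluator for the subset of the oslo.policy rule language these defaults use (rule:, role:, the generic key:%(target...)s check, and and/or/not with oslo.policy's precedence), applied to the secret:decrypt default. The target dict keys follow the %(target.secret.…)s names in the rules; the sample secret and credentials are constructed, and it is assumed that a caller without an ACL entry gets a target.secret.read value other than 'read'.

```python
# Defaults copied from this page: the chain of rules that secret:decrypt expands to.
RULES = {
    "admin": "role:admin", "observer": "role:observer", "creator": "role:creator",
    "all_but_audit": "rule:admin or rule:observer or rule:creator",
    "secret_project_match": "project_id:%(target.secret.project_id)s",
    "secret_acl_read": "'read':%(target.secret.read)s",
    "secret_private_read": "'False':%(target.secret.read_project_access)s",
    "secret_creator_user": "user_id:%(target.secret.creator_id)s",
    "secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
    "secret_project_admin": "rule:admin and rule:secret_project_match",
    "secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user",
    "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
}

def atom(tok, target, creds):
    """One 'kind:match' check, after oslo.policy's RuleCheck, RoleCheck and GenericCheck."""
    kind, match = tok.split(":", 1)
    if kind == "rule":  # reference to a named rule; an unknown name denies
        return match in RULES and enforce(RULES[match], target, creds)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        match = match % target  # fill %(target.secret.xxx)s from the target dict
    except KeyError:
        return False  # target lacks that attribute: deny
    if kind[:1] in ("'", '"'):  # quoted literal on the left, e.g. 'read' or 'False'
        return match == kind[1:-1]
    return kind in creds and match == str(creds[kind])  # otherwise a credential attribute

def enforce(expr, target, creds):
    """Evaluate a rule string; as in oslo.policy, not binds tighter than and, and tighter than or."""
    toks = expr.split()[::-1]  # reversed so pop() walks the rule left to right

    def parse(level):  # 0 = or-expression, 1 = and-expression, 2 = optional not + one check
        if level == 2:
            tok = toks.pop()
            return not parse(2) if tok == "not" else atom(tok, target, creds)
        val = parse(level + 1)
        while toks and toks[-1] == ("or", "and")[level]:
            toks.pop()
            rhs = parse(level + 1)  # always parsed, so short-circuiting never skips tokens
            val = (val or rhs) if level == 0 else (val and rhs)
        return val

    return parse(0)

# Constructed sample: a non-private secret in project p1 created by user u1, queried by a
# project member who holds only the audit role and has no ACL entry (read is not 'read').
SECRET = {"target.secret.project_id": "p1", "target.secret.creator_id": "u1",
          "target.secret.read_project_access": True, "target.secret.read": None}
AUDITOR = {"project_id": "p1", "user_id": "u9", "roles": ["audit"]}
```

enforce(RULES["secret:decrypt"], SECRET, AUDITOR) is False: the audit role is in all_users (so secret:get succeeds) but not in all_but_audit, which is the only difference between secret_non_private_read and secret_decrypt_non_private_read.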

secret:get
Default

rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read

Operations
  • GET /v1/secrets/{secret-id}

Scope Types

Retrieves a secret's metadata.

secret:put
Default

rule:admin_or_creator and rule:secret_project_match

Operations
  • PUT /v1/secrets/{secret-id}

Scope Types

Add the payload to an existing metadata-only secret.

secret:delete
Default

rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and not rule:secret_private_read)

Operations
  • DELETE /v1/secrets/{secret-id}

Scope Types

Delete a secret by UUID.

secrets:post
Default

rule:admin_or_creator

Operations
  • POST /v1/secrets

Scope Types

Creates a Secret entity.

secrets:get
Default

rule:all_but_audit

Operations
  • GET /v1/secrets

Scope Types

Lists a project's secrets.

secretstores:get
Default

rule:admin

Operations
  • GET /v1/secret-stores

Scope Types

Get a list of the available secret store backends.

secretstores:get_global_default
Default

rule:admin

Operations
  • GET /v1/secret-stores/global-default

Scope Types

Get a reference to the secret store that is used as the default secret store backend for the deployment.

secretstores:get_preferred
Default

rule:admin

Operations
  • GET /v1/secret-stores/preferred

Scope Types

Get a reference to the preferred secret store, if one was previously assigned.

secretstore_preferred:post
Default

rule:admin

Operations
  • POST /v1/secret-stores/{ss-id}/preferred

Scope Types

Set a secret store backend as the preferred store backend for the caller's project.

secretstore_preferred:delete
Default

rule:admin

Operations
  • DELETE /v1/secret-stores/{ss-id}/preferred

Scope Types

Remove the preferred secret store backend setting for the caller's project.

secretstore:get
Default

rule:admin

Operations
  • GET /v1/secret-stores/{ss-id}

Scope Types

Get details of secret store by its ID.

transport_key:get
Default

rule:all_users

Operations
  • GET /v1/transport_keys/{key-id}

Scope Types

Get a specific transport key.

transport_key:delete
Default

rule:admin

Operations
  • DELETE /v1/transport_keys/{key-id}

Scope Types

Delete a specific transport key.

transport_keys:get
Default

rule:all_users

Operations
  • GET /v1/transport_keys

Scope Types

Get a list of all transport keys.

transport_keys:post
Default

rule:admin

Operations
  • POST /v1/transport_keys

Scope Types

Create a new transport key.