Barbican Sample Policy

The following is a sample Barbican policy file, auto-generated from the default policy values in the code. If you are using the default policies, this file needs no maintenance and should not be copied into a deployment; doing so would only duplicate the policy definitions that are already enforced in code. It is provided to explain which policy operations protect which Barbican APIs. Copy an entry into a deployment's policy file only when you intend to provide a different, non-default policy for that operation.

The sample policy file can also be viewed in file form.

#"admin": "role:admin"

#"observer": "role:observer"

#"creator": "role:creator"

#"audit": "role:audit"

#"service_admin": "role:key-manager:service-admin"

#"admin_or_creator": "rule:admin or rule:creator"

#"all_but_audit": "rule:admin or rule:observer or rule:creator"

#"all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"

#"secret_project_match": "project_id:%(target.secret.project_id)s"

#"secret_acl_read": "'read':%(target.secret.read)s"

#"secret_private_read": "'False':%(target.secret.read_project_access)s"

#"secret_creator_user": "user_id:%(target.secret.creator_id)s"

#"container_project_match": "project_id:%(target.container.project_id)s"

#"container_acl_read": "'read':%(target.container.read)s"

#"container_private_read": "'False':%(target.container.read_project_access)s"

#"container_creator_user": "user_id:%(target.container.creator_id)s"

#"secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read"

#"secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"

#"container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read"

#"secret_project_admin": "rule:admin and rule:secret_project_match"

#"secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user"

#"container_project_admin": "rule:admin and rule:container_project_match"

#"container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user"

# Retrieve the ACL settings for a given secret. If no ACL is defined
# for that secret, then the default ACL is returned.
# GET  /v1/secrets/{secret-id}/acl
# Intended scope(s): project
#"secret_acls:get": "(rule:all_but_audit and rule:secret_project_match) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"

# Delete the ACL settings for a given secret.
# DELETE  /v1/secrets/{secret-id}/acl
# Intended scope(s): project
#"secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"

# Create a new ACL, or replace or update the existing ACL, for a given secret.
# PUT  /v1/secrets/{secret-id}/acl
# PATCH  /v1/secrets/{secret-id}/acl
# Intended scope(s): project
#"secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"

# Retrieve the ACL settings for a given container.
# GET  /v1/containers/{container-id}/acl
# Intended scope(s): project
#"container_acls:get": "(rule:all_but_audit and rule:container_project_match) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"

# Delete ACL for a given container. No content is returned in the case
# of successful deletion.
# DELETE  /v1/containers/{container-id}/acl
# Intended scope(s): project
#"container_acls:delete": "rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"

# Create a new ACL, or replace the existing ACL, for a given container.
# PUT  /v1/containers/{container-id}/acl
# PATCH  /v1/containers/{container-id}/acl
# Intended scope(s): project
#"container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"

# List a specific consumer for a given container.
# GET  /v1/containers/{container-id}/consumers/{consumer-id}
# Intended scope(s): project, system
#"consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"

# List a container's consumers.
# GET  /v1/containers/{container-id}/consumers
# Intended scope(s): project, system
#"consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"

# Creates a consumer.
# POST  /v1/containers/{container-id}/consumers
# Intended scope(s): project, system
#"consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"

# Deletes a consumer.
# DELETE  /v1/containers/{container-id}/consumers/{consumer-id}
# Intended scope(s): project, system
#"consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"

# Creates a container.
# POST  /v1/containers
# Intended scope(s): project
#"containers:post": "rule:admin_or_creator or role:member"

# Lists a project's containers.
# GET  /v1/containers
# Intended scope(s): project
#"containers:get": "rule:all_but_audit or role:member"

# Retrieves a single container.
# GET  /v1/containers/{container-id}
# Intended scope(s): project
#"container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"

# Deletes a container.
# DELETE  /v1/containers/{uuid}
# Intended scope(s): project
#"container:delete": "rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"

# Add a secret to an existing container.
# POST  /v1/containers/{container-id}/secrets
# Intended scope(s): project
#"container_secret:post": "rule:admin or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"

# Remove a secret from a container.
# DELETE  /v1/containers/{container-id}/secrets/{secret-id}
# Intended scope(s): project
#"container_secret:delete": "rule:admin or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"

# Gets list of all orders associated with a project.
# GET  /v1/orders
# Intended scope(s): project
#"orders:get": "rule:all_but_audit or role:member"

# Creates an order.
# POST  /v1/orders
# Intended scope(s): project
#"orders:post": "rule:admin_or_creator or role:member"

# Unsupported method for the orders API.
# PUT  /v1/orders
# Intended scope(s): project
#"orders:put": "rule:admin_or_creator or role:member"

# Retrieves an order's metadata.
# GET  /v1/orders/{order-id}
# Intended scope(s): project
#"order:get": "rule:all_users or role:member"

# Deletes an order.
# DELETE  /v1/orders/{order-id}
# Intended scope(s): project
#"order:delete": "rule:admin or role:member"

# List quotas for the project the user belongs to.
# GET  /v1/quotas
# Intended scope(s): project
#"quotas:get": "rule:all_users or role:reader"

# List quotas for the specified project.
# GET  /v1/project-quotas
# GET  /v1/project-quotas/{uuid}
# Intended scope(s): system
#"project_quotas:get": "rule:service_admin or role:reader and system_scope:all"

# Create or update the configured project quotas for the project with
# the specified UUID.
# PUT  /v1/project-quotas/{uuid}
# Intended scope(s): system
#"project_quotas:put": "rule:service_admin or role:admin and system_scope:all"

# Delete the project quotas configuration for the project with the
# requested UUID.
# DELETE  /v1/quotas}
# Intended scope(s): system
#"project_quotas:delete": "rule:service_admin or role:admin and system_scope:all"

# metadata/: Lists a secret's user-defined metadata. || metadata/{key}:
# Retrieves a secret's user-added metadata.
# GET  /v1/secrets/{secret-id}/metadata
# GET  /v1/secrets/{secret-id}/metadata/{meta-key}
# Intended scope(s): project
#"secret_meta:get": "rule:all_but_audit or role:member"

# Adds a new key/value pair to the secret's user-defined metadata.
# POST  /v1/secrets/{secret-id}/metadata/{meta-key}
# Intended scope(s): project
#"secret_meta:post": "rule:admin_or_creator or role:member"

# metadata/: Sets the user-defined metadata for a secret ||
# metadata/{key}: Updates an existing key/value pair in the secret's
# user-defined metadata.
# PUT  /v1/secrets/{secret-id}/metadata
# PUT  /v1/secrets/{secret-id}/metadata/{meta-key}
# Intended scope(s): project
#"secret_meta:put": "rule:admin_or_creator or role:member"

# Delete secret user-defined metadata by key.
# DELETE  /v1/secrets/{secret-id}/metadata/{meta-key}
# Intended scope(s): project
#"secret_meta:delete": "rule:admin_or_creator or role:member"

# Retrieve a secret's payload.
# GET  /v1/secrets/{uuid}/payload
# Intended scope(s): project
#"secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"

# Retrieves a secret's metadata.
# GET  /v1/secrets/{secret-id}
# Intended scope(s): project
#"secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"

# Add the payload to an existing metadata-only secret.
# PUT  /v1/secrets/{secret-id}
# Intended scope(s): project
#"secret:put": "rule:admin_or_creator and rule:secret_project_match or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"

# Delete a secret by uuid.
# DELETE  /v1/secrets/{secret-id}
# Intended scope(s): project
#"secret:delete": "rule:secret_project_admin or rule:secret_project_creator or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"

# Creates a Secret entity.
# POST  /v1/secrets
# Intended scope(s): project
#"secrets:post": "rule:admin_or_creator or role:member"

# Lists a project's secrets.
# GET  /v1/secrets
# Intended scope(s): project
#"secrets:get": "rule:all_but_audit or role:member"

# Get list of available secret store backends.
# GET  /v1/secret-stores
# Intended scope(s): project, system
#"secretstores:get": "rule:all_users or role:reader"

# Get a reference to the secret store that is used as default secret
# store backend for the deployment.
# GET  /v1/secret-stores/global-default
# Intended scope(s): project, system
#"secretstores:get_global_default": "rule:all_users or role:reader"

# Get a reference to the preferred secret store if assigned
# previously.
# GET  /v1/secret-stores/preferred
# Intended scope(s): project, system
#"secretstores:get_preferred": "rule:all_users or role:reader"

# Set a secret store backend as the preferred store backend for the
# caller's project.
# POST  /v1/secret-stores/{ss-id}/preferred
# Intended scope(s): project
#"secretstore_preferred:post": "rule:admin"

# Remove the preferred secret store backend setting for the caller's project.
# DELETE  /v1/secret-stores/{ss-id}/preferred
# Intended scope(s): project
#"secretstore_preferred:delete": "rule:admin"

# Get details of secret store by its ID.
# GET  /v1/secret-stores/{ss-id}
# Intended scope(s): project, system
#"secretstore:get": "rule:all_users or role:reader"

# Get a specific transport key.
# GET  /v1/transport_keys/{key-id}
# Intended scope(s): project, system
#"transport_key:get": "rule:all_users or role:reader"

# Delete a specific transport key.
# DELETE  /v1/transport_keys/{key-id}
# Intended scope(s): system
#"transport_key:delete": "role:admin and system_scope:all"

# Get a list of all transport keys.
# GET  /v1/transport_keys
# Intended scope(s): project, system
#"transport_keys:get": "rule:all_users or role:reader"

# Create a new transport key.
# POST  /v1/transport_keys
# Intended scope(s): system
#"transport_keys:post": "role:admin and system_scope:all"