Update secret:delete policy to allow admin to delete secret
Currently a secret can be orphan, if the project that owns it is deleted by an user that doesn`t have permission on the project.[1] The orphan secret cannot be deleted because the current rule enforces a scoped token on that project to delete it (that doesn't exist anymore). To solve this issue, it's necessary to override the secret:delete policy rule to allow the cloud admin to delete it. The secret:get policy rule also needed to be changed because the Python Barbican client gets the secret to check if it has consumers before actually deleting it. This patch is making these updates by default [1] https://bugzilla.redhat.com/show_bug.cgi?id=1932705 Co-author: Mauricio Harley <mharley@redhat.com> Change-Id: Id755a9efd896b900d31eca93c0136398ed1925b8 (cherry picked from commit 57d7ff378a497af361c7597f2958f6cd4c0ce25b)
This commit is contained in:
parent
a00fcade41
commit
00274b2f07
@ -83,7 +83,8 @@ rules = [
|
||||
name='secret:get',
|
||||
check_str=(
|
||||
"True:%(enforce_new_defaults)s and "
|
||||
"(rule:secret_project_admin or "
|
||||
"(role:admin or "
|
||||
"rule:secret_project_admin or "
|
||||
"(rule:secret_project_member and rule:secret_owner) or "
|
||||
"(rule:secret_project_member and rule:secret_is_not_private) or "
|
||||
"rule:secret_acl_read)"),
|
||||
@ -118,7 +119,8 @@ rules = [
|
||||
name='secret:delete',
|
||||
check_str=(
|
||||
"True:%(enforce_new_defaults)s and "
|
||||
"(rule:secret_project_admin or "
|
||||
"(role:admin or "
|
||||
"rule:secret_project_admin or "
|
||||
"(rule:secret_project_member and rule:secret_owner) or "
|
||||
"(rule:secret_project_member and rule:secret_is_not_private))"),
|
||||
scope_types=['project'],
|
||||
|
Loading…
x
Reference in New Issue
Block a user