Update secret:delete policy to allow admin to delete secret
Currently a secret can be orphan, if the project that owns it
is deleted by an user that doesn`t have permission on the
project.[1]
The orphan secret cannot be deleted because the current rule
enforces a scoped token on that project to delete it (that
doesn't exist anymore).
To solve this issue, it's necessary to override the secret:delete
policy rule to allow the cloud admin to delete it.
The secret:get policy rule also needed to be changed because the
Python Barbican client gets the secret to check if it has
consumers before actually deleting it. This patch is making these
updates by default
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1932705
Co-author: Mauricio Harley <mharley@redhat.com>
Change-Id: Id755a9efd896b900d31eca93c0136398ed1925b8
(cherry picked from commit 57d7ff378a
)
This commit is contained in:
parent
a00fcade41
commit
00274b2f07
@ -83,7 +83,8 @@ rules = [
|
||||
name='secret:get',
|
||||
check_str=(
|
||||
"True:%(enforce_new_defaults)s and "
|
||||
"(rule:secret_project_admin or "
|
||||
"(role:admin or "
|
||||
"rule:secret_project_admin or "
|
||||
"(rule:secret_project_member and rule:secret_owner) or "
|
||||
"(rule:secret_project_member and rule:secret_is_not_private) or "
|
||||
"rule:secret_acl_read)"),
|
||||
@ -118,7 +119,8 @@ rules = [
|
||||
name='secret:delete',
|
||||
check_str=(
|
||||
"True:%(enforce_new_defaults)s and "
|
||||
"(rule:secret_project_admin or "
|
||||
"(role:admin or "
|
||||
"rule:secret_project_admin or "
|
||||
"(rule:secret_project_member and rule:secret_owner) or "
|
||||
"(rule:secret_project_member and rule:secret_is_not_private))"),
|
||||
scope_types=['project'],
|
||||
|
Loading…
Reference in New Issue
Block a user