Fix policy for adding a secret to a container

This patch fixes the policies for adding and removing secrets from a secret container. Story: 2009297 Task: 43727 Change-Id: I821b4f5998be5b40327311039979f5e00ea9cefc (cherry picked from commit 6c841b23af) (cherry picked from commit a8226fcf33) (cherry picked from commit 7cf500a982) (cherry picked from commit 54e342fa7c)
7 months ago · ecfef01555
2 changed files with 11 additions and 2 deletions
--- a/barbican/common/policies/base.py
+++ b/barbican/common/policies/base.py
@ -89,6 +89,9 @@ rules = [
        name='container_project_creator',
        check_str="rule:creator and rule:container_project_match and " +
                  "rule:container_creator_user"),
+    policy.RuleDefault(
+        name='container_project_creator_role',
+        check_str="rule:creator and rule:container_project_match"),
 ]


--- a/barbican/common/policies/containers.py
+++ b/barbican/common/policies/containers.py
@ -68,7 +68,10 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='container_secret:post',
-        check_str='rule:admin',
+        check_str='rule:container_project_admin or ' +
+                  'rule:container_project_creator or ' +
+                  'rule:container_project_creator_role and ' +
+                  'rule:container_non_private_read',
        scope_types=[],
        description='Add a secret to an existing container.',
        operations=[
@ -80,7 +83,10 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='container_secret:delete',
-        check_str='rule:admin',
+        check_str='rule:container_project_admin or ' +
+                  'rule:container_project_creator or ' +
+                  'rule:container_project_creator_role and ' +
+                  'rule:container_non_private_read',
        scope_types=[],
        description='Remove a secret from a container.',
        operations=[