
Fix policy for adding a secret to a container

This patch fixes the policies for adding and removing secrets from a
secret container.

Story: 2009297
Task: 43727
Change-Id: I821b4f5998be5b40327311039979f5e00ea9cefc
(cherry picked from commit 6c841b23af)
(cherry picked from commit a8226fcf33)
(cherry picked from commit 7cf500a982)
(cherry picked from commit 54e342fa7c)
changes/36/816136/2
Douglas Mendizábal 7 months ago
parent
commit
ecfef01555
  1. 3
      barbican/common/policies/base.py
  2. 10
      barbican/common/policies/containers.py

3
barbican/common/policies/base.py

@ -89,6 +89,9 @@ rules = [
name='container_project_creator',
check_str="rule:creator and rule:container_project_match and " +
"rule:container_creator_user"),
policy.RuleDefault(
name='container_project_creator_role',
check_str="rule:creator and rule:container_project_match"),
]
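Review bot: The new `container_project_creator_role` rule is `container_project_creator` with `rule:container_creator_user` dropped, and nothing in the hunk records that this is deliberate; a one-line comment above the new `policy.RuleDefault(` would stop a later reader from "fixing" it back, e.g. `# Same as container_project_creator, minus rule:container_creator_user.` The `rules = [` list this entry belongs to starts outside the hunk.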

10
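--- a/barbican/common/policies/containers.py
+++ b/barbican/common/policies/containers.py
@@ -68,7 +68,10 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='container_secret:post',
-check_str='rule:admin',
+check_str='rule:container_project_admin or ' +
+'rule:container_project_creator or ' +
+'rule:container_project_creator_role and ' +
+'rule:container_non_private_read',
 scope_types=[],
 description='Add a secret to an existing container.',
 operations=[
@@ -80,7 +83,10 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='container_secret:delete',
-check_str='rule:admin',
+check_str='rule:container_project_admin or ' +
+'rule:container_project_creator or ' +
+'rule:container_project_creator_role and ' +
+'rule:container_non_private_read',
 scope_types=[],
 description='Remove a secret from a container.',
 operations=[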
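Review bot: The new `check_str` for `container_secret:post` mixes `or` and `and` without parentheses; oslo.policy binds `and` tighter than `or`, so it evaluates as `admin or creator or (creator_role and non_private_read)`, and whether that grouping is intended is not visible from the hunk. Making it explicit costs two characters and removes the ambiguity for the next reader: `'(rule:container_project_creator_role and ' +` and `'rule:container_non_private_read)',`. The same expression is repeated verbatim in the `container_secret:delete` hunk below and should get the same treatment. Since both rules go from `rule:admin` to project-scoped checks, the commit description would also benefit from stating that project creators can now add and remove secrets, which is the effective access change. Both `policy.DocumentedRuleDefault(` entries continue past the hunk.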
