Fix policy for adding a secret to a container

This patch fixes the policies for adding and removing secrets from a secret container. Story: 2009297 Task: 43727 Change-Id: I821b4f5998be5b40327311039979f5e00ea9cefc (cherry picked from commit 6c841b23af) (cherry picked from commit a8226fcf33) (cherry picked from commit 7cf500a982) (cherry picked from commit 54e342fa7c)
2021-10-15 11:51:10 -05:00
parent 42feeeaea9
commit ecfef01555
2 changed files with 11 additions and 2 deletions
--- a/barbican/common/policies/containers.py
+++ b/barbican/common/policies/containers.py
@@ -68,7 +68,10 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='container_secret:post',
-        check_str='rule:admin',
+        check_str='rule:container_project_admin or ' +
+                  'rule:container_project_creator or ' +
+                  'rule:container_project_creator_role and ' +
+                  'rule:container_non_private_read',
        scope_types=[],
        description='Add a secret to an existing container.',
        operations=[
@@ -80,7 +83,10 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='container_secret:delete',
-        check_str='rule:admin',
+        check_str='rule:container_project_admin or ' +
+                  'rule:container_project_creator or ' +
+                  'rule:container_project_creator_role and ' +
+                  'rule:container_non_private_read',
        scope_types=[],
        description='Remove a secret from a container.',
        operations=[