Implement secure RBAC for secretmeta API

Add new project scope specific RBAC rules for the secretmeta API. The old rules still apply, but eventually will be deprecated. The new rules do include some changes to default policy, which are documented in the release note. Change-Id: Ib771a4615c1aa5a9beb1dc036b79c6ed982ba4de
2021-03-08 15:20:23 -05:00 · 2021-03-08 15:20:23 -05:00 · f02d81be2b
commit f02d81be2b
parent 265908ec5f
2 changed files with 26 additions and 8 deletions
--- a/barbican/common/policies/secretmeta.py
+++ b/barbican/common/policies/secretmeta.py
@ -13,11 +13,12 @@
 from oslo_policy import policy


+_MEMBER = "role:member"
 rules = [
    policy.DocumentedRuleDefault(
        name='secret_meta:get',
-        check_str='rule:all_but_audit',
-        scope_types=[],
+        check_str=f'rule:all_but_audit or {_MEMBER}',
+        scope_types=['project'],
        description='metadata/: Lists a secrets user-defined metadata. || ' +
                    'metadata/{key}: Retrieves a secrets user-added metadata.',
        operations=[
@ -33,8 +34,8 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='secret_meta:post',
-        check_str='rule:admin_or_creator',
-        scope_types=[],
+        check_str=f'rule:admin_or_creator or {_MEMBER}',
+        scope_types=['project'],
        description='Adds a new key/value pair to the secrets user-defined ' +
                    'metadata.',
        operations=[
@ -46,8 +47,8 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='secret_meta:put',
-        check_str='rule:admin_or_creator',
-        scope_types=[],
+        check_str=f'rule:admin_or_creator or {_MEMBER}',
+        scope_types=['project'],
        description='metadata/: Sets the user-defined metadata for a secret ' +
                    '|| metadata/{key}: Updates an existing key/value pair ' +
                    'in the secrets user-defined metadata.',
@ -64,8 +65,8 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='secret_meta:delete',
-        check_str='rule:admin_or_creator',
-        scope_types=[],
+        check_str=f'rule:admin_or_creator or {_MEMBER}',
+        scope_types=['project'],
        description='Delete secret user-defined metadata by key.',
        operations=[
            {
--- a/releasenotes/notes/secure-rbac-secretmeta-policy-587cdad4e2ecee3a.yaml
+++ b/releasenotes/notes/secure-rbac-secretmeta-policy-587cdad4e2ecee3a.yaml
@ -0,0 +1,17 @@
+---
+features:
+  - |
+    Implement secure-rbac for secretmeta resource.
+security:
+  - |
+    The current policy allows all users except those with the audit role to
+    list a secrets metadata keys and get the metadata values. The new
+    desired policy will restrict this to members.  For backwards
+    compatibility, the old policies remain in effect, but they are
+    deprecated and will be removed in future, leaving the more restrictive
+    new policy.
+  - |
+    The new secure-rbac policy allows for secret metadata addition,
+    modification and deletion by members.  This is a change from the previous
+    policy that only allowed deletion by the project admin or the secret
+    creator.