f02d81be2b
Add new project scope specific RBAC rules for the secretmeta API. The old rules still apply, but eventually will be deprecated. The new rules do include some changes to default policy, which are documented in the release note. Change-Id: Ib771a4615c1aa5a9beb1dc036b79c6ed982ba4de
18 lines
694 B
YAML
18 lines
694 B
YAML
---
|
|
features:
|
|
- |
|
|
Implement secure-rbac for secretmeta resource.
|
|
security:
|
|
- |
|
|
The current policy allows all users except those with the audit role to
|
|
list a secrets metadata keys and get the metadata values. The new
|
|
desired policy will restrict this to members. For backwards
|
|
compatibility, the old policies remain in effect, but they are
|
|
deprecated and will be removed in future, leaving the more restrictive
|
|
new policy.
|
|
- |
|
|
The new secure-rbac policy allows for secret metadata addition,
|
|
modification and deletion by members. This is a change from the previous
|
|
policy that only allowed deletion by the project admin or the secret
|
|
creator.
|