barbican/doc/source/admin/access_control.rst
Ghanshyam Mann d6c01bba59 [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to do two things:

1. Change the default value of '[oslo_policy] policy_file''
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.

2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.

Also replace policy.json to policy.yaml ref from doc and tests.

[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: Idaa65dac1c97324d671b9a07a2f3d51bb128e8c2
2021-02-02 08:36:59 -06:00

3.2 KiB

Access Control

Role Based Access Control (RBAC)

Like many other services, the Key Manager service supports the protection of its APIs by enforcing policy rules defined in a policy file. The Key Manager service stores a reference to a policy JSON file in its configuration file, /etc/barbican/barbican.conf. Typically this file is named policy.yaml and it is stored in /etc/barbican/policy.yaml.

Each Key Manager API call has a line in the policy file that dictates which level of access applies:

API_NAME: RULE_STATEMENT or MATCH_STATEMENT

where RULE_STATEMENT can be another RULE_STATEMENT or a MATCH_STATEMENT:

RULE_STATEMENT: RULE_STATEMENT or MATCH_STATEMENT

MATCH_STATEMENT is a set of identifiers that must match between the token provided by the caller of the API and the parameters or target entities of the API in question. For example:

"secrets:post": "role:admin or role:creator"

indicates that to create a new secret via a POST request, you must have either the admin or creator role in your token.

Warning

The Key Manager service scopes the ownership of a secret at the project level. This means that many calls in the API will perform an additional check to ensure that the project_id of the token matches the project_id stored as the secret owner.

Default Policy

The policy engine in OpenStack is very flexible and allows for customized policies that make sense for your particular cloud. The Key Manager service comes with a sample policy.yaml file which can be used as the starting point for a customized policy. The sample policy defines 5 distinct roles:

key-manager:service-admin

The cloud administrator in charge of the Key Manager service. This user has access to all management APIs like the project-quotas.

admin

Project administrator. This user has full access to all resources owned by the project for which the admin role is scoped.

creator

Users with this role are allowed to create new resources and can only delete resources which are originally created (owned) by them. Users with this role cannot delete other user's resources managed within same project. They are also allowed full access to existing secrets owned by the project in scope.

observer

Users with this role are allowed to access to existing resources but are not allowed to upload new secrets or delete existing secrets.

audit

Users with this role are only allowed access to the resource metadata. So users with this role are unable to decrypt secrets.

Access Control List API

There are some limitations that result from scoping ownership of a secret at the project level. For example, there is no easy way for a user to upload a secret for which only they have access. There is also no easy way to grant a user access to only a single secret.

To address this limitations the Key Manager service includes an Access Control List (ACL) API. For full details see the ACL API User Guide