
Modified policy and tests to verify this change. As per this change, user with 'creator' role can delete a secret or a container as long as that user has initially created that secret or container. There is still a difference between 'admin' role and 'creator' role behavior around delete operation. With this change, users with 'creator' role cannot delete any other user's secret/container in same project while user with 'admin' role can do that. Updated role docs to reflect this behavior. Change-Id: I53e5529ed34ac4acc76348ca0431cb3de7934b6d
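# No options are set under [DEFAULT] in this sample.
[DEFAULT]
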
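[identity]
# Replace these with values that represent your identity configuration.
#
# NOTE(review): every password in this section is stored in plaintext, and the
# values shown are sample defaults. Keep any copy that holds real credentials
# out of version control and readable only by the account that runs the tests.
#
# The sample uri is plain http on localhost. When the identity service runs on
# another host, use an https uri so the passwords below are not sent over the
# network in the clear.
uri=http://localhost:5000/v3
version=v3

# Primary user, project, password and domain (sample values).
username=admin
project_name=admin
password=secretadmin
domain_name=Default

# Service-admin user, project and password (sample values).
# NOTE(review): presumably a separate, higher-privileged account; confirm
# against the test suite which operations it is used for.
service_admin=service-admin
service_admin_project=service
service_admin_password=secretservice
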
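[rbac_users]
# Replace these with values that represent additional users for RBAC testing.
#
# Each project has one user per role name (admin, creator, observer, auditor).
# Project A has a second creator (creator_a_2).
# NOTE(review): presumably the second creator is what lets a test check that
# one creator cannot delete a secret or container created by another creator
# in the same project; confirm against the RBAC tests.
#
# NOTE(review): every sample account below uses the same plaintext password.
# That is fine for a throwaway test deployment; do not provision these
# accounts with these passwords on a shared or long-lived identity service.
project_a=project_a
project_b=project_b

# users for project_a
admin_a=project_a_admin
admin_a_password=barbican
creator_a=project_a_creator
creator_a_password=barbican
creator_a_2=project_a_creator_2
creator_a_2_password=barbican
observer_a=project_a_observer
observer_a_password=barbican
auditor_a=project_a_auditor
auditor_a_password=barbican

# users for project_b
admin_b=project_b_admin
admin_b_password=barbican
creator_b=project_b_creator
creator_b_password=barbican
observer_b=project_b_observer
observer_b_password=barbican
auditor_b=project_b_auditor
auditor_b_password=barbican
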
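[keymanager]

# For selecting service endpoint from service catalog,
# following attributes are used to find it.
#
# NOTE(review): the commented-out lines below look like the built-in defaults;
# confirm against the test suite's option definitions before relying on that.
# If verify_ssl is ever set to False, keep that to a disposable test
# environment: the client would then accept any certificate, and the test
# credentials and secret payloads could be read by whoever answers on that
# endpoint.

#service_type=key-manager
#service_name=barbican
#region_name=RegionOne
#endpoint_type=public
#verify_ssl=True

# use this to increase the timeout (in seconds) when debugging API calls
#timeout=10

# use this to run the functional tests against a
# different barbican server than the one that is
# specified in the service catalog. To use what is
# in the service catalog, just comment this out
# or leave it blank.
# NOTE(review): the example override is plain http on localhost; prefer an
# https URL for any server that is not on the local machine.
# override_url=http://localhost:9311
# override_url_version=v1

# Flag to indicate if (when True) the server is setting the href's returned in
# requests via barbican.conf's 'host_href' setting, or else (when False) the
# server is setting the href's from the wsgi request.
# Default value is True.
server_host_href_set = True
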
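[quotas]
# For each resource, the default maximum number that can be used for
# a project is set below. This value can be overridden for each
# project through the API. A negative value means no limit. A zero
# value effectively disables the resource.
# These should be set identically to the system under test.
#
# NOTE(review): every value below is -1, i.e. no limit. Because these mirror
# the server's own settings, a server configured the same way puts no cap on
# how many resources a single project can create; that suits a test
# deployment, but review it before reusing the values elsewhere.

# default number of secrets allowed per project
quota_secrets = -1

# default number of orders allowed per project
quota_orders = -1

# default number of containers allowed per project
quota_containers = -1

# default number of consumers allowed per project
quota_consumers = -1

# default number of CAs allowed per project
quota_cas = -1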