ce6336f393
Modified policy and tests to verify this change. As per this change, user with 'creator' role can delete a secret or a container as long as that user has initially created that secret or container. There is still a difference between 'admin' role and 'creator' role behavior around delete operation. With this change, users with 'creator' role cannot delete any other user's secret/container in same project while user with 'admin' role can do that. Updated role docs to reflect this behavior. Change-Id: I53e5529ed34ac4acc76348ca0431cb3de7934b6d
85 lines
5.0 KiB
JSON
85 lines
5.0 KiB
JSON
{
|
|
"admin": "role:admin",
|
|
"observer": "role:observer",
|
|
"creator": "role:creator",
|
|
"audit": "role:audit",
|
|
"service_admin": "role:key-manager:service-admin",
|
|
"admin_or_user_does_not_work": "project_id:%(project_id)s",
|
|
"admin_or_user": "rule:admin or project_id:%(project_id)s",
|
|
"admin_or_creator": "rule:admin or rule:creator",
|
|
"all_but_audit": "rule:admin or rule:observer or rule:creator",
|
|
"all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin",
|
|
"secret_project_match": "project:%(target.secret.project_id)s",
|
|
"secret_acl_read": "'read':%(target.secret.read)s",
|
|
"secret_private_read": "'False':%(target.secret.read_project_access)s",
|
|
"secret_creator_user": "user:%(target.secret.creator_id)s",
|
|
"container_project_match": "project:%(target.container.project_id)s",
|
|
"container_acl_read": "'read':%(target.container.read)s",
|
|
"container_private_read": "'False':%(target.container.read_project_access)s",
|
|
"container_creator_user": "user:%(target.container.creator_id)s",
|
|
|
|
"secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read",
|
|
"secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
|
|
"container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read",
|
|
"secret_project_admin": "rule:admin and rule:secret_project_match",
|
|
"secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user",
|
|
"container_project_admin": "rule:admin and rule:container_project_match",
|
|
"container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user",
|
|
|
|
"version:get": "@",
|
|
"secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
|
|
"secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
|
|
"secret:put": "rule:admin_or_creator and rule:secret_project_match",
|
|
"secret:delete": "rule:secret_project_admin or rule:secret_project_creator",
|
|
"secrets:post": "rule:admin_or_creator",
|
|
"secrets:get": "rule:all_but_audit",
|
|
"orders:post": "rule:admin_or_creator",
|
|
"orders:get": "rule:all_but_audit",
|
|
"order:get": "rule:all_users",
|
|
"order:put": "rule:admin_or_creator",
|
|
"order:delete": "rule:admin",
|
|
"consumer:get": "rule:all_users",
|
|
"consumers:get": "rule:all_users",
|
|
"consumers:post": "rule:admin",
|
|
"consumers:delete": "rule:admin",
|
|
"containers:post": "rule:admin_or_creator",
|
|
"containers:get": "rule:all_but_audit",
|
|
"container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
|
"container:delete": "rule:container_project_admin or rule:container_project_creator",
|
|
"container_secret:post": "rule:admin",
|
|
"container_secret:delete": "rule:admin",
|
|
"transport_key:get": "rule:all_users",
|
|
"transport_key:delete": "rule:admin",
|
|
"transport_keys:get": "rule:all_users",
|
|
"transport_keys:post": "rule:admin",
|
|
"certificate_authorities:get_limited": "rule:all_users",
|
|
"certificate_authorities:get_all": "rule:admin",
|
|
"certificate_authorities:post": "rule:admin",
|
|
"certificate_authorities:get_preferred_ca": "rule:all_users",
|
|
"certificate_authorities:get_global_preferred_ca": "rule:service_admin",
|
|
"certificate_authorities:unset_global_preferred": "rule:service_admin",
|
|
"certificate_authority:delete": "rule:admin",
|
|
"certificate_authority:get": "rule:all_users",
|
|
"certificate_authority:get_cacert": "rule:all_users",
|
|
"certificate_authority:get_ca_cert_chain": "rule:all_users",
|
|
"certificate_authority:get_projects": "rule:service_admin",
|
|
"certificate_authority:add_to_project": "rule:admin",
|
|
"certificate_authority:remove_from_project": "rule:admin",
|
|
"certificate_authority:set_preferred": "rule:admin",
|
|
"certificate_authority:set_global_preferred": "rule:service_admin",
|
|
"secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator",
|
|
"secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator",
|
|
"secret_acls:get": "rule:all_but_audit and rule:secret_project_match",
|
|
"container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator",
|
|
"container_acls:delete": "rule:container_project_admin or rule:container_project_creator",
|
|
"container_acls:get": "rule:all_but_audit and rule:container_project_match",
|
|
"quotas:get": "rule:all_users",
|
|
"project_quotas:get": "rule:service_admin",
|
|
"project_quotas:put": "rule:service_admin",
|
|
"project_quotas:delete": "rule:service_admin",
|
|
"secret_meta:get": "rule:all_but_audit",
|
|
"secret_meta:post": "rule:admin_or_creator",
|
|
"secret_meta:put": "rule:admin_or_creator",
|
|
"secret_meta:delete": "rule:admin_or_creator"
|
|
}
|