Removed the policy from values in favor of policy in code
As services have the default policy in code, the policy in values files is removed. Change-Id: Icc07e3915a3b07beb02e8c0845d8d6e18adfcfea
This commit is contained in:
xuxant02@gmail.com
parent
58e19cdb65
commit
420dac178e
|
|
@ -14,7 +14,7 @@ apiVersion: v1
|
|||
appVersion: v1.0.0
|
||||
description: OpenStack-Helm Barbican
|
||||
name: barbican
|
||||
version: 0.2.8
|
||||
version: 0.2.9
|
||||
home: https://docs.openstack.org/barbican/latest/
|
||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
|
||||
sources:
|
||||
|
|
|
|||
|
|
@ -323,102 +323,7 @@ conf:
|
|||
oslo_config_project: barbican
|
||||
filter:http_proxy_to_wsgi:
|
||||
paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
|
||||
policy:
|
||||
admin: role:admin
|
||||
observer: role:observer
|
||||
creator: role:creator
|
||||
audit: role:audit
|
||||
service_admin: role:key-manager:service-admin
|
||||
admin_or_user_does_not_work: project_id:%(project_id)s
|
||||
admin_or_user: rule:admin or project_id:%(project_id)s
|
||||
admin_or_creator: rule:admin or rule:creator
|
||||
all_but_audit: rule:admin or rule:observer or rule:creator
|
||||
all_users: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
|
||||
secret_acl_read: "'read':%(target.secret.read)s"
|
||||
secret_private_read: "'False':%(target.secret.read_project_access)s"
|
||||
container_acl_read: "'read':%(target.container.read)s"
|
||||
container_private_read: "'False':%(target.container.read_project_access)s"
|
||||
secret_non_private_read: rule:all_users and rule:secret_project_match and not rule:secret_private_read
|
||||
secret_decrypt_non_private_read: rule:all_but_audit and rule:secret_project_match
|
||||
and not rule:secret_private_read
|
||||
container_non_private_read: rule:all_users and rule:container_project_match and not
|
||||
rule:container_private_read
|
||||
secret_project_admin: rule:admin and rule:secret_project_match
|
||||
secret_project_creator: rule:creator and rule:secret_project_match and rule:secret_creator_user
|
||||
container_project_admin: rule:admin and rule:container_project_match
|
||||
container_project_creator: rule:creator and rule:container_project_match and rule:container_creator_user
|
||||
version:get: "@"
|
||||
secret:decrypt: rule:secret_decrypt_non_private_read or rule:secret_project_creator
|
||||
or rule:secret_project_admin or rule:secret_acl_read
|
||||
secret:get: rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin
|
||||
or rule:secret_acl_read
|
||||
secret:put: rule:admin_or_creator and rule:secret_project_match
|
||||
secret:delete: rule:secret_project_admin or rule:secret_project_creator
|
||||
secrets:post: rule:admin_or_creator
|
||||
secrets:get: rule:all_but_audit
|
||||
orders:post: rule:admin_or_creator
|
||||
orders:get: rule:all_but_audit
|
||||
order:get: rule:all_users
|
||||
order:put: rule:admin_or_creator
|
||||
order:delete: rule:admin
|
||||
consumer:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
|
||||
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
|
||||
consumers:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
|
||||
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
|
||||
consumers:post: rule:admin or rule:container_non_private_read or rule:container_project_creator
|
||||
or rule:container_project_admin or rule:container_acl_read
|
||||
consumers:delete: rule:admin or rule:container_non_private_read or rule:container_project_creator
|
||||
or rule:container_project_admin or rule:container_acl_read
|
||||
containers:post: rule:admin_or_creator
|
||||
containers:get: rule:all_but_audit
|
||||
container:get: rule:container_non_private_read or rule:container_project_creator or
|
||||
rule:container_project_admin or rule:container_acl_read
|
||||
container:delete: rule:container_project_admin or rule:container_project_creator
|
||||
container_secret:post: rule:admin
|
||||
container_secret:delete: rule:admin
|
||||
transport_key:get: rule:all_users
|
||||
transport_key:delete: rule:admin
|
||||
transport_keys:get: rule:all_users
|
||||
transport_keys:post: rule:admin
|
||||
certificate_authorities:get_limited: rule:all_users
|
||||
certificate_authorities:get_all: rule:admin
|
||||
certificate_authorities:post: rule:admin
|
||||
certificate_authorities:get_preferred_ca: rule:all_users
|
||||
certificate_authorities:get_global_preferred_ca: rule:service_admin
|
||||
certificate_authorities:unset_global_preferred: rule:service_admin
|
||||
certificate_authority:delete: rule:admin
|
||||
certificate_authority:get: rule:all_users
|
||||
certificate_authority:get_cacert: rule:all_users
|
||||
certificate_authority:get_ca_cert_chain: rule:all_users
|
||||
certificate_authority:get_projects: rule:service_admin
|
||||
certificate_authority:add_to_project: rule:admin
|
||||
certificate_authority:remove_from_project: rule:admin
|
||||
certificate_authority:set_preferred: rule:admin
|
||||
certificate_authority:set_global_preferred: rule:service_admin
|
||||
secret_acls:put_patch: rule:secret_project_admin or rule:secret_project_creator
|
||||
secret_acls:delete: rule:secret_project_admin or rule:secret_project_creator
|
||||
secret_acls:get: rule:all_but_audit and rule:secret_project_match
|
||||
container_acls:put_patch: rule:container_project_admin or rule:container_project_creator
|
||||
container_acls:delete: rule:container_project_admin or rule:container_project_creator
|
||||
container_acls:get: rule:all_but_audit and rule:container_project_match
|
||||
quotas:get: rule:all_users
|
||||
project_quotas:get: rule:service_admin
|
||||
project_quotas:put: rule:service_admin
|
||||
project_quotas:delete: rule:service_admin
|
||||
secret_meta:get: rule:all_but_audit
|
||||
secret_meta:post: rule:admin_or_creator
|
||||
secret_meta:put: rule:admin_or_creator
|
||||
secret_meta:delete: rule:admin_or_creator
|
||||
secretstores:get: rule:admin
|
||||
secretstores:get_global_default: rule:admin
|
||||
secretstores:get_preferred: rule:admin
|
||||
secretstore_preferred:post: rule:admin
|
||||
secretstore_preferred:delete: rule:admin
|
||||
secretstore:get: rule:admin
|
||||
secret_project_match: project_id:%(target.secret.project_id)s
|
||||
secret_creator_user: user_id:%(target.secret.creator_id)s
|
||||
container_project_match: project_id:%(target.container.project_id)s
|
||||
container_creator_user: user_id:%(target.container.creator_id)s
|
||||
policy: {}
|
||||
audit_map:
|
||||
DEFAULT:
|
||||
# default target endpoint type
|
||||
|
|
|
|||
|
|
@ -12,4 +12,5 @@ barbican:
|
|||
- 0.2.6 Allow Barbican to talk to Mariadb over TLS
|
||||
- 0.2.7 Fix db connection key name
|
||||
- 0.2.8 Update htk requirements repo
|
||||
- 0.2.9 Removed default policy in favor in code policy
|
||||
...
|
||||
|
|
|
|||
Loading…
Reference in New Issue