diff --git a/etc/skyline.yaml.sample b/etc/skyline.yaml.sample
index 1753b45..05e74ab 100644
--- a/etc/skyline.yaml.sample
+++ b/etc/skyline.yaml.sample
@@ -75,6 +75,7 @@ openstack:
 database: trove
 identity: keystone
 image: glance
+ key-manager: barbican
 load-balancer: octavia
 network: neutron
 object-store: swift
diff --git a/releasenotes/notes/add-barbican-configs-and-policies-3951a6784064045e.yaml b/releasenotes/notes/add-barbican-configs-and-policies-3951a6784064045e.yaml
new file mode 100644
index 0000000..17cc503
--- /dev/null
+++ b/releasenotes/notes/add-barbican-configs-and-policies-3951a6784064045e.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Add ``key-manager: barbican`` into service_mapping of skyline config. So that we will
+ generate barbican related endpoint into nginx file.
+ - |
+ Add barbican related policies. So that we provide policies of barbican to skyline-console.
diff --git a/releasenotes/notes/add-magnum-configs-and-policies-b92cbaecac5a9379.yaml b/releasenotes/notes/add-magnum-configs-and-policies-b92cbaecac5a9379.yaml
index 36e9d6a..e7be245 100644
--- a/releasenotes/notes/add-magnum-configs-and-policies-b92cbaecac5a9379.yaml
+++ b/releasenotes/notes/add-magnum-configs-and-policies-b92cbaecac5a9379.yaml
@@ -1,4 +1,7 @@
 ---
 features:
 - |
- Add Magnum config and policy in order to configure endpoint and provide policy to skyline-console.
+ Add ``container-infra: magnum`` into service_mapping of skyline config. So that we will
+ generate magnum related endpoint into nginx file.
+ - |
+ Add magnum related policies. So that we provide policies of magnum to skyline-console.
diff --git a/releasenotes/notes/add-zun-configs-and-policies-6a761034b5851255.yaml b/releasenotes/notes/add-zun-configs-and-policies-6a761034b5851255.yaml
index c578e24..3d673c4 100644
--- a/releasenotes/notes/add-zun-configs-and-policies-6a761034b5851255.yaml
+++ b/releasenotes/notes/add-zun-configs-and-policies-6a761034b5851255.yaml
@@ -1,4 +1,7 @@
 ---
 features:
 - |
- Add Zun config and policy in order to configure endpoint and provide policy to skyline-console.
+ Add ``container: zun`` into service_mapping of skyline config. So that we will
+ generate zun related endpoint into nginx file.
+ - |
+ Add zun related policies. So that we provide policies of zun to skyline-console.
diff --git a/skyline_apiserver/config/openstack.py b/skyline_apiserver/config/openstack.py
index 79fc211..d83d319 100644
--- a/skyline_apiserver/config/openstack.py
+++ b/skyline_apiserver/config/openstack.py
@@ -173,13 +173,14 @@ service_mapping = Opt(
 "database": "trove",
 "identity": "keystone",
 "image": "glance",
+ "key-manager": "barbican",
 "load-balancer": "octavia",
 "network": "neutron",
 "object-store": "swift",
 "orchestration": "heat",
 "placement": "placement",
- "volumev3": "cinder",
 "sharev2": "manilav2",
+ "volumev3": "cinder",
 },
 )
diff --git a/skyline_apiserver/policy/manager/barbican.py b/skyline_apiserver/policy/manager/barbican.py
new file mode 100644
index 0000000..53f7036
--- /dev/null
+++ b/skyline_apiserver/policy/manager/barbican.py
@@ -0,0 +1,470 @@ +# flake8: noqa +# fmt: off + +from . import base + +list_rules = ( + base.Rule( + name="admin", + check_str=("role:admin"), + description="No description", + ), + base.Rule( + name="observer", + check_str=("role:observer"), + description="No description", + ), + base.Rule( + name="creator", + check_str=("role:creator"), + description="No description", + ), + base.Rule( + name="audit", + check_str=("role:audit"), + description="No description", + ), + base.Rule( + name="service_admin", + check_str=("role:key-manager:service-admin"), + description="No description", + ), + base.Rule( + name="admin_or_creator", + check_str=("rule:admin or rule:creator"), + description="No description", + ), + base.Rule( + name="all_but_audit", + check_str=("rule:admin or rule:observer or rule:creator"), + description="No description", + ), + base.Rule( + name="all_users", + check_str=("rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"), + description="No description", + ), + base.Rule( + name="secret_project_match", + check_str=("project_id:%(target.secret.project_id)s"), + description="No description", + ), + base.Rule( + name="secret_acl_read", + check_str=("'read':%(target.secret.read)s"), + description="No description", + ), + base.Rule( + name="secret_private_read", + check_str=("'False':%(target.secret.read_project_access)s"), + description="No description", + ), + base.Rule( + name="secret_creator_user", + check_str=("user_id:%(target.secret.creator_id)s"), + description="No description", + ), + base.Rule( + name="container_project_match", + check_str=("project_id:%(target.container.project_id)s"), + description="No description", + ), + base.Rule( + name="container_acl_read", + check_str=("'read':%(target.container.read)s"), + description="No description", + ), + base.Rule( + name="container_private_read", + check_str=("'False':%(target.container.read_project_access)s"), + description="No description", + ), + base.Rule( + 
name="container_creator_user", + check_str=("user_id:%(target.container.creator_id)s"), + description="No description", + ), + base.Rule( + name="secret_non_private_read", + check_str=("rule:all_users and rule:secret_project_match and not rule:secret_private_read"), + description="No description", + ), + base.Rule( + name="secret_decrypt_non_private_read", + check_str=("rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"), + description="No description", + ), + base.Rule( + name="container_non_private_read", + check_str=("rule:all_users and rule:container_project_match and not rule:container_private_read"), + description="No description", + ), + base.Rule( + name="secret_project_admin", + check_str=("rule:admin and rule:secret_project_match"), + description="No description", + ), + base.Rule( + name="secret_project_creator", + check_str=("rule:creator and rule:secret_project_match and rule:secret_creator_user"), + description="No description", + ), + base.Rule( + name="secret_project_creator_role", + check_str=("rule:creator and rule:secret_project_match"), + description="No description", + ), + base.Rule( + name="container_project_admin", + check_str=("rule:admin and rule:container_project_match"), + description="No description", + ), + base.Rule( + name="container_project_creator", + check_str=("rule:creator and rule:container_project_match and rule:container_creator_user"), + description="No description", + ), + base.Rule( + name="container_project_creator_role", + check_str=("rule:creator and rule:container_project_match"), + description="No description", + ), + base.APIRule( + name="secret_acls:get", + check_str=("(rule:all_but_audit and rule:secret_project_match) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"), + description="Retrieve the ACL settings for a given 
secret.If no ACL is defined for that secret, then Default ACL is returned.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/acl"}], + ), + base.APIRule( + name="secret_acls:delete", + check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"), + description="Delete the ACL settings for a given secret.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1/secrets/{secret-id}/acl"}], + ), + base.APIRule( + name="secret_acls:put_patch", + check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"), + description="Create new, replaces, or updates existing ACL for a given secret.", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/v1/secrets/{secret-id}/acl"}, {"method": "PATCH", "path": "/v1/secrets/{secret-id}/acl"}], + ), + base.APIRule( + name="container_acls:get", + check_str=("(rule:all_but_audit and rule:container_project_match) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"), + description="Retrieve the ACL settings for a given container.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1/containers/{container-id}/acl"}], + ), + base.APIRule( + name="container_acls:delete", + 
check_str=("rule:container_project_admin or rule:container_project_creator or (rule:container_project_creator_role and rule:container_non_private_read) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"), + description="Delete ACL for a given container. No content is returned in the case of successful deletion.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/acl"}], + ), + base.APIRule( + name="container_acls:put_patch", + check_str=("rule:container_project_admin or rule:container_project_creator or (rule:container_project_creator_role and rule:container_non_private_read) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"), + description="Create new or replaces existing ACL for a given container.", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/v1/containers/{container-id}/acl"}, {"method": "PATCH", "path": "/v1/containers/{container-id}/acl"}], + ), + base.APIRule( + name="consumer:get", + check_str=("rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"), + description="DEPRECATED: show information for a specific consumer", + scope_types=["project", "system"], + operations=[{"method": "GET", "path": "/v1/containers/{container-id}/consumers/{consumer-id}"}], + ), + 
base.APIRule( + name="container_consumers:get", + check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"), + description="List a containers consumers.", + scope_types=["project", "system"], + operations=[{"method": "GET", "path": "/v1/containers/{container-id}/consumers"}], + ), + base.APIRule( + name="container_consumers:post", + check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"), + description="Creates a consumer.", + scope_types=["project", "system"], + operations=[{"method": "POST", "path": "/v1/containers/{container-id}/consumers"}], + ), + base.APIRule( + name="container_consumers:delete", + check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"), + description="Deletes a consumer.", + scope_types=["project", "system"], + operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/consumers"}], + ), + base.APIRule( + name="secret_consumers:get", + check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or 
rule:secret_acl_read or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"), + description="List consumers for a secret.", + scope_types=["project", "system"], + operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/consumers"}], + ), + base.APIRule( + name="secret_consumers:post", + check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"), + description="Creates a consumer.", + scope_types=["project", "system"], + operations=[{"method": "POST", "path": "/v1/secrets/{secrets-id}/consumers"}], + ), + base.APIRule( + name="secret_consumers:delete", + check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"), + description="Deletes a consumer.", + scope_types=["project", "system"], + operations=[{"method": "DELETE", "path": "/v1/secrets/{secrets-id}/consumers"}], + ), + base.APIRule( + name="containers:post", + check_str=("rule:admin_or_creator or role:member"), + description="Creates a container.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1/containers"}], + ), + base.APIRule( + name="containers:get", + check_str=("rule:all_but_audit or role:member"), + description="Lists a projects containers.", + scope_types=["project"], + 
operations=[{"method": "GET", "path": "/v1/containers"}], + ), + base.APIRule( + name="container:get", + check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"), + description="Retrieves a single container.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1/containers/{container-id}"}], + ), + base.APIRule( + name="container:delete", + check_str=("rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"), + description="Deletes a container.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1/containers/{uuid}"}], + ), + base.APIRule( + name="container_secret:post", + check_str=("rule:container_project_admin or rule:container_project_creator or rule:container_project_creator_role and rule:container_non_private_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"), + description="Add a secret to an existing container.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1/containers/{container-id}/secrets"}], + ), + base.APIRule( + name="container_secret:delete", + check_str=("rule:container_project_admin or rule:container_project_creator or rule:container_project_creator_role and rule:container_non_private_read or (role:member and project_id:%(target.container.project_id)s and 
(user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"), + description="Remove a secret from a container.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/secrets/{secret-id}"}], + ), + base.APIRule( + name="orders:get", + check_str=("rule:all_but_audit or role:member"), + description="Gets list of all orders associated with a project.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1/orders"}], + ), + base.APIRule( + name="orders:post", + check_str=("rule:admin_or_creator or role:member"), + description="Creates an order.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1/orders"}], + ), + base.APIRule( + name="orders:put", + check_str=("rule:admin_or_creator or role:member"), + description="Unsupported method for the orders API.", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/v1/orders"}], + ), + base.APIRule( + name="order:get", + check_str=("rule:all_users and project_id:%(target.order.project_id)s or role:member and project_id:%(target.order.project_id)s"), + description="Retrieves an orders metadata.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1/orders/{order-id}"}], + ), + base.APIRule( + name="order:delete", + check_str=("rule:admin and project_id:%(target.order.project_id)s or role:member and project_id:%(target.order.project_id)s"), + description="Deletes an order.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1/orders/{order-id}"}], + ), + base.APIRule( + name="quotas:get", + check_str=("rule:all_users or role:reader"), + description="List quotas for the project the user belongs to.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1/quotas"}], + ), + base.APIRule( + name="project_quotas:get", + check_str=("rule:service_admin or role:reader and 
system_scope:all"), + description="List quotas for the specified project.", + scope_types=["system"], + operations=[{"method": "GET", "path": "/v1/project-quotas"}, {"method": "GET", "path": "/v1/project-quotas/{uuid}"}], + ), + base.APIRule( + name="project_quotas:put", + check_str=("rule:service_admin or role:admin and system_scope:all"), + description="Create or update the configured project quotas for the project with the specified UUID.", + scope_types=["system"], + operations=[{"method": "PUT", "path": "/v1/project-quotas/{uuid}"}], + ), + base.APIRule( + name="project_quotas:delete", + check_str=("rule:service_admin or role:admin and system_scope:all"), + description="Delete the project quotas configuration for the project with the requested UUID.", + scope_types=["system"], + operations=[{"method": "DELETE", "path": "/v1/quotas}"}], + ), + base.APIRule( + name="secret_meta:get", + check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"), + description="metadata/: Lists a secrets user-defined metadata. 
|| metadata/{key}: Retrieves a secrets user-added metadata.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/metadata"}, {"method": "GET", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}], + ), + base.APIRule( + name="secret_meta:post", + check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"), + description="Adds a new key/value pair to the secrets user-defined metadata.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}], + ), + base.APIRule( + name="secret_meta:put", + check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"), + description="metadata/: Sets the user-defined metadata for a secret || metadata/{key}: Updates an existing key/value pair in the secrets user-defined metadata.", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/v1/secrets/{secret-id}/metadata"}, {"method": "PUT", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}], + ), + base.APIRule( + name="secret_meta:delete", + check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"), + 
description="Delete secret user-defined metadata by key.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}], + ), + base.APIRule( + name="secret:decrypt", + check_str=("rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"), + description="Retrieve a secrets payload.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1/secrets/{uuid}/payload"}], + ), + base.APIRule( + name="secret:get", + check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"), + description="Retrieves a secrets metadata.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}"}], + ), + base.APIRule( + name="secret:put", + check_str=("rule:admin_or_creator and rule:secret_project_match or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"), + description="Add the payload to an existing metadata-only secret.", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/v1/secrets/{secret-id}"}], + ), + base.APIRule( + name="secret:delete", + check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and not rule:secret_private_read) or (role:member and project_id:%(target.secret.project_id)s and 
(user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"), + description="Delete a secret by uuid.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1/secrets/{secret-id}"}], + ), + base.APIRule( + name="secrets:post", + check_str=("rule:admin_or_creator or role:member"), + description="Creates a Secret entity.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1/secrets"}], + ), + base.APIRule( + name="secrets:get", + check_str=("rule:all_but_audit or role:member"), + description="Lists a projects secrets.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1/secrets"}], + ), + base.APIRule( + name="secretstores:get", + check_str=("rule:all_users or role:reader"), + description="Get list of available secret store backends.", + scope_types=["project", "system"], + operations=[{"method": "GET", "path": "/v1/secret-stores"}], + ), + base.APIRule( + name="secretstores:get_global_default", + check_str=("rule:all_users or role:reader"), + description="Get a reference to the secret store that is used as default secret store backend for the deployment.", + scope_types=["project", "system"], + operations=[{"method": "GET", "path": "/v1/secret-stores/global-default"}], + ), + base.APIRule( + name="secretstores:get_preferred", + check_str=("rule:all_users or role:reader"), + description="Get a reference to the preferred secret store if assigned previously.", + scope_types=["project", "system"], + operations=[{"method": "GET", "path": "/v1/secret-stores/preferred"}], + ), + base.APIRule( + name="secretstore_preferred:post", + check_str=("rule:admin"), + description="Set a secret store backend to be preferred store backend for their project.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1/secret-stores/{ss-id}/preferred"}], + ), + base.APIRule( + name="secretstore_preferred:delete", + 
check_str=("rule:admin"), + description="Remove preferred secret store backend setting for their project.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1/secret-stores/{ss-id}/preferred"}], + ), + base.APIRule( + name="secretstore:get", + check_str=("rule:all_users or role:reader"), + description="Get details of secret store by its ID.", + scope_types=["project", "system"], + operations=[{"method": "GET", "path": "/v1/secret-stores/{ss-id}"}], + ), + base.APIRule( + name="transport_key:get", + check_str=("rule:all_users or role:reader"), + description="Get a specific transport key.", + scope_types=["project", "system"], + operations=[{"method": "GET", "path": "/v1/transport_keys/{key-id}}"}], + ), + base.APIRule( + name="transport_key:delete", + check_str=("role:admin and system_scope:all"), + description="Delete a specific transport key.", + scope_types=["system"], + operations=[{"method": "DELETE", "path": "/v1/transport_keys/{key-id}"}], + ), + base.APIRule( + name="transport_keys:get", + check_str=("rule:all_users or role:reader"), + description="Get a list of all transport keys.", + scope_types=["project", "system"], + operations=[{"method": "GET", "path": "/v1/transport_keys"}], + ), + base.APIRule( + name="transport_keys:post", + check_str=("role:admin and system_scope:all"), + description="Create a new transport key.", + scope_types=["system"], + operations=[{"method": "POST", "path": "/v1/transport_keys"}], + ), +) + +__all__ = ("list_rules",) diff --git a/skyline_apiserver/types/constants.py b/skyline_apiserver/types/constants.py index ca7b3cd..191e798 100644 --- a/skyline_apiserver/types/constants.py +++ b/skyline_apiserver/types/constants.py @@ -45,6 +45,7 @@ POLICY_NS = "oslo.policy.policies" SUPPORTED_SERVICE_EPS = { # openstack_service: [, ,] + "barbican": ["barbican"], "cinder": ["cinder"], "glance": ["glance"], "heat": ["heat"], diff --git a/tools/post_install.sh b/tools/post_install.sh index 23c0baa..b9a7048 100755 
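Review bot: Three `operations` paths in the new rule table are malformed, which matters if the console or any tooling uses them to map actions onto barbican endpoints: `project_quotas:delete` gives `"/v1/quotas}"` where its sibling project-quota rules use `"/v1/project-quotas/{uuid}"`, `transport_key:get` carries a doubled brace in `"/v1/transport_keys/{key-id}}"`, and `secret_consumers:post`/`secret_consumers:delete` use `{secrets-id}` where every other secret rule uses `{secret-id}`. The `# flake8: noqa` / `# fmt: off` header and the post_install.sh step that patches barbican's own policy source before installation suggest this table is generated from barbican's policy definitions, so these typos are presumably inherited from upstream and are best fixed there and regenerated rather than hand-edited here. A module docstring should also record that provenance and the trust boundary: the rules mirror barbican's shipped defaults as of generation time, and if skyline-console uses them to gate UI actions (as the release note implies) the authoritative check is still barbican's deployed policy, so a deployment that overrides barbican's policy.yaml will diverge from what the console shows. The `secret_acls:get` description is also missing a space in `secret.If`.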
--- a/tools/post_install.sh
+++ b/tools/post_install.sh
@@ -19,7 +19,8 @@ INSTALL_PROJECTS="keystone \
 octavia \
 manila \
 magnum \
- zun"
+ zun\
+ barbican"
 BRANCH=`git rev-parse --abbrev-ref HEAD`
 for project in ${INSTALL_PROJECTS}
@@ -31,3 +32,8 @@ for deprecated_project in ${INSTALL_DEPRECATED_PROJECTS}
 do
 pip install -U ${deprecated_project}
 done
+
+# Patch barbican
+# https://review.opendev.org/c/openstack/barbican/+/839147
+patch_path="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')/barbican/common/policies/secrets.py"
+sed -i "s/'GET\"'/'GET'/g" $patch_path
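Review bot: `zun\` drops the space before the line-continuation backslash that every other entry in `INSTALL_PROJECTS` has (`magnum \`); inside double quotes the backslash-newline pair is removed outright, so `zun` stays a separate word from `barbican` only because of the continuation line's leading indentation, which the collapsed rendering here cannot confirm. Write it as `zun \` to match the surrounding entries and remove the dependence on indentation.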
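Review bot: `sed -i "s/'GET\"'/'GET'/g" $patch_path` expands `$patch_path` unquoted, so a site-packages path containing whitespace is word-split, and nothing checks that the file exists before it is edited in place; quote the expansion and guard it, `[ -f "$patch_path" ] && sed -i "s/'GET\"'/'GET'/g" "$patch_path"`, or let the missing file fail loudly if that is intended (whether the script runs under `set -e` is not visible in the hunk). Because this step rewrites a file inside an installed third-party package so that policies can be generated from it, the comment above it should say it is a temporary workaround, e.g. `# TODO: drop once https://review.opendev.org/c/openstack/barbican/+/839147 is in the installed barbican; the substitution is a no-op on fixed versions`. Note too that `sysconfig.get_paths()["purelib"]` presumably will not locate a barbican installed into a user site or as an editable checkout, in which case sed reports a missing file instead of patching the copy actually used for generation.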