Skip to content

[Barbican] harden policy.yaml #9988

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
+106 −70
Open

[Barbican] harden policy.yaml #9988

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion openstack/barbican/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ appVersion: dalmatian
description: A Helm chart for Openstack Barbican
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
name: barbican
version: 0.7.9
version: 0.7.10
dependencies:
- condition: mariadb.enabled
name: mariadb
Expand Down
174 changes: 105 additions & 69 deletions openstack/barbican/templates/etc/_barbican-policy.yaml.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,100 +1,136 @@
"admin": "role:cloud_keymanager_admin"
"context_is_admin": "rule:admin"
"service_admin": "rule:admin or role:resource_service"
"service_user": "role:service"
"viewer": "role:keymanager_viewer"
# ---- Roles → convenience rules ----
"key_admin": "role:keymanager_admin"
"viewer": "role:keymanager_viewer"

"context_is_admin": "rule:key_admin"
"context_is_editor": "rule:context_is_admin"
"context_is_viewer": "rule:context_is_admin or rule:viewer"

# ---- Common object-scoping and ownership ----
"secret_project_match": "project_id:%(target.secret.project_id)s"
"container_project_match": "project_id:%(target.container.project_id)s"
"order_project_match": "project_id:%(target.order.project_id)s"

"context_is_key_admin": "rule:context_is_admin or rule:key_admin"
"context_is_editor": "rule:context_is_key_admin"
"context_is_viewer": "rule:context_is_editor or rule:viewer"
"secret_creator_user": "user_id:%(target.secret.creator_id)s"
"container_creator_user": "user_id:%(target.container.creator_id)s"

# ---- Privacy / ACL flags ----
"secret_private_read": "'False':%(target.secret.read_project_access)s"
"container_private_read": "'False':%(target.container.read_project_access)s"
"secret_acl_read": "'read':%(target.secret.read)s"
"container_acl_read": "'read':%(target.container.read)s"

# ---- Derived non-private read guards (project-scoped) ----
"secret_non_private_read": "rule:context_is_viewer and rule:secret_project_match and not rule:secret_private_read"
"secret_decrypt_non_private_read": "rule:context_is_viewer and rule:secret_project_match and not rule:secret_private_read"
"container_non_private_read": "rule:context_is_viewer and rule:container_project_match and not rule:container_private_read"

"secret_project_admin": "rule:context_is_key_admin and rule:secret_project_match"
"secret_project_creator": "rule:context_is_editor and rule:secret_project_match and rule:secret_creator_user"
"container_project_admin": "rule:context_is_key_admin and rule:container_project_match"
"container_project_creator": "rule:context_is_editor and rule:container_project_match and rule:container_creator_user"
# ---- Project-scoped admin/creator (creator still requires admin for writes) ----
"secret_project_admin": "rule:context_is_admin and rule:secret_project_match"
"secret_project_creator": "rule:context_is_admin and rule:secret_project_match and rule:secret_creator_user"

"container_project_admin": "rule:context_is_admin and rule:container_project_match"
"container_project_creator": "rule:context_is_admin and rule:container_project_match and rule:container_creator_user"

# ---- Version ----
"version:get": "@"
"secret:decrypt": "rule:service_user or rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read"
"secret:get": "rule:service_user or rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read"
"secret:put": "rule:context_is_editor and rule:secret_project_match"
"secret:delete": "rule:secret_project_admin or rule:secret_project_creator"

"secret_consumers:get": "rule:context_is_editor"
"secret_consumers:post": "rule:context_is_editor"
"secret_consumers:delete": "rule:context_is_editor"
# ---- Secrets ----
"secret:get": "rule:secret_project_admin or rule:secret_project_creator or rule:secret_non_private_read or rule:secret_acl_read"
"secret:decrypt": "rule:secret_project_admin or rule:secret_project_creator or rule:secret_decrypt_non_private_read or rule:secret_acl_read"

"secrets:post": "rule:context_is_editor"
"secret:put": "rule:context_is_editor and rule:secret_project_match"
"secret:delete": "rule:secret_project_admin or rule:secret_project_creator"

"secrets:get": "rule:context_is_viewer"

"orders:post": "rule:context_is_editor"
"orders:get": "rule:context_is_viewer"
"order:get": "rule:context_is_viewer"
"orders:put": "rule:context_is_editor"
"order:delete": "rule:context_is_key_admin"
# ---- Secret metadata ----
"secret_meta:get": "rule:secret_project_admin or rule:secret_project_creator or rule:secret_non_private_read or rule:secret_acl_read"
"secret_meta:post": "rule:context_is_editor and rule:secret_project_match"
"secret_meta:put": "rule:context_is_editor and rule:secret_project_match"
"secret_meta:delete": "rule:context_is_editor and rule:secret_project_match"

"consumer:get": "rule:service_user or rule:context_is_viewer or rule:container_non_private_read or rule:container_project_admin or rule:container_acl_read"
"container_consumers:get": "rule:context_is_viewer or rule:container_non_private_read or rule:container_project_admin or rule:container_acl_read"
"container_consumers:post": "rule:context_is_key_admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
"container_consumers:delete": "rule:service_user or rule:context_is_key_admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
# ---- Secret ACLs ----
"secret_acls:get": "rule:context_is_viewer and rule:secret_project_match"
"secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator"
"secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator"

# ---- Containers ----
"containers:post": "rule:context_is_editor"
"containers:get": "rule:context_is_viewer"
"container:get": "rule:service_user or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"

"container:get": "rule:container_project_admin or rule:container_project_creator or rule:container_non_private_read or rule:container_acl_read"
"container:delete": "rule:container_project_admin or rule:container_project_creator"

"container_secret:post": "rule:context_is_key_admin"
"container_secret:delete": "rule:context_is_key_admin"
# Attach/detach secrets to existing container → require project match
"container_secret:post": "rule:context_is_admin and rule:container_project_match"
"container_secret:delete": "rule:context_is_admin and rule:container_project_match"

"transport_key:get": "rule:context_is_viewer"
"transport_key:delete": "rule:context_is_key_admin"
"transport_keys:get": "rule:context_is_viewer"
"transport_keys:post": "rule:context_is_key_admin"
# ---- Container ACLs ----
"container_acls:get": "rule:context_is_viewer and rule:container_project_match"
"container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator"
"container_acls:delete": "rule:container_project_admin or rule:container_project_creator"

"certificate_authorities:get_limited": "rule:context_is_viewer"
"certificate_authorities:get_all": "rule:context_is_key_admin"
"certificate_authorities:post": "rule:context_is_key_admin"
"certificate_authorities:get_preferred_ca": "rule:context_is_viewer"
"certificate_authorities:get_global_preferred_ca": "rule:context_is_admin"
"certificate_authorities:unset_global_preferred": "rule:context_is_admin"
# ---- Consumers ----
# View consumers (viewer must be in same project or use non-private/ACL/admin)
"consumer:get": "(rule:context_is_viewer and rule:container_project_match) or rule:container_non_private_read or rule:container_project_admin or rule:container_acl_read"
"container_consumers:get": "(rule:context_is_viewer and rule:container_project_match) or rule:container_non_private_read or rule:container_project_admin or rule:container_acl_read"

"certificate_authority:delete": "rule:context_is_key_admin"
"certificate_authority:get": "rule:context_is_viewer"
"certificate_authority:get_cacert": "rule:context_is_viewer"
"certificate_authority:get_ca_cert_chain": "rule:context_is_viewer"
"certificate_authority:get_projects": "rule:context_is_admin"
"certificate_authority:add_to_project": "rule:context_is_key_admin"
"certificate_authority:remove_from_project": "rule:context_is_key_admin"
"certificate_authority:set_preferred": "rule:context_is_key_admin"
"certificate_authority:set_global_preferred": "rule:context_is_admin"
# Modify consumers on an existing container → require project match on admin/ACL paths
"container_consumers:post": "(rule:context_is_admin and rule:container_project_match) or rule:container_project_creator or rule:container_project_admin or (rule:container_acl_read and rule:container_project_match)"
"container_consumers:delete": "(rule:context_is_admin and rule:container_project_match) or rule:container_project_creator or rule:container_project_admin or (rule:container_acl_read and rule:container_project_match)"

"secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator"
"secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator"
"secret_acls:get": "rule:context_is_viewer and rule:secret_project_match"
# ---- Secret consumers ----
"secret_consumers:get": "rule:context_is_viewer and rule:secret_project_match"
"secret_consumers:post": "rule:context_is_editor and rule:secret_project_match"
"secret_consumers:delete": "rule:context_is_editor and rule:secret_project_match"

"container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator"
"container_acls:delete": "rule:container_project_admin or rule:container_project_creator"
"container_acls:get": "rule:context_is_viewer and rule:container_project_match"
# ---- Orders ----
"orders:get": "rule:context_is_viewer"
"orders:post": "rule:context_is_editor"
"orders:put": "rule:context_is_editor"

"order_project_member": "rule:context_is_viewer and rule:order_project_match"
"order:get": "rule:order_project_member"
"order:delete": "rule:context_is_admin and rule:order_project_member"

# ---- Quotas ----
"quotas:get": "rule:context_is_viewer"
"project_quotas:get": "rule:context_is_admin"
"project_quotas:put": "rule:context_is_admin"
"project_quotas:delete": "rule:context_is_admin"

"project_quotas:get": "rule:service_admin"
"project_quotas:put": "rule:service_admin"
"project_quotas:delete": "rule:service_admin"
# ---- Transport keys ----
"transport_keys:get": "rule:context_is_viewer"
"transport_key:get": "rule:context_is_viewer"
"transport_keys:post": "rule:context_is_admin"
"transport_key:delete": "rule:context_is_admin"

# ---- Secret stores ----
"secretstores:get": "rule:context_is_admin"
"secretstores:get_global_default": "rule:context_is_admin"
"secretstores:get_preferred": "rule:context_is_admin"
"secretstore_preferred:post": "rule:context_is_admin"
"secretstore_preferred:delete": "rule:context_is_admin"
"secretstore:get": "rule:context_is_admin"

# ---- Certificate Authorities ----
"certificate_authorities:get_limited": "rule:context_is_viewer"
"certificate_authorities:get_preferred_ca": "rule:context_is_viewer"

"secret_meta:get": "rule:context_is_viewer"
"secret_meta:post": "rule:context_is_editor"
"secret_meta:put": "rule:context_is_editor"
"secret_meta:delete": "rule:context_is_editor"
"certificate_authorities:get_all": "rule:context_is_admin"
"certificate_authorities:post": "rule:context_is_admin"
"certificate_authorities:unset_global_preferred": "rule:context_is_admin"
"certificate_authorities:get_global_preferred_ca": "rule:context_is_admin"

"secretstores:get": "rule:context_is_key_admin"
"secretstores:get_global_default": "rule:context_is_key_admin"
"secretstores:get_preferred": "rule:context_is_key_admin"
"certificate_authority:get": "rule:context_is_viewer"
"certificate_authority:get_cacert": "rule:context_is_viewer"
"certificate_authority:get_ca_cert_chain": "rule:context_is_viewer"

"secretstore_preferred:post": "rule:context_is_key_admin"
"secretstore_preferred:delete": "rule:context_is_key_admin"
"secretstore:get": "rule:context_is_key_admin"
"certificate_authority:delete": "rule:context_is_admin"
"certificate_authority:get_projects": "rule:context_is_admin"
"certificate_authority:add_to_project": "rule:context_is_admin"
"certificate_authority:remove_from_project": "rule:context_is_admin"
"certificate_authority:set_preferred": "rule:context_is_admin"
"certificate_authority:set_global_preferred": "rule:context_is_admin"