Barbican's policy.json file
{ | |
"admin": "role:admin", | |
"observer": "role:observer", | |
"creator": "role:creator", | |
"audit": "role:audit", | |
"service_admin": "role:key-manager:service-admin", | |
"admin_or_user_does_not_work": "project_id:%(project_id)s", | |
"admin_or_user": "rule:admin or project_id:%(project_id)s", | |
"admin_or_creator": "rule:admin or rule:creator", | |
"all_but_audit": "rule:admin or rule:observer or rule:creator", | |
"all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin", | |
"secret_project_match": "project:%(target.secret.project_id)s", | |
"secret_acl_read": "'read':%(target.secret.read)s", | |
"secret_private_read": "'False':%(target.secret.read_project_access)s", | |
"secret_creator_user": "user:%(target.secret.creator_id)s", | |
"container_project_match": "project:%(target.container.project_id)s", | |
"container_acl_read": "'read':%(target.container.read)s", | |
"container_private_read": "'False':%(target.container.read_project_access)s", | |
"container_creator_user": "user:%(target.container.creator_id)s", | |
"secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read", | |
"secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read", | |
"container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read", | |
"secret_project_admin": "rule:admin and rule:secret_project_match", | |
"secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user", | |
"container_project_admin": "rule:admin and rule:container_project_match", | |
"container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user", | |
"secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator", | |
"secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator", | |
"secret_acls:get": "rule:all_but_audit and rule:secret_project_match", | |
"container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator", | |
"container_acls:delete": "rule:container_project_admin or rule:container_project_creator", | |
"container_acls:get": "rule:all_but_audit and rule:container_project_match", | |
"consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read", | |
"consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read", | |
"consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read", | |
"consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read", | |
"containers:post": "rule:admin_or_creator", | |
"containers:get": "rule:all_but_audit", | |
"container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read", | |
"container:delete": "rule:container_project_admin or rule:container_project_creator", | |
"container_secret:post": "rule:admin", | |
"container_secret:delete": "rule:admin", | |
"orders:post": "rule:admin_or_creator", | |
"orders:get": "rule:all_but_audit", | |
"order:get": "rule:all_users", | |
"order:put": "rule:admin_or_creator", | |
"order:delete": "rule:admin", | |
"quotas:get": "rule:all_users", | |
"project_quotas:get": "rule:service_admin", | |
"project_quotas:put": "rule:service_admin", | |
"project_quotas:delete": "rule:service_admin", | |
"secret_meta:get": "rule:all_but_audit", | |
"secret_meta:post": "rule:admin_or_creator", | |
"secret_meta:put": "rule:admin_or_creator", | |
"secret_meta:delete": "rule:admin_or_creator", | |
"secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read", | |
"secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read", | |
"secret:put": "rule:admin_or_creator and rule:secret_project_match", | |
"secret:delete": "rule:secret_project_admin or rule:secret_project_creator", | |
"secrets:post": "rule:admin_or_creator", | |
"secrets:get": "rule:all_but_audit", | |
"secretstores:get": "rule:admin", | |
"secretstores:get_global_default": "rule:admin", | |
"secretstores:get_preferred": "rule:admin", | |
"secretstore_preferred:post": "rule:admin", | |
"secretstore_preferred:delete": "rule:admin", | |
"secretstore:get": "rule:admin", | |
"transport_key:get": "rule:all_users", | |
"transport_key:delete": "rule:admin", | |
"transport_keys:get": "rule:all_users", | |
"transport_keys:post": "rule:admin" | |
} |