
@JAORMX
Created June 6, 2018 11:11
OpenStack's Barbican policy file rewritten in the Rego language
package openstack.policy
import input.credentials as credentials
import input.action_name as action_name
import input.target as target
# Deny by default: a request is allowed only when one of the `allow` rules
# in this package matches.
default allow = false

# Role predicates. Each one holds when the caller's role list contains the
# named role.
admin { "admin" = credentials.roles[_] }

observer { "observer" = credentials.roles[_] }

creator { "creator" = credentials.roles[_] }

audit { "audit" = credentials.roles[_] }

# Separate role that the project_quotas actions check for.
service_admin { "key-manager:service-admin" = credentials.roles[_] }
# Role groups. A group is written as several rules with the same name, one per
# member role, and holds when any one of them holds.

# admin or creator
admin_or_creator { admin }
admin_or_creator { creator }

# admin, creator or observer (everything except audit)
all_but_audit { admin }
all_but_audit { creator }
all_but_audit { observer }

# admin, creator, observer or audit. service_admin is not a member, so a caller
# holding only "key-manager:service-admin" does not satisfy all_users.
all_users { admin }
all_users { creator }
all_users { observer }
all_users { audit }
# Predicates over the secret being accessed (target.target.secret).

# The caller's project equals the secret's project_id.
secret_project_match { target.target.secret.project_id = credentials.project }

# The target's `read` field is the literal "read". The rule does not look at the
# caller at all.
# NOTE(review): presumably the service sets this field only after evaluating the
# secret's ACL for the requesting user; confirm against the code that builds the input.
secret_acl_read { target.target.secret.read = "read" }

# The secret's read_project_access flag is explicitly false.
secret_private_read { target.target.secret.read_project_access = false }

# The caller's user id equals the secret's creator_id.
secret_creator_user { target.target.secret.creator_id = credentials.user }
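# Predicates over the container being accessed (target.target.container).

# The caller's project equals the container's project_id.
container_project_match {
    credentials.project = target.target.container.project_id
}

# The target's `read` field is the literal "read". The rule does not look at the
# caller at all.
# NOTE(review): presumably the service sets this field only after evaluating the
# container's ACL for the requesting user; confirm against the code that builds the input.
container_acl_read {
    "read" = target.target.container.read
}

# The container's read_project_access flag is explicitly false.
# The field name was previously cut short to `read_project_ac`, which no input
# carries under the name the secret rule uses (read_project_access). The rule
# therefore never matched, `not container_private_read` always held, and private
# containers were treated as readable by every role in the project.
container_private_read {
    false = target.target.container.read_project_access
}

# The caller's user id equals the container's creator_id.
container_creator_user {
    credentials.user = target.target.container.creator_id
}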
# Composite conditions built from the role and target predicates.
#
# `not x_private_read` holds whenever x_private_read is undefined, which includes
# the case where the target carries no read_project_access field at all. A target
# without the flag is therefore treated as non-private.

# Any of the four roles, in the secret's project, and the secret is not private.
secret_non_private_read { all_users; secret_project_match; not secret_private_read }

# Same as above but without the audit role; used for decrypting the payload.
secret_decrypt_non_private_read { all_but_audit; secret_project_match; not secret_private_read }

# Any of the four roles, in the container's project, and the container is not private.
container_non_private_read { all_users; container_project_match; not container_private_read }

# Admin role in the secret's project.
secret_project_admin { admin; secret_project_match }

# Creator role in the secret's project, and the caller created this secret.
secret_project_creator { creator; secret_project_match; secret_creator_user }

# Admin role in the container's project.
container_project_admin { admin; container_project_match }

# Creator role in the container's project, and the caller created this container.
container_project_creator { creator; container_project_match; container_creator_user }
# ACL management.
# Writing or deleting an ACL needs the project admin, or the creator-role user
# who created the object. Reading an ACL needs a non-audit role in the owning project.
allow { action_name = "secret_acls:put_patch"; secret_project_admin }
allow { action_name = "secret_acls:put_patch"; secret_project_creator }

allow { action_name = "secret_acls:delete"; secret_project_admin }
allow { action_name = "secret_acls:delete"; secret_project_creator }

allow { action_name = "secret_acls:get"; all_but_audit; secret_project_match }

allow { action_name = "container_acls:put_patch"; container_project_admin }
allow { action_name = "container_acls:put_patch"; container_project_creator }

allow { action_name = "container_acls:delete"; container_project_admin }
allow { action_name = "container_acls:delete"; container_project_creator }

allow { action_name = "container_acls:get"; all_but_audit; container_project_match }
# Container consumers.
#
# consumer:get and consumers:get: the four bare role rules carry no project
# check, so a caller with any of the roles is allowed whichever project owns the
# container. Every container-scoped rule after them except container_acl_read
# also requires one of those roles, so it adds no further callers.
# NOTE(review): confirm project scoping for these reads is enforced outside this policy.
allow { action_name = "consumer:get"; admin }
allow { action_name = "consumer:get"; observer }
allow { action_name = "consumer:get"; creator }
allow { action_name = "consumer:get"; audit }
allow { action_name = "consumer:get"; container_non_private_read }
allow { action_name = "consumer:get"; container_project_creator }
allow { action_name = "consumer:get"; container_project_admin }
allow { action_name = "consumer:get"; container_acl_read }

allow { action_name = "consumers:get"; admin }
allow { action_name = "consumers:get"; observer }
allow { action_name = "consumers:get"; creator }
allow { action_name = "consumers:get"; audit }
allow { action_name = "consumers:get"; container_non_private_read }
allow { action_name = "consumers:get"; container_project_creator }
allow { action_name = "consumers:get"; container_project_admin }
allow { action_name = "consumers:get"; container_acl_read }

# consumers:post and consumers:delete: the bare `admin` rule again has no project
# check. container_non_private_read admits observer and audit callers in the
# owning project, so those roles can register and remove consumers on
# non-private containers.
allow { action_name = "consumers:post"; admin }
allow { action_name = "consumers:post"; container_non_private_read }
allow { action_name = "consumers:post"; container_project_creator }
allow { action_name = "consumers:post"; container_project_admin }
allow { action_name = "consumers:post"; container_acl_read }

allow { action_name = "consumers:delete"; admin }
allow { action_name = "consumers:delete"; container_non_private_read }
allow { action_name = "consumers:delete"; container_project_creator }
allow { action_name = "consumers:delete"; container_project_admin }
allow { action_name = "consumers:delete"; container_acl_read }
# Containers.
# Creating and listing are decided on role alone.
allow { action_name = "containers:post"; admin_or_creator }
allow { action_name = "containers:get"; all_but_audit }

# Reading one container: a role in the owning project when the container is not
# private, the project admin, the creator who owns it, or the ACL "read" marker
# on the target. The ACL path has no role or project condition of its own.
allow { action_name = "container:get"; container_non_private_read }
allow { action_name = "container:get"; container_project_creator }
allow { action_name = "container:get"; container_project_admin }
allow { action_name = "container:get"; container_acl_read }

# Deleting needs the project admin or the creator who owns the container.
allow { action_name = "container:delete"; container_project_admin }
allow { action_name = "container:delete"; container_project_creator }

# Adding or removing a secret reference checks the admin role only; there is
# no project match in these two rules.
allow { action_name = "container_secret:post"; admin }
allow { action_name = "container_secret:delete"; admin }
# Orders. All five actions are decided on role alone; no rule here compares the
# caller's project with the order's.
allow { action_name = "orders:post"; admin_or_creator }
allow { action_name = "orders:get"; all_but_audit }
allow { action_name = "order:get"; all_users }
allow { action_name = "order:put"; admin_or_creator }
allow { action_name = "order:delete"; admin }
# Quotas. Any of the four project roles may read the effective quotas; reading,
# setting or deleting a project's quotas needs the service_admin role.
allow { action_name = "quotas:get"; all_users }

allow { action_name = "project_quotas:get"; service_admin }
allow { action_name = "project_quotas:put"; service_admin }
allow { action_name = "project_quotas:delete"; service_admin }
# Secret metadata. Decided on role alone: none of these four rules checks the
# project or creator of the secret the metadata belongs to.
# NOTE(review): confirm project scoping is applied before this policy is consulted.
allow { action_name = "secret_meta:get"; all_but_audit }
allow { action_name = "secret_meta:post"; admin_or_creator }
allow { action_name = "secret_meta:put"; admin_or_creator }
allow { action_name = "secret_meta:delete"; admin_or_creator }

# Decrypting a payload. The audit role is excluded from the non-private path.
# The secret_acl_read path has no role or project condition: it rests entirely
# on the "read" marker carried by the target.
allow { action_name = "secret:decrypt"; secret_decrypt_non_private_read }
allow { action_name = "secret:decrypt"; secret_project_creator }
allow { action_name = "secret:decrypt"; secret_project_admin }
allow { action_name = "secret:decrypt"; secret_acl_read }

# Reading a secret's metadata record. Same four paths, with audit included in
# the non-private one.
allow { action_name = "secret:get"; secret_non_private_read }
allow { action_name = "secret:get"; secret_project_creator }
allow { action_name = "secret:get"; secret_project_admin }
allow { action_name = "secret:get"; secret_acl_read }

# Updating needs admin or creator in the owning project. Unlike secret:delete,
# the creator does not have to be the user who created the secret.
allow { action_name = "secret:put"; admin_or_creator; secret_project_match }

# Deleting needs the project admin or the creator who owns the secret.
allow { action_name = "secret:delete"; secret_project_admin }
allow { action_name = "secret:delete"; secret_project_creator }

# Creating and listing secrets are decided on role alone.
allow { action_name = "secrets:post"; admin_or_creator }
allow { action_name = "secrets:get"; all_but_audit }
# Secret stores. Every action here needs the admin role.
allow { action_name = "secretstores:get"; admin }
allow { action_name = "secretstores:get_global_default"; admin }
allow { action_name = "secretstores:get_preferred"; admin }
allow { action_name = "secretstore_preferred:post"; admin }
allow { action_name = "secretstore_preferred:delete"; admin }
allow { action_name = "secretstore:get"; admin }

# Transport keys. Any of the four roles may read them; creating or deleting
# one needs the admin role.
allow { action_name = "transport_key:get"; all_users }
allow { action_name = "transport_key:delete"; admin }
allow { action_name = "transport_keys:get"; all_users }
allow { action_name = "transport_keys:post"; admin }