OpenStack's Barbican policy file rewritten in the Rego language
package openstack.policy

# Barbican (OpenStack key manager) access policy expressed in Rego.
# The policy enforcer is expected to hand in three fields; they are aliased
# so the rules below read like the original policy.json entries.
import input.action_name as action_name   # e.g. "secret:get"
import input.credentials as credentials   # caller's roles, project and user
import input.target as target             # resource under evaluation
# NOTE(review): the rules address the resource as target.target.secret /
# target.target.container, i.e. the enforcer's target dict itself carries a
# "target" key — confirm against the caller before changing this layout.

# Deny by default; access is granted only when some allow body below is true.
default allow = false
# Caller holds the "admin" role (any position in the roles list).
admin {
    "admin" == credentials.roles[_]
}
# Caller holds the "observer" role.
observer {
    "observer" == credentials.roles[_]
}
# Caller holds the "creator" role.
creator {
    "creator" == credentials.roles[_]
}
# Caller holds the "audit" role.
audit {
    "audit" == credentials.roles[_]
}
# Caller holds the key-manager service-admin role; used only for project quotas.
service_admin {
    "key-manager:service-admin" == credentials.roles[_]
}
# Disjunction: each body is an alternative, so this is admin OR creator.
admin_or_creator { creator }
admin_or_creator { admin }
# Every recognised role except audit: admin OR creator OR observer.
all_but_audit { observer }
all_but_audit { creator }
all_but_audit { admin }
# Any of the four Barbican roles (admin, creator, observer, audit).
all_users { audit }
all_users { observer }
all_users { creator }
all_users { admin }
# The secret belongs to the caller's own project.
secret_project_match {
    target.target.secret.project_id == credentials.project
}
# The enforcer has marked the secret as readable by this caller via its ACL.
# NOTE(review): this trusts target.secret.read as computed by the caller;
# the policy itself does not inspect the ACL — confirm the enforcer sets it.
secret_acl_read {
    target.target.secret.read == "read"
}
# The secret is private: project-wide read access has been switched off.
# Undefined (not false) when the field is absent — callers use `not` on this
# rule, so a missing field reads as "not private".
secret_private_read {
    target.target.secret.read_project_access == false
}
# The caller is the user that created the secret.
secret_creator_user {
    target.target.secret.creator_id == credentials.user
}
# The container belongs to the caller's own project.
container_project_match {
    target.target.container.project_id == credentials.project
}
# The enforcer has marked the container as readable by this caller via its ACL.
# NOTE(review): as with secret_acl_read, the value is trusted from the input.
container_acl_read {
    target.target.container.read == "read"
}
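# The container is private: project-wide read access has been switched off.
# Fix: the field is read_project_access, mirroring secret_private_read. The
# earlier spelling (read_project_ac) never matched any input, so the rule was
# always undefined and `not container_private_read` let every project member
# read private containers.
# Undefined (not false) when the field is absent — a missing field reads as
# "not private" through `not`.
container_private_read {
    target.target.container.read_project_access == false
}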
# The caller is the user that created the container.
container_creator_user {
    target.target.container.creator_id == credentials.user
}
# Any role may read a secret of its own project unless the secret is private.
# NOTE(review): when read_project_access is missing from the input,
# secret_private_read is undefined and `not` succeeds — confirm the enforcer
# always supplies the field, otherwise this is fail-open.
secret_non_private_read { secret_project_match; all_users; not secret_private_read }
# Like secret_non_private_read but excludes the audit role: audit may see
# secret metadata yet never the payload.
secret_decrypt_non_private_read { secret_project_match; all_but_audit; not secret_private_read }
# Any role may read a container of its own project unless it is private.
# NOTE(review): same fail-open caveat as secret_non_private_read when the
# private flag is absent from the input.
container_non_private_read { container_project_match; all_users; not container_private_read }
# Admin of the project that owns the secret (admin is otherwise unscoped).
secret_project_admin { secret_project_match; admin }
# Creator role, same project as the secret, and the user who created it.
secret_project_creator { secret_creator_user; secret_project_match; creator }
# Admin of the project that owns the container.
container_project_admin { container_project_match; admin }
# Creator role, same project as the container, and the user who created it.
container_project_creator { container_creator_user; container_project_match; creator }
# Secret ACLs: only the owning project's admin, or the creator who made the
# secret, may write or delete the ACL; any non-audit role in the project may
# read it.
allow { action_name == "secret_acls:put_patch"; secret_project_admin }
allow { action_name == "secret_acls:put_patch"; secret_project_creator }
allow { action_name == "secret_acls:delete"; secret_project_admin }
allow { action_name == "secret_acls:delete"; secret_project_creator }
allow { action_name == "secret_acls:get"; secret_project_match; all_but_audit }
# Container ACLs: same shape as the secret ACL rules above.
allow { action_name == "container_acls:put_patch"; container_project_admin }
allow { action_name == "container_acls:put_patch"; container_project_creator }
allow { action_name == "container_acls:delete"; container_project_admin }
allow { action_name == "container_acls:delete"; container_project_creator }
allow { action_name == "container_acls:get"; container_project_match; all_but_audit }
# Consumers (references registered against a container).
#
# Reads: the original lists admin, observer, creator and audit as four separate
# bodies; all_users is defined as exactly that disjunction, so one body is
# used here. The container-scoped paths that follow are therefore redundant
# for reads but are kept to match the original rule set.
allow { action_name == "consumer:get"; all_users }
allow { action_name == "consumer:get"; container_non_private_read }
allow { action_name == "consumer:get"; container_project_creator }
allow { action_name == "consumer:get"; container_project_admin }
allow { action_name == "consumer:get"; container_acl_read }

allow { action_name == "consumers:get"; all_users }
allow { action_name == "consumers:get"; container_non_private_read }
allow { action_name == "consumers:get"; container_project_creator }
allow { action_name == "consumers:get"; container_project_admin }
allow { action_name == "consumers:get"; container_acl_read }

# Writes: note that `admin` here is not project-scoped, unlike the
# container_project_admin path; the other paths all require a project or ACL
# relationship to the container.
allow { action_name == "consumers:post"; admin }
allow { action_name == "consumers:post"; container_non_private_read }
allow { action_name == "consumers:post"; container_project_creator }
allow { action_name == "consumers:post"; container_project_admin }
allow { action_name == "consumers:post"; container_acl_read }

allow { action_name == "consumers:delete"; admin }
allow { action_name == "consumers:delete"; container_non_private_read }
allow { action_name == "consumers:delete"; container_project_creator }
allow { action_name == "consumers:delete"; container_project_admin }
allow { action_name == "consumers:delete"; container_acl_read }
# Containers. Listing is role-only (no project scoping); reading a single
# container requires a project, creator or ACL relationship; deleting requires
# the owning project's admin or the creating user.
allow { action_name == "containers:post"; admin_or_creator }
allow { action_name == "containers:get"; all_but_audit }

allow { action_name == "container:get"; container_non_private_read }
allow { action_name == "container:get"; container_project_creator }
allow { action_name == "container:get"; container_project_admin }
allow { action_name == "container:get"; container_acl_read }

allow { action_name == "container:delete"; container_project_admin }
allow { action_name == "container:delete"; container_project_creator }

# Adding or removing a secret reference inside a container is admin-only and
# not project-scoped.
allow { action_name == "container_secret:post"; admin }
allow { action_name == "container_secret:delete"; admin }
# Orders: purely role-based, no project scoping on any order action.
allow { action_name == "orders:post"; admin_or_creator }
allow { action_name == "orders:get"; all_but_audit }
allow { action_name == "order:get"; all_users }
allow { action_name == "order:put"; admin_or_creator }
allow { action_name == "order:delete"; admin }
# Quotas: any role may read its own quota; managing per-project quotas needs
# the dedicated key-manager service-admin role, not plain admin.
allow { action_name == "quotas:get"; all_users }
allow { action_name == "project_quotas:get"; service_admin }
allow { action_name == "project_quotas:put"; service_admin }
allow { action_name == "project_quotas:delete"; service_admin }
# Secret metadata: role-based only (no project or creator check).
allow { action_name == "secret_meta:get"; all_but_audit }
allow { action_name == "secret_meta:post"; admin_or_creator }
allow { action_name == "secret_meta:put"; admin_or_creator }
allow { action_name == "secret_meta:delete"; admin_or_creator }
# Secrets.
#
# decrypt (payload) and get (metadata) share three paths; they differ only in
# the first: decrypt uses secret_decrypt_non_private_read (excludes audit),
# get uses secret_non_private_read (includes audit). The secret_acl_read path
# grants access on the enforcer-supplied ACL flag alone, without a project
# check — see the note on that rule.
allow { action_name == "secret:decrypt"; secret_decrypt_non_private_read }
allow { action_name == "secret:decrypt"; secret_project_creator }
allow { action_name == "secret:decrypt"; secret_project_admin }
allow { action_name == "secret:decrypt"; secret_acl_read }

allow { action_name == "secret:get"; secret_non_private_read }
allow { action_name == "secret:get"; secret_project_creator }
allow { action_name == "secret:get"; secret_project_admin }
allow { action_name == "secret:get"; secret_acl_read }

# Updating a secret needs admin or creator within the owning project.
allow { action_name == "secret:put"; secret_project_match; admin_or_creator }

# Deleting needs the owning project's admin or the creating user.
allow { action_name == "secret:delete"; secret_project_admin }
allow { action_name == "secret:delete"; secret_project_creator }

# Creating and listing secrets are role-only.
allow { action_name == "secrets:post"; admin_or_creator }
allow { action_name == "secrets:get"; all_but_audit }
# Secret-store (backend) management: every action is admin-only.
allow { action_name == "secretstores:get"; admin }
allow { action_name == "secretstores:get_global_default"; admin }
allow { action_name == "secretstores:get_preferred"; admin }
allow { action_name == "secretstore_preferred:post"; admin }
allow { action_name == "secretstore_preferred:delete"; admin }
allow { action_name == "secretstore:get"; admin }
# Transport keys: any role may read them; creating or deleting is admin-only.
allow { action_name == "transport_key:get"; all_users }
allow { action_name == "transport_keys:get"; all_users }
allow { action_name == "transport_key:delete"; admin }
allow { action_name == "transport_keys:post"; admin }