OpenStack's Barbican policy file rewritten in the Rego language
package openstack.policy
import input.credentials as credentials
import input.action_name as action_name
import input.target as target
# Deny by default: a request whose action_name matches none of the `allow`
# bodies below is refused, so unknown or new actions fail closed.
default allow = false
# Role check: the caller's role list contains the literal "admin".
# Exact, case-sensitive string match on input.credentials.roles; no project
# scoping is applied here (see the *_project_match rules for that).
admin = true {
    credentials.roles[_] == "admin"
}
# Role check: the caller's role list contains the literal "observer".
# Exact, case-sensitive match; no project scoping here.
observer = true {
    credentials.roles[_] == "observer"
}
# Role check: the caller's role list contains the literal "creator".
# Exact, case-sensitive match; no project scoping here.
creator = true {
    credentials.roles[_] == "creator"
}
# Role check: the caller's role list contains the literal "audit".
# Exact, case-sensitive match; no project scoping here.
audit = true {
    credentials.roles[_] == "audit"
}
# Role check: the caller holds the service-level admin role
# "key-manager:service-admin". This role is only consulted by the
# project_quotas:* actions below; it is not part of all_users or all_but_audit.
service_admin = true {
    credentials.roles[_] == "key-manager:service-admin"
}
# admin OR creator: two bodies for one rule, either body is sufficient.
admin_or_creator = true {
    creator
}
admin_or_creator = true {
    admin
}
# admin OR creator OR observer — every listed user role except audit.
# service_admin is not included either.
all_but_audit = true {
    observer
}
all_but_audit = true {
    creator
}
all_but_audit = true {
    admin
}
# admin OR creator OR observer OR audit.
# NOTE(review): service_admin is absent from this rule, so a caller holding only
# "key-manager:service-admin" fails every all_users-gated action below
# (e.g. quotas:get, order:get, transport_key(s):get). Confirm this matches the
# Barbican policy version the file was translated from.
all_users = true {
    audit
}
all_users = true {
    observer
}
all_users = true {
    creator
}
all_users = true {
    admin
}
# The caller's project equals the project that owns the target secret.
# `target.target.secret` is the nested shape the enforcer supplies under
# input.target — presumably Barbican's policy target dict; verify against the caller.
secret_project_match = true {
    target.target.secret.project_id == credentials.project
}
# Per-secret ACL read grant: true when the target's `read` field is the
# literal "read". Bodies that use this rule alone (secret:get, secret:decrypt)
# grant access without any project match, i.e. the ACL is cross-project.
# NOTE(review): the value the enforcer places in target.secret.read is not
# visible here — confirm it is the string "read" and not e.g. a list of user ids.
secret_acl_read = true {
    target.target.secret.read == "read"
}
# The secret is flagged private: project-wide read access is switched off.
# Undefined (not false) when the flag is absent or not the JSON boolean false.
# NOTE(review): this compares against boolean false. If the enforcer serialises
# the flag as a string (e.g. "False"), this rule never holds and
# `not secret_private_read` in the *_non_private_read rules passes for every
# secret — confirm the input encoding.
secret_private_read = true {
    target.target.secret.read_project_access == false
}
# The caller is the user recorded as the secret's creator.
secret_creator_user = true {
    target.target.secret.creator_id == credentials.user
}
# The caller's project equals the project that owns the target container.
container_project_match = true {
    target.target.container.project_id == credentials.project
}
# Per-container ACL read grant: true when the target's `read` field is the
# literal "read". Used on its own (no project match) by the consumer(s):* and
# container:get actions, so the ACL grant is cross-project.
# NOTE(review): confirm the enforcer really places the string "read" here.
container_acl_read = true {
    target.target.container.read == "read"
}
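# The container is flagged private: project-wide read access is switched off.
# Field name aligned with secret_private_read. The previous body compared
# `target.target.container.read_project_ac` — a truncated name that never exists
# in the target — so this rule was always undefined and
# `not container_private_read` in container_non_private_read held for every
# container, private or not (any project member could read private containers).
# NOTE(review): like secret_private_read this compares against boolean false;
# confirm the enforcer does not pass the flag as a string.
container_private_read {
    false = target.target.container.read_project_access
}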
# The caller is the user recorded as the container's creator.
container_creator_user = true {
    target.target.container.creator_id == credentials.user
}
# Project-scoped read of a non-private secret: any of the four user roles,
# same project, and the secret must not be flagged private.
# `not secret_private_read` also holds when read_project_access is absent from
# the target (a negated undefined rule is true), so a missing flag reads as public.
secret_non_private_read = true {
    secret_project_match
    not secret_private_read
    all_users
}
# Same as secret_non_private_read but with audit excluded: decrypting a
# project's non-private secret needs admin, creator or observer in that project.
# A missing read_project_access flag again counts as "not private".
secret_decrypt_non_private_read = true {
    secret_project_match
    not secret_private_read
    all_but_audit
}
# Project-scoped read of a non-private container: any of the four user roles,
# same project, and the container must not be flagged private.
# `not container_private_read` holds whenever container_private_read is
# undefined, including when the flag is missing from the target.
container_non_private_read = true {
    container_project_match
    not container_private_read
    all_users
}
# admin role AND the secret belongs to the caller's project.
secret_project_admin = true {
    secret_project_match
    admin
}
# creator role AND same project AND the caller is the secret's recorded creator.
secret_project_creator = true {
    secret_project_match
    secret_creator_user
    creator
}
# admin role AND the container belongs to the caller's project.
container_project_admin = true {
    container_project_match
    admin
}
# creator role AND same project AND the caller is the container's recorded creator.
container_project_creator = true {
    container_project_match
    container_creator_user
    creator
}
# secret_acls:put_patch / secret_acls:delete — only the project's admin, or the
# creator who owns the secret, may change or remove a secret's ACL.
allow = true {
    action_name == "secret_acls:put_patch"
    secret_project_admin
}
allow = true {
    action_name == "secret_acls:put_patch"
    secret_project_creator
}
allow = true {
    action_name == "secret_acls:delete"
    secret_project_admin
}
allow = true {
    action_name == "secret_acls:delete"
    secret_project_creator
}
# secret_acls:get — any non-audit role, restricted to the secret's own project
# (both conditions sit in one body, so this is an AND).
allow = true {
    action_name == "secret_acls:get"
    all_but_audit
    secret_project_match
}
# container_acls:put_patch / container_acls:delete — only the project's admin,
# or the creator who owns the container, may change or remove a container's ACL.
allow = true {
    action_name == "container_acls:put_patch"
    container_project_admin
}
allow = true {
    action_name == "container_acls:put_patch"
    container_project_creator
}
allow = true {
    action_name == "container_acls:delete"
    container_project_admin
}
allow = true {
    action_name == "container_acls:delete"
    container_project_creator
}
# container_acls:get — any non-audit role, restricted to the container's project.
allow = true {
    action_name == "container_acls:get"
    all_but_audit
    container_project_match
}
# consumer:get — the first four bodies grant it to any caller holding admin,
# observer, creator or audit, with no project check at all. The remaining
# bodies only matter for callers without one of those roles: project-scoped
# non-private read, project creator/admin, or a bare container ACL read grant
# (which carries no project match).
allow = true {
    action_name == "consumer:get"
    admin
}
allow = true {
    action_name == "consumer:get"
    observer
}
allow = true {
    action_name == "consumer:get"
    creator
}
allow = true {
    action_name == "consumer:get"
    audit
}
allow = true {
    action_name == "consumer:get"
    container_non_private_read
}
allow = true {
    action_name == "consumer:get"
    container_project_creator
}
allow = true {
    action_name == "consumer:get"
    container_project_admin
}
allow = true {
    action_name == "consumer:get"
    container_acl_read
}
# consumers:get — identical grant set to consumer:get: any of the four roles
# unconditionally (no project check), else container-scoped access or a bare
# container ACL read grant.
allow = true {
    action_name == "consumers:get"
    admin
}
allow = true {
    action_name == "consumers:get"
    observer
}
allow = true {
    action_name == "consumers:get"
    creator
}
allow = true {
    action_name == "consumers:get"
    audit
}
allow = true {
    action_name == "consumers:get"
    container_non_private_read
}
allow = true {
    action_name == "consumers:get"
    container_project_creator
}
allow = true {
    action_name == "consumers:get"
    container_project_admin
}
allow = true {
    action_name == "consumers:get"
    container_acl_read
}
# consumers:post — admin unconditionally (no project check); otherwise a
# project-scoped non-private read, project creator/admin, or a container ACL
# read grant is enough to register a consumer.
allow = true {
    action_name == "consumers:post"
    admin
}
allow = true {
    action_name == "consumers:post"
    container_non_private_read
}
allow = true {
    action_name == "consumers:post"
    container_project_creator
}
allow = true {
    action_name == "consumers:post"
    container_project_admin
}
allow = true {
    action_name == "consumers:post"
    container_acl_read
}
# consumers:delete — same grant set as consumers:post: a read-level grant on the
# container (non-private read or ACL read) is sufficient to remove a consumer.
allow = true {
    action_name == "consumers:delete"
    admin
}
allow = true {
    action_name == "consumers:delete"
    container_non_private_read
}
allow = true {
    action_name == "consumers:delete"
    container_project_creator
}
allow = true {
    action_name == "consumers:delete"
    container_project_admin
}
allow = true {
    action_name == "consumers:delete"
    container_acl_read
}
# containers:post — admin or creator, no project check (creation is project-
# bound by the caller's own token, not by this policy).
allow = true {
    action_name == "containers:post"
    admin_or_creator
}
# containers:get (list) — any non-audit role.
allow = true {
    action_name == "containers:get"
    all_but_audit
}
# container:get — project-scoped non-private read, project creator/admin, or a
# bare container ACL read grant (no project match).
allow = true {
    action_name == "container:get"
    container_non_private_read
}
allow = true {
    action_name == "container:get"
    container_project_creator
}
allow = true {
    action_name == "container:get"
    container_project_admin
}
allow = true {
    action_name == "container:get"
    container_acl_read
}
# container:delete — project admin, or the creator who owns the container.
allow = true {
    action_name == "container:delete"
    container_project_admin
}
allow = true {
    action_name == "container:delete"
    container_project_creator
}
# container_secret:post / container_secret:delete — adding a secret to, or
# removing one from, a container is admin-only, with no project match.
allow = true {
    action_name == "container_secret:post"
    admin
}
allow = true {
    action_name == "container_secret:delete"
    admin
}
# Orders: none of these bodies checks the order's project — access is purely
# role based.
# orders:post / order:put — admin or creator.
allow = true {
    action_name == "orders:post"
    admin_or_creator
}
# orders:get (list) — any non-audit role.
allow = true {
    action_name == "orders:get"
    all_but_audit
}
# order:get — any of the four user roles (audit included).
allow = true {
    action_name == "order:get"
    all_users
}
allow = true {
    action_name == "order:put"
    admin_or_creator
}
# order:delete — admin only.
allow = true {
    action_name == "order:delete"
    admin
}
# quotas:get — any of the four user roles may read effective quotas.
allow = true {
    action_name == "quotas:get"
    all_users
}
# project_quotas:* — reading, setting and deleting per-project quotas is
# reserved for the "key-manager:service-admin" role; a plain admin is refused.
allow = true {
    action_name == "project_quotas:get"
    service_admin
}
allow = true {
    action_name == "project_quotas:put"
    service_admin
}
allow = true {
    action_name == "project_quotas:delete"
    service_admin
}
# secret_meta:* — role based only; none of these bodies checks that the
# secret belongs to the caller's project.
# secret_meta:get — any non-audit role.
allow = true {
    action_name == "secret_meta:get"
    all_but_audit
}
# secret_meta:post / put / delete — admin or creator.
allow = true {
    action_name == "secret_meta:post"
    admin_or_creator
}
allow = true {
    action_name == "secret_meta:put"
    admin_or_creator
}
allow = true {
    action_name == "secret_meta:delete"
    admin_or_creator
}
# secret:decrypt — payload read. Unlike secret:get this uses the audit-excluding
# secret_decrypt_non_private_read, so an audit-only caller cannot decrypt a
# project secret. The final body grants decrypt on a bare ACL read entry with
# no project match.
allow = true {
    action_name == "secret:decrypt"
    secret_decrypt_non_private_read
}
allow = true {
    action_name == "secret:decrypt"
    secret_project_creator
}
allow = true {
    action_name == "secret:decrypt"
    secret_project_admin
}
allow = true {
    action_name == "secret:decrypt"
    secret_acl_read
}
# secret:get — metadata read: project-scoped non-private read (audit included
# via all_users), project creator/admin, or a bare ACL read entry (no project
# match).
allow = true {
    action_name == "secret:get"
    secret_non_private_read
}
allow = true {
    action_name == "secret:get"
    secret_project_creator
}
allow = true {
    action_name == "secret:get"
    secret_project_admin
}
allow = true {
    action_name == "secret:get"
    secret_acl_read
}
# secret:put — admin or creator AND same project. Note this does not require
# the caller to be the secret's creator, unlike secret:delete below.
allow = true {
    action_name == "secret:put"
    secret_project_match
    admin_or_creator
}
# secret:delete — project admin, or the creator who owns the secret.
allow = true {
    action_name == "secret:delete"
    secret_project_admin
}
allow = true {
    action_name == "secret:delete"
    secret_project_creator
}
# secrets:post — admin or creator; secrets:get (list) — any non-audit role.
# Neither checks a project here.
allow = true {
    action_name == "secrets:post"
    admin_or_creator
}
allow = true {
    action_name == "secrets:get"
    all_but_audit
}
# secretstores:* / secretstore:* / secretstore_preferred:* — every backend
# store action is admin-only, with no project match.
allow = true {
    action_name == "secretstores:get"
    admin
}
allow = true {
    action_name == "secretstores:get_global_default"
    admin
}
allow = true {
    action_name == "secretstores:get_preferred"
    admin
}
allow = true {
    action_name == "secretstore_preferred:post"
    admin
}
allow = true {
    action_name == "secretstore_preferred:delete"
    admin
}
allow = true {
    action_name == "secretstore:get"
    admin
}
# Transport keys: reading (single or list) is open to any of the four user
# roles; creating or deleting one is admin-only. No project match on any body.
allow = true {
    action_name == "transport_key:get"
    all_users
}
allow = true {
    action_name == "transport_key:delete"
    admin
}
allow = true {
    action_name == "transport_keys:get"
    all_users
}
allow = true {
    action_name == "transport_keys:post"
    admin
}