-
Notifications
You must be signed in to change notification settings - Fork 0
/
policy-barbican-stable-zed.yaml
84 lines (84 loc) · 9.52 KB
/
policy-barbican-stable-zed.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
"system_reader": "role:reader and system_scope:all"
"system_admin": "role:admin and system_scope:all"
"secret_project_match": "project_id:%(target.secret.project_id)s"
"secret_project_reader": "role:reader and rule:secret_project_match"
"secret_project_member": "role:member and rule:secret_project_match"
"secret_project_admin": "role:admin and rule:secret_project_match"
"secret_owner": "user_id:%(target.secret.creator_id)s"
"secret_is_not_private": "True:%(target.secret.read_project_access)s"
"secret_acl_read": "'read':%(target.secret.read)s"
"container_project_match": "project_id:%(target.container.project_id)s"
"container_project_member": "role:member and rule:container_project_match"
"container_project_admin": "role:admin and rule:container_project_match"
"container_owner": "user_id:%(target.container.creator_id)s"
"container_is_not_private": "True:%(target.container.read_project_access)s"
"container_acl_read": "'read':%(target.container.read)s"
"order_project_match": "project_id:%(target.order.project_id)s"
"order_project_member": "role:member and rule:order_project_match"
"audit": "role:audit"
"observer": "role:observer"
"creator": "role:creator"
"admin": "role:admin"
"service_admin": "role:key-manager:service-admin"
"all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"
"all_but_audit": "rule:admin or rule:observer or rule:creator"
"admin_or_creator": "rule:admin or rule:creator"
"secret_creator_user": "user_id:%(target.secret.creator_id)s"
"secret_private_read": "'False':%(target.secret.read_project_access)s"
"secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read"
"secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"
"secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user"
"secret_project_creator_role": "rule:creator and rule:secret_project_match"
"container_private_read": "'False':%(target.container.read_project_access)s"
"container_creator_user": "user_id:%(target.container.creator_id)s"
"container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read"
"container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user"
"container_project_creator_role": "rule:creator and rule:container_project_match"
"secret_acls:get": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"
"secret_acls:delete": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"
"secret_acls:put_patch": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"
"container_acls:get": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"
"container_acls:delete": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"
"container_acls:put_patch": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"
"consumer:get": "True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"
"container_consumers:get": "True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"
"container_consumers:post": "True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"
"container_consumers:delete": "True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"
"secret_consumers:get": "True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"
"secret_consumers:post": "True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"
"secret_consumers:delete": "True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"
"containers:post": "True:%(enforce_new_defaults)s and role:member"
"containers:get": "True:%(enforce_new_defaults)s and role:member"
"container:get": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"
"container:delete": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"
"container_secret:post": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"
"container_secret:delete": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"
"orders:get": "True:%(enforce_new_defaults)s and role:member"
"orders:post": "True:%(enforce_new_defaults)s and role:member"
"orders:put": "True:%(enforce_new_defaults)s and role:member"
"order:get": "True:%(enforce_new_defaults)s and rule:order_project_member"
"order:delete": "True:%(enforce_new_defaults)s and rule:order_project_member"
"quotas:get": "True:%(enforce_new_defaults)s and role:reader"
"project_quotas:get": "True:%(enforce_new_defaults)s and rule:system_reader"
"project_quotas:put": "True:%(enforce_new_defaults)s and rule:system_admin"
"project_quotas:delete": "True:%(enforce_new_defaults)s and rule:system_admin"
"secret_meta:get": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"
"secret_meta:post": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"
"secret_meta:put": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"
"secret_meta:delete": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"
"secret:decrypt": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"
"secret:get": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"
"secret:put": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"
"secret:delete": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"
"secrets:post": "True:%(enforce_new_defaults)s and role:member"
"secrets:get": "True:%(enforce_new_defaults)s and role:member"
"secretstores:get": "True:%(enforce_new_defaults)s and role:reader"
"secretstores:get_global_default": "True:%(enforce_new_defaults)s and role:reader"
"secretstores:get_preferred": "True:%(enforce_new_defaults)s and role:reader"
"secretstore_preferred:post": "True:%(enforce_new_defaults)s and role:admin"
"secretstore_preferred:delete": "True:%(enforce_new_defaults)s and role:admin"
"secretstore:get": "True:%(enforce_new_defaults)s and role:reader"
"transport_key:get": "True:%(enforce_new_defaults)s and role:reader"
"transport_key:delete": "True:%(enforce_new_defaults)s and rule:system_admin"
"transport_keys:get": "True:%(enforce_new_defaults)s and role:reader"
"transport_keys:post": "True:%(enforce_new_defaults)s and rule:system_admin"