Add ability to provide per-secret policy to Barbican

Registered by Ade Lee

This is a proposal to add per-secret policy in Barbican to augment the generic, operation-based policy in policy.json. The idea is to store certain attributes in the secret's metadata (for example, a list of allowed users) that can be referenced as target.* attributes in policy rules, and to use these attributes to decide GET access to the secret or container. As will be explained in the spec, this has immediate implications for Neutron LBaaS and for designating secrets as private.
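To illustrate how target.* attributes drawn from a secret's metadata could gate GET access, here is an added toy policy evaluator (not Barbican's or oslo.policy's code); the metadata keys, rule names, and the "private" flag are assumptions made for the example.

```python
import re

# Constructed sample secret. The extra attributes are assumed to live in the
# secret's metadata and to be exposed to policy as target.secret.*; this is an
# illustration of the proposal, not Barbican's actual schema or rule names.
SECRET = {
    "project_id": "proj-a",
    "creator_id": "alice",
    "allowed_users": ["bob"],  # assumed per-secret ACL
    "private": True,           # assumed: only creator or ACL members may read
}
PUBLIC_SECRET = dict(SECRET, private=False)

# Assumed policy.json-style rules: "or" separates alternatives, "and" joins
# conditions, "rule:x" references another rule, and a %(target.a.b)s value
# is substituted from the target secret's metadata at check time.
POLICY = {
    "secret:get": "rule:admin or rule:project_read or rule:secret_acl",
    "admin": "role:admin",
    "project_read": "target.secret.private:false and project_id:%(target.secret.project_id)s",
    "secret_acl": "user_id:%(target.secret.creator_id)s or user_id:%(target.secret.allowed_users)s",
}

def _lookup(creds, target, key):
    """Resolve one side of a term: 'role' -> caller roles, 'target.*' -> metadata."""
    if key == "role":
        return creds.get("roles", [])
    if key.startswith("target."):
        node = target
        for part in key.split(".")[1:]:
            node = node.get(part) if isinstance(node, dict) else None
        return node
    return creds.get(key)

def _term(term, creds, target, policy):
    key, _, value = term.partition(":")
    if key == "rule":
        return enforce(value, creds, target, policy)
    ref = re.fullmatch(r"%\((target\.[\w.]+)\)s", value)
    expected = _lookup(creds, target, ref.group(1)) if ref else value
    actual = _lookup(creds, target, key)
    if isinstance(expected, list):   # list-valued ACL attribute: membership test
        return actual in expected
    if isinstance(actual, list):     # e.g. caller roles
        return expected in actual
    return str(actual).lower() == str(expected).lower()

def enforce(rule, creds, target, policy=POLICY):
    """Evaluate a rule (a disjunction of conjunctions) for creds against target."""
    expr = policy.get(rule, rule)
    return any(all(_term(t.strip(), creds, target, policy) for t in alt.split(" and "))
               for alt in expr.split(" or "))

def can_get_secret(creds, secret=SECRET):
    return enforce("secret:get", creds, {"secret": secret})
```

With the private secret, a user on the ACL is admitted even from another project, while an unlisted member of the owning project is refused until the secret is made non-private.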

Blueprint information

Status:
Complete
Approver:
Douglas Mendizábal
Priority:
High
Drafter:
Ade Lee
Direction:
Approved
Assignee:
Arun Kant
Definition:
Approved
Series goal:
Accepted for kilo
Implementation:
Implemented
Milestone target:
2015.1.0
Started by:
Douglas Mendizábal
Completed by:
Arun Kant

Related branches

Sprints

Whiteboard

See blueprint CR here: https://review.openstack.org/#/c/127353/

Gerrit topic: https://review.openstack.org/#q,topic:bp/add-per-secret-policy,n,z

Addressed by: https://review.openstack.org/#/c/164334/
    Adding per secret ACL support with db layer changes (Part 1)

Addressed by: https://review.openstack.org/#/c/167712
    Adding ACL db repository changes (Part 2)

Addressed by: https://review.openstack.org/#/c/164335/
    Adding Secret ACL controller layer changes (Part 3)

Addressed by: https://review.openstack.org/#/c/165205/
    Adding Container ACL controller layer changes (Part 4)

Addressed by: https://review.openstack.org/#/c/165207/
    Adding policy layer changes for ACL support (Part 5)

Work Items
