Add ability to provide per-secret policy to Barbican

Registered by Ade Lee on 2014-10-09

This is a proposal to add per-secret specific policy in Barbican to augment the generic operation based policy in policy.json. The idea would be to store certain attributes in the secret's metadata (like potentially a list of allowed users) that could be references as target.* attributes in policy rules. The idea would be to use these attributes to determine GET access for the secret or container. As will be explained in the spec, this has immediate implications for Neutron LBaaS and designating secrets a private.

Blueprint information

Status:
Complete
Approver:
Douglas Mendizábal
Priority:
High
Drafter:
Ade Lee
Direction:
Approved
Assignee:
Arun Kant
Definition:
Approved
Series goal:
Accepted for kilo
Implementation:
Implemented
Milestone target:
milestone icon 2015.1.0
Started by
Douglas Mendizábal on 2015-03-03
Completed by
Arun Kant on 2015-04-07

Related branches

Sprints

Whiteboard

See blueprint CR here: https://review.openstack.org/#/c/127353/

Gerrit topic: https://review.openstack.org/#q,topic:bp/add-per-secret-policy,n,z

Addressed by: https://review.openstack.org/#/c/164334/
    Adding per secret ACL support with db layer changes (Part 1)

Addressed by: https://review.openstack.org/#/c/167712
    Adding ACL db repository changes (Part 2)

Addressed by: https://review.openstack.org/#/c/164335/
    Adding Secret ACL controller layer changes (Part 3)

Addressed by: https://review.openstack.org/#/c/165205/
    Adding Container ACL controller layer changes (Part 4)

Addressed by: https://review.openstack.org/#/c/165207/
    Adding policy layer changes for ACL support (Part 5)

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.