Policy configuration

Warning

The JSON-formatted policy file is deprecated since Barbican 12.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool migrates an existing JSON-formatted policy file to YAML in a backward-compatible way.

Configuration

The following is an overview of all available policies in Barbican. For a sample configuration file, see
barbican

secret_project_match
    Default: project_id:%(target.secret.project_id)s
    (no description provided)

secret_project_reader
    Default: role:reader and rule:secret_project_match
    (no description provided)

secret_project_member
    Default: role:member and rule:secret_project_match
    (no description provided)

secret_project_admin
    Default: role:admin and rule:secret_project_match
    (no description provided)

secret_owner
    Default: user_id:%(target.secret.creator_id)s
    (no description provided)

secret_is_not_private
    Default: True:%(target.secret.read_project_access)s
    (no description provided)

secret_acl_read
    Default: 'read':%(target.secret.read)s
    (no description provided)

container_project_match
    Default: project_id:%(target.container.project_id)s
    (no description provided)

container_project_member
    Default: role:member and rule:container_project_match
    (no description provided)

container_project_admin
    Default: role:admin and rule:container_project_match
    (no description provided)

container_owner
    Default: user_id:%(target.container.creator_id)s
    (no description provided)

container_is_not_private
    Default: True:%(target.container.read_project_access)s
    (no description provided)

container_acl_read
    Default: 'read':%(target.container.read)s
    (no description provided)

order_project_match
    Default: project_id:%(target.order.project_id)s
    (no description provided)

order_project_member
    Default: role:member and rule:order_project_match
    (no description provided)

audit
    Default: role:audit
    (no description provided)

observer
    Default: role:observer
    (no description provided)

creator
    Default: role:creator
    (no description provided)

admin
    Default: role:admin
    (no description provided)

service_admin
    Default: role:key-manager:service-admin
    (no description provided)

all_users
    Default: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
    (no description provided)

all_but_audit
    Default: rule:admin or rule:observer or rule:creator
    (no description provided)

admin_or_creator
    Default: rule:admin or rule:creator
    (no description provided)

secret_creator_user
    Default: user_id:%(target.secret.creator_id)s
    (no description provided)

secret_private_read
    Default: 'False':%(target.secret.read_project_access)s
    (no description provided)

secret_non_private_read
    Default: rule:all_users and rule:secret_project_match and not rule:secret_private_read
    (no description provided)

secret_decrypt_non_private_read
    Default: rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read
    (no description provided)

secret_project_creator
    Default: rule:creator and rule:secret_project_match and rule:secret_creator_user
    (no description provided)

secret_project_creator_role
    Default: rule:creator and rule:secret_project_match
    (no description provided)

container_private_read
    Default: 'False':%(target.container.read_project_access)s
    (no description provided)

container_creator_user
    Default: user_id:%(target.container.creator_id)s
    (no description provided)

container_non_private_read
    Default: rule:all_users and rule:container_project_match and not rule:container_private_read
    (no description provided)

container_project_creator
    Default: rule:creator and rule:container_project_match and rule:container_creator_user
    (no description provided)

container_project_creator_role
    Default: rule:creator and rule:container_project_match
    (no description provided)
secret_acls:get
    Default: True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
    Operations: GET /v1/secrets/{secret-id}/acl
    Scope Types: project
    Retrieve the ACL settings for a given secret. If no ACL is defined for the secret, a default ACL is returned.

secret_acls:delete
    Default: True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
    Operations: DELETE /v1/secrets/{secret-id}/acl
    Scope Types: project
    Delete the ACL settings for a given secret.

secret_acls:put_patch
    Default: True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
    Operations:
        PUT /v1/secrets/{secret-id}/acl
        PATCH /v1/secrets/{secret-id}/acl
    Scope Types: project
    Create a new, or replace or update an existing, ACL for a given secret.

container_acls:get
    Default: True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
    Operations: GET /v1/containers/{container-id}/acl
    Scope Types: project
    Retrieve the ACL settings for a given container.

container_acls:delete
    Default: True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
    Operations: DELETE /v1/containers/{container-id}/acl
    Scope Types: project
    Delete the ACL for a given container. No content is returned on successful deletion.

container_acls:put_patch
    Default: True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
    Operations:
        PUT /v1/containers/{container-id}/acl
        PATCH /v1/containers/{container-id}/acl
    Scope Types: project
    Create a new, or replace or update an existing, ACL for a given container.
consumer:get
    Default: True:%(enforce_new_defaults)s and (role:admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
    Operations: GET /v1/containers/{container-id}/consumers/{consumer-id}
    Scope Types: project
    DEPRECATED: Show information for a specific consumer.

container_consumers:get
    Default: True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
    Operations: GET /v1/containers/{container-id}/consumers
    Scope Types: project
    List a container's consumers.

container_consumers:post
    Default: True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
    Operations: POST /v1/containers/{container-id}/consumers
    Scope Types: project
    Create a consumer.

container_consumers:delete
    Default: True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
    Operations: DELETE /v1/containers/{container-id}/consumers
    Scope Types: project
    Delete a consumer.

secret_consumers:get
    Default: True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
    Operations: GET /v1/secrets/{secret-id}/consumers
    Scope Types: project
    List a secret's consumers.

secret_consumers:post
    Default: True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
    Operations: POST /v1/secrets/{secrets-id}/consumers
    Scope Types: project
    Create a consumer.

secret_consumers:delete
    Default: True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
    Operations: DELETE /v1/secrets/{secrets-id}/consumers
    Scope Types: project
    Delete a consumer.
containers:post
    Default: True:%(enforce_new_defaults)s and role:member
    Operations: POST /v1/containers
    Scope Types: project
    Create a container.

containers:get
    Default: True:%(enforce_new_defaults)s and role:member
    Operations: GET /v1/containers
    Scope Types: project
    List a project's containers.

container:get
    Default: True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)
    Operations: GET /v1/containers/{container-id}
    Scope Types: project
    Retrieve a single container.

container:delete
    Default: True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
    Operations: DELETE /v1/containers/{uuid}
    Scope Types: project
    Delete a container.

container_secret:post
    Default: True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
    Operations: POST /v1/containers/{container-id}/secrets
    Scope Types: project
    Add a secret to an existing container.

container_secret:delete
    Default: True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))
    Operations: DELETE /v1/containers/{container-id}/secrets/{secret-id}
    Scope Types: project
    Remove a secret from a container.
orders:get
    Default: True:%(enforce_new_defaults)s and role:member
    Operations: GET /v1/orders
    Scope Types: project
    Get the list of all orders associated with a project.

orders:post
    Default: True:%(enforce_new_defaults)s and role:member
    Operations: POST /v1/orders
    Scope Types: project
    Create an order.

orders:put
    Default: True:%(enforce_new_defaults)s and role:member
    Operations: PUT /v1/orders
    Scope Types: project
    Unsupported method for the orders API.

order:get
    Default: True:%(enforce_new_defaults)s and rule:order_project_member
    Operations: GET /v1/orders/{order-id}
    Scope Types: project
    Retrieve an order's metadata.

order:delete
    Default: True:%(enforce_new_defaults)s and rule:order_project_member
    Operations: DELETE /v1/orders/{order-id}
    Scope Types: project
    Delete an order.
quotas:get
    Default: True:%(enforce_new_defaults)s and role:reader
    Operations: GET /v1/quotas
    Scope Types: project
    List quotas for the project the user belongs to.

project_quotas:get
    Default: True:%(enforce_new_defaults)s and role:admin
    Operations:
        GET /v1/project-quotas
        GET /v1/project-quotas/{uuid}
    Scope Types: project
    List quotas for the specified project.

project_quotas:put
    Default: True:%(enforce_new_defaults)s and role:admin
    Operations: PUT /v1/project-quotas/{uuid}
    Scope Types: project
    Create or update the configured project quotas for the project with the specified UUID.

project_quotas:delete
    Default: True:%(enforce_new_defaults)s and role:admin
    Operations: DELETE /v1/quotas
    Scope Types: project
    Delete the project quotas configuration for the project with the requested UUID.
secret_meta:get
    Default: True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
    Operations:
        GET /v1/secrets/{secret-id}/metadata
        GET /v1/secrets/{secret-id}/metadata/{meta-key}
    Scope Types: project
    metadata/: List a secret's user-defined metadata. || metadata/{key}: Retrieve a secret's user-added metadata.

secret_meta:post
    Default: True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
    Operations: POST /v1/secrets/{secret-id}/metadata/{meta-key}
    Scope Types: project
    Add a new key/value pair to the secret's user-defined metadata.

secret_meta:put
    Default: True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
    Operations:
        PUT /v1/secrets/{secret-id}/metadata
        PUT /v1/secrets/{secret-id}/metadata/{meta-key}
    Scope Types: project
    metadata/: Set the user-defined metadata for a secret. || metadata/{key}: Update an existing key/value pair in the secret's user-defined metadata.

secret_meta:delete
    Default: True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
    Operations: DELETE /v1/secrets/{secret-id}/metadata/{meta-key}
    Scope Types: project
    Delete a secret's user-defined metadata by key.
secret:decrypt
    Default: True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
    Operations: GET /v1/secrets/{uuid}/payload
    Scope Types: project
    Retrieve a secret's payload.
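The secret:decrypt default above is built entirely from the rule aliases at the top of this page, and its shape decides who can read a secret's payload: the caller must be a member of the secret's project and either own it, or the secret must be project-readable, or an ACL must grant read access. To make that composition concrete, the following added example (not Barbican or oslo.policy code) implements a small evaluator for the subset of the oslo.policy rule language these defaults use (role:, rule:, generic left:%(target...)s checks, and/or/not, parentheses) and runs secret:decrypt against constructed callers. Assumptions, labelled in the code: the shape of the credentials dict (user_id, project_id, roles), and that the target is already flattened into the dotted keys the placeholders name (target.secret.*, enforce_new_defaults), with target.secret.read set to 'read' only when the ACL grants the caller read access; how Barbican actually assembles that target is not shown on this page.

```python
"""Evaluator for the subset of the oslo.policy rule language used by the Barbican
defaults above (role:, rule:, generic left:%(target...)s checks, and/or/not).
Added example, not Barbican or oslo.policy code; creds/target layout is assumed."""
import ast

RULES = {  # copied from the Barbican defaults listed on the page
    "secret_project_match": "project_id:%(target.secret.project_id)s",
    "secret_project_member": "role:member and rule:secret_project_match",
    "secret_project_admin": "role:admin and rule:secret_project_match",
    "secret_owner": "user_id:%(target.secret.creator_id)s",
    "secret_is_not_private": "True:%(target.secret.read_project_access)s",
    "secret_acl_read": "'read':%(target.secret.read)s",
    "secret:decrypt": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or "
                      "(rule:secret_project_member and rule:secret_owner) or "
                      "(rule:secret_project_member and rule:secret_is_not_private) or "
                      "rule:secret_acl_read)",
}
# Constructed sample callers (not from the page): two members of project proj-a.
ALICE = {"user_id": "alice", "project_id": "proj-a", "roles": ["member"]}
BOB = {"user_id": "bob", "project_id": "proj-a", "roles": ["member"]}

def _tokenize(expr):
    """Split on whitespace; '(' and ')' count only at a token's edges, so the ones
    inside %(target.secret.read)s survive (the convention oslo.policy uses)."""
    toks = []
    for raw in expr.split():
        core = raw.lstrip("(")
        toks.extend("(" * (len(raw) - len(core)))
        body = core.rstrip(")")
        if body:
            toks.append(body)
        toks.extend(")" * (len(core) - len(body)))
    return toks

class _Evaluator:
    """Recursive descent that evaluates while parsing; `or` binds loosest, then `and`, then `not`."""
    def __init__(self, expr, creds, target):
        self.toks, self.creds, self.target = _tokenize(expr), creds, target

    def expr(self):
        result = self._and()
        while self.toks and self.toks[0] == "or":
            self.toks.pop(0)
            result = self._and() or result  # right side is always parsed, never skipped
        return result

    def _and(self):
        result = self._not()
        while self.toks and self.toks[0] == "and":
            self.toks.pop(0)
            result = self._not() and result
        return result

    def _not(self):
        tok = self.toks.pop(0)
        if tok == "not":
            return not self._not()
        if tok == "(":
            result = self.expr()
            if not self.toks or self.toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses")
            return result
        kind, _, match = tok.partition(":")
        return _check(kind, match, self.creds, self.target)

def _check(kind, match, creds, target):
    if kind == "rule":
        return enforce(match, creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: interpolate the right side from the target (a missing key fails
    # closed), then compare its string form with a literal (True, 'read') or a creds field.
    try:
        value = match % target
    except KeyError:
        return False
    try:
        left = ast.literal_eval(kind)
    except (ValueError, SyntaxError):
        if kind not in creds:
            return False
        left = creds[kind]
    return value == str(left)

def evaluate_expr(expr, creds, target):
    ev = _Evaluator(expr, creds, target)
    result = ev.expr()
    if ev.toks:  # e.g. a stray closing parenthesis
        raise ValueError("unexpected token %r" % ev.toks[0])
    return result

def enforce(policy, creds, target):
    """Evaluate a named rule or policy, e.g. enforce('secret:decrypt', ALICE, target)."""
    return evaluate_expr(RULES[policy], creds, target)

def make_target(creator, project, project_readable, acl_read=False, new_defaults=True):
    """Flat target keyed as the placeholders expect (assumed layout); ACL key is optional."""
    target = {"target.secret.project_id": project, "target.secret.creator_id": creator,
              "target.secret.read_project_access": project_readable,
              "enforce_new_defaults": new_defaults}
    if acl_read:
        target["target.secret.read"] = "read"
    return target
```

Running enforce('secret:decrypt', ...) over a private secret created by alice in proj-a shows the three grants and two denials worth knowing as a defender: alice (owner) is allowed, bob (same project, not owner, no ACL) is denied until either an ACL entry gives him 'read' or the secret is marked project-readable, and an admin of a different project is denied because secret_project_admin includes secret_project_match. Note also that secret:decrypt has no bare role:admin, unlike secret:get and secret:delete below, and that the leading True:%(enforce_new_defaults)s term makes every default on this page evaluate to false when new defaults are not enforced.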
secret:get
    Default: True:%(enforce_new_defaults)s and (role:admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)
    Operations: GET /v1/secrets/{secret-id}
    Scope Types: project
    Retrieve a secret's metadata.

secret:put
    Default: True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
    Operations: PUT /v1/secrets/{secret-id}
    Scope Types: project
    Add the payload to an existing metadata-only secret.

secret:delete
    Default: True:%(enforce_new_defaults)s and (role:admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))
    Operations: DELETE /v1/secrets/{secret-id}
    Scope Types: project
    Delete a secret by UUID.
secrets:post
    Default: True:%(enforce_new_defaults)s and role:member
    Operations: POST /v1/secrets
    Scope Types: project
    Create a Secret entity.

secrets:get
    Default: True:%(enforce_new_defaults)s and role:member
    Operations: GET /v1/secrets
    Scope Types: project
    List a project's secrets.
secretstores:get
    Default: True:%(enforce_new_defaults)s and role:reader
    Operations: GET /v1/secret-stores
    Scope Types: project
    Get the list of available secret store backends.

secretstores:get_global_default
    Default: True:%(enforce_new_defaults)s and role:reader
    Operations: GET /v1/secret-stores/global-default
    Scope Types: project
    Get a reference to the secret store that is used as the deployment's default secret store backend.

secretstores:get_preferred
    Default: True:%(enforce_new_defaults)s and role:reader
    Operations: GET /v1/secret-stores/preferred
    Scope Types: project
    Get a reference to the secret store previously assigned as the preferred secret store.

secretstore_preferred:post
    Default: True:%(enforce_new_defaults)s and role:admin
    Operations: POST /v1/secret-stores/{ss-id}/preferred
    Scope Types: project
    Set a secret store backend as the preferred store backend for the caller's project.

secretstore_preferred:delete
    Default: True:%(enforce_new_defaults)s and role:admin
    Operations: DELETE /v1/secret-stores/{ss-id}/preferred
    Scope Types: project
    Remove the preferred secret store backend setting for the caller's project.

secretstore:get
    Default: True:%(enforce_new_defaults)s and role:reader
    Operations: GET /v1/secret-stores/{ss-id}
    Scope Types: project
    Get the details of a secret store by its ID.
transport_key:get
    Default: True:%(enforce_new_defaults)s and role:reader
    Operations: GET /v1/transport_keys/{key-id}
    Scope Types: project
    Get a specific transport key.

transport_key:delete
    Default: True:%(enforce_new_defaults)s and role:admin
    Operations: DELETE /v1/transport_keys/{key-id}
    Scope Types: project
    Delete a specific transport key.

transport_keys:get
    Default: True:%(enforce_new_defaults)s and role:reader
    Operations: GET /v1/transport_keys
    Scope Types: project
    Get a list of all transport keys.

transport_keys:post
    Default: True:%(enforce_new_defaults)s and role:admin
    Operations: POST /v1/transport_keys
    Scope Types: project
    Create a new transport key.