Barbican 示例策略

以下是一个 Barbican 示例策略文件，它由代码中的默认策略值自动生成。如果您使用的是默认策略，则无需维护此文件，也不应将其复制到部署中；这样做会导致重复的策略定义。此文件旨在帮助解释哪些策略操作保护特定的 Barbican API，但除非您计划为某个操作提供不同于默认值的策略，否则不建议将其复制并粘贴到部署中。

示例策略文件也可以以文件形式查看。

#"secret_project_match": "project_id:%(target.secret.project_id)s"

#"secret_project_reader": "role:reader and rule:secret_project_match"

#"secret_project_member": "role:member and rule:secret_project_match"

#"secret_project_admin": "role:admin and rule:secret_project_match"

#"secret_owner": "user_id:%(target.secret.creator_id)s"

#"secret_is_not_private": "True:%(target.secret.read_project_access)s"

#"secret_acl_read": "'read':%(target.secret.read)s"

#"container_project_match": "project_id:%(target.container.project_id)s"

#"container_project_member": "role:member and rule:container_project_match"

#"container_project_admin": "role:admin and rule:container_project_match"

#"container_owner": "user_id:%(target.container.creator_id)s"

#"container_is_not_private": "True:%(target.container.read_project_access)s"

#"container_acl_read": "'read':%(target.container.read)s"

#"order_project_match": "project_id:%(target.order.project_id)s"

#"order_project_member": "role:member and rule:order_project_match"

#"audit": "role:audit"

#"observer": "role:observer"

#"creator": "role:creator"

#"admin": "role:admin"

#"service_admin": "role:key-manager:service-admin"

#"all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"

#"all_but_audit": "rule:admin or rule:observer or rule:creator"

#"admin_or_creator": "rule:admin or rule:creator"

#"secret_creator_user": "user_id:%(target.secret.creator_id)s"

#"secret_private_read": "'False':%(target.secret.read_project_access)s"

#"secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read"

#"secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"

#"secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user"

#"secret_project_creator_role": "rule:creator and rule:secret_project_match"

#"container_private_read": "'False':%(target.container.read_project_access)s"

#"container_creator_user": "user_id:%(target.container.creator_id)s"

#"container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read"

#"container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user"

#"container_project_creator_role": "rule:creator and rule:container_project_match"

# Retrieve the ACL settings for a given secret. If no ACL is defined
# for that secret, then the default ACL is returned.
# GET  /v1/secrets/{secret-id}/acl
# Intended scope(s): project
#"secret_acls:get": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret_acls:get":"rule:all_but_audit and rule:secret_project_match"
# has been deprecated since W in favor of
# "secret_acls:get":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Delete the ACL settings for a given secret.
# DELETE  /v1/secrets/{secret-id}/acl
# Intended scope(s): project
#"secret_acls:delete": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret_acls:delete":"rule:secret_project_admin or
# rule:secret_project_creator or (rule:secret_project_creator_role and
# rule:secret_non_private_read)" has been deprecated since W in favor
# of "secret_acls:delete":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Creates a new ACL, or replaces or updates the existing ACL, for a given secret.
# PUT  /v1/secrets/{secret-id}/acl
# PATCH  /v1/secrets/{secret-id}/acl
# Intended scope(s): project
#"secret_acls:put_patch": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret_acls:put_patch":"rule:secret_project_admin or
# rule:secret_project_creator or (rule:secret_project_creator_role and
# rule:secret_non_private_read)" has been deprecated since W in favor
# of "secret_acls:put_patch":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Retrieve the ACL settings for a given container.
# GET  /v1/containers/{container-id}/acl
# Intended scope(s): project
#"container_acls:get": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))"

# DEPRECATED
# "container_acls:get":"rule:all_but_audit and
# rule:container_project_match" has been deprecated since W in favor
# of "container_acls:get":"True:%(enforce_new_defaults)s and
# (rule:container_project_admin or (rule:container_project_member and
# rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Delete ACL for a given container. No content is returned in the case
# of successful deletion.
# DELETE  /v1/containers/{container-id}/acl
# Intended scope(s): project
#"container_acls:delete": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))"

# DEPRECATED
# "container_acls:delete":"rule:container_project_admin or
# rule:container_project_creator or
# (rule:container_project_creator_role and
# rule:container_non_private_read)" has been deprecated since W in
# favor of "container_acls:delete":"True:%(enforce_new_defaults)s and
# (rule:container_project_admin or (rule:container_project_member and
# rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Creates a new ACL, or replaces the existing ACL, for a given container.
# PUT  /v1/containers/{container-id}/acl
# PATCH  /v1/containers/{container-id}/acl
# Intended scope(s): project
#"container_acls:put_patch": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))"

# DEPRECATED
# "container_acls:put_patch":"rule:container_project_admin or
# rule:container_project_creator or
# (rule:container_project_creator_role and
# rule:container_non_private_read)" has been deprecated since W in
# favor of "container_acls:put_patch":"True:%(enforce_new_defaults)s
# and (rule:container_project_admin or (rule:container_project_member
# and rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# DEPRECATED: show information for a specific consumer
# GET  /v1/containers/{container-id}/consumers/{consumer-id}
# Intended scope(s): project
#"consumer:get": "True:%(enforce_new_defaults)s and (role:admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)"

# DEPRECATED
# "consumer:get":"rule:admin or rule:observer or rule:creator or
# rule:audit or rule:container_non_private_read or
# rule:container_project_creator or rule:container_project_admin or
# rule:container_acl_read" has been deprecated since W in favor of
# "consumer:get":"True:%(enforce_new_defaults)s and (role:admin or
# (rule:container_project_member and rule:container_owner) or
# (rule:container_project_member and  rule:container_is_not_private)
# or rule:container_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# List a container's consumers.
# GET  /v1/containers/{container-id}/consumers
# Intended scope(s): project
#"container_consumers:get": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)"

# DEPRECATED
# "container_consumers:get":"rule:container_non_private_read or
# rule:container_project_creator or rule:container_project_admin or
# rule:container_acl_read" has been deprecated since W in favor of
# "container_consumers:get":"True:%(enforce_new_defaults)s and
# (rule:container_project_admin or (rule:container_project_member and
# rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private) or rule:container_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Creates a consumer.
# POST  /v1/containers/{container-id}/consumers
# Intended scope(s): project
#"container_consumers:post": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)"

# DEPRECATED
# "container_consumers:post":"rule:container_non_private_read or
# rule:container_project_creator or rule:container_project_admin or
# rule:container_acl_read " has been deprecated since W in favor of
# "container_consumers:post":"True:%(enforce_new_defaults)s and
# (rule:container_project_admin or (rule:container_project_member and
# rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private) or rule:container_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Deletes a consumer.
# DELETE  /v1/containers/{container-id}/consumers
# Intended scope(s): project
#"container_consumers:delete": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)"

# DEPRECATED
# "container_consumers:delete":"rule:container_non_private_read or
# rule:container_project_creator or rule:container_project_admin or
# rule:container_acl_read " has been deprecated since W in favor of
# "container_consumers:delete":"True:%(enforce_new_defaults)s and
# (rule:container_project_admin or (rule:container_project_member and
# rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private) or rule:container_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# List consumers for a secret.
# GET  /v1/secrets/{secret-id}/consumers
# Intended scope(s): project
#"secret_consumers:get": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"

# DEPRECATED
# "secret_consumers:get":"rule:secret_non_private_read or
# rule:secret_project_creator or rule:secret_project_admin or
# rule:secret_acl_read" has been deprecated since W in favor of
# "secret_consumers:get":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private) or rule:secret_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Creates a consumer.
# POST  /v1/secrets/{secret-id}/consumers
# Intended scope(s): project
#"secret_consumers:post": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"

# DEPRECATED
# "secret_consumers:post":"rule:secret_non_private_read or
# rule:secret_project_creator or rule:secret_project_admin or
# rule:secret_acl_read" has been deprecated since W in favor of
# "secret_consumers:post":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private) or rule:secret_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Deletes a consumer.
# DELETE  /v1/secrets/{secret-id}/consumers
# Intended scope(s): project
#"secret_consumers:delete": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"

# DEPRECATED
# "secret_consumers:delete":"rule:secret_non_private_read or
# rule:secret_project_creator or rule:secret_project_admin or
# rule:secret_acl_read" has been deprecated since W in favor of
# "secret_consumers:delete":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private) or rule:secret_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Creates a container.
# POST  /v1/containers
# Intended scope(s): project
#"containers:post": "True:%(enforce_new_defaults)s and role:member"

# DEPRECATED
# "containers:post":"rule:admin_or_creator" has been deprecated since
# W in favor of "containers:post":"True:%(enforce_new_defaults)s and
# role:member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Lists a project's containers.
# GET  /v1/containers
# Intended scope(s): project
#"containers:get": "True:%(enforce_new_defaults)s and role:member"

# DEPRECATED
# "containers:get":"rule:all_but_audit" has been deprecated since W in
# favor of "containers:get":"True:%(enforce_new_defaults)s and
# role:member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Retrieves a single container.
# GET  /v1/containers/{container-id}
# Intended scope(s): project
#"container:get": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private) or rule:container_acl_read)"

# DEPRECATED
# "container:get":"rule:container_non_private_read or
# rule:container_project_creator or rule:container_project_admin or
# rule:container_acl_read" has been deprecated since W in favor of
# "container:get":"True:%(enforce_new_defaults)s and
# (rule:container_project_admin or (rule:container_project_member and
# rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private) or rule:container_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Deletes a container.
# DELETE  /v1/containers/{uuid}
# Intended scope(s): project
#"container:delete": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))"

# DEPRECATED
# "container:delete":"rule:container_project_admin or
# rule:container_project_creator" has been deprecated since W in favor
# of "container:delete":"True:%(enforce_new_defaults)s and
# (rule:container_project_admin or (rule:container_project_member and
# rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Add a secret to an existing container.
# POST  /v1/containers/{container-id}/secrets
# Intended scope(s): project
#"container_secret:post": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))"

# DEPRECATED
# "container_secret:post":"rule:container_project_admin or
# rule:container_project_creator or
# rule:container_project_creator_role and
# rule:container_non_private_read" has been deprecated since W in
# favor of "container_secret:post":"True:%(enforce_new_defaults)s and
# (rule:container_project_admin or (rule:container_project_member and
# rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Remove a secret from a container.
# DELETE  /v1/containers/{container-id}/secrets/{secret-id}
# Intended scope(s): project
#"container_secret:delete": "True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and  rule:container_is_not_private))"

# DEPRECATED
# "container_secret:delete":"rule:container_project_admin or
# rule:container_project_creator or
# rule:container_project_creator_role and
# rule:container_non_private_read" has been deprecated since W in
# favor of "container_secret:delete":"True:%(enforce_new_defaults)s
# and (rule:container_project_admin or (rule:container_project_member
# and rule:container_owner) or (rule:container_project_member and
# rule:container_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Gets list of all orders associated with a project.
# GET  /v1/orders
# Intended scope(s): project
#"orders:get": "True:%(enforce_new_defaults)s and role:member"

# DEPRECATED
# "orders:get":"rule:all_but_audit" has been deprecated since W in
# favor of "orders:get":"True:%(enforce_new_defaults)s and
# role:member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Creates an order.
# POST  /v1/orders
# Intended scope(s): project
#"orders:post": "True:%(enforce_new_defaults)s and role:member"

# DEPRECATED
# "orders:post":"rule:admin_or_creator" has been deprecated since W in
# favor of "orders:post":"True:%(enforce_new_defaults)s and
# role:member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Unsupported method for the orders API.
# PUT  /v1/orders
# Intended scope(s): project
#"orders:put": "True:%(enforce_new_defaults)s and role:member"

# DEPRECATED
# "orders:put":"rule:admin_or_creator" has been deprecated since W in
# favor of "orders:put":"True:%(enforce_new_defaults)s and
# role:member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Retrieves an order's metadata.
# GET  /v1/orders/{order-id}
# Intended scope(s): project
#"order:get": "True:%(enforce_new_defaults)s and rule:order_project_member"

# DEPRECATED
# "order:get":"rule:all_users and
# project_id:%(target.order.project_id)s" has been deprecated since W
# in favor of "order:get":"True:%(enforce_new_defaults)s and
# rule:order_project_member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Deletes an order.
# DELETE  /v1/orders/{order-id}
# Intended scope(s): project
#"order:delete": "True:%(enforce_new_defaults)s and rule:order_project_member"

# DEPRECATED
# "order:delete":"rule:admin and
# project_id:%(target.order.project_id)s" has been deprecated since W
# in favor of "order:delete":"True:%(enforce_new_defaults)s and
# rule:order_project_member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# List quotas for the project the user belongs to.
# GET  /v1/quotas
# Intended scope(s): project
#"quotas:get": "True:%(enforce_new_defaults)s and role:reader"

# DEPRECATED
# "quotas:get":"rule:all_users" has been deprecated since W in favor
# of "quotas:get":"True:%(enforce_new_defaults)s and role:reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# List quotas for the specified project.
# GET  /v1/project-quotas
# GET  /v1/project-quotas/{uuid}
# Intended scope(s): project
#"project_quotas:get": "True:%(enforce_new_defaults)s and role:admin"

# DEPRECATED
# "project_quotas:get":"rule:service_admin" has been deprecated since
# W in favor of "project_quotas:get":"True:%(enforce_new_defaults)s
# and role:admin".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Create or update the configured project quotas for the project with
# the specified UUID.
# PUT  /v1/project-quotas/{uuid}
# Intended scope(s): project
#"project_quotas:put": "True:%(enforce_new_defaults)s and role:admin"

# DEPRECATED
# "project_quotas:put":"rule:service_admin" has been deprecated since
# W in favor of "project_quotas:put":"True:%(enforce_new_defaults)s
# and role:admin".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Delete the project quotas configuration for the project with the
# requested UUID.
# DELETE  /v1/quotas
# Intended scope(s): project
#"project_quotas:delete": "True:%(enforce_new_defaults)s and role:admin"

# DEPRECATED
# "project_quotas:delete":"rule:service_admin" has been deprecated
# since W in favor of
# "project_quotas:delete":"True:%(enforce_new_defaults)s and
# role:admin".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# metadata/: Lists a secret's user-defined metadata. || metadata/{key}:
# Retrieves a secret's user-added metadata.
# GET  /v1/secrets/{secret-id}/metadata
# GET  /v1/secrets/{secret-id}/metadata/{meta-key}
# Intended scope(s): project
#"secret_meta:get": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"

# DEPRECATED
# "secret_meta:get":"rule:secret_non_private_read or
# rule:secret_project_creator or rule:secret_project_admin or
# rule:secret_acl_read" has been deprecated since W in favor of
# "secret_meta:get":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private) or rule:secret_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Adds a new key/value pair to the secret's user-defined metadata.
# POST  /v1/secrets/{secret-id}/metadata/{meta-key}
# Intended scope(s): project
#"secret_meta:post": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret_meta:post":"rule:secret_project_admin or
# rule:secret_project_creator or (rule:secret_project_creator_role and
# rule:secret_non_private_read)" has been deprecated since W in favor
# of "secret_meta:post":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# metadata/: Sets the user-defined metadata for a secret ||
# metadata/{key}: Updates an existing key/value pair in the secret's
# user-defined metadata.
# PUT  /v1/secrets/{secret-id}/metadata
# PUT  /v1/secrets/{secret-id}/metadata/{meta-key}
# Intended scope(s): project
#"secret_meta:put": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret_meta:put":"rule:secret_project_admin or
# rule:secret_project_creator or (rule:secret_project_creator_role and
# rule:secret_non_private_read)" has been deprecated since W in favor
# of "secret_meta:put":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Delete secret user-defined metadata by key.
# DELETE  /v1/secrets/{secret-id}/metadata/{meta-key}
# Intended scope(s): project
#"secret_meta:delete": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret_meta:delete":"rule:secret_project_admin or
# rule:secret_project_creator or (rule:secret_project_creator_role and
# rule:secret_non_private_read)" has been deprecated since W in favor
# of "secret_meta:delete":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Retrieve a secret's payload.
# GET  /v1/secrets/{uuid}/payload
# Intended scope(s): project
#"secret:decrypt": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"

# DEPRECATED
# "secret:decrypt":"rule:secret_decrypt_non_private_read or
# rule:secret_project_creator or rule:secret_project_admin or
# rule:secret_acl_read" has been deprecated since W in favor of
# "secret:decrypt":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private) or rule:secret_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Retrieves a secret's metadata.
# GET  /v1/secrets/{secret-id}
# Intended scope(s): project
#"secret:get": "True:%(enforce_new_defaults)s and (role:admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"

# DEPRECATED
# "secret:get":"rule:secret_non_private_read or
# rule:secret_project_creator or rule:secret_project_admin or
# rule:secret_acl_read" has been deprecated since W in favor of
# "secret:get":"True:%(enforce_new_defaults)s and (role:admin or
# rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private) or rule:secret_acl_read)".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Add the payload to an existing metadata-only secret.
# PUT  /v1/secrets/{secret-id}
# Intended scope(s): project
#"secret:put": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret:put":"rule:admin_or_creator and rule:secret_project_match"
# has been deprecated since W in favor of
# "secret:put":"True:%(enforce_new_defaults)s and
# (rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Delete a secret by uuid.
# DELETE  /v1/secrets/{secret-id}
# Intended scope(s): project
#"secret:delete": "True:%(enforce_new_defaults)s and (role:admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

# DEPRECATED
# "secret:delete":"rule:secret_project_admin or
# rule:secret_project_creator or (rule:secret_project_creator_role and
# not rule:secret_private_read)" has been deprecated since W in favor
# of "secret:delete":"True:%(enforce_new_defaults)s and (role:admin or
# rule:secret_project_admin or (rule:secret_project_member and
# rule:secret_owner) or (rule:secret_project_member and
# rule:secret_is_not_private))".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Creates a Secret entity.
# POST  /v1/secrets
# Intended scope(s): project
#"secrets:post": "True:%(enforce_new_defaults)s and role:member"

# DEPRECATED
# "secrets:post":"rule:admin_or_creator" has been deprecated since W
# in favor of "secrets:post":"True:%(enforce_new_defaults)s and
# role:member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Lists a project's secrets.
# GET  /v1/secrets
# Intended scope(s): project
#"secrets:get": "True:%(enforce_new_defaults)s and role:member"

# DEPRECATED
# "secrets:get":"rule:all_but_audit" has been deprecated since W in
# favor of "secrets:get":"True:%(enforce_new_defaults)s and
# role:member".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Get list of available secret store backends.
# GET  /v1/secret-stores
# Intended scope(s): project
#"secretstores:get": "True:%(enforce_new_defaults)s and role:reader"

# DEPRECATED
# "secretstores:get":"rule:all_users" has been deprecated since W in
# favor of "secretstores:get":"True:%(enforce_new_defaults)s and
# role:reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Get a reference to the secret store that is used as default secret
# store backend for the deployment.
# GET  /v1/secret-stores/global-default
# Intended scope(s): project
#"secretstores:get_global_default": "True:%(enforce_new_defaults)s and role:reader"

# DEPRECATED
# "secretstores:get_global_default":"rule:all_users" has been
# deprecated since W in favor of
# "secretstores:get_global_default":"True:%(enforce_new_defaults)s and
# role:reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Get a reference to the preferred secret store if assigned
# previously.
# GET  /v1/secret-stores/preferred
# Intended scope(s): project
#"secretstores:get_preferred": "True:%(enforce_new_defaults)s and role:reader"

# DEPRECATED
# "secretstores:get_preferred":"rule:all_users" has been deprecated
# since W in favor of
# "secretstores:get_preferred":"True:%(enforce_new_defaults)s and
# role:reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Set a secret store backend as the preferred store backend for the
# project.
# POST  /v1/secret-stores/{ss-id}/preferred
# Intended scope(s): project
#"secretstore_preferred:post": "True:%(enforce_new_defaults)s and role:admin"

# DEPRECATED
# "secretstore_preferred:post":"rule:admin" has been deprecated since
# W in favor of
# "secretstore_preferred:post":"True:%(enforce_new_defaults)s and
# role:admin".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Remove the preferred secret store backend setting for the project.
# DELETE  /v1/secret-stores/{ss-id}/preferred
# Intended scope(s): project
#"secretstore_preferred:delete": "True:%(enforce_new_defaults)s and role:admin"

# DEPRECATED
# "secretstore_preferred:delete":"rule:admin" has been deprecated
# since W in favor of
# "secretstore_preferred:delete":"True:%(enforce_new_defaults)s and
# role:admin".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Get details of secret store by its ID.
# GET  /v1/secret-stores/{ss-id}
# Intended scope(s): project
#"secretstore:get": "True:%(enforce_new_defaults)s and role:reader"

# DEPRECATED
# "secretstore:get":"rule:all_users" has been deprecated since W in
# favor of "secretstore:get":"True:%(enforce_new_defaults)s and
# role:reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Get a specific transport key.
# GET  /v1/transport_keys/{key-id}
# Intended scope(s): project
#"transport_key:get": "True:%(enforce_new_defaults)s and role:reader"

# DEPRECATED
# "transport_key:get":"rule:all_users" has been deprecated since W in
# favor of "transport_key:get":"True:%(enforce_new_defaults)s and
# role:reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Delete a specific transport key.
# DELETE  /v1/transport_keys/{key-id}
# Intended scope(s): project
#"transport_key:delete": "True:%(enforce_new_defaults)s and role:admin"

# DEPRECATED
# "transport_key:delete":"rule:service_admin" has been deprecated
# since W in favor of
# "transport_key:delete":"True:%(enforce_new_defaults)s and
# role:admin".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Get a list of all transport keys.
# GET  /v1/transport_keys
# Intended scope(s): project
#"transport_keys:get": "True:%(enforce_new_defaults)s and role:reader"

# DEPRECATED
# "transport_keys:get":"rule:all_users" has been deprecated since W in
# favor of "transport_keys:get":"True:%(enforce_new_defaults)s and
# role:reader".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.

# Create a new transport key.
# POST  /v1/transport_keys
# Intended scope(s): project
#"transport_keys:post": "True:%(enforce_new_defaults)s and role:admin"

# DEPRECATED
# "transport_keys:post":"rule:service_admin" has been deprecated since
# W in favor of "transport_keys:post":"True:%(enforce_new_defaults)s
# and role:admin".
# The default policy for the Key Manager API has been updated to use
# scopes and default roles.