"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/source/admin/access_control.rst" between
barbican-11.0.0.tar.gz and barbican-12.0.0.tar.gz

About: OpenStack Barbican is the OpenStack Key Manager service. It provides secure storage, provisioning and management of secret data.
The "Wallaby" series (latest release).

access_control.rst  (barbican-11.0.0):access_control.rst  (barbican-12.0.0)
skipping to change at line 12 skipping to change at line 12
Access Control Access Control
============== ==============
Role Based Access Control (RBAC) Role Based Access Control (RBAC)
-------------------------------- --------------------------------
Like many other services, the Key Manager service supports the protection of its Like many other services, the Key Manager service supports the protection of its
APIs by enforcing policy rules defined in a policy file. The Key Manager APIs by enforcing policy rules defined in a policy file. The Key Manager
service stores a reference to a policy JSON file in its configuration file, service stores a reference to a policy JSON file in its configuration file,
:file:`/etc/barbican/barbican.conf`. Typically this file is named :file:`/etc/barbican/barbican.conf`. Typically this file is named
``policy.json`` and it is stored in :file:`/etc/barbican/policy.json`. ``policy.yaml`` and it is stored in :file:`/etc/barbican/policy.yaml`.
Each Key Manager API call has a line in the policy file that dictates which Each Key Manager API call has a line in the policy file that dictates which
level of access applies: level of access applies:
.. code-block:: ini .. code-block:: ini
API_NAME: RULE_STATEMENT or MATCH_STATEMENT API_NAME: RULE_STATEMENT or MATCH_STATEMENT
where ``RULE_STATEMENT`` can be another ``RULE_STATEMENT`` or a where ``RULE_STATEMENT`` can be another ``RULE_STATEMENT`` or a
``MATCH_STATEMENT``: ``MATCH_STATEMENT``:
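Review bot: the rename from ``policy.json`` to ``policy.yaml`` leaves the sentence two lines above it inconsistent, since it still says the configuration file "stores a reference to a policy JSON file"; change that to "a policy file" (or "a policy YAML file") so the format named in the prose matches the filename and path now given. The ``.. code-block:: ini`` directive that follows also deserves a second look in the same hunk: with the file now documented as YAML, the ``API_NAME: RULE_STATEMENT or MATCH_STATEMENT`` example would read more naturally under a ``yaml`` language tag, and a one-line upgrade note telling operators what happens when an existing ``policy.json`` is still present in ``/etc/barbican`` would save confusion for deployments carrying the old file forward.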
skipping to change at line 49 skipping to change at line 49
.. warning:: The Key Manager service scopes the ownership of a secret at .. warning:: The Key Manager service scopes the ownership of a secret at
the project level. This means that many calls in the API will perform an the project level. This means that many calls in the API will perform an
additional check to ensure that the project_id of the token matches the additional check to ensure that the project_id of the token matches the
project_id stored as the secret owner. project_id stored as the secret owner.
Default Policy Default Policy
~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~
The policy engine in OpenStack is very flexible and allows for customized The policy engine in OpenStack is very flexible and allows for customized
policies that make sense for your particular cloud. The Key Manager service policies that make sense for your particular cloud. The Key Manager service
comes with a sample ``policy.json`` file which can be used as the starting comes with a sample ``policy.yaml`` file which can be used as the starting
point for a customized policy. The sample policy defines 5 distinct roles: point for a customized policy. The sample policy defines 5 distinct roles:
key-manager:service-admin key-manager:service-admin
The cloud administrator in charge of the Key Manager service. This user The cloud administrator in charge of the Key Manager service. This user
has access to all management APIs like the project-quotas. has access to all management APIs like the project-quotas.
admin admin
Project administrator. This user has full access to all resources owned Project administrator. This user has full access to all resources owned
by the project for which the admin role is scoped. by the project for which the admin role is scoped.
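Review bot: after this hunk the only path the document gives is the deployed location ``/etc/barbican/policy.yaml`` from the first hunk, so a reader can easily take that to be the "sample ``policy.yaml`` file" this paragraph refers to; add a sentence stating where the sample ships or how it is produced, so the starting point for customisation is distinguishable from the live policy file that the service actually enforces. The role list that follows is otherwise unaffected by the rename and needs no change.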
 End of changes. 2 change blocks. 
2 lines changed or deleted 2 lines changed or added
