"Fossies" - the Fresh Open Source Software Archive

Member "barbican-12.0.0/doc/source/admin/access_control.rst" (14 Apr 2021, 3261 Bytes) of package /linux/misc/openstack/barbican-12.0.0.tar.gz:


==============
Access Control
==============

Role Based Access Control (RBAC)
--------------------------------

Like many other services, the Key Manager service supports the protection of its
APIs by enforcing policy rules defined in a policy file.  The Key Manager
service stores a reference to a policy file in its configuration file,
:file:`/etc/barbican/barbican.conf`.  Typically this file is named
``policy.yaml`` and it is stored in :file:`/etc/barbican/policy.yaml`.

Each Key Manager API call has a line in the policy file that dictates which
level of access applies:

.. code-block:: ini

    API_NAME: RULE_STATEMENT or MATCH_STATEMENT

where ``RULE_STATEMENT`` can be another ``RULE_STATEMENT`` or a
``MATCH_STATEMENT``:

.. code-block:: ini

    RULE_STATEMENT: RULE_STATEMENT or MATCH_STATEMENT

``MATCH_STATEMENT`` is a set of identifiers that must match between the token
provided by the caller of the API and the parameters or target entities of the
API in question.  For example:

.. code-block:: ini

    "secrets:post": "role:admin or role:creator"

indicates that to create a new secret via a POST request, you must have either
the admin or creator role in your token.

.. warning:: The Key Manager service scopes the ownership of a secret at
    the project level.  This means that many calls in the API will perform an
    additional check to ensure that the project_id of the token matches the
    project_id stored as the secret owner.
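The rule grammar above, combined with the project-ownership check from the warning, as a small added example.  It is constructed for this page and is neither Barbican's nor oslo.policy's code; the policy entries, roles, project ids and the ``target.secret.project_id`` key are invented for illustration.

```python
"""Minimal evaluator for the RULE/MATCH grammar described above (constructed;
not Barbican's or oslo.policy's code).  Atoms are role:<name>, rule:<alias>,
<attr>:<literal> or <attr>:%(target-key)s, joined by and/or (and binds tighter,
as in oslo.policy; no parentheses)."""
import re

# Constructed policy in policy.yaml shape: API name (or alias) -> rule string.
# secret_project_match is the project-ownership check the warning refers to.
SAMPLE_POLICY = {
    "secret_project_match": "project_id:%(target.secret.project_id)s",
    "secrets:post": "role:admin or role:creator",
    "secrets:get": "rule:secret_project_match and role:admin or "
                   "rule:secret_project_match and role:observer",
    "secrets:delete": "rule:secret_project_match and role:admin",
}

_ATOM = re.compile(r"^(\w+):(.+)$")
_TARGET_REF = re.compile(r"^%\((.+)\)s$")


def _check_atom(atom, creds, target, policy):
    """Evaluate one MATCH_STATEMENT (or a rule: reference) to True/False."""
    m = _ATOM.match(atom.strip())
    if m is None:
        return False  # malformed atom: fail closed
    kind, value = m.groups()
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return enforce(value, creds, target, policy)
    # Generic match: token attribute vs. a literal or a %(...)s target value.
    ref = _TARGET_REF.match(value)
    expected = target.get(ref.group(1)) if ref else value
    return kind in creds and creds[kind] == expected


def enforce(rule_name, creds, target, policy=SAMPLE_POLICY):
    """Return True if the token (creds) may perform rule_name on target."""
    rule = policy.get(rule_name)
    if rule is None:
        return False  # unknown API or alias: deny by default
    return any(
        all(_check_atom(a, creds, target, policy) for a in term.split(" and "))
        for term in rule.split(" or ")
    )
```

Feeding it a token with the observer role in project ``p1`` and a secret owned by ``p1`` grants ``secrets:get`` but not ``secrets:delete``; an admin token from another project fails both because the ownership alias does not match.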

Default Policy
~~~~~~~~~~~~~~

The policy engine in OpenStack is very flexible and allows for customized
policies that make sense for your particular cloud.  The Key Manager service
comes with a sample ``policy.yaml`` file which can be used as the starting
point for a customized policy.  The sample policy defines 5 distinct roles:

key-manager:service-admin
    The cloud administrator in charge of the Key Manager service.  This user
    has access to all management APIs like the project-quotas.

admin
    Project administrator.  This user has full access to all resources owned
    by the project for which the admin role is scoped.

creator
    Users with this role are allowed to create new resources and can only
    delete resources which were originally created (owned) by them.  Users with
    this role cannot delete other users' resources managed within the same
    project.  They are also allowed full access to existing secrets owned by
    the project in scope.

observer
    Users with this role are allowed to access existing resources but are
    not allowed to upload new secrets or delete existing secrets.

audit
    Users with this role are only allowed access to the resource metadata,
    so users with this role are unable to decrypt secrets.

Access Control List API
-----------------------

There are some limitations that result from scoping ownership of a secret at the
project level.  For example, there is no easy way for a user to upload a secret
to which only they have access.  There is also no easy way to grant a user
access to only a single secret.

To address these limitations the Key Manager service includes an Access Control
List (ACL) API.  For full details see the
`ACL API User Guide <https://docs.openstack.org/api-guide/key-manager/acls.html>`__.