
/etc/barbican/policy.json is in barbican-common 1:2.0.0-0ubuntu1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

{
    "admin": "role:admin",
    "observer": "role:observer",
    "creator": "role:creator",
    "audit": "role:audit",
    "service_admin": "role:key-manager:service-admin",
    "admin_or_user_does_not_work": "project_id:%(project_id)s",
    "admin_or_user": "rule:admin or project_id:%(project_id)s",
    "admin_or_creator": "rule:admin or rule:creator",
    "all_but_audit": "rule:admin or rule:observer or rule:creator",
    "all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin",
    "secret_project_match": "project:%(target.secret.project_id)s",
    "secret_acl_read": "'read':%(target.secret.read)s",
    "secret_private_read": "'False':%(target.secret.read_project_access)s",
    "secret_creator_user": "user:%(target.secret.creator_id)s",
    "container_project_match": "project:%(target.container.project_id)s",
    "container_acl_read": "'read':%(target.container.read)s",
    "container_private_read": "'False':%(target.container.read_project_access)s",
    "container_creator_user": "user:%(target.container.creator_id)s",

    "secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read",
    "secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
    "container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read",
    "secret_project_admin": "rule:admin and rule:secret_project_match",
    "secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user",
    "container_project_admin": "rule:admin and rule:container_project_match",
    "container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user",

    "version:get": "@",
    "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
    "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
    "secret:put": "rule:admin_or_creator and rule:secret_project_match",
    "secret:delete": "rule:admin and rule:secret_project_match",
    "secrets:post": "rule:admin_or_creator",
    "secrets:get": "rule:all_but_audit",
    "orders:post": "rule:admin_or_creator",
    "orders:get": "rule:all_but_audit",
    "order:get": "rule:all_users",
    "order:put": "rule:admin_or_creator",
    "order:delete": "rule:admin",
    "consumer:get": "rule:all_users",
    "consumers:get": "rule:all_users",
    "consumers:post": "rule:admin",
    "consumers:delete": "rule:admin",
    "containers:post": "rule:admin_or_creator",
    "containers:get": "rule:all_but_audit",
    "container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
    "container:delete": "rule:admin",
    "transport_key:get": "rule:all_users",
    "transport_key:delete": "rule:admin",
    "transport_keys:get": "rule:all_users",
    "transport_keys:post": "rule:admin",
    "certificate_authorities:get_limited": "rule:all_users",
    "certificate_authorities:get_all": "rule:admin",
    "certificate_authorities:post": "rule:admin",
    "certificate_authorities:get_preferred_ca": "rule:all_users",
    "certificate_authorities:get_global_preferred_ca": "rule:service_admin",
    "certificate_authorities:unset_global_preferred": "rule:service_admin",
    "certificate_authority:delete": "rule:admin",
    "certificate_authority:get": "rule:all_users",
    "certificate_authority:get_cacert": "rule:all_users",
    "certificate_authority:get_ca_cert_chain": "rule:all_users",
    "certificate_authority:get_projects": "rule:service_admin",
    "certificate_authority:add_to_project": "rule:admin",
    "certificate_authority:remove_from_project": "rule:admin",
    "certificate_authority:set_preferred": "rule:admin",
    "certificate_authority:set_global_preferred": "rule:service_admin",
    "secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator",
    "secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator",
    "secret_acls:get": "rule:all_but_audit and rule:secret_project_match",
    "container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator",
    "container_acls:delete": "rule:container_project_admin or rule:container_project_creator",
    "container_acls:get": "rule:all_but_audit and rule:container_project_match",
    "quotas:get": "rule:all_users",
    "project_quotas:get": "rule:service_admin",
    "project_quotas:put": "rule:service_admin",
    "project_quotas:delete": "rule:service_admin",
    "secret_meta:get": "rule:all_but_audit",
    "secret_meta:post": "rule:admin_or_creator",
    "secret_meta:put": "rule:admin_or_creator",
    "secret_meta:delete": "rule:admin_or_creator"
}